[openssl-users] Example on SSL_SESSION_set_ex_data?

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Aug 25 13:51:52 UTC 2016 

Sorry, I missed that call to SSL_set_session. No, you don't need to call SSL_set_session. SSL_get_session is a get0-type function; it just returns a copy of the pointer in the SSL object. So any changes you make to that SSL_SESSION object are to the one that's already in the SSL object.

Calling SSL_set_session with the same session that's already in the SSL should be OK, because the code increments the reference count on the SSL_SESSION before calling SSL_SESSION_free - and so the free will just decrement the count again. But it doesn't do anything useful.

(SSL_set_session could do a reference comparison on the existing and new sessions and return without doing anything if they're the same, but there's probably little real-world value in adding such an optimization.)

The code's in ssl/ssl_sess.c (at least for 1.0.2), if you want to have a look for yourself. It's quite straightforward, which is not *always* the case with OpenSSL.

Michael Wojcik
Distinguished Engineer, Micro Focus



From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Eric To
Sent: Thursday, August 25, 2016 09:29
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Example on SSL_SESSION_set_ex_data?

Thanks Rich and Michael.

That was it, I was under the impression that these set functions would behave like those i2d function that would put the actual data inside... as I don't want to deal with the deallocation later (as I am modifying apache's mod_ssl). This seems to work as I can immediately read it back (before I couldn't) with get_ex_data.


Do I still need to call SSL_set_session to put the updated session back in the SSL?
According to the documentation:
"If there is already a session set inside ssl (because it was set with SSL_set_session() before or because the same ssl was already used for a connection), SSL_SESSION_free() will be called for that session."


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160825/f5babb5f/attachment-0001.html>

More information about the openssl-users mailing list