[openssl-users] session resumption tls1.2/tls1.3

Viktor Dukhovni openssl-users at dukhovni.org
Tue Jul 18 21:43:47 UTC 2017


On Mon, Jul 17, 2017 at 09:54:39AM +0100, Matt Caswell wrote:

> In the default case a server will just use the
> internal session cache. You can populate that cache manually using
> SSL_CTX_add_session(). So if you have a set of pre-existing SSL_SESSION
> objects (perhaps loaded from a file) you can manually populate that
> cache at application startup.

When server side (non-ticket) caches are enabled in Postfix it uses
a file-based key-value store.  The lookup key is the session id
sent by the client, and the value is the serialized session object.

So it is also possible to load saved sessions on demand.  In Postfix
this is used to share sessions within a pool of cooperating processes,
and the cache is deleted on restart, but that's a design choice
that other applications could (with care) make differently.  I
would avoid using session objects across changes in the OpenSSL
library version between the process that saved the session and the
process that's reading it.

-- 
	Viktor.

