Contract of d2i_SSL_SESSION ?

Matt Caswell matt at openssl.org
Thu Dec 16 11:16:27 UTC 2021 

On 16/12/2021 08:58, Jesper Pedersen wrote:
> Hi,
> 
> I have a use-case where I need to reuse the SSL session in another 
> process that created it. So, it looks like
> 
> Process 1:
>   * Create SSL_CTX
>   * Create SSL
>   * Use SSL
>   * i2d_SSL_SESSION into shared memory [1] -- this works
>   * Free SSL (no SSL_shutdown as I need socket descriptor as well)
>   * Transfer socket descriptor to parent process
> 
> Process 2:
>   * Create SSL_CTX
>   * Create SSL
>   * Attach SSL_SESSION through d2i_SSL_SESSION [2]
>   * Associate the socket descriptor (as its number may have changed)
>   * Call SSL_connect (same result as SSL_set_connect_state + 
> SSL_do_handshake)
> 
> After the SSL_connect call SSL_pending [3] will show 19 0-bytes in the 
> buffer which leads to
> 
> AFTER CONNECT: 19
> 00000000000000000000000000000000000000
> ???????????????????
> SSL_ERROR_SSL: FD 15
> error:140940F4:SSL routines:ssl3_read_bytes:unexpected message
> SSL routines
> unexpected message
> 
> so I must be missing something in the contract of d2i_SSL_SESSION.
> 
> The SSL session cache is SSL_SESS_CACHE_CLIENT | 
> SSL_SESS_CACHE_NO_INTERNAL_STORE.


It's not 100% clear to me what you are trying to achieve or what you 
expected to happen - but it sounds like you are trying to transfer an 
active SSL connection from one process to another. This capability is 
not supported although it has been asked for from time to time.

All SSL_SESSION allows you to do is to *resume* a session based on an 
old connection, i.e. a new connection is created based on parameters 
negotiated from an old connection.

Matt


> 
> Using OpenSSL 1.1.1l
> 
> [1] 
> https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R3446 
> 
> [2] 
> https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R5857 
> 
> [3] 
> https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634#diff-b0ad697326050bb80fb89068786852d7b974e1f648103fe382acea69097fd152R5899 
> 
> 
> Full patch: 
> https://github.com/jesperpedersen/pgagroal/commit/05f6c65bf95b932faf3fb583d484100d83211634 
> 
> 
> Upstream project: https://github.com/agroal/pgagroal
> 
> Thanks in advance for questions, suggestions, hints or comments on the 
> current code !
> 
> Best regards,
>   Jesper
>

More information about the openssl-users mailing list