sessions reuse in openssl

Viktor Dukhovni openssl-users at
Wed Jan 20 06:27:05 UTC 2021

On Wed, Jan 20, 2021 at 11:33:21AM +0530, Harish Kulkarni wrote:

> I am working on memory analysis of OpenSSL.  One of the observation is the
> memory allocated by d2i_X509() API (returned in x) is not being freed after
> the connection is closed.. and this memory is stored as part of session.. I
> want to limit number of sessions which we cache for re-use.. or if possible
> completely avoid session caching.

You still have not explicitly stated whether the issue is server-side or
client-side.  Reading between the lines, it seems to be client-side.
The server certificate is an expectedd part of the session object.  When
you free the session object, the certificate object is also freed.

In OpenSSL, X.509 certificate objects are reference-counted, you also
need to be careful with functions that inspect the server certificate
and increment its reference count as a side-effect.  If you use these,
you need to call X509_free() when the returned certificate is no longer

There is no automatic client-side session reuse in OpenSSL, so you don't
need to do anything to avoid resuming sessions.  Internal caching of
client-side sessions is off by default.  See the manual page of


More information about the openssl-users mailing list