Client side session handling

Viktor Dukhovni openssl-users at dukhovni.org
Wed Oct 13 18:13:47 UTC 2021 

On Wed, Oct 13, 2021 at 02:32:10PM +0000, Jason Schultz wrote:

> The confusing part is that given everything above, when I free the
> SSL_CTX associated with these connections/sessions, I see the remove
> callback function get called again for client-side sessions that I
> already called SSL_SESSION_free() on. Is this normal behavior? Is
> there something else I’m missing?

OpenSSL SSL_SESSSIONS are reference-counted.  This is typical of a
number of similar sufficiently complex structures for which it makes
more sense to bump a reference counter than to make a copy.

The SSL_SESSION_free(3), X509_free(), and various other calls just
decrement the reference counter, with the object only actually freed
once the counter reaches 0.

Various functions (though not all, as documented for each function) that
return such objects to the application increment the refernce counter
(say initially from 1 to 2), and the application is then responsible for
decrementing it.  THe object is finally freed when any internal
reference is released (if that happens last).

The internal store of client-side sessions is not used by OpenSSL
for anything other than asking the application to remove sessions
when the cache exceeds some limit, the application still needs its
own cache lookup mechanism and its own separat cache (of the same
shared by reference count underlying objects), all the OpenSSL
cache is doing for you is "helping" you keep the cache size bounded.

In Postfix we serialise session objects into a cache in which they
are not shared with OpenSSL and manage expunging stale sessions
independently of OpenSSL.  We therefore tell OpenSSL to not bother
maintaining an internal cache.

    SSL_CTX_set_session_cache_mode(client_ctx,
                                   SSL_SESS_CACHE_CLIENT |
                                   SSL_SESS_CACHE_NO_INTERNAL_STORE |
                                   SSL_SESS_CACHE_NO_AUTO_CLEAR);

All the work of managing session storage and lookup is done by
the callback:

    SSL_CTX_sess_set_new_cb(client_ctx, new_client_session_cb);

There's no remove callback, we handle cache management outside OpenSSL..

-- 
    Viktor.

More information about the openssl-users mailing list