Update information as a partial response to the post
From: "Chris D. Peterson" <cpeterson@aventail.com> Subject: Implementation Issues with OpenSSL To: openssl-users@openssl.org Date: Wed, 22 Aug 2001 16:13:17 -0700 The patch included in the original post may improve the internal session list handling (and is therefore worth a seperate investigation). No change to the list handling will however solve the problems of incorrect SSL_SESSION_free() calls. The session list is only one possible point of failure, dangling pointers would also occur for SSL object currently using the session. The correct solution is to only use SSL_SESSION_free() when applicable!
This commit is contained in:
Lutz Jänicke
@@ -23,6 +23,14 @@ If there is already a session set inside B<ssl> (because it was set with
|
||||
SSL_set_session() before or because the same B<ssl> was already used for
|
||||
a connection), SSL_SESSION_free() will be called for that session.
|
||||
|
||||
=head1 NOTES
|
||||
|
||||
SSL_SESSION objects keep internal link information about the session cache
|
||||
list, when being inserted into one SSL_CTX object's session cache.
|
||||
One SSL_SESSION object, regardless of its reference count, must therefore
|
||||
only be used with one SSL_CTX object (and the SSL objects created
|
||||
from this SSL_CTX object).
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
||||
The following return values can occur:
|
||||
@@ -42,6 +50,7 @@ The operation succeeded.
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
|
||||
L<SSL_get_session(3)|SSL_get_session(3)>,
|
||||
L<SSL_session_reused(3)|SSL_session_reused(3)>,
|
||||
L<SSL_CTX_set_session_cache_mode(3)|SSL_CTX_set_session_cache_mode(3)>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user