On Wed, Mar 25, 2015 at 03:32:08PM +0000, Dr. Stephen Henson wrote: > > I am trying to implement server side caching support for sessions by > > using callback functions. However, the callback functions are never > > being called, even though connection happens successfully without > > session resumption. For your reference some of the sample code I am > > pasting below: > > > > ssl_session_ctx_id = 1; > > SSL_CTX_set_session_id_context (c, (void *)&ssl_session_ctx_id, sizeof > > (ssl_session_ctx_id)); > > SSL_CTX_set_session_cache_mode(c, SSL_SESS_CACHE_SERVER | > > SSL_SESS_CACHE_NO_INTERNAL); > > SSL_CTX_sess_set_new_cb (c, custom_new_session_cb ); > > SSL_CTX_sess_set_remove_cb (c, custom_remove_session_cb ); > > SSL_CTX_sess_set_get_cb (c, custom_get_session_cb); > > > > > > Can somebody kindly help me as to what I am missing out here? What > > could be the reason behind the callback functions not being called? > > The client could be using session tickets which don't use a session cache. You > can try disabling them by setting SSL_OP_NO_TICKET. I would NOT recommend disabling session tickets, they are better than server-side caches. That said, Postfix supports both, ahd the callbacks are called. See lines 624-669 of: https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_server.c -- Viktor. line 165: static const char server_session_id_context[] = "Postfix/TLS"; lines 624-669: if (cachable || ticketable || props->set_sessid) { /* * Initialize the session cache. * * With a large number of concurrent smtpd(8) processes, it is not a * good idea to cache multiple large session objects in each process. * We set the internal cache size to 1, and don't register a * "remove_cb" so as to avoid deleting good sessions from the * external cache prematurely (when the internal cache is full, * OpenSSL removes sessions from the external cache also)! * * This makes SSL_CTX_remove_session() not useful for flushing broken * sessions from the external cache, so we must delete them directly * (not via a callback). * * Set a session id context to identify to what type of server process * created a session. In our case, the context is simply the name of * the mail system: "Postfix/TLS". */ SSL_CTX_sess_set_cache_size(server_ctx, 1); SSL_CTX_set_session_id_context(server_ctx, (void *) &server_session_id_context, sizeof(server_session_id_context)); SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR); if (cachable) { app_ctx->cache_type = mystrdup(props->cache_type); SSL_CTX_sess_set_get_cb(server_ctx, get_server_session_cb); SSL_CTX_sess_set_new_cb(server_ctx, new_server_session_cb); } /* * OpenSSL ignores timed-out sessions. We need to set the internal * cache timeout at least as high as the external cache timeout. This * applies even if no internal cache is used. We set the session * lifetime to twice the cache lifetime, which is also the issuing * and retired key validation lifetime of session tickets keys. This * way a session always lasts longer than the server's ability to * decrypt its session ticket. Otherwise, a bug in OpenSSL may fail * to re-issue tickets when sessions decrypt, but are expired. */ SSL_CTX_set_timeout(server_ctx, 2 * scache_timeout); }
