On Fri, 30 May 2003, Cyrill Osterwalder wrote:

> The only reason why I keep my curl handle at this point is because I'd like
> to benefit from SSL session resumes. I'm testing the SSL handshakes and
> find that the SSL sessions are not resumed if I create new curl handles so
> reusing the handle looks like a must.

Correct. That is the only way libcurl supports session ID caching/re-use.

> However, reusing the curl handle does not seem to provide 100% SSL session
> resume support. According to the OpenSSL trace log of the web server,
> libcurl does not seem to update it's SSL session

Can you provide us with a public URL and example code showing this happen?

> - if it is not a new handshake but an attempt to resume the SSL session
>
> - if the server does not resume the SSL session for any reason (SSL session
> dead, cache miss, etc)

libcurl re-uses the session ID if it has one in its cache for the same name,
and it has no existing TCP connection to the site (if it has it re-uses that
instead).

That's the theory at least.

> In this case, a new SSL session is created between client and server but it
> does not seem to be kept by the libcurl client. This happens now for each
> following requests. I can provide the server SSL engine log files if
> anybody would be interested.

Well, it would be better if you could also debug libcurl to see if it
actually has the ID in the cache but doesn't re-use it, or if it actually
attempts to re-use it but it somehow fails.

> Any ideas on this? Is this an OpenSSL issue?

I don't know, I don't use this much myself and I don't think we have any test
cases for it.

-- 
 Daniel Stenberg -- curl: been grokking URLs since 1998
-------------------------------------------------------
This SF.net email is sponsored by: eBay
Get office equipment for less on eBay!
http://adfarm.mediaplex.com/ad/ck/711-11697-6916-5