Re: SSL session ID reuse - clarification needed
Date: Fri, 3 Jan 2020 23:29:04 +0100
Hi Daniel,
On Fri, Jan 03, 2020 at 09:21:04PM +0100, Daniel Jeliński via curl-library wrote:
> Hi all,
> I see that libcurl supports SSL session ID cache already, unless
> CURLOPT_SSL_SESSIONID_CACHE is cleared. However, I'm having a hard
> time finding information about the scope of session ID reuse:
> - Are session IDs reused only within an easy handle or globally for
> all handles within the application?
It looks like it is reused within an easy handle only. The attached
program was based on the output of:
curl --http1.1 -vIH connection:close https://example.com/ https://example.com/ --libcurl some.c
With `cc some.c -lcurl`, I see "SSL re-using session ID" in stderr.
With `cc some.c -lcurl -DRESET`, I do not see that line.
> - Does libcurl keep a mapping between host names and session IDs? As
> far as I can tell, OpenSSL does not.
It appears so. Aside from the hostname, the port number and TLS config
(client cert, certificate validation, etc.) are also checked:
https://github.com/curl/curl/blob/curl-7_67_0/lib/vtls/vtls.c#L344-L353
For OpenSSL, the relevant glue code is here:
https://github.com/curl/curl/blob/curl-7_67_0/lib/vtls/openssl.c#L2864-L2875
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl
- text/plain attachment: some.c
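
The lookup behaviour described in the reply above (a cache scoped to one easy handle, matched on hostname, port and TLS config), as an added example that is neither the attached some.c nor libcurl source. It is a simplified model: every struct and function name is hypothetical, and the case-insensitive hostname comparison is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified model, NOT libcurl source; every name below is hypothetical. */
#define SLOTS 4
struct tls_cfg { int verify_peer; const char *client_cert; };
struct session { int used; const char *host; int port; struct tls_cfg cfg; int id; };
struct handle  { struct session cache[SLOTS]; };   /* one cache per easy handle */

static int same_str(const char *a, const char *b) {
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* A session is only reusable under the same TLS settings it was created with. */
static int cfg_matches(const struct tls_cfg *a, const struct tls_cfg *b) {
    return a->verify_peer == b->verify_peer &&
           same_str(a->client_cert, b->client_cert);
}

/* Return the cached session id, or -1 when a full handshake is required. */
int session_lookup(const struct handle *h, const char *host, int port,
                   const struct tls_cfg *cfg) {
    for (int i = 0; i < SLOTS; i++) {
        const struct session *s = &h->cache[i];
        if (s->used && strcasecmp(s->host, host) == 0 && s->port == port &&
            cfg_matches(&s->cfg, cfg))
            return s->id;
    }
    return -1;
}

void session_store(struct handle *h, const char *host, int port,
                   const struct tls_cfg *cfg, int id) {
    int slot = 0;                       /* cache full: overwrite slot 0 */
    for (int i = 0; i < SLOTS; i++)
        if (!h->cache[i].used) { slot = i; break; }
    h->cache[slot] = (struct session){1, host, port, *cfg, id};
}

int main(void) {
    struct handle a = {0}, b = {0};     /* two independent easy handles */
    struct tls_cfg strict = {1, NULL}, lax = {0, NULL};
    session_store(&a, "example.com", 443, &strict, 7);   /* constructed data */
    printf("same handle and key: %d\n", session_lookup(&a, "EXAMPLE.com", 443, &strict));
    printf("verification off:    %d\n", session_lookup(&a, "example.com", 443, &lax));
    printf("other handle:        %d\n", session_lookup(&b, "example.com", 443, &strict));
    return 0;
}
```

Including the TLS config in the key is what keeps a session negotiated with certificate validation disabled from being resumed by a transfer that requires validation.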