128 available can improve performance. Another flag that can be set is SSL_SESS_CACHE_NO_INTERNAL_LOOKUP . Up to this point, weve relied solely on the internal lookup, but in the next section, well outline an on-disk caching method that can replace the internal lookup methods. Session caching adds subtleties when we also use connection renegotiations. Before implementing a caching server, we should be aware of the potential pitfalls. The section below on renegotiation explores some of these problems after explaining a little more about what renegotiation entails.

5.2.1.3 An on-disk, session caching framework

OpenSSLs session caching features include API calls to set three callbacks for synchronization of sessions with external caches. Like other OpenSSL callbacks, three functions are used to set a pointer to the callback function. For each one, the first argument is an SSL_CTX object, and the second argument is a pointer to the callback function. The callback set by SSL_CTX_sess_set_new_cb is invoked whenever a new SSL_SESSION is created by the SSL_CTX object. This callback enables us to add the new session to our external container. If the callback returns zero, the session object will not be cached. A nonzero return allows the session to be cached. int new_session_cbSSL ctx, SSL_SESSION session; ctx The SSL connections connection object. session A newly created session object. The callback set by SSL_CTX_sess_set_remove_cb is invoked whenever an SSL_SESSION is destroyed. It is called just before the session object is destroyed because it is invalid or has expired. void remove_session_cbSSL_CTX ctx, SSL_SESSION session; ctx The SSL_CTX object that is destroying the session. session The session object that is about to be destroyed because its invalid or expiring. The SSL_CTX_sess_set_get_cb function is used to set a cache retrieval callback. The assigned function is called whenever the internal cache cannot find a hit for the requested session resumption. In other words, this callback should query our external cache in hopes of finding a match. SSL_SESSION get_session_cbSSL ctx, unsigned char id, int len, int ref; ctx 129 The SSL connections connection object. id The session ID thats being requested by the peer. It should be noted that the session ID is distinctly different from the session ID context. The context is an application specific classification on session groups, whereas the session ID is an identifier for a peer. len The length of the session ID. Since the session ID can be any arbitrary string of characters, it may not necessarily be NULL terminated. Thus, the length of the session ID must also be specified. ref An output from the callback. It is used to allow the callback to specify whether the reference count on the returned session object should be incremented or not. It returns as nonzero if the objects reference count should be incremented; otherwise, zero is returned. Some of the features required by the caching mechanism in Example 5-14 are easily implemented. Since we are using files to store the sessions, we can use the filesystems built-in locking mechanisms. In order to write the keys to disk, we can use the macro PEM_write_bio_SSL_SESSION , but it doesnt allow for encryption. Remember, SSL_SESSION objects hold the shared secrets that were negotiated; thus, their contents shoud be protected when serialized. Instead, we can call the underlying function PEM_ASN1_write_bio directly. Alternatively, it may be sufficient for some applications to simply use a secure directory and write the sessions unencrypted. In general, it is far safer to use encryption with an in-memory key. Example 5-14. A framework for external session caching new_session_cb { acquire a lock for the file named according to the session id open file named according to session id encrypt and write the SSL_SESSION object to the file release the lock } remove_session_cb { acquire a lock for the file named according to the session id remove the file named according to the session id release the lock } get_session_cb { acquire a lock for the file named according to the session id in the 2nd arg read and decrypt contents of file and create a new SSL_SESSION object release the lock set the integer referenced by the fourth parameter to 0 return the new session object } TE AM FL Y Team-Fly ® 130 This framework, when implemented, provides a powerful mechanism for session caching. By using the filesystem, the cache isnt constrained by memory restrictions. Additionally, it is easier to use than an in-memory caching scheme since the on-disk scheme allows multiple processes to access the session cache.

5.2.2 IO on SSL Connections