Phil Mayers wrote:
On 10/20/2011 01:25 PM, Alan DeKok wrote: I'm looking at the code for handling SSL sessions, and I'm not sure it's right with regards reference counting.
I have no idea...
I'm comparing it with the code in mod_ssl, which I'm assuming is definitely right; in their "delete" callback, they don't call SSL_SESSION_free(). They also return "0" from their "new" callback, indicating as they say:
/* * return 0 which means to OpenSSL that the pNew is still * valid and was not freed by us with SSL_SESSION_free(). */ return 0;
Are we sure the session code is doing the right things?
It works... until you do session resumption. :(
Of course, the crappy OpenSSL API is really, really badly documented so it's hard to be sure...
Yeah. It reminds me of the documentation for a graphing program I used in university. 400 pages of documentation, and *every single* example in it produced "syntax error" when typed in verbatim. It takes dedication to be that incompetent. Alan DeKok.