| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | SSL_get_session, SSL_get0_session, SSL_get1_session - retrieve TLS/SSL session data
|
|---|
| 6 |
|
|---|
| 7 | =head1 SYNOPSIS
|
|---|
| 8 |
|
|---|
| 9 | #include <openssl/ssl.h>
|
|---|
| 10 |
|
|---|
| 11 | SSL_SESSION *SSL_get_session(const SSL *ssl);
|
|---|
| 12 | SSL_SESSION *SSL_get0_session(const SSL *ssl);
|
|---|
| 13 | SSL_SESSION *SSL_get1_session(SSL *ssl);
|
|---|
| 14 |
|
|---|
| 15 | =head1 DESCRIPTION
|
|---|
| 16 |
|
|---|
| 17 | SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
|
|---|
| 18 | B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
|
|---|
| 19 | that the pointer can become invalid by other operations.
|
|---|
| 20 |
|
|---|
| 21 | SSL_get0_session() is the same as SSL_get_session().
|
|---|
| 22 |
|
|---|
| 23 | SSL_get1_session() is the same as SSL_get_session(), but the reference
|
|---|
| 24 | count of the B<SSL_SESSION> is incremented by one.
|
|---|
| 25 |
|
|---|
| 26 | =head1 NOTES
|
|---|
| 27 |
|
|---|
| 28 | The ssl session contains all information required to re-establish the
|
|---|
| 29 | connection without a full handshake for SSL versions up to and including
|
|---|
| 30 | TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the
|
|---|
| 31 | main handshake has occurred. The server will send the session information to the
|
|---|
| 32 | client at a time of its choosing, which may be some while after the initial
|
|---|
| 33 | connection is established (or never). Calling these functions on the client side
|
|---|
| 34 | in TLSv1.3 before the session has been established will still return an
|
|---|
| 35 | SSL_SESSION object but that object cannot be used for resuming the session. See
|
|---|
| 36 | L<SSL_SESSION_is_resumable(3)> for information on how to determine whether an
|
|---|
| 37 | SSL_SESSION object can be used for resumption or not.
|
|---|
| 38 |
|
|---|
| 39 | Additionally, in TLSv1.3, a server can send multiple messages that establish a
|
|---|
| 40 | session for a single connection. In that case the above functions will only
|
|---|
| 41 | return information on the last session that was received.
|
|---|
| 42 |
|
|---|
| 43 | The preferred way for applications to obtain a resumable SSL_SESSION object is
|
|---|
| 44 | to use a new session callback as described in L<SSL_CTX_sess_set_new_cb(3)>.
|
|---|
| 45 | The new session callback is only invoked when a session is actually established,
|
|---|
| 46 | so this avoids the problem described above where an application obtains an
|
|---|
| 47 | SSL_SESSION object that cannot be used for resumption in TLSv1.3. It also
|
|---|
| 48 | enables applications to obtain information about all sessions sent by the
|
|---|
| 49 | server.
|
|---|
| 50 |
|
|---|
| 51 | A session will be automatically removed from the session cache and marked as
|
|---|
| 52 | non-resumable if the connection is not closed down cleanly, e.g. if a fatal
|
|---|
| 53 | error occurs on the connection or L<SSL_shutdown(3)> is not called prior to
|
|---|
| 54 | L<SSL_free(3)>.
|
|---|
| 55 |
|
|---|
| 56 | In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
|
|---|
| 57 | resumption once.
|
|---|
| 58 |
|
|---|
| 59 | SSL_get0_session() returns a pointer to the actual session. As the
|
|---|
| 60 | reference counter is not incremented, the pointer is only valid while
|
|---|
| 61 | the connection is in use. If L<SSL_clear(3)> or
|
|---|
| 62 | L<SSL_free(3)> is called, the session may be removed completely
|
|---|
| 63 | (if considered bad), and the pointer obtained will become invalid. Even
|
|---|
| 64 | if the session is valid, it can be removed at any time due to timeout
|
|---|
| 65 | during L<SSL_CTX_flush_sessions(3)>.
|
|---|
| 66 |
|
|---|
| 67 | If the data is to be kept, SSL_get1_session() will increment the reference
|
|---|
| 68 | count, so that the session will not be implicitly removed by other operations
|
|---|
| 69 | but stays in memory. In order to remove the session
|
|---|
| 70 | L<SSL_SESSION_free(3)> must be explicitly called once
|
|---|
| 71 | to decrement the reference count again.
|
|---|
| 72 |
|
|---|
| 73 | SSL_SESSION objects keep internal link information about the session cache
|
|---|
| 74 | list, when being inserted into one SSL_CTX object's session cache.
|
|---|
| 75 | One SSL_SESSION object, regardless of its reference count, must therefore
|
|---|
| 76 | only be used with one SSL_CTX object (and the SSL objects created
|
|---|
| 77 | from this SSL_CTX object).
|
|---|
| 78 |
|
|---|
| 79 | =head1 RETURN VALUES
|
|---|
| 80 |
|
|---|
| 81 | The following return values can occur:
|
|---|
| 82 |
|
|---|
| 83 | =over 4
|
|---|
| 84 |
|
|---|
| 85 | =item NULL
|
|---|
| 86 |
|
|---|
| 87 | There is no session available in B<ssl>.
|
|---|
| 88 |
|
|---|
| 89 | =item Pointer to an SSL_SESSION
|
|---|
| 90 |
|
|---|
| 91 | The return value points to the data of an SSL session.
|
|---|
| 92 |
|
|---|
| 93 | =back
|
|---|
| 94 |
|
|---|
| 95 | =head1 SEE ALSO
|
|---|
| 96 |
|
|---|
| 97 | L<ssl(7)>, L<SSL_free(3)>,
|
|---|
| 98 | L<SSL_clear(3)>,
|
|---|
| 99 | L<SSL_SESSION_free(3)>
|
|---|
| 100 |
|
|---|
| 101 | =head1 COPYRIGHT
|
|---|
| 102 |
|
|---|
| 103 | Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 104 |
|
|---|
| 105 | Licensed under the OpenSSL license (the "License"). You may not use
|
|---|
| 106 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 107 | in the file LICENSE in the source distribution or at
|
|---|
| 108 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 109 |
|
|---|
| 110 | =cut
|
|---|
