[racket] OpenSSL: server-side session caching?

From: Ryan Culpepper (ryanc at ccs.neu.edu)
Date: Tue Dec 23 14:23:29 EST 2014

On Dec 23, 2014, at 5:21 AM, Snyder Pearson <aranhoide at getlantern.org> wrote:

> I can't see any way to control either client or server-side SSL/TLS session caching using Racket's openssl bindings.  I don't really need such control as long as the server-side part of it works as (IIUC) OpenSSL does by default, that is, each server-side SSL context contains a session cache that is populated and used as long as the client side shuts down their SSL sessions properly.
> 
> Is this understanding correct?  Either way, do Racket's openssl bindings work like this?

I’m going off of fuzzy memories, but I think it will not work by default because Racket closes SSL connections without sending the shutdown message, and that’s supposed to invalidate the session. (Because it could indicate that an attacker truncated communication before, say, a ChangeCipherSpec message or something similar.)

Ryan

Posted on the users mailing list.