<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Tue, Dec 23, 2014 at 8:23 PM, Ryan Culpepper <span dir="ltr"><<a href="mailto:ryanc@ccs.neu.edu" target="_blank">ryanc@ccs.neu.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Dec 23, 2014, at 5:21 AM, Snyder Pearson <<a href="mailto:aranhoide@getlantern.org">aranhoide@getlantern.org</a>> wrote:<br>
<br>
> I can't see any way to control either client or server-side SSL/TLS session caching using Racket's openssl bindings. I don't really need such control as long as the server-side part of it works as (IIUC) OpenSSL does by default, that is, each server-side SSL context contains a session cache that is populated and used as long as the client side shuts down their SSL sessions properly.<br>
><br>
> Is this understanding correct? Either way, do Racket's openssl bindings work like this?<br>
<br>
</span>I’m going off of fuzzy memories, but I think it will not work by default because Racket closes SSL connections without sending the shutdown message, and that’s supposed to invalidate the session. (Because it could indicate that an attacker truncated communication before, say, a ChangeCipherSpec message or something similar.)<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div>Thanks! While that's indeed Racket's default behavior, you can override that via the #:shutdown-on-close? parameter of ports->ssl-ports [1]. Also, that only applies to Racket servers talking to clients that also use (the openssl bindings of) Racket, or which otherwise don't send shutdown messages.<br><br></div><div>So let me slightly reformulate my question: does a Racket TLS server do session caching, provided that clients send shutdown messages appropriately when closing their connections? Or is there anything in the implementation of Racket's openssl bindings that inhibits OpenSSL's default caching behavior?<br></div><div><br></div><div>[1] Thanks again to Matthew Flatt for very helpfully pointing this out to me recently -- and for your amazing work on Racket.<br></div></div><br></div></div>