I wonder if the session-id generator really provides uniqueness.

The def_generate_session_id checks uniqueness by calling
SSL_has_matching_session_id. (ssl_sess.c)
SSL_has_matching_session_id checks uniqueness by calling
lh_retrieve(ssl->ctx->sessions, &r). (ssl_lib.c)

So, if SSL_has_matching_session_id doesn't call get_session_cb (as in
get_prev_session, i.e. doesn't check the external cache), I suspect that uniqueness is only local, not

Am I missing something, or is this an error?

Best regards,
Anthony Pankov

______________________________________________________________________
OpenSSL Project
User Support Mailing List
Automated List Manager
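
A model of the concern raised in the message above, added here as an example; it is not part of the original post and is not OpenSSL code. It assumes two server nodes that share one external session cache, shrinks IDs to one byte so collisions become observable, and uses hypothetical names (`simulate`, `next_id`) and a constructed retry bound.

```c
/* Added model, not OpenSSL code: two server nodes share an external session
 * cache but test new IDs only against their own local table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ID_SPACE     256  /* constructed: 1-byte IDs so collisions are visible */
#define MAX_ATTEMPTS 10   /* constructed retry bound for the generator loop */
#define NODES        2

static uint32_t rng_state;

/* Deterministic stand-in for the random source (top byte of an LCG). */
static uint8_t next_id(void)
{
    rng_state = rng_state * 1664525u + 1013904223u;
    return (uint8_t)(rng_state >> 24);
}

/* Issues per_node sessions on each node and returns how many accepted IDs
 * were already present in the shared external cache. */
int simulate(int check_external, int per_node)
{
    uint8_t local[NODES][ID_SPACE], external[ID_SPACE];
    int collisions = 0;

    memset(local, 0, sizeof local);
    memset(external, 0, sizeof external);
    rng_state = 12345u;                      /* fixed seed: repeatable run */

    for (int i = 0; i < per_node * NODES; i++) {
        uint8_t *mine = local[i % NODES], id = 0;
        int ok = 0;
        for (int n = 0; n < MAX_ATTEMPTS && !ok; n++) {
            id = next_id();
            /* local lookup only, unless the external check is enabled */
            ok = !mine[id] && !(check_external && external[id]);
        }
        if (!ok)
            continue;                        /* generation failed, no session */
        collisions += external[id];          /* ID already issued elsewhere */
        mine[id] = external[id] = 1;
    }
    return collisions;
}

int main(void)
{
    printf("local check only:   %d cross-node collisions\n", simulate(0, 100));
    printf("local + external:   %d cross-node collisions\n", simulate(1, 100));
    return 0;
}
```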