Greetings.

I wonder if the session-id generator really provides uniqueness.

The def_generate_session_id checks uniqueness by calling
SSL_has_matching_session_id. (ssl_sess.c)
SSL_has_matching_session_id checks uniqueness by calling
lh_retrieve(ssl->ctx->sessions, &r). (ssl_lib.c)

So, if SSL_has_matching_session_id doesn't call get_session_cb (as in
get_prev_session, i.e. doesn't check the external cache), I suspect that uniqueness is only local, not
cache-wide.


Am I missing something, or is this an error?


--
Best regards,
Anthony Pankov mailto:ap00@mail.ru


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
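A self-contained model of the concern raised in the post above, added here as an illustration and not taken from OpenSSL or from the poster: two workers share an external session store, and the ID generator either checks only the worker's internal cache (the path the post traces through SSL_has_matching_session_id) or also checks the shared store. The 1-byte IDs, the toy LCG, the identical RNG seeds and all function names are constructed assumptions chosen to make a collision observable.

```c
#include <stdio.h>
#define MAX_IDS 64

/* Toy store of 1-byte session IDs, and a worker with its own cache + RNG. */
typedef struct { unsigned char ids[MAX_IDS]; int n; } store_t;
typedef struct { store_t local; unsigned state; } worker_t;

static int store_has(const store_t *s, unsigned char id) {
    for (int i = 0; i < s->n; i++)
        if (s->ids[i] == id) return 1;
    return 0;
}
static void store_add(store_t *s, unsigned char id) {
    if (s->n < MAX_IDS) s->ids[s->n++] = id;
}
static unsigned char next_candidate(worker_t *w) {
    w->state = w->state * 1103515245u + 12345u; /* toy LCG, not a CSPRNG */
    return (unsigned char)(w->state >> 16);
}

/* Pick an ID, retrying on conflict; check_ext adds the shared-store lookup. */
static int gen_id(worker_t *w, const store_t *ext, int check_ext,
                  unsigned char *out) {
    for (int tries = 0; tries < 10; tries++) {
        unsigned char id = next_candidate(w);
        if (store_has(&w->local, id)) continue;        /* internal cache */
        if (check_ext && store_has(ext, id)) continue; /* external cache */
        store_add(&w->local, id);
        *out = id;
        return 1;
    }
    return 0;
}

/* Two workers with identical RNG state take turns issuing IDs; returns how
 * many issued IDs were already present in the shared external store. */
static int count_duplicates(int check_ext) {
    worker_t w[2] = { { { {0}, 0 }, 1u }, { { {0}, 0 }, 1u } };
    store_t ext = { {0}, 0 };
    int dups = 0;
    for (int round = 0; round < 8; round++) {
        unsigned char id;
        if (!gen_id(&w[round % 2], &ext, check_ext, &id)) continue;
        dups += store_has(&ext, id);
        store_add(&ext, id);
    }
    return dups;
}
int main(void) {
    printf("local only: %d dup(s)\n", count_duplicates(0));
    printf("local+external: %d dup(s)\n", count_duplicates(1));
    return 0;
}
```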