1=pod
2
3=head1 NAME
4
5SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching
6
7=head1 SYNOPSIS
8
9 #include <openssl/ssl.h>
10
11 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
12                              int (*new_session_cb)(SSL *, SSL_SESSION *));
13 void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
14                                 void (*remove_session_cb)(SSL_CTX *ctx,
15                                                           SSL_SESSION *));
16 void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
17                              SSL_SESSION (*get_session_cb)(SSL *,
18                                                            const unsigned char *,
19                                                            int, int *));
20
21 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
22                                              SSL_SESSION *sess);
23 void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
24                                                  SSL_SESSION *sess);
25 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
26                                                       const unsigned char *data,
27                                                       int len, int *copy);
28
29=head1 DESCRIPTION
30
31SSL_CTX_sess_set_new_cb() sets the callback function that is
32called whenever a new session was negotiated.
33
34SSL_CTX_sess_set_remove_cb() sets the callback function that is
35called whenever a session is removed by the SSL engine.  For example,
36this can occur because a session is considered faulty or has become obsolete
37because of exceeding the timeout value.
38
39SSL_CTX_sess_set_get_cb() sets the callback function that is called
40whenever a TLS client proposed to resume a session but the session
41could not be found in the internal session cache (see
42L<SSL_CTX_set_session_cache_mode(3)>).
43(TLS server only.)
44
45SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and
46SSL_CTX_sess_get_get_cb() retrieve the function pointers set by the
47corresponding set callback functions. If a callback function has not been
48set, the NULL pointer is returned.
49
50=head1 NOTES
51
52In order to allow external session caching, synchronization with the internal
53session cache is realized via callback functions. Inside these callback
54functions, session can be saved to disk or put into a database using the
55L<d2i_SSL_SESSION(3)> interface.
56
57The new_session_cb() is called whenever a new session has been negotiated and
58session caching is enabled (see L<SSL_CTX_set_session_cache_mode(3)>).  The
59new_session_cb() is passed the B<ssl> connection and the nascent
60ssl session B<sess>.
61Since sessions are reference-counted objects, the reference count on the
62session is incremented before the callback, on behalf of the application.  If
63the callback returns B<0>, the session will be immediately removed from the
64internal cache and the reference count released. If the callback returns B<1>,
65the application retains the reference (for an entry in the
66application-maintained "external session cache"), and is responsible for
67calling SSL_SESSION_free() when the session reference is no longer in use.
68
69Note that in TLSv1.3, sessions are established after the main
70handshake has completed. The server decides when to send the client the session
71information and this may occur some time after the end of the handshake (or not
72at all). This means that applications should expect the new_session_cb()
73function to be invoked during the handshake (for <= TLSv1.2) or after the
74handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to
75be established with a single connection. In these case the new_session_cb()
76function will be invoked multiple times.
77
78In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
79resumption once. One way of enforcing that is for applications to call
80L<SSL_CTX_remove_session(3)> after a session has been used.
81
82The remove_session_cb() is called whenever the SSL engine removes a session
83from the internal cache. This can happen when the session is removed because
84it is expired or when a connection was not shutdown cleanly. It also happens
85for all sessions in the internal session cache when
86L<SSL_CTX_free(3)> is called. The remove_session_cb() is passed
87the B<ctx> and the ssl session B<sess>. It does not provide any feedback.
88
89The get_session_cb() is only called on SSL/TLS servers, and is given
90the session id
91proposed by the client. The get_session_cb() is always called, even when
92session caching was disabled. The get_session_cb() is passed the
93B<ssl> connection and the session id of length B<length> at the memory location
94B<data>. By setting the parameter B<copy> to B<1>, the callback can require the
95SSL engine to increment the reference count of the SSL_SESSION object;
96setting B<copy> to B<0> causes the reference count to remain unchanged.
97If the get_session_cb() does not write to B<copy>, the reference count
98is incremented and the session must be explicitly freed with
99L<SSL_SESSION_free(3)>.
100
101=head1 RETURN VALUES
102
103SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb() and SSL_CTX_sess_get_get_cb()
104return different callback function pointers respectively.
105
106=head1 SEE ALSO
107
108L<ssl(7)>, L<d2i_SSL_SESSION(3)>,
109L<SSL_CTX_set_session_cache_mode(3)>,
110L<SSL_CTX_flush_sessions(3)>,
111L<SSL_SESSION_free(3)>,
112L<SSL_CTX_free(3)>
113
114=head1 COPYRIGHT
115
116Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
117
118Licensed under the Apache License 2.0 (the "License").  You may not use
119this file except in compliance with the License.  You can obtain a copy
120in the file LICENSE in the source distribution or at
121L<https://www.openssl.org/source/license.html>.
122
123=cut
124