openssl/doc/man3/SSL_CTX_sess_set_get_cb.pod

=pod

=head1 NAME

SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,
                              int (*new_session_cb)(SSL *, SSL_SESSION *));
 void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,
                                 void (*remove_session_cb)(SSL_CTX *ctx,
                                                           SSL_SESSION *));
 void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,
                              SSL_SESSION (*get_session_cb)(SSL *,
                                                            const unsigned char *,
                                                            int, int *));

 int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
                                              SSL_SESSION *sess);
 void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx,
                                                  SSL_SESSION *sess);
 SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl,
                                                       const unsigned char *data,
                                                       int len, int *copy);

=head1 DESCRIPTION

SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically
called whenever a new session was negotiated.

SSL_CTX_sess_set_remove_cb() sets the callback function, which is
automatically called whenever a session is removed by the SSL engine,
because it is considered faulty or the session has become obsolete because
of exceeding the timeout value.

SSL_CTX_sess_set_get_cb() sets the callback function which is called,
whenever a SSL/TLS client proposed to resume a session but the session
could not be found in the internal session cache (see
L<SSL_CTX_set_session_cache_mode(3)>).
(SSL/TLS server only.)

SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and
SSL_CTX_sess_get_get_cb() retrieve the function pointers set by the
corresponding set callback functions. If a callback function has not been
set, the NULL pointer is returned.

=head1 NOTES

In order to allow external session caching, synchronization with the internal
session cache is realized via callback functions. Inside these callback
functions, session can be saved to disk or put into a database using the
L<d2i_SSL_SESSION(3)> interface.

The new_session_cb() is called, whenever a new session has been negotiated
and session caching is enabled (see
L<SSL_CTX_set_session_cache_mode(3)>).
The new_session_cb() is passed the B<ssl> connection and the ssl session
B<sess>. If the callback returns B<0>, the session will be immediately
removed again. Note that in TLSv1.3, sessions are established after the main
handshake has completed. The server decides when to send the client the session
information and this may occur some time after the end of the handshake (or not
at all). This means that applications should expect the new_session_cb()
function to be invoked during the handshake (for <= TLSv1.2) or after the
handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to
be established with a single connection. In these case the new_session_cb()
function will be invoked multiple times.

In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
resumption once. One way of enforcing that is for applications to call
L<SSL_CTX_remove_session(3)> after a session has been used.

The remove_session_cb() is called, whenever the SSL engine removes a session
from the internal cache. This happens when the session is removed because
it is expired or when a connection was not shutdown cleanly. It also happens
for all sessions in the internal session cache when
L<SSL_CTX_free(3)> is called. The remove_session_cb() is passed
the B<ctx> and the ssl session B<sess>. It does not provide any feedback.

The get_session_cb() is only called on SSL/TLS servers with the session id
proposed by the client. The get_session_cb() is always called, also when
session caching was disabled. The get_session_cb() is passed the
B<ssl> connection, the session id of length B<length> at the memory location
B<data>. With the parameter B<copy> the callback can require the
SSL engine to increment the reference count of the SSL_SESSION object,
Normally the reference count is not incremented and therefore the
session must not be explicitly freed with
L<SSL_SESSION_free(3)>.

=head1 RETURN VALUES

SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb() and SSL_CTX_sess_get_get_cb()
return different callback function pointers respectively.

=head1 SEE ALSO

L<ssl(7)>, L<d2i_SSL_SESSION(3)>,
L<SSL_CTX_set_session_cache_mode(3)>,
L<SSL_CTX_flush_sessions(3)>,
L<SSL_SESSION_free(3)>,
L<SSL_CTX_free(3)>

=head1 COPYRIGHT

Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Document session caching, first step. 2001-02-02 22:40:52 +08:00			`=pod`

			`=head1 NAME`

			`SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SSL_CTX_sess_get_new_cb, SSL_CTX_sess_get_remove_cb, SSL_CTX_sess_get_get_cb - provide callback functions for server side external session caching`

			`=head1 SYNOPSIS`

			`#include <openssl/ssl.h>`

			`void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx,`
Fix nits in pod files. Add doc-nit-check to help find future issues. Make podchecker be almost clean. Remove trailing whitespace. Tab expansion Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-20 20:11:46 +08:00			`int (new_session_cb)(SSL , SSL_SESSION *));`
Document session caching, first step. 2001-02-02 22:40:52 +08:00			`void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx,`
doc/man3: reformat the function prototypes in the synopses I tried hard to keep the lines at 80 characters or less, but in a few cases I had to punt and just indented the subsequent lines by 4 spaces. A few well-placed typedefs for callback functions would really help, but these would be part of the API, so that's probably for later. I also took the liberty of inserting empty lines in overlong blocks to provide some visual space. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1956) 2017-01-21 02:58:49 +08:00			`void (remove_session_cb)(SSL_CTX ctx,`
			`SSL_SESSION *));`
Document session caching, first step. 2001-02-02 22:40:52 +08:00			`void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx,`
doc/man3: reformat the function prototypes in the synopses I tried hard to keep the lines at 80 characters or less, but in a few cases I had to punt and just indented the subsequent lines by 4 spaces. A few well-placed typedefs for callback functions would really help, but these would be part of the API, so that's probably for later. I also took the liberty of inserting empty lines in overlong blocks to provide some visual space. Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1956) 2017-01-21 02:58:49 +08:00			`SSL_SESSION (get_session_cb)(SSL ,`
			`const unsigned char *,`
			`int, int *));`

			`int (SSL_CTX_sess_get_new_cb(SSL_CTX ctx))(struct ssl_st *ssl,`
			`SSL_SESSION *sess);`
			`void (SSL_CTX_sess_get_remove_cb(SSL_CTX ctx))(struct ssl_ctx_st *ctx,`
			`SSL_SESSION *sess);`
			`SSL_SESSION (SSL_CTX_sess_get_get_cb(SSL_CTX ctx))(struct ssl_st ssl,`
			`const unsigned char *data,`
			`int len, int *copy);`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
			`=head1 DESCRIPTION`

			`SSL_CTX_sess_set_new_cb() sets the callback function, which is automatically`
			`called whenever a new session was negotiated.`

			`SSL_CTX_sess_set_remove_cb() sets the callback function, which is`
			`automatically called whenever a session is removed by the SSL engine,`
			`because it is considered faulty or the session has become obsolete because`
			`of exceeding the timeout value.`

			`SSL_CTX_sess_set_get_cb() sets the callback function which is called,`
			`whenever a SSL/TLS client proposed to resume a session but the session`
			`could not be found in the internal session cache (see`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_CTX_set_session_cache_mode(3)>).`
Document session caching, first step. 2001-02-02 22:40:52 +08:00			`(SSL/TLS server only.)`

			`SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb(), and`
Fix spelling errors in documentation. Also fix some clumsy wording. [skip_ci] Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6545) 2018-06-21 11:39:23 +08:00			`SSL_CTX_sess_get_get_cb() retrieve the function pointers set by the`
			`corresponding set callback functions. If a callback function has not been`
			`set, the NULL pointer is returned.`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
			`=head1 NOTES`

			`In order to allow external session caching, synchronization with the internal`
			`session cache is realized via callback functions. Inside these callback`
			`functions, session can be saved to disk or put into a database using the`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<d2i_SSL_SESSION(3)> interface.`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
			`The new_session_cb() is called, whenever a new session has been negotiated`
			`and session caching is enabled (see`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_CTX_set_session_cache_mode(3)>).`
Document session caching, first step. 2001-02-02 22:40:52 +08:00			`The new_session_cb() is passed the B<ssl> connection and the ssl session`
Documenting session caching, 2nd step. 2001-02-05 02:05:27 +08:00			`B<sess>. If the callback returns B<0>, the session will be immediately`
More SSL_SESSION documentation tweaks based on feedback Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-04-26 22:14:03 +08:00			`removed again. Note that in TLSv1.3, sessions are established after the main`
Documentation updates for TLSv1.3 sessions Add documentation for SSL_SESSION_is_resumable(). Also describe the interaction of the various session functions and TLSv1.3 post-handshake sessions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-03-21 21:51:03 +08:00			`handshake has completed. The server decides when to send the client the session`
			`information and this may occur some time after the end of the handshake (or not`
			`at all). This means that applications should expect the new_session_cb()`
			`function to be invoked during the handshake (for <= TLSv1.2) or after the`
			`handshake (for TLSv1.3). It is also possible in TLSv1.3 for multiple sessions to`
			`be established with a single connection. In these case the new_session_cb()`
			`function will be invoked multiple times.`

			`In TLSv1.3 it is recommended that each SSL_SESSION object is only used for`
Clarify that SSL_CTX_remove_session() marks a session as non-resumable Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-04-26 22:16:18 +08:00			`resumption once. One way of enforcing that is for applications to call`
			`L<SSL_CTX_remove_session(3)> after a session has been used.`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
			`The remove_session_cb() is called, whenever the SSL engine removes a session`
Add warning about unwanted side effect when calling SSL_CTX_free(): sessions in the external session cache might be removed. Submitted by: "Nadav Har'El" <nyh@math.technion.ac.il> PR: 547 2003-03-28 06:04:05 +08:00			`from the internal cache. This happens when the session is removed because`
			`it is expired or when a connection was not shutdown cleanly. It also happens`
			`for all sessions in the internal session cache when`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_CTX_free(3)> is called. The remove_session_cb() is passed`
Add warning about unwanted side effect when calling SSL_CTX_free(): sessions in the external session cache might be removed. Submitted by: "Nadav Har'El" <nyh@math.technion.ac.il> PR: 547 2003-03-28 06:04:05 +08:00			`the B<ctx> and the ssl session B<sess>. It does not provide any feedback.`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
			`The get_session_cb() is only called on SSL/TLS servers with the session id`
			`proposed by the client. The get_session_cb() is always called, also when`
			`session caching was disabled. The get_session_cb() is passed the`
			`B<ssl> connection, the session id of length B<length> at the memory location`
			`B<data>. With the parameter B<copy> the callback can require the`
Update information as a partial response to the post From: "Chris D. Peterson" <cpeterson@aventail.com> Subject: Implementation Issues with OpenSSL To: openssl-users@openssl.org Date: Wed, 22 Aug 2001 16:13:17 -0700 The patch included in the original post may improve the internal session list handling (and is therefore worth a seperate investigation). No change to the list handling will however solve the problems of incorrect SSL_SESSION_free() calls. The session list is only one possible point of failure, dangling pointers would also occur for SSL object currently using the session. The correct solution is to only use SSL_SESSION_free() when applicable! 2001-10-12 20:29:16 +08:00			`SSL engine to increment the reference count of the SSL_SESSION object,`
			`Normally the reference count is not incremented and therefore the`
			`session must not be explicitly freed with`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_SESSION_free(3)>.`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
Add missing 'RETURN VALUES' sections in doc All missing sections are added. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4976) 2017-12-25 17:50:39 +08:00			`=head1 RETURN VALUES`

			`SSL_CTX_sess_get_new_cb(), SSL_CTX_sess_get_remove_cb() and SSL_CTX_sess_get_get_cb()`
			`return different callback function pointers respectively.`

Document session caching, first step. 2001-02-02 22:40:52 +08:00			`=head1 SEE ALSO`

Fix referenses in section 3 manuals Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1900) 2016-11-11 16:33:09 +08:00			`L<ssl(7)>, L<d2i_SSL_SESSION(3)>,`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_CTX_set_session_cache_mode(3)>,`
			`L<SSL_CTX_flush_sessions(3)>,`
			`L<SSL_SESSION_free(3)>,`
			`L<SSL_CTX_free(3)>`
Document session caching, first step. 2001-02-02 22:40:52 +08:00
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`=head1 COPYRIGHT`

Update all affected files' copyright year to 2018 Because the related PR/commits are merged in 2018... Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4976) 2018-01-16 01:01:46 +08:00			`Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00
Following the license change, modify the boilerplates in doc/man3/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7829) 2018-12-06 21:04:44 +08:00			`Licensed under the Apache License 2.0 (the "License"). You may not use`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`this file except in compliance with the License. You can obtain a copy`
			`in the file LICENSE in the source distribution or at`
			`L<https://www.openssl.org/source/license.html>.`

			`=cut`