openssl/doc/man3/SSL_get_session.pod

=pod

=head1 NAME

SSL_get_session, SSL_get0_session, SSL_get1_session - retrieve TLS/SSL session data

=head1 SYNOPSIS

 #include <openssl/ssl.h>

 SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get0_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl);

=head1 DESCRIPTION

SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in
B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so
that the pointer can become invalid by other operations.

SSL_get0_session() is the same as SSL_get_session().

SSL_get1_session() is the same as SSL_get_session(), but the reference
count of the B<SSL_SESSION> is incremented by one.

=head1 NOTES

The ssl session contains all information required to re-establish the
connection without a full handshake for SSL versions up to and including
TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the
main handshake has occurred. The server will send the session information to the
client at a time of its choosing, which may be some while after the initial
connection is established (or never). Calling these functions on the client side
in TLSv1.3 before the session has been established will still return an
SSL_SESSION object but that object cannot be used for resuming the session. See
L<SSL_SESSION_is_resumable(3)> for information on how to determine whether an
SSL_SESSION object can be used for resumption or not.

Additionally, in TLSv1.3, a server can send multiple messages that establish a
session for a single connection. In that case, on the client side, the above
functions will only return information on the last session that was received. On
the server side they will only return information on the last session that was
sent, or if no session tickets were sent then the session for the current
connection.

The preferred way for applications to obtain a resumable SSL_SESSION object is
to use a new session callback as described in L<SSL_CTX_sess_set_new_cb(3)>.
The new session callback is only invoked when a session is actually established,
so this avoids the problem described above where an application obtains an
SSL_SESSION object that cannot be used for resumption in TLSv1.3. It also
enables applications to obtain information about all sessions sent by the
server.

A session will be automatically removed from the session cache and marked as
non-resumable if the connection is not closed down cleanly, e.g. if a fatal
error occurs on the connection or L<SSL_shutdown(3)> is not called prior to
L<SSL_free(3)>.

In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
resumption once.

SSL_get0_session() returns a pointer to the actual session. As the
reference counter is not incremented, the pointer is only valid while
the connection is in use. If L<SSL_clear(3)> or
L<SSL_free(3)> is called, the session may be removed completely
(if considered bad), and the pointer obtained will become invalid. Even
if the session is valid, it can be removed at any time due to timeout
during L<SSL_CTX_flush_sessions(3)>.

If the data is to be kept, SSL_get1_session() will increment the reference
count, so that the session will not be implicitly removed by other operations
but stays in memory. In order to remove the session
L<SSL_SESSION_free(3)> must be explicitly called once
to decrement the reference count again.

SSL_SESSION objects keep internal link information about the session cache
list, when being inserted into one SSL_CTX object's session cache.
One SSL_SESSION object, regardless of its reference count, must therefore
only be used with one SSL_CTX object (and the SSL objects created
from this SSL_CTX object).

=head1 RETURN VALUES

The following return values can occur:

=over 4

=item NULL

There is no session available in B<ssl>.

=item Pointer to an SSL_SESSION

The return value points to the data of an SSL session.

=back

=head1 SEE ALSO

L<ssl(7)>, L<SSL_free(3)>,
L<SSL_clear(3)>,
L<SSL_SESSION_free(3)>

=head1 COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00			`=pod`

			`=head1 NAME`

Document updates from wiki. PR#3071 The primary changes made are: - Updates to the "NAME" section of many pages to correctly reflect the functions defined on those pages. This section is automatically parsed by the util/extract-names.pl script, so if it is not correct then running "man" will not correctly locate the right manual pages. - Updates to take account of where functions are now deprecated - Full documentation of the ec sub-library - A number of other typo corrections and other minor tweaks 2013-06-13 06:42:08 +08:00			`SSL_get_session, SSL_get0_session, SSL_get1_session - retrieve TLS/SSL session data`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00
			`=head1 SYNOPSIS`

			`#include <openssl/ssl.h>`

update docs (recent constification) 2005-03-30 19:50:14 +08:00			`SSL_SESSION SSL_get_session(const SSL ssl);`
			`SSL_SESSION SSL_get0_session(const SSL ssl);`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00			`SSL_SESSION SSL_get1_session(SSL ssl);`

			`=head1 DESCRIPTION`

ispell and some other nit-picking 2000-09-16 23:39:28 +08:00			`SSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in`
			`B<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so`
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00			`that the pointer can become invalid by other operations.`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00
			`SSL_get0_session() is the same as SSL_get_session().`

			`SSL_get1_session() is the same as SSL_get_session(), but the reference`
ispell and some other nit-picking 2000-09-16 23:39:28 +08:00			`count of the B<SSL_SESSION> is incremented by one.`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00			`=head1 NOTES`

			`The ssl session contains all information required to re-establish the`
Tweak SSL_get_session.pod wording Based on feedback received. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-03-23 19:56:46 +08:00			`connection without a full handshake for SSL versions up to and including`
			`TLSv1.2. In TLSv1.3 the same is true, but sessions are established after the`
			`main handshake has occurred. The server will send the session information to the`
			`client at a time of its choosing, which may be some while after the initial`
			`connection is established (or never). Calling these functions on the client side`
			`in TLSv1.3 before the session has been established will still return an`
			`SSL_SESSION object but that object cannot be used for resuming the session. See`
			`L<SSL_SESSION_is_resumable(3)> for information on how to determine whether an`
			`SSL_SESSION object can be used for resumption or not.`

			`Additionally, in TLSv1.3, a server can send multiple messages that establish a`
Clarify what SSL_get_session() does on the server side in TLSv1.3 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16582) 2021-09-11 17:02:21 +08:00			`session for a single connection. In that case, on the client side, the above`
			`functions will only return information on the last session that was received. On`
			`the server side they will only return information on the last session that was`
			`sent, or if no session tickets were sent then the session for the current`
			`connection.`
Documentation updates for TLSv1.3 sessions Add documentation for SSL_SESSION_is_resumable(). Also describe the interaction of the various session functions and TLSv1.3 post-handshake sessions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-03-21 21:51:03 +08:00
			`The preferred way for applications to obtain a resumable SSL_SESSION object is`
			`to use a new session callback as described in L<SSL_CTX_sess_set_new_cb(3)>.`
			`The new session callback is only invoked when a session is actually established,`
			`so this avoids the problem described above where an application obtains an`
			`SSL_SESSION object that cannot be used for resumption in TLSv1.3. It also`
			`enables applications to obtain information about all sessions sent by the`
			`server.`

Document when a session gets removed from cache Document the fact that if a session is not closed down cleanly then the session gets removed from the cache and marked as non-resumable. Fixes #4720 Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/6053) 2018-04-23 18:23:43 +08:00			`A session will be automatically removed from the session cache and marked as`
			`non-resumable if the connection is not closed down cleanly, e.g. if a fatal`
			`error occurs on the connection or L<SSL_shutdown(3)> is not called prior to`
			`L<SSL_free(3)>.`

Documentation updates for TLSv1.3 sessions Add documentation for SSL_SESSION_is_resumable(). Also describe the interaction of the various session functions and TLSv1.3 post-handshake sessions. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3008) 2017-03-21 21:51:03 +08:00			`In TLSv1.3 it is recommended that each SSL_SESSION object is only used for`
			`resumption once.`
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00
			`SSL_get0_session() returns a pointer to the actual session. As the`
			`reference counter is not incremented, the pointer is only valid while`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`the connection is in use. If L<SSL_clear(3)> or`
			`L<SSL_free(3)> is called, the session may be removed completely`
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00			`(if considered bad), and the pointer obtained will become invalid. Even`
			`if the session is valid, it can be removed at any time due to timeout`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`during L<SSL_CTX_flush_sessions(3)>.`
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00
			`If the data is to be kept, SSL_get1_session() will increment the reference`
Clarify reference count handling/removal of session (shinagawa@star.zko.dec.com). 2001-11-19 19:11:23 +08:00			`count, so that the session will not be implicitly removed by other operations`
			`but stays in memory. In order to remove the session`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_SESSION_free(3)> must be explicitly called once`
Clarify reference count handling/removal of session (shinagawa@star.zko.dec.com). 2001-11-19 19:11:23 +08:00			`to decrement the reference count again.`
Finish first round of session cache documentation. 2001-02-13 22:00:09 +08:00
Update information as a partial response to the post From: "Chris D. Peterson" <cpeterson@aventail.com> Subject: Implementation Issues with OpenSSL To: openssl-users@openssl.org Date: Wed, 22 Aug 2001 16:13:17 -0700 The patch included in the original post may improve the internal session list handling (and is therefore worth a seperate investigation). No change to the list handling will however solve the problems of incorrect SSL_SESSION_free() calls. The session list is only one possible point of failure, dangling pointers would also occur for SSL object currently using the session. The correct solution is to only use SSL_SESSION_free() when applicable! 2001-10-12 20:29:16 +08:00			`SSL_SESSION objects keep internal link information about the session cache`
			`list, when being inserted into one SSL_CTX object's session cache.`
			`One SSL_SESSION object, regardless of its reference count, must therefore`
			`only be used with one SSL_CTX object (and the SSL objects created`
			`from this SSL_CTX object).`

Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00			`=head1 RETURN VALUES`

			`The following return values can occur:`

			`=over 4`

			`=item NULL`

			`There is no session available in B<ssl>.`

Doc fixes suggested by Claus Assmann RT4264, RT4268 Reviewed-by: Tim Hudson <tjh@openssl.org> 2016-01-27 13:55:19 +08:00			`=item Pointer to an SSL_SESSION`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00
			`The return value points to the data of an SSL session.`

			`=back`

			`=head1 SEE ALSO`

Fix referenses in section 3 manuals Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1900) 2016-11-11 16:33:09 +08:00			`L<ssl(7)>, L<SSL_free(3)>,`
Fix L<> content in manpages L<foo\|foo> is sub-optimal If the xref is the same as the title, which is what we do, then you only need L<foo>. This fixes all 1457 occurrences in 349 files. Approximately. (And pod used to need both.) Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-08-18 03:21:33 +08:00			`L<SSL_clear(3)>,`
			`L<SSL_SESSION_free(3)>`
Add a number of documentation files, mostly for SSL routines, but also for a few BIO routines. Submitted by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> 2000-09-14 21:11:56 +08:00
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`=head1 COPYRIGHT`

Update copyright year Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6145) 2018-05-01 20:34:30 +08:00			`Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00
Following the license change, modify the boilerplates in doc/man3/ [skip ci] Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7829) 2018-12-06 21:04:44 +08:00			`Licensed under the Apache License 2.0 (the "License"). You may not use`
Add copyright to manpages Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-05-18 23:44:05 +08:00			`this file except in compliance with the License. You can obtain a copy`
			`in the file LICENSE in the source distribution or at`
			`L<https://www.openssl.org/source/license.html>.`

			`=cut`