Update per latest manual pages after running 'man-update'.
[dragonfly.git] / secure / lib / libssl / man / SSL_CTX_set_generate_session_id.3
CommitLineData
a7d27d5a
JR
1.rn '' }`
2''' $RCSfile$$Revision$$Date$
3'''
4''' $Log$
5'''
6.de Sh
984263bc
MD
7.br
8.if t .Sp
9.ne 5
10.PP
11\fB\\$1\fR
12.PP
13..
a7d27d5a 14.de Sp
984263bc
MD
15.if t .sp .5v
16.if n .sp
17..
a7d27d5a 18.de Ip
984263bc
MD
19.br
20.ie \\n(.$>=3 .ne \\$3
21.el .ne 3
22.IP "\\$1" \\$2
23..
a7d27d5a 24.de Vb
984263bc
MD
25.ft CW
26.nf
27.ne \\$1
28..
a7d27d5a 29.de Ve
984263bc
MD
30.ft R
31
32.fi
33..
a7d27d5a
JR
34'''
35'''
36''' Set up \*(-- to give an unbreakable dash;
37''' string Tr holds user defined translation string.
38''' Bell System Logo is used as a dummy character.
39'''
984263bc 40.tr \(*W-|\(bv\*(Tr
984263bc 41.ie n \{\
a7d27d5a
JR
42.ds -- \(*W-
43.ds PI pi
44.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
45.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
46.ds L" ""
47.ds R" ""
48''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of
49''' \*(L" and \*(R", except that they are used on ".xx" lines,
50''' such as .IP and .SH, which do another additional levels of
51''' double-quote interpretation
52.ds M" """
53.ds S" """
54.ds N" """""
55.ds T" """""
56.ds L' '
57.ds R' '
58.ds M' '
59.ds S' '
60.ds N' '
61.ds T' '
984263bc
MD
62'br\}
63.el\{\
a7d27d5a
JR
64.ds -- \(em\|
65.tr \*(Tr
66.ds L" ``
67.ds R" ''
68.ds M" ``
69.ds S" ''
70.ds N" ``
71.ds T" ''
72.ds L' `
73.ds R' '
74.ds M' `
75.ds S' '
76.ds N' `
77.ds T' '
78.ds PI \(*p
984263bc 79'br\}
a7d27d5a
JR
80.\" If the F register is turned on, we'll generate
81.\" index entries out stderr for the following things:
82.\" TH Title
83.\" SH Header
84.\" Sh Subsection
85.\" Ip Item
86.\" X<> Xref (embedded
87.\" Of course, you have to process the output yourself
88.\" in some meaninful fashion.
89.if \nF \{
90.de IX
91.tm Index:\\$1\t\\n%\t"\\$2"
984263bc 92..
a7d27d5a
JR
93.nr % 0
94.rr F
984263bc 95.\}
a7d27d5a
JR
96.TH SSL_CTX_set_generate_session_id 3 "0.9.7d" "2/Sep/2004" "OpenSSL"
97.UC
98.if n .hy 0
984263bc 99.if n .na
a7d27d5a
JR
100.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
101.de CQ \" put $1 in typewriter font
102.ft CW
103'if n "\c
104'if t \\&\\$1\c
105'if n \\&\\$1\c
106'if n \&"
107\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7
108'.ft R
109..
110.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2
111. \" AM - accent mark definitions
984263bc 112.bd B 3
a7d27d5a 113. \" fudge factors for nroff and troff
984263bc 114.if n \{\
a7d27d5a
JR
115. ds #H 0
116. ds #V .8m
117. ds #F .3m
118. ds #[ \f1
119. ds #] \fP
984263bc
MD
120.\}
121.if t \{\
a7d27d5a
JR
122. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
123. ds #V .6m
124. ds #F 0
125. ds #[ \&
126. ds #] \&
984263bc 127.\}
a7d27d5a 128. \" simple accents for nroff and troff
984263bc 129.if n \{\
a7d27d5a
JR
130. ds ' \&
131. ds ` \&
132. ds ^ \&
133. ds , \&
134. ds ~ ~
135. ds ? ?
136. ds ! !
137. ds /
138. ds q
984263bc
MD
139.\}
140.if t \{\
a7d27d5a
JR
141. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
142. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
143. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
144. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
145. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
146. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10'
147. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m'
148. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
149. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10'
984263bc 150.\}
a7d27d5a 151. \" troff and (daisy-wheel) nroff accents
984263bc
MD
152.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
153.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
a7d27d5a
JR
154.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#]
155.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u'
156.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u'
157.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#]
984263bc
MD
158.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
159.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
160.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
161.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
162.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
163.ds ae a\h'-(\w'a'u*4/10)'e
164.ds Ae A\h'-(\w'A'u*4/10)'E
a7d27d5a
JR
165.ds oe o\h'-(\w'o'u*4/10)'e
166.ds Oe O\h'-(\w'O'u*4/10)'E
167. \" corrections for vroff
984263bc
MD
168.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
169.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
a7d27d5a 170. \" for low resolution devices (crt and lpr)
984263bc
MD
171.if \n(.H>23 .if \n(.V>19 \
172\{\
a7d27d5a
JR
173. ds : e
174. ds 8 ss
175. ds v \h'-1'\o'\(aa\(ga'
176. ds _ \h'-1'^
177. ds . \h'-1'.
178. ds 3 3
179. ds o a
180. ds d- d\h'-1'\(ga
181. ds D- D\h'-1'\(hy
182. ds th \o'bp'
183. ds Th \o'LP'
184. ds ae ae
185. ds Ae AE
186. ds oe oe
187. ds Oe OE
984263bc
MD
188.\}
189.rm #[ #] #H #V #F C
984263bc 190.SH "NAME"
a7d27d5a 191SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id \- manipulate generation of SSL session IDs (server only)
984263bc 192.SH "SYNOPSIS"
a7d27d5a 193.PP
984263bc
MD
194.Vb 1
195\& #include <openssl/ssl.h>
196.Ve
197.Vb 2
198\& typedef int (*GEN_SESSION_CB)(const SSL *ssl, unsigned char *id,
199\& unsigned int *id_len);
200.Ve
201.Vb 4
202\& int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb);
203\& int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb);
204\& int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
205\& unsigned int id_len);
206.Ve
207.SH "DESCRIPTION"
a7d27d5a
JR
208\fISSL_CTX_set_generate_session_id()\fR sets the callback function for generating
209new session ids for SSL/TLS sessions for \fBctx\fR to be \fBcb\fR.
984263bc 210.PP
a7d27d5a
JR
211\fISSL_set_generate_session_id()\fR sets the callback function for generating
212new session ids for SSL/TLS sessions for \fBssl\fR to be \fBcb\fR.
984263bc 213.PP
a7d27d5a 214\fISSL_has_matching_session_id()\fR checks, whether a session with id \fBid\fR
984263bc
MD
215(of length \fBid_len\fR) is already contained in the internal session cache
216of the parent context of \fBssl\fR.
217.SH "NOTES"
984263bc
MD
218When a new session is established between client and server, the server
219generates a session id. The session id is an arbitrary sequence of bytes.
220The length of the session id is 16 bytes for SSLv2 sessions and between
2211 and 32 bytes for SSLv3/TLSv1. The session id is not security critical
222but must be unique for the server. Additionally, the session id is
223transmitted in the clear when reusing the session so it must not contain
224sensitive information.
225.PP
226Without a callback being set, an OpenSSL server will generate a unique
227session id from pseudo random numbers of the maximum possible length.
228Using the callback function, the session id can be changed to contain
229additional information like e.g. a host id in order to improve load balancing
230or external caching techniques.
231.PP
232The callback function receives a pointer to the memory location to put
a7d27d5a 233\fBid\fR into and a pointer to the maximum allowed length \fBid_len\fR. The
984263bc
MD
234buffer at location \fBid\fR is only guaranteed to have the size \fBid_len\fR.
235The callback is only allowed to generate a shorter id and reduce \fBid_len\fR;
236the callback \fBmust never\fR increase \fBid_len\fR or write to the location
a7d27d5a 237\fBid\fR exceeding the given limit.
984263bc
MD
238.PP
239If a SSLv2 session id is generated and \fBid_len\fR is reduced, it will be
240restored after the callback has finished and the session id will be padded
241with 0x00. It is not recommended to change the \fBid_len\fR for SSLv2 sessions.
242The callback can use the SSL_get_version(3) function
243to check, whether the session is of type SSLv2.
244.PP
245The location \fBid\fR is filled with 0x00 before the callback is called, so the
246callback may only fill part of the possible length and leave \fBid_len\fR
247untouched while maintaining reproducibility.
248.PP
249Since the sessions must be distinguished, session ids must be unique.
250Without the callback a random number is used, so that the probability
251of generating the same session id is extremely small (2^128 possible ids
252for an SSLv2 session, 2^256 for SSLv3/TLSv1). In order to assure the
253uniqueness of the generated session id, the callback must call
a7d27d5a 254\fISSL_has_matching_session_id()\fR and generate another id if a conflict occurs.
984263bc
MD
255If an id conflict is not resolved, the handshake will fail.
256If the application codes e.g. a unique host id, a unique process number, and
257a unique sequence number into the session id, uniqueness could easily be
258achieved without randomness added (it should however be taken care that
259no confidential information is leaked this way). If the application can not
260guarantee uniqueness, it is recommended to use the maximum \fBid_len\fR and
261fill in the bytes not used to code special information with random data
262to avoid collisions.
263.PP
a7d27d5a 264\fISSL_has_matching_session_id()\fR will only query the internal session cache,
984263bc
MD
265not the external one. Since the session id is generated before the
266handshake is completed, it is not immediately added to the cache. If
267another thread is using the same internal session cache, a race condition
268can occur in that another thread generates the same session id.
269Collisions can also occur when using an external session cache, since
270the external cache is not tested with \fISSL_has_matching_session_id()\fR
271and the same race condition applies.
272.PP
273When calling \fISSL_has_matching_session_id()\fR for an SSLv2 session with
274reduced \fBid_len\fR, the match operation will be performed using the
275fixed length required and with a 0x00 padded id.
276.PP
277The callback must return 0 if it cannot generate a session id for whatever
278reason and return 1 on success.
279.SH "EXAMPLES"
984263bc
MD
280The callback function listed will generate a session id with the
281server id given, and will fill the rest with pseudo random bytes:
282.PP
283.Vb 1
284\& const char session_id_prefix = "www-18";
285.Ve
286.Vb 6
287\& #define MAX_SESSION_ID_ATTEMPTS 10
288\& static int generate_session_id(const SSL *ssl, unsigned char *id,
289\& unsigned int *id_len)
290\& {
291\& unsigned int count = 0;
292\& const char *version;
293.Ve
294.Vb 3
295\& version = SSL_get_version(ssl);
296\& if (!strcmp(version, "SSLv2"))
297\& /* we must not change id_len */;
298.Ve
299.Vb 17
300\& do {
301\& RAND_pseudo_bytes(id, *id_len);
302\& /* Prefix the session_id with the required prefix. NB: If our
303\& * prefix is too long, clip it - but there will be worse effects
304\& * anyway, eg. the server could only possibly create 1 session
305\& * ID (ie. the prefix!) so all future session negotiations will
306\& * fail due to conflicts. */
307\& memcpy(id, session_id_prefix,
308\& (strlen(session_id_prefix) < *id_len) ?
309\& strlen(session_id_prefix) : *id_len);
310\& }
311\& while(SSL_has_matching_session_id(ssl, id, *id_len) &&
312\& (++count < MAX_SESSION_ID_ATTEMPTS));
313\& if(count >= MAX_SESSION_ID_ATTEMPTS)
314\& return 0;
315\& return 1;
316\& }
317.Ve
318.SH "RETURN VALUES"
a7d27d5a 319\fISSL_CTX_set_generate_session_id()\fR and \fISSL_set_generate_session_id()\fR
984263bc
MD
320always return 1.
321.PP
a7d27d5a 322\fISSL_has_matching_session_id()\fR returns 1 if another session with the
984263bc
MD
323same id is already in the cache.
324.SH "SEE ALSO"
984263bc
MD
325ssl(3), SSL_get_version(3)
326.SH "HISTORY"
a7d27d5a 327\fISSL_CTX_set_generate_session_id()\fR, \fISSL_set_generate_session_id()\fR
984263bc
MD
328and \fISSL_has_matching_session_id()\fR have been introduced in
329OpenSSL 0.9.7.
a7d27d5a
JR
330
331.rn }` ''
332.IX Title "SSL_CTX_set_generate_session_id 3"
333.IX Name "SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_session_id - manipulate generation of SSL session IDs (server only)"
334
335.IX Header "NAME"
336
337.IX Header "SYNOPSIS"
338
339.IX Header "DESCRIPTION"
340
341.IX Header "NOTES"
342
343.IX Header "EXAMPLES"
344
345.IX Header "RETURN VALUES"
346
347.IX Header "SEE ALSO"
348
349.IX Header "HISTORY"
350