1e71b7053SJung-uk Kim=pod 2e71b7053SJung-uk Kim 3e71b7053SJung-uk Kim=head1 NAME 4e71b7053SJung-uk Kim 5e71b7053SJung-uk KimSSL_get_session, SSL_get0_session, SSL_get1_session - retrieve TLS/SSL session data 6e71b7053SJung-uk Kim 7e71b7053SJung-uk Kim=head1 SYNOPSIS 8e71b7053SJung-uk Kim 9e71b7053SJung-uk Kim #include <openssl/ssl.h> 10e71b7053SJung-uk Kim 11e71b7053SJung-uk Kim SSL_SESSION *SSL_get_session(const SSL *ssl); 12e71b7053SJung-uk Kim SSL_SESSION *SSL_get0_session(const SSL *ssl); 13e71b7053SJung-uk Kim SSL_SESSION *SSL_get1_session(SSL *ssl); 14e71b7053SJung-uk Kim 15e71b7053SJung-uk Kim=head1 DESCRIPTION 16e71b7053SJung-uk Kim 17e71b7053SJung-uk KimSSL_get_session() returns a pointer to the B<SSL_SESSION> actually used in 18e71b7053SJung-uk KimB<ssl>. The reference count of the B<SSL_SESSION> is not incremented, so 19e71b7053SJung-uk Kimthat the pointer can become invalid by other operations. 20e71b7053SJung-uk Kim 21e71b7053SJung-uk KimSSL_get0_session() is the same as SSL_get_session(). 22e71b7053SJung-uk Kim 23e71b7053SJung-uk KimSSL_get1_session() is the same as SSL_get_session(), but the reference 24e71b7053SJung-uk Kimcount of the B<SSL_SESSION> is incremented by one. 25e71b7053SJung-uk Kim 26e71b7053SJung-uk Kim=head1 NOTES 27e71b7053SJung-uk Kim 28e71b7053SJung-uk KimThe ssl session contains all information required to re-establish the 29e71b7053SJung-uk Kimconnection without a full handshake for SSL versions up to and including 30e71b7053SJung-uk KimTLSv1.2. In TLSv1.3 the same is true, but sessions are established after the 31e71b7053SJung-uk Kimmain handshake has occurred. The server will send the session information to the 32e71b7053SJung-uk Kimclient at a time of its choosing, which may be some while after the initial 33e71b7053SJung-uk Kimconnection is established (or never). Calling these functions on the client side 34e71b7053SJung-uk Kimin TLSv1.3 before the session has been established will still return an 35e71b7053SJung-uk KimSSL_SESSION object but that object cannot be used for resuming the session. See 36e71b7053SJung-uk KimL<SSL_SESSION_is_resumable(3)> for information on how to determine whether an 37e71b7053SJung-uk KimSSL_SESSION object can be used for resumption or not. 38e71b7053SJung-uk Kim 39e71b7053SJung-uk KimAdditionally, in TLSv1.3, a server can send multiple messages that establish a 40b2bf0c7eSJung-uk Kimsession for a single connection. In that case, on the client side, the above 41b2bf0c7eSJung-uk Kimfunctions will only return information on the last session that was received. On 42b2bf0c7eSJung-uk Kimthe server side they will only return information on the last session that was 43b2bf0c7eSJung-uk Kimsent, or if no session tickets were sent then the session for the current 44b2bf0c7eSJung-uk Kimconnection. 45e71b7053SJung-uk Kim 46e71b7053SJung-uk KimThe preferred way for applications to obtain a resumable SSL_SESSION object is 47e71b7053SJung-uk Kimto use a new session callback as described in L<SSL_CTX_sess_set_new_cb(3)>. 48e71b7053SJung-uk KimThe new session callback is only invoked when a session is actually established, 49e71b7053SJung-uk Kimso this avoids the problem described above where an application obtains an 50e71b7053SJung-uk KimSSL_SESSION object that cannot be used for resumption in TLSv1.3. It also 51e71b7053SJung-uk Kimenables applications to obtain information about all sessions sent by the 52e71b7053SJung-uk Kimserver. 53e71b7053SJung-uk Kim 54e71b7053SJung-uk KimA session will be automatically removed from the session cache and marked as 55e71b7053SJung-uk Kimnon-resumable if the connection is not closed down cleanly, e.g. if a fatal 56e71b7053SJung-uk Kimerror occurs on the connection or L<SSL_shutdown(3)> is not called prior to 57e71b7053SJung-uk KimL<SSL_free(3)>. 58e71b7053SJung-uk Kim 59e71b7053SJung-uk KimIn TLSv1.3 it is recommended that each SSL_SESSION object is only used for 60e71b7053SJung-uk Kimresumption once. 61e71b7053SJung-uk Kim 62e71b7053SJung-uk KimSSL_get0_session() returns a pointer to the actual session. As the 63e71b7053SJung-uk Kimreference counter is not incremented, the pointer is only valid while 64e71b7053SJung-uk Kimthe connection is in use. If L<SSL_clear(3)> or 65e71b7053SJung-uk KimL<SSL_free(3)> is called, the session may be removed completely 66e71b7053SJung-uk Kim(if considered bad), and the pointer obtained will become invalid. Even 67e71b7053SJung-uk Kimif the session is valid, it can be removed at any time due to timeout 68e71b7053SJung-uk Kimduring L<SSL_CTX_flush_sessions(3)>. 69e71b7053SJung-uk Kim 70e71b7053SJung-uk KimIf the data is to be kept, SSL_get1_session() will increment the reference 71e71b7053SJung-uk Kimcount, so that the session will not be implicitly removed by other operations 72e71b7053SJung-uk Kimbut stays in memory. In order to remove the session 73e71b7053SJung-uk KimL<SSL_SESSION_free(3)> must be explicitly called once 74e71b7053SJung-uk Kimto decrement the reference count again. 75e71b7053SJung-uk Kim 76e71b7053SJung-uk KimSSL_SESSION objects keep internal link information about the session cache 77e71b7053SJung-uk Kimlist, when being inserted into one SSL_CTX object's session cache. 78e71b7053SJung-uk KimOne SSL_SESSION object, regardless of its reference count, must therefore 79e71b7053SJung-uk Kimonly be used with one SSL_CTX object (and the SSL objects created 80e71b7053SJung-uk Kimfrom this SSL_CTX object). 81e71b7053SJung-uk Kim 82e71b7053SJung-uk Kim=head1 RETURN VALUES 83e71b7053SJung-uk Kim 84e71b7053SJung-uk KimThe following return values can occur: 85e71b7053SJung-uk Kim 86e71b7053SJung-uk Kim=over 4 87e71b7053SJung-uk Kim 88e71b7053SJung-uk Kim=item NULL 89e71b7053SJung-uk Kim 90e71b7053SJung-uk KimThere is no session available in B<ssl>. 91e71b7053SJung-uk Kim 92e71b7053SJung-uk Kim=item Pointer to an SSL_SESSION 93e71b7053SJung-uk Kim 94e71b7053SJung-uk KimThe return value points to the data of an SSL session. 95e71b7053SJung-uk Kim 96e71b7053SJung-uk Kim=back 97e71b7053SJung-uk Kim 98e71b7053SJung-uk Kim=head1 SEE ALSO 99e71b7053SJung-uk Kim 100e71b7053SJung-uk KimL<ssl(7)>, L<SSL_free(3)>, 101e71b7053SJung-uk KimL<SSL_clear(3)>, 102e71b7053SJung-uk KimL<SSL_SESSION_free(3)> 103e71b7053SJung-uk Kim 104e71b7053SJung-uk Kim=head1 COPYRIGHT 105e71b7053SJung-uk Kim 106b2bf0c7eSJung-uk KimCopyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved. 107e71b7053SJung-uk Kim 108*b077aed3SPierre ProncheryLicensed under the Apache License 2.0 (the "License"). You may not use 109e71b7053SJung-uk Kimthis file except in compliance with the License. You can obtain a copy 110e71b7053SJung-uk Kimin the file LICENSE in the source distribution or at 111e71b7053SJung-uk KimL<https://www.openssl.org/source/license.html>. 112e71b7053SJung-uk Kim 113e71b7053SJung-uk Kim=cut 114