> What I will do in any case is to try enabling the session cache in production again (once the next release is out) and watch the situation for a few days.

Just as a reminder, that's not going to work if any of the clients want to depend on X.509.

Went down the rabbit hole of how OpenSSL manages sessions. It _is_ possible to serialize the peer chain along with the `SSL_SESSION` object as part of the application-layer data (allowing OpenSSL to continue to manage the cache). Notes:

* How to serialize a sequence of `X509` objects: https://mta.openssl.org/pipermail/openssl-users/2016-July/004048.html
* Setter for the session data: https://www.openssl.org/docs/man1.1.1/man3/SSL_set_ex_data.html
* How to add a new extension to `SSL_SESSION`: https://www.openssl.org/docs/man1.1.1/man3/CRYPTO_get_ex_new_index.html

If I had to guess, it's probably about 2 solid days of development work to put this all together.

Alternately, instead of serializing the peer chain, one could look at serializing the `XrdSecEntity` itself. That way you wouldn't have to re-verify certificates upon session resumption.

Anyhow, not planning to look too much further here - just wanted to record that it appears to be possible.

--
Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1252#issuecomment-661607710
(Relayed via the XROOTD-DEV list, listserv.slac.stanford.edu)