* ext/openssl/ossl_ssl.c (ossl_sslctx_session_new_cb): Return 0 to

  OpenSSL from the callback for SSL_CTX_sess_set_get_cb().
  Returning 0 means to OpenSSL that the the session is still valid
  (since we created Ruby Session object) and was not freed by us with
  SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
  session_get_cb block if you don't want OpenSSL to cache the session
  internally.
  This potential issue was pointed by Ippei Obayashi. See #4416.

* test/openssl/test_ssl_session.rb (test_ctx_server_session_cb): Test
  it.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32204 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 8 insertions, 2 deletions

diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index fd7b9f5e44..a9f31020eb 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -400,10 +400,16 @@ ossl_sslctx_session_new_cb(SSL *ssl, SSL_SESSION *sess)
     ret_obj = rb_protect((VALUE(*)_((VALUE)))ossl_call_session_new_cb, ary, &state);
     if (state) {
         rb_ivar_set(ssl_obj, ID_callback_state, INT2NUM(state));
-        return 0; /* what should be returned here??? */
     }
 
-    return RTEST(ret_obj) ? 1 : 0;
+    /*
+     * return 0 which means to OpenSSL that the the session is still
+     * valid (since we created Ruby Session object) and was not freed by us
+     * with SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
+     * session_get_cb block if you don't want OpenSSL to cache the session
+     * internally.
+     */
+    return 0;
 }
 
 static VALUE