On Oct 26, 2011, at 6:06 AM, Hiroshi Nakamura wrote:

> On 10/26/2011 11:39 AM, Eric Hodel wrote:
>> Net::HTTP objects can be reused. You may start and finish a
>> connection as many times as you like (the net-http-persistent gem
>> works this way).
>
> OK, so it's just I was wrong. I felt that I saw an issue for
> restarting Net::HTTP with #start after #finish, but I cannot find a
> ticket. I'm just confusing it with another issue. Either it's
> already fixed.
>
>> Currently the SSLSession can only be initialized once due to
>> OpenSSL restrictions. To change the values you must make a new
>> Net::HTTP object, so I think changing this behavior (if it is
>> needed) is a separate issue.
>
> SSLSocket --<>> SSLContext <<>-- Session
>    <>                             A
>    |                              |
>    +------------------------------+
>
> You can't modify SSLContext after you create SSLSocket. You must
> create new SSLContext for new SSLSocket if you need to update ssl
> params. It might conflict with semantics of Net::HTTP object, though
> I don't have any idea what Net::HTTP object should know.

With net/http in 1.9.3, modifying SSL parameters after Net::HTTP#start
has no effect. Adding it as a new feature is not difficult, though
(delete two lines). It does not cause any conflicts for Net::HTTP that
I can see.

>> I will update the patch to check for the timeout, I did not know it
>> existed.
>
> OpenSSL has a client session cache in SSLContext but it's not so
> useful because you need to keep Sessions by yourself, and pick proper
> Session for each server. Here's a sample usage of client session
> cache:
>
> https://github.com/nahi/httpclient/commit/7fc04933961ea3ea5a2aa595172ca7cd29a718f5
>
> You would want to implement session cache instead.

I think enabling the session cache is useless for net/http because it is
single-connection oriented. Instead, just using an ivar to store the
session is OK.

In http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html,
enabling SSL_SESS_CACHE_CLIENT says:

> Client sessions are added to the session cache. As there is no
> reliable way for the OpenSSL library to know whether a session should be
> reused or which session to choose (due to the abstract BIO layer the SSL
> engine does not have details about the connection), the application must
> select the session to be reused by using the SSL_set_session(3)
> function. This option is not activated by default.

I think for net/http the client session cache is useless. net/http only
connects to one server per instance and will only have one context alive
at a time, so the cache will not hold more than one session at a time.

Instead of jumping through the hoops of the client session cache
(cache-managing class, callbacks) it will be easier to store the session
in an instance variable after connect() and SSL negotiation (since there
can only ever be one item in the cache for net/http) and apply the
session from the ivar via SSL_set_session (SSLSocket#session=) when we
call connect() again.

According to SSL_SESS_CACHE_CLIENT we need to do the manual set anyways,
so I don't think we should bother with a lot of work to store one thing
when an instance variable works just fine.

I think for httpclient the cache makes more sense because it manages
multiple connections in a single instance.

> FYI: In contrast to the client session cache, the server session cache
> is very useful and everyone should use it whenever you need a server
> session cache.

Agreed! Fortunately it is the default.
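The "one session in an ivar, applied with SSLSocket#session= before the next connect()" approach discussed above, as an added example that is not part of this thread, of net/http or of httpclient: it starts a throwaway in-process TLS server with a constructed self-signed certificate and reports session_reused? from both sides. Assumptions: Ruby's stdlib openssl, the server-side cache left at its default, and both ends capped at TLS 1.2 (see the comment in the code).

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for the in-process test server.
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# TLS server answering each connection with whether its handshake was resumed;
# server-side caching stays at OpenSSL's default (SESS_CACHE_SERVER).
def start_tls_server(connections)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = make_self_signed_cert
  # Assumption: cap at TLS 1.2 so the ticket arrives inside the handshake
  # (TLS 1.3 delivers tickets after it), matching the era of the thread.
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  server = OpenSSL::SSL::SSLServer.new(TCPServer.new("127.0.0.1", 0), ctx)
  Thread.new do
    connections.times do
      ssl = server.accept
      ssl.gets
      ssl.puts(ssl.session_reused? ? "resumed" : "full")
      ssl.close
    end
  end
  server.to_io.addr[1]
end

# One connect() as the thread describes: apply the session saved from the last
# connection via SSLSocket#session= (SSL_set_session) before the handshake, and
# return the current session so the caller can keep it in an ivar.
def connect_with_session(port, session)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert only
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.session = session if session
  sock.connect
  sock.puts "ping"
  reply = sock.gets.strip
  reused = sock.session_reused?
  saved = sock.session
  sock.close
  [reply, reused, saved]
end
```

The first call returns a full handshake and a Session object; passing that object into the second call yields an abbreviated handshake that both ends report as resumed, which is all the bookkeeping a single-connection client needs.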