While working on an Apache 2.0 connection handler to implement EPP within Apache (see https://sourceforge.net/projects/aepps/) I noticed the following: If I turn on StdEnvVars httpd will dump core in ssl_var_lookup_ssl as SSL_get_session returns a NULL pointer. After spending an afternoon with gdb, etherreal and ssl-telnet I have no clue why connecting with ssl-telnet to an SSL/HTTP port gives me a non-NULL session variable whereas using the same client to connect to my connection-handler returns a NULL value. I'm using openssl 0.9.6g. To work around the issue until I eventually find the real cause, I applied the folllowing patch to my 2.0.43 source-tree: --- ssl_engine_vars.c 2002/12/04 11:27:14 1.1 +++ ssl_engine_vars.c 2002/12/04 11:27:34 @@ -280,7 +280,8 @@ else if (ssl != NULL && strcEQ(var, "SESSION_ID")) { char buf[SSL_SESSION_ID_STRING_LEN]; SSL_SESSION *pSession = SSL_get_session(ssl); - result = apr_pstrdup(p, SSL_SESSION_id2sz( + if (pSession) + result = apr_pstrdup(p, SSL_SESSION_id2sz( SSL_SESSION_get_session_id(pSession), SSL_SESSION_get_session_id_length(pSession), buf, sizeof(buf))); I'm not sure whether this is an issue with mod_ssl, my connection-handler or openssl. As the patch is simple enough, I would recommend to apply it to the offcial tree in any case. cheers, /ol
Ah, I just found a repro case for SSL_get_session returning NULL: when serving the "you sent a plain HTTP request over an SSL connection" error message. Thanks for the patch! It's committed to 2.1 and will be proposed for backport for 2.0.