mbedTLS - session resumption - what is the correct way to remove session IDs from the cache?

When dealing with the session cache, I see that there are 6 functions defined in ssl_cache.h:

  • mbedtls_ssl_cache_init
  • mbedtls_ssl_cache_get
  • mbedtls_ssl_cache_set
  • mbedtls_ssl_cache_set_timeout
  • mbedtls_ssl_cache_set_max_entries
  • mbedtls_ssl_cache_free

What I want to know is, how can I delete a specific session from the cache? There is no “remove” function defined. I don’t necessarily want to remove all items from the cache, just one. Any advice on how to do that?

Hi @ericode
Thank you for your question!
As you mentioned, there isn’t an API for removing a specific session ID.
However, since you control your mbedtls_ssl_cache_context structure, as it is given to the API, you can have your own function that removes the specific session with the relevant id from the chain of sessions. In addition, since you provide the set and get cache functions as callbacks when you call mbedtls_ssl_conf_session_cache(), you can supply different callbacks that adjust to your needs.

However, may I know your use case? What’s the purpose of removing specific cache entries?
Note that the current implementation does remove sessions when they expire, as expired entries are overwritten. See here.
Regards,
Mbed TLS Team member
Ron

Regarding the use case: We are using TLS with pre-shared keys (rather than certificates) for devices that a client application can log in to. In the situation where the user info has changed (e.g. the pre-shared key has changed), we don’t want them to be able to resume the past session (that was authenticated using the old pre-shared key). So I believe removing the session info from the cache for that user (in our application above the mbedTLS library we keep track of the user to session ID mapping) is what should be done.

Since I have control of the mbedtls_ssl_cache_context structure, would removing an entry best be done by changing the cache entry’s timestamp to something far in the past to force it to be considered expired, or is there some other easy way to mark the cache entry as invalid?

Hi @ericode

Since I have control of the mbedtls_ssl_cache_context structure, would removing an entry best be done by changing the cache entry’s timestamp to something far in the past to force it to be considered expired, or is there some other easy way to mark the cache entry as invalid?

I think that your suggestion of modifying the timestamp may be the simplest way to revoke the ticket. As I understand the mbedtls_ssl_cache_set() function, there is a possibility of having more than one entry for the same session id, but when getting the cache entry, the loop stops at the first session with the relevant id that has a valid timestamp and ciphersuite. You will probably need to set the timestamp of the cache entry for that specific session for all entries with the same id.
Regards
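Added example, not code from the thread or from Mbed TLS: a stand-alone C model of the 2.x session cache chain that implements both suggestions made above, the custom chain walk from the first reply (unlink the matching entries) and the timestamp back-dating from this reply. Every demo_-prefixed name, the fixed clock value and the session IDs are invented for the example so it builds without Mbed TLS; the field names mentioned in the comments (cache->chain, cache->timeout, entry->timestamp, entry->session.id, entry->session.id_len, entry->session.ciphersuite, entry->next) are those of Mbed TLS 2.x ssl_cache.h, and demo_cache_get() copies that version's matching order. The scenario function models ericode's case: user A's pre-shared key changed, A has two cached entries with the same id (the situation Ron describes), and user B must stay resumable.

```c
/* Added example, not Mbed TLS code. demo_* names are invented for this file;
 * fields mirror mbedtls_ssl_cache_entry / mbedtls_ssl_cache_context in 2.x. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DEMO_ID_LEN 32

typedef struct demo_session {
    unsigned char id[DEMO_ID_LEN];
    size_t id_len;
    int ciphersuite;            /* real mbedtls_ssl_session also holds the master secret etc. */
} demo_session;

typedef struct demo_cache_entry {
    time_t timestamp;
    demo_session session;
    struct demo_cache_entry *next;
} demo_cache_entry;

typedef struct demo_cache {
    demo_cache_entry *chain;
    int timeout;                /* seconds; 0 disables expiry, as in Mbed TLS */
} demo_cache;

static int demo_id_matches(const demo_cache_entry *e, const unsigned char *id, size_t id_len)
{
    return e->session.id_len == id_len && memcmp(e->session.id, id, id_len) == 0;
}

/* Same lookup order as mbedtls_ssl_cache_get() in 2.x: skip expired entries
 * (only when timeout != 0), then require matching ciphersuite, id length and
 * id bytes. The first live hit wins, so a stale duplicate further down the
 * chain is never consulted. */
static demo_cache_entry *demo_cache_get(demo_cache *c, const demo_session *want, time_t now)
{
    for (demo_cache_entry *cur = c->chain; cur != NULL; cur = cur->next) {
        if (c->timeout != 0 && (int)(now - cur->timestamp) > c->timeout)
            continue;
        if (cur->session.ciphersuite == want->ciphersuite &&
            demo_id_matches(cur, want->id, want->id_len))
            return cur;
    }
    return NULL;
}

static void demo_cache_add(demo_cache *c, const demo_session *s, time_t now)
{
    demo_cache_entry *e = calloc(1, sizeof *e);
    if (e == NULL) abort();
    e->timestamp = now;
    e->session = *s;
    e->next = c->chain;         /* prepend; position in the chain is irrelevant */
    c->chain = e;
}

/* Option 1 (first reply): unlink and free every entry carrying this id.
 * Against the real structs, free with mbedtls_ssl_session_free() (and the
 * peer_cert buffer) exactly as mbedtls_ssl_cache_free() does, and hold
 * cache->mutex when MBEDTLS_THREADING_C is enabled. Returns the count. */
static int demo_cache_remove_id(demo_cache *c, const unsigned char *id, size_t id_len)
{
    int removed = 0;
    demo_cache_entry **link = &c->chain;
    while (*link != NULL) {
        demo_cache_entry *cur = *link;
        if (demo_id_matches(cur, id, id_len)) {
            *link = cur->next;  /* *link now names the successor; do not advance */
            free(cur);
            removed++;
        } else {
            link = &cur->next;
        }
    }
    return removed;
}

/* Option 2 (this reply): keep the entries but back-date every matching
 * timestamp so the get loop skips them and the set loop may overwrite them.
 * Caveat: the get loop only looks at timestamps when timeout != 0 (and Mbed TLS
 * only has a timestamp field with MBEDTLS_HAVE_TIME). Returns the count. */
static int demo_cache_expire_id(demo_cache *c, const unsigned char *id, size_t id_len)
{
    int hit = 0;
    for (demo_cache_entry *cur = c->chain; cur != NULL; cur = cur->next)
        if (demo_id_matches(cur, id, id_len)) {
            cur->timestamp = 0; /* the epoch: older than any positive timeout */
            hit++;
        }
    return hit;
}

static void demo_cache_free(demo_cache *c)
{
    while (c->chain != NULL) {
        demo_cache_entry *next = c->chain->next;
        free(c->chain);
        c->chain = next;
    }
}

/* Constructed scenario: A's PSK changed, so A's sessions must not resume.
 * A has two entries with the same id, B has one. Revokes A with the chosen
 * method and returns bit 0 set if A still resumes, bit 1 set if B still does. */
static int demo_revoke_scenario(int timeout, int use_remove)
{
    const time_t now = (time_t)1700000000;   /* fixed clock, constructed */
    demo_session a = { {0}, DEMO_ID_LEN, 0xC0A8 };   /* TLS_PSK_WITH_AES_128_CCM_8 */
    demo_session b = { {0}, DEMO_ID_LEN, 0xC0A8 };
    memset(a.id, 0xA1, DEMO_ID_LEN);                 /* constructed session IDs */
    memset(b.id, 0xB2, DEMO_ID_LEN);
    demo_cache c = { NULL, timeout };
    demo_cache_add(&c, &a, now - 10);
    demo_cache_add(&c, &b, now - 10);
    demo_cache_add(&c, &a, now - 5);

    if (use_remove) demo_cache_remove_id(&c, a.id, a.id_len);
    else            demo_cache_expire_id(&c, a.id, a.id_len);

    int result = (demo_cache_get(&c, &a, now) != NULL ? 1 : 0)
               | (demo_cache_get(&c, &b, now) != NULL ? 2 : 0);
    demo_cache_free(&c);
    return result;
}

int main(void)
{
    printf("expire, timeout=86400: %d\n", demo_revoke_scenario(86400, 0)); /* 2: A gone, B kept */
    printf("expire, timeout=0:     %d\n", demo_revoke_scenario(0, 0));     /* 3: A still resumes */
    printf("remove, timeout=0:     %d\n", demo_revoke_scenario(0, 1));     /* 2: A gone, B kept */
    return 0;
}
```

Build with `cc -std=c99 demo.c`. The timeout=0 run is the point of the example: back-dating only revokes when the cache has a non-zero timeout (the default is a day, but mbedtls_ssl_cache_set_timeout(cache, 0) switches expiry off entirely), so unlinking is the revocation that holds in every configuration. Two further caveats when porting this to the real library: in 3.x the cache entry layout changed (sessions are stored serialized with their own session_id/session_id_len fields), and later ssl_cache.h releases added an mbedtls_ssl_cache_remove() function, so check your version's header before walking the chain yourself; and if MBEDTLS_SSL_SESSION_TICKETS is enabled, a client holding a ticket resumes without touching this cache at all, so a PSK change must also be enforced on the ticket side (rotating the ticket key, or shortening ticket lifetime).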

Thank you for the help Ron!