Mbed forum

Serialize mbedtls_ssl_session for use in RFC 5077 session resumption


(Jeremy Herbert) #1

Hi,

I’m trying to implement SSL session resumption (aka RFC 5077) between a low power device and a cloud server. In between the first and subsequent connections, my device completely loses power, and as such cannot retain anything in RAM.

For this to work, according to this post: https://tls.mbed.org/discussions/generic/resumed-tls-handshake one has to store the result of mbedtls_ssl_get_session to some sort of non-volatile memory and then restore it again using mbedtls_ssl_set_session. However, the mbedtls_ssl_session structure is fairly complex and contains several heap pointers.

Is there any functionality in mbedtls to serialize this structure into a byte string for easy storage purposes? Or is this something I should implement myself?

I can see that there is something for writing tickets to a byte string, but nothing for writing the entire session structure.


(Jeremy Herbert) #2

To be clear, the structure which is bothering me is really the peer_cert member aka mbedtls_x509_crt which contains many heap pointers and even a linked list!


(Ron Eldor) #3

@jeremyherbert Thank you for your question!

You are correct, and as mentioned in the documentation for [mbedtls_ssl_get_session()] (https://github.com/ARMmbed/mbedtls/blob/development/include/mbedtls/ssl.h#L2897):

* \note           Only the server certificate is copied, and not the full chain,
 *                so you should not attempt to validate the certificate again
 *                by calling \c mbedtls_x509_crt_verify() on it.
 *                Instead, you should use the results from the verification
 *                in the original handshake by calling \c mbedtls_ssl_get_verify_result()
 *                after loading the session again into a new SSL context
 *                using \c mbedtls_ssl_set_session().

You could look at the examples of the mbedtls_ssl_cache_get() and mbedtls_ssl_cache_set() to see how the session cache is used, and what data you need to store in the NV memory.
I hope this answers your question
Regards,
Mbed TLS Team member
Ron