I’m trying to implement SSL session resumption (aka RFC 5077) between a low power device and a cloud server. In between the first and subsequent connections, my device completely loses power, and as such cannot retain anything in RAM.
For this to work, according to this post: https://tls.mbed.org/discussions/generic/resumed-tls-handshake one has to store the result of
mbedtls_ssl_get_session to some sort of non-volatile memory and then restore it again using
mbedtls_ssl_set_session. However, the
mbedtls_ssl_session structure is fairly complex and contains several heap pointers.
Is there any functionality in mbedtls to serialize this structure into a byte string for easy storage purposes? Or is this something I should implement myself?
I can see that there is something for writing tickets to a byte string, but nothing for writing the entire session structure.
To be clear, the structure which is bothering me is really the peer_cert member aka
mbedtls_x509_crt which contains many heap pointers and even a linked list!
@jeremyherbert Thank you for your question!
You are correct, and as mentioned in the documentation for [
* \note Only the server certificate is copied, and not the full chain,
* so you should not attempt to validate the certificate again
* by calling \c mbedtls_x509_crt_verify() on it.
* Instead, you should use the results from the verification
* in the original handshake by calling \c mbedtls_ssl_get_verify_result()
* after loading the session again into a new SSL context
* using \c mbedtls_ssl_set_session().
You could look at the examples of the
mbedtls_ssl_cache_set() to see how the session cache is used, and what
data you need to store in the NV memory.
I hope this answers your question
Mbed TLS Team member