Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3008)
the same session id already exists, the old session is removed by calling
L<SSL_SESSION_free(3)>.
-SSL_CTX_remove_session() removes the session B<c> from the context B<ctx>.
-L<SSL_SESSION_free(3)> is called once for B<c>.
+SSL_CTX_remove_session() removes the session B<c> from the context B<ctx> and
+marks it as non-resumable. L<SSL_SESSION_free(3)> is called once for B<c>.
SSL_add_session() and SSL_remove_session() are synonyms for their
SSL_CTX_*() counterparts.
function will be invoked multiple times.
In TLSv1.3 it is recommended that each SSL_SESSION object is only used for
-resumption once.
+resumption once. One way of enforcing that is for applications to call
+L<SSL_CTX_remove_session(3)> after a session has been used.
The remove_session_cb() is called, whenever the SSL engine removes a session
from the internal cache. This happens when the session is removed because