Don't put sessions from renegotiations in the cache.

Rather than rely on Chromium to query SSL_initial_handshake_complete in the
callback (which didn't work anyway because the callback is called afterwards),
move the logic into BoringSSL. BoringSSL already enforces that clients never
offer resumptions on renegotiation (it wouldn't work well anyway as client
session cache lookup is external), so it's reasonable to also implement
in-library that sessions established on a renegotiation are not cached.

Add a bunch of tests that new_session_cb is called when expected.


Change-Id: I42d44c82b043af72b60a0f8fdb57799e20f13ed5
Reviewed-by: Adam Langley <>
7 files changed