there is no minimum length for session IDs

 Changes between 0.9.6g and 0.9.6h  [xx XXX xxxx]

  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c

     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).

     [Bodo Moeller]

  *) Fix race condition in SSLv3_client_method().

     [Bodo Moeller]

  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after

     the cached sessions are flushed, as the remove_cb() might use ex_data

     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>

	if (init)

		{

		init=0;

		memcpy((char *)&SSLv3_client_data,(char *)sslv3_base_method(),

			sizeof(SSL_METHOD));

		SSLv3_client_data.ssl_connect=ssl3_connect;

		SSLv3_client_data.get_ssl_method=ssl3_get_client_method;

		init=0;

		}

	return(&SSLv3_client_data);

	}

	/* get the session-id */

	j= *(p++);

       if(j > sizeof s->session->session_id)

	if ((j > sizeof s->session->session_id) || (j > SSL3_SESSION_ID_SIZE))

		{

		al=SSL_AD_ILLEGAL_PARAMETER;

               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,

                      SSL_R_SSL3_SESSION_ID_TOO_LONG);

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_LONG);

		goto f_err;

		}

	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))

		{

		/* SSLref returns 16 :-( */

		if (j < SSL2_SSL_SESSION_ID_LENGTH)

			{

			al=SSL_AD_ILLEGAL_PARAMETER;

			SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_SSL3_SESSION_ID_TOO_SHORT);

			goto f_err;

			}

		}

	if (j != 0 && j == s->session->session_id_length

	    && memcmp(p,s->session->session_id,j) == 0)

	    {

	    if(s->sid_ctx_length != s->session->sid_ctx_length

	       || memcmp(s->session->sid_ctx,s->sid_ctx,s->sid_ctx_length))

		{

		/* actually a client application bug */

		al=SSL_AD_ILLEGAL_PARAMETER;

		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);

		goto f_err;