1 files changed, 12 insertions, 2 deletions

diff --git a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
index 9a1ba6c47b21..0321a5a36f2e 100644
--- a/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
+++ b/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod
@@ -30,7 +30,17 @@ session data on disk or into a database, it must be transformed into
 a binary ASN1 representation.
 
 When using d2i_SSL_SESSION(), the SSL_SESSION object is automatically
-allocated.
+allocated. The reference count is 1, so that the session must be
+explicitly removed using L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
+unless the SSL_SESSION object is completely taken over, when being called
+inside the get_session_cb() (see
+L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>).
+
+SSL_SESSION objects keep internal link information about the session cache
+list, when being inserted into one SSL_CTX object's session cache.
+One SSL_SESSION object, regardless of its reference count, must therefore
+only be used with one SSL_CTX object (and the SSL objects created
+from this SSL_CTX object).
 
 When using i2d_SSL_SESSION(), the memory location pointed to by B<pp> must be
 large enough to hold the binary representation of the session. There is no
@@ -50,7 +60,7 @@ When the session is not valid, B<0> is returned and no operation is performed.
 
 =head1 SEE ALSO
 
-L<ssl(3)|ssl(3)>,
+L<ssl(3)|ssl(3)>, L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
 L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>
 
 =cut