SSL_SESSION_free(session) needs to be called by remove_session_cb, otherwise a memory leak occurs. This leak is normally small but if client cert auth is used then it is very large as the session contains the certificates.