httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Mon, 28 Sep 2009 17:53:51 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #39 from Joe Orton <jorton@redhat.com> 2009-09-28 10:53:42 PDT ---
Let me restate my earlier comment: I think it must be true that either all the
calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
any of them is a security issue.  i.e. the proposed patch is either incomplete
or insecure.

I would presume it is insecure until proved otherwise.  The session id context
stuff is there to prevent a session in one security context (vhost, location
context) being resumed in a different one.  Note that the mod_ssl ACL hooks may
not occur after a session resumption since a client can initiate a
ChangeCipherSpec independently of what's happening in the app_data layer.

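The point of the comment above, that a session id context fences session resumption between security contexts, as an added model in Python (not mod_ssl or OpenSSL code): the SecurityContext and Session classes, the shared cache dict and the context strings are assumptions made for the illustration.

```python
"""Simplified model of what a TLS session-ID context (OpenSSL's
SSL_set_session_id_context, as called by mod_ssl) buys you: a cached session
created in one security context (vhost or <Location> with its own
SSLVerifyClient setting) must not be resumed in another.  Added illustration
for this thread, not mod_ssl code; names and the cache layout are invented."""
import os
from dataclasses import dataclass


@dataclass
class Session:
    session_id: bytes
    sid_ctx: bytes          # context the full handshake ran under
    client_verified: bool   # was a client certificate checked at that handshake?


@dataclass
class SecurityContext:
    """One vhost/<Location>; all contexts share the server-wide session cache."""
    cache: dict
    sid_ctx: bytes = b""    # b"" models a context that never set a session id context
    require_client_cert: bool = False

    def full_handshake(self) -> Session:
        sess = Session(os.urandom(32), self.sid_ctx, self.require_client_cert)
        self.cache[sess.session_id] = sess
        return sess

    def resume(self, session_id: bytes):
        """Return the resumed Session, or None to force a full handshake.
        Like OpenSSL, a cached session resumes only if its sid_ctx equals the
        sid_ctx of the context attempting the resumption."""
        sess = self.cache.get(session_id)
        if sess is None or sess.sid_ctx != self.sid_ctx:
            return None
        return sess


def cross_context_resumes(set_context: bool) -> bool:
    """Session from an 'SSLVerifyClient none' area offered to a 'require' area.
    set_context=False models the calls the comment warns against removing."""
    cache = {}
    public = SecurityContext(cache, b"vhost:/" if set_context else b"")
    admin = SecurityContext(cache, b"vhost:/admin" if set_context else b"",
                            require_client_cert=True)
    sess = public.full_handshake()           # no client cert was ever verified
    resumed = admin.resume(sess.session_id)
    # An abbreviated (resumed) handshake exchanges no certificates, so resuming
    # here would let an unauthenticated session reach the cert-protected area.
    return resumed is not None and not resumed.client_verified
```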

