httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Mon, 28 Sep 2009 17:53:51 GMT

--- Comment #39 from Joe Orton <> 2009-09-28 10:53:42 PDT ---
Let me restate my earlier comment: I think it must be true that either all the
calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
any of them is a security issue.  i.e. the proposed patch is either incomplete
or insecure.

I would presume it is insecure until proved otherwise.  The session id context
stuff is there to prevent a session in one security context (vhost, location
context) being resumed in a different one.  Note that the mod_ssl ACL hooks may
not occur after a session resumption since a client can initiate a
ChangeCipherSpec independently of what's happening in the app_data layer.

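A simplified model of the point made in the comment above, added here as an illustration and not code from mod_ssl, OpenSSL or the proposed patch: a server session cache that either binds each session to the context it was negotiated in, or does not. All class, function and context names are constructed for the example, and the model assumes the server runs no further access check after a resumption.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    sid_ctx: bytes         # security context the full handshake ran in
    client_verified: bool  # was a client certificate verified in that handshake?

class SessionCache:
    """Toy server-side session cache; check_sid_ctx toggles the context binding."""
    def __init__(self, check_sid_ctx):
        self.check_sid_ctx = check_sid_ctx
        self.store = {}

    def full_handshake(self, sid_ctx, require_cert, client_has_cert):
        """Return a new session id, or None if the handshake fails."""
        if require_cert and not client_has_cert:
            return None
        sid = secrets.token_bytes(32)
        self.store[sid] = Session(sid_ctx, require_cert)
        return sid

    def resume(self, sid, sid_ctx):
        """Return the cached session if it may be resumed in sid_ctx, else None."""
        sess = self.store.get(sid)
        if sess is None:
            return None
        if self.check_sid_ctx and sess.sid_ctx != sid_ctx:
            return None  # context mismatch: treated as a miss, full handshake needed
        return sess

PUBLIC, RESTRICTED = b"vhost-a:/public", b"vhost-a:/restricted"  # constructed names

def connect(cache, sid, sid_ctx, require_cert, client_has_cert):
    """Return (connected, client_verified) for one connection attempt."""
    sess = cache.resume(sid, sid_ctx) if sid else None
    if sess is not None:
        return True, sess.client_verified  # resumed: no certificate exchange happens
    new_sid = cache.full_handshake(sid_ctx, require_cert, client_has_cert)
    return new_sid is not None, new_sid is not None and require_cert

def certless_client_reaches_restricted(check_sid_ctx):
    """A client with no certificate opens a session in PUBLIC, then offers it in RESTRICTED."""
    cache = SessionCache(check_sid_ctx)
    sid = cache.full_handshake(PUBLIC, require_cert=False, client_has_cert=False)
    connected, _verified = connect(cache, sid, RESTRICTED, True, False)
    return connected
```

With the context check disabled, the session negotiated without a certificate resumes in the restricted context; with it enabled, the mismatch forces a full handshake, which the certificate-less client fails.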