From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Reply-To: "Apache HTTPD Bugs Notification List" <bugs@httpd.apache.org>
X-Bugzilla-Product: Apache httpd-2
X-Bugzilla-Component: mod_ssl
X-Bugzilla-Keywords: PatchAvailable
X-Bugzilla-Severity: blocker
X-Bugzilla-Priority: P1
X-Bugzilla-Status: NEW
X-Bugzilla-Who: jorton@redhat.com
X-Bugzilla-Assigned-To: bugs@httpd.apache.org
X-Bugzilla-URL: https://issues.apache.org/bugzilla/
Date: Mon, 28 Sep 2009 10:53:51 -0700 (PDT)
Message-Id: <20090928175351.7856F234C044@brutus.apache.org>

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #39 from Joe Orton 2009-09-28 10:53:42 PDT ---

Let me restate my earlier comment: I think it must be true that either all the calls to SSL_set_session_id_context in mod_ssl are unnecessary, or removing any of them is a security issue, i.e. the proposed patch is either incomplete or insecure. I would presume it is insecure until proved otherwise.

The session id context stuff is there to prevent a session in one security context (vhost, location context) being resumed in a different one.

Note that the mod_ssl ACL hooks may not occur after a session resumption, since a client can initiate a ChangeCipherSpec independently of what's happening in the app_data layer.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
You are receiving this mail because: You are the assignee for the bug.
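A simplified model of the session-id-context check the comment above refers to, added here as an illustration; it is not mod_ssl or OpenSSL code. The session cache, the `sid_ctx_for` derivation (a hash over the constructed vhost and location names) and all function names are assumptions. It contrasts a cache lookup that ignores the stored context (the risk described: a session negotiated without client verification gets resumed under a Directory that requires it) with one that refuses to resume across contexts, which is the property `SSL_set_session_id_context` exists to enforce.

```python
"""Model of TLS session resumption with and without a session-id-context check.

Added example, not mod_ssl/OpenSSL code. Names, cache layout and the
sid_ctx derivation are assumptions made for illustration.
"""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    session_id: bytes
    sid_ctx: bytes           # security context the full handshake ran under
    client_verified: bool    # was a client certificate verified in that handshake?


@dataclass
class SessionCache:
    """Server-side cache keyed by session id (constructed, in-memory)."""
    _store: Dict[bytes, Session] = field(default_factory=dict)

    def add(self, session: Session) -> None:
        self._store[session.session_id] = session

    def lookup(self, session_id: bytes, sid_ctx: bytes,
               enforce_context: bool = True) -> Optional[Session]:
        """Return the cached session, or None if it must not be resumed.

        With enforce_context=True a session created under a different
        context is treated as absent, so the client gets a full handshake
        (and with it, any client-cert verification that context demands).
        """
        session = self._store.get(session_id)
        if session is None:
            return None
        if enforce_context and session.sid_ctx != sid_ctx:
            return None
        return session


def sid_ctx_for(vhost: str, location: str) -> bytes:
    """Assumed derivation: one fixed-length id per (vhost, location) scope."""
    return hashlib.sha256(f"{vhost}|{location}".encode()).digest()


def full_handshake(cache: SessionCache, vhost: str, location: str,
                   verify_client: bool) -> Session:
    """Simulate a full handshake in the given scope and cache the result."""
    session = Session(os.urandom(32), sid_ctx_for(vhost, location), verify_client)
    cache.add(session)
    return session


def resume(cache: SessionCache, session_id: bytes, vhost: str, location: str,
           enforce_context: bool = True) -> Optional[Session]:
    """Simulate a client offering session_id to the given scope."""
    return cache.lookup(session_id, sid_ctx_for(vhost, location), enforce_context)


def demo() -> dict:
    cache = SessionCache()
    # Constructed scenario: the default location did not ask for a client cert.
    s = full_handshake(cache, "www.example.test", "/", verify_client=False)

    # Same session id offered to a Directory that requires a client cert.
    unchecked = resume(cache, s.session_id, "www.example.test", "/secure",
                       enforce_context=False)
    checked = resume(cache, s.session_id, "www.example.test", "/secure")
    same_ctx = resume(cache, s.session_id, "www.example.test", "/")

    return {
        "without_ctx_check_resumed": unchecked is not None,
        # The risk: the resumed session carries no client verification.
        "without_ctx_check_unverified_client": bool(unchecked) and not unchecked.client_verified,
        "with_ctx_check_resumed": checked is not None,
        "same_ctx_resumed": same_ctx is not None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the four outcomes; the context check turns the cross-scope resumption into a cache miss, which forces a full handshake in which the stricter scope's verification rules apply.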