httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Sun, 11 Oct 2009 15:24:25 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #40 from rm4dillo <rm4dillo@gmail.com> 2009-10-11 08:24:17 UTC ---
(In reply to comment #39)
> Let me restate my earlier comment: I think it must be true that either all the
> calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
> any of them is a security issue.  i.e. the proposed patch is either incomplete
> or insecure.
> 
> I would presume it is insecure until proved otherwise.  The session id context
> stuff is there to prevent a session in one security context (vhost, location
> context) being resumed in a different one.  Note that the mod_ssl ACL hooks may
> not occur after a session resumption since a client can initiate a
> ChangeCipherSpec independently of the what's happening in the app_data layer.

Hello, sorry for answering so late.

For the first part, maybe you're right and then we should use Mike's patch.
I don't have a deep knowledge of mod_ssl but I don't totally agree with you
about the ACL hooks issue as for a particular request we keep using the same
context as the context id is the request structure address and quick
renegotiation has nothing to do with this. In addition to this
"modssl_set_verify" is called in "ssl_hook_Access" so even if a resumption
happens the verification will still be done, so what's the security issue if a
ChangeCipherSpec happens?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message