httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use cache sessions
Date Wed, 16 Dec 2009 20:36:12 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #47 from Joe Orton <jorton@redhat.com> 2009-12-16 12:36:07 UTC ---
Nothing has changed in mod_ssl on this front.  It may be that the following
change in OpenSSL 0.9.8f is shaking problems out of the woodwork here:

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes).  Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set.  This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message