httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49277] New: Expose a variable to identify SSL Session renegotiated
Date Wed, 12 May 2010 13:54:15 GMT

           Summary: Expose a variable to identify SSL Session renegotiated
           Product: Apache httpd-2
           Version: 2.3-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl

With the new variable SSL_SESSION_RESUMED introduced in 2.3 (trunk), a basic
point is missing: whether an SSL_SESSION_ID is really new or is renegotiated, like:

Prior SSL_SESSION_ID | Current SSL_SESSION_ID | Status
-------------------- | ---------------------- | ------------
-                    | AAAAAAAAAAAA           | Initial
AAAAAAAAAAAA         | BBBBBBBBBBBB           | Renegotiated
BBBBBBBBBBBB         | CCCCCCCCCCCC           | Renegotiated
CCCCCCCCCCCC         | DDDDDDDDDDDD           | Renegotiated

This can be achieved, since the client sends this information in the SSL
Client Hello: on the initial connection it does not send an SSL_SESSION_ID
(Session ID length = 0), but on subsequent connections it sends the SessionID
in the Client Hello, until a renegotiation is forced by the server (because the
session is still valid for the client, but not for the server, due to
SSLSessionCacheTimeout), which creates a new SSL_SESSION_ID.

This can be very helpful in differentiating the first SSL_SESSION_ID from the
new renegotiated ones, for better logout control (so that a user cannot reuse
a token/smartcard plugged into the computer to gain access to the application
after clicking on logout).
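The Client Hello behaviour the report relies on, as an added example that is not part of the original bug report and not mod_ssl's code: a small parser that pulls the session_id out of a TLS ClientHello (length 0 on a fresh connection, a previously issued id on a resumption attempt), plus a toy server-side cache that models SSLSessionCacheTimeout by refusing expired ids and issuing new ones. Walking a sequence of connections through it reproduces the Prior/Current/Status columns of the table above. The ClientHello records, the timeout value and the connection times are constructed for the example; `SessionCache`, `classify` and `walk_sequence` are names chosen here, and the cache's expiry rule is an assumption, not a description of how mod_ssl's session cache is implemented.

```python
"""Extract the session_id from a TLS ClientHello and classify connections the
way the report's table does (Initial vs. a new id after the server dropped the
old session).  Example code written for this page; not httpd/mod_ssl code."""
import os
import struct


def build_client_hello(session_id: bytes) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with one cipher
    suite and no extensions.  Not captured traffic."""
    client_random = bytes(32)                     # zero random is fine for a parse test
    cipher_suites = b"\x00\x2f"                   # TLS_RSA_WITH_AES_128_CBC_SHA
    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id   # session_id_length + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                             # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def client_hello_session_id(record: bytes) -> bytes:
    """Return the session_id carried in a ClientHello record (b'' when the
    client sent Session ID length = 0).  Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello body")
    sid_len = body[34]                            # after client_version(2) + random(32)
    if sid_len > 32:
        raise ValueError("session_id longer than 32 bytes")
    sid = body[35:35 + sid_len]
    if len(sid) != sid_len:
        raise ValueError("truncated session_id")
    return sid


def is_well_formed_client_hello(record: bytes) -> bool:
    """Boolean wrapper around client_hello_session_id for callers that only
    want to reject junk without handling the exception."""
    try:
        client_hello_session_id(record)
        return True
    except ValueError:
        return False


class SessionCache:
    """Toy server-side session cache (assumption for this example): a resumption
    attempt is honoured only while the offered id is younger than the timeout,
    mimicking the effect of SSLSessionCacheTimeout; otherwise a full handshake
    runs and a fresh id is issued."""

    def __init__(self, timeout_seconds: int):
        self.timeout = timeout_seconds
        self.issued = {}                          # session_id -> time it was issued

    def handshake(self, client_hello: bytes, now: int):
        """Process one ClientHello at time `now`; return (session_id, resumed)."""
        offered = client_hello_session_id(client_hello)
        issued_at = self.issued.get(offered)
        if offered and issued_at is not None and now - issued_at <= self.timeout:
            return offered, True                  # cache hit: same id, abbreviated handshake
        new_id = os.urandom(32)                   # full handshake: server picks a new id
        self.issued.pop(offered, None)            # forget the stale/unknown id, if any
        self.issued[new_id] = now
        return new_id, False


def classify(prior_session_id, current_session_id) -> str:
    """Status column of the report's table.  No prior id: Initial.  Same id as
    before: Resumed (what SSL_SESSION_RESUMED reports).  Different id: the server
    issued a new session, which the report calls Renegotiated."""
    if prior_session_id is None:
        return "Initial"
    if prior_session_id == current_session_id:
        return "Resumed"
    return "Renegotiated"


def walk_sequence(timeout: int = 300, times=(0, 100, 500, 900)):
    """Drive a client that always offers its last session id through the toy
    cache at the given (constructed) connection times; return table rows of
    (prior_id, current_id, status)."""
    cache = SessionCache(timeout)
    prior, current, rows = None, b"", []
    for t in times:
        current, _resumed = cache.handshake(build_client_hello(current), t)
        rows.append((prior, current, classify(prior, current)))
        prior = current
    return rows


if __name__ == "__main__":
    for prior, current, status in walk_sequence():
        print((prior or b"-")[:6].hex(), current[:6].hex(), status)
```

With the default timings the second connection arrives inside the timeout and is resumed under the same id, while the third and fourth arrive after the id has aged out and come back with new ids. Only that change of id between prior and current, not the value of SSL_SESSION_RESUMED on its own, tells the application that the client's previous session is gone, which is the distinction the report asks mod_ssl to expose.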
