httpd-dev mailing list archives

From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <madhusudan_mathiha...@hp.com>
Subject RE: [PATCH] fix session caching
Date Fri, 24 Aug 2001 22:19:54 GMT
Oops.. I forgot to put in the explanation itself :-)..

< From Geoff's mail >
< ... snip ... >
So, the fix is to change mod_ssl to force OpenSSL to ignore process
local-caching and to always get/set/delete sessions using mod_ssl's
callbacks.

The latest version of mod_ssl (2.8.4), at about line 604 of ssl_engine_init.c,
is where the cache options are set for OpenSSL when caching isn't completely
disabled. I.e.
<..snip..>

-----Original Message-----
From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
[mailto:madhusudan_mathihalli@hp.com]
Sent: Friday, August 24, 2001 3:09 PM
To: 'dev@httpd.apache.org'
Subject: [PATCH] fix session caching


Hi,
	The "possible security fix" that Geoff Thorpe had posted sometime
back on the modssl-users mailing list (I can provide more details if
required)..

Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.11
diff -u -r1.11 ssl_engine_init.c
--- ssl_engine_init.c   2001/08/24 04:08:04     1.11
+++ ssl_engine_init.c   2001/08/24 21:40:17
@@ -542,7 +542,8 @@
     if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
     else
-        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+        SSL_CTX_set_session_cache_mode(ctx,
+                SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP);
 
     /*
      *  Configure callbacks for SSL context
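
Review bot: the new SSL_SESS_CACHE_NO_INTERNAL_LOOKUP flag in the else branch needs a comment explaining why it is there, since the reason lives only in the mail thread. A short note above the call would do, saying that each server process has its own OpenSSL-internal cache and that resumption must go through mod_ssl's session cache callbacks so that expiry and deletion in the shared cache are honoured. The explanation quoted from Geoff's mail asks for get, set and delete to all bypass the process-local cache, while this flag only stops lookups; new sessions are still added to the internal cache in each process. Worth stating in the comment or commit message whether that is accepted, and confirming that the callbacks configured just below are registered on every path that reaches this branch, because with internal lookup off a missing get callback means no session is ever resumed.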
