From: "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)"
To: "'dev@httpd.apache.org'"
Subject: RE: [PATCH] fix session caching
Date: Fri, 24 Aug 2001 15:19:54 -0700
Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org

Oops.. I forgot to put in the explanation itself :-)..

< From Geoff's mail >
< ... snip ... >
So, the fix is to change mod_ssl to force OpenSSL to ignore process local-caching and to always get/set/delete sessions using mod_ssl's callbacks. The latest version of mod_ssl (2.8.4), at about line 604 of ssl_engine_init.c, is where the cache options are set for OpenSSL when caching isn't completely disabled. I.e.
<..snip..>

-----Original Message-----
From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) [mailto:madhusudan_mathihalli@hp.com]
Sent: Friday, August 24, 2001 3:09 PM
To: 'dev@httpd.apache.org'
Subject: [PATCH] fix session caching

Hi,
The "possible security fix" that Geoff Thorpe had posted sometime back on the modssl-users mailing list (I can provide more details if required)..

Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.11
diff -u -r1.11 ssl_engine_init.c
--- ssl_engine_init.c	2001/08/24 04:08:04	1.11
+++ ssl_engine_init.c	2001/08/24 21:40:17
@@ -542,7 +542,8 @@ if (mc->nSessionCacheMode == SSL_SCMODE_NONE) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); else - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); + SSL_CTX_set_session_cache_mode(ctx, + SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP); /* * Configure callbacks for SSL context
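Review bot: the new mode only bypasses OpenSSL's internal session lookup; it does not stop OpenSSL from still inserting every new session into its own per-process cache, so the goal stated in the covering mail ("ignore process local-caching") is only half met by `SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP`, and the get/new/remove callbacks configured in the block that follows must all remain wired so that resumption always consults mod_ssl's cache and invalidations reach it. Please add a comment above the `SSL_CTX_set_session_cache_mode(ctx, ...)` call saying why the lookup flag is required (every resumption attempt must go through mod_ssl's get-session callback rather than the OpenSSL-internal cache), and note that a flag disabling internal storage as well, where the OpenSSL version in use provides one, would be the complete fix.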