httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: [PATCH] Allow for internal OpenSSL Session Cache
Date Fri, 08 Jul 2005 15:10:50 GMT
On Tue, Jul 05, 2005 at 01:32:54PM -0400, Jim Jagielski wrote:
> I've run into this with some "broken" browsers. Basically, they
> require a non-null SessionID in the SSL transaction. If, for whatever
> reason, we disable the external SSL Session Cache, these
> browsers reports errors when connecting to the SSL vhost.
> This adds a new argument to SSLSessionCache which says "disable any
> external session cache, but use OpenSSL's internal one" which makes
> OpenSSL send the SessionID parameter again.

Is the session cache in this mode bounded in memory use, i.e. does it
handle session expiry properly?  The memory leaks in the shm* caches
that got fixed a while back were caused by the internal session cache
which was never getting purged and just grew in size indefinitely.

But, anyway, it's very well known that MSIE barfs if you turn off the 
SSL session cache, that's why you don't do that.  The question is 
begged... why were you turning off the session cache?

This seems a bit like a shot-yourself-in-the-foot situation.  Adding 
*more* config options as a response to people setting config options 
incorrectly in the first place doesn't seem very sensible to me.



View raw message