httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [PATCH] mod_ssl: improving session caching for SNI configurations
Date Wed, 04 Nov 2009 16:59:24 GMT
Ruediger Pluem wrote:
> I guess your current patch fails on trunk since myModConfig(s))->nSessionCacheMode
> is no longer present in trunk

Oops, you're right - my bad. I didn't compile trunk with that last
change applied, obviously. For trunk, it should be

    if ((myModConfig(s))->sesscache_mode != SSL_SESS_CACHE_OFF) {

instead.

>> 2) In the SNI callback, it adjusts OpenSSL's session id context - which
>> makes sure that the session can be properly resumed. (With the current
>> mod_ssl code, this context is always tied to the first vhost, possibly
>> resulting in incorrect resumption behavior.)
> 
> Can you please elaborate in more detail why this shouldn't be done when
> we have done renegotiations so far?

When ssl_hook_Access triggers a renegotiation, it sets the session id
context to a request-specific id, before calling SSL_renegotiate (to
limit session reuse to this specific request). If we would overwrite the
context during that renegotiation (when an SNI extension is encountered
and therefore the callback executed), then this coupling would get lost.

Kaspar
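
The coupling described in the reply above, as an added example that is not part of the original message or of mod_ssl: a simplified C model with no OpenSSL calls. The struct and function names, the sample vhosts and the per-connection renegotiation counter are assumptions made for illustration.

```c
/* Simplified model, not mod_ssl or OpenSSL code; every name below is hypothetical. */
#include <stdio.h>
#include <string.h>
#define CTX_LEN 32

struct vhost { const char *name; const char *sid_ctx; };
struct conn {
    char sid_ctx[CTX_LEN]; /* current session id context */
    int renegotiations;    /* renegotiations started on this connection */
};
/* Constructed sample vhosts; new connections start on the first one. */
static const struct vhost vhosts[] = {
    { "a.example", "ctx-a" }, { "b.example", "ctx-b" },
};
static void conn_init(struct conn *c) {
    memset(c, 0, sizeof *c);
    snprintf(c->sid_ctx, CTX_LEN, "%s", vhosts[0].sid_ctx);
}

/* Models what the message says ssl_hook_Access does before renegotiating. */
static void begin_request_renegotiation(struct conn *c, const char *request_id) {
    snprintf(c->sid_ctx, CTX_LEN, "req-%s", request_id);
    c->renegotiations++;
}

/* SNI callback: switch to the vhost's context on the initial handshake only. */
static int sni_callback(struct conn *c, const char *servername) {
    for (size_t i = 0; i < sizeof vhosts / sizeof vhosts[0]; i++) {
        if (strcmp(vhosts[i].name, servername) != 0) continue;
        if (c->renegotiations == 0)
            snprintf(c->sid_ctx, CTX_LEN, "%s", vhosts[i].sid_ctx);
        return 1;
    }
    return 0; /* unknown name: context left untouched */
}

/* A cached session resumes only under the context it was created with. */
static int can_resume(const struct conn *c, const char *session_ctx) {
    return strcmp(c->sid_ctx, session_ctx) == 0;
}

int main(void) {
    struct conn c;
    conn_init(&c);
    sni_callback(&c, "b.example");
    begin_request_renegotiation(&c, "42");
    sni_callback(&c, "b.example"); /* SNI seen again during renegotiation */
    printf("context after renegotiation: %s\n", c.sid_ctx);
    return 0;
}
```

Removing the `renegotiations == 0` guard makes the second callback reset the context to the vhost's value, so a session created during the renegotiation would no longer be limited to the request that triggered it.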
