httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ruediger Pluem <rpl...@apache.org>
Subject Re: [PATCH] mod_ssl: improving session caching for SNI configurations
Date Wed, 04 Nov 2009 17:16:00 GMT


On 11/04/2009 05:59 PM, Kaspar Brand wrote:
> Ruediger Pluem wrote:

>>> 2) In the SNI callback, it adjusts OpenSSL's session id context - which
>>> makes sure that the session can be properly resumed. (With the current
>>> mod_ssl code, this context is always tied to the first vhost, possibly
>>> resulting in incorrect resumption behavior.)
>> Can you please elaborate in more detail why this shouldn't be done when
>> we have done renegotiations so far?
> 
> When ssl_hook_Access triggers a renegotation, it sets the session id
> context to a request-specific id, before calling SSL_renegotiate (to
> limit session reuse to this specific request). If we would overwrite the
> context during that renegotation (when an SNI extension is encountered
> and therefore the callback executed), then this coupling would get lost.

Thanks for explaining. Makes sense.

I would like to see your comment on Steves comment regarding the usage of
SSL_CTX_set_tlsext_ticket_keys.

Regards

RĂ¼diger

Mime
View raw message