httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Marc Desperrier <>
Subject Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Date Tue, 17 Nov 2009 19:03:04 GMT
Rainer Jung wrote:
>  In the presence of the
> session ticket extension, session IDs observed on the server are no
> longer a good measurement for session reuse.

Nice remark, except it's not that, it's really broken. With "session 
tickets off" (confirmed by the absence of the session ticket extension 
in the client hello), it's still the same behaviour. Apache 
2.2.11/openssl 0.9.8i does not have session tickets enabled in my setup.

This being said :  The idea of using non-constant SSL session ID in the 
specification of the session ticket extension was really *bad*.

View raw message