On 11/04/2009 05:59 PM, Kaspar Brand wrote:
> Ruediger Pluem wrote:
>>> 2) In the SNI callback, it adjusts OpenSSL's session id context - which
>>> makes sure that the session can be properly resumed. (With the current
>>> mod_ssl code, this context is always tied to the first vhost, possibly
>>> resulting in incorrect resumption behavior.)
>> Can you please elaborate in more detail why this shouldn't be done when
>> we have done renegotiations so far?
>
> When ssl_hook_Access triggers a renegotiation, it sets the session id
> context to a request-specific id, before calling SSL_renegotiate (to
> limit session reuse to this specific request). If we would overwrite the
> context during that renegotiation (when an SNI extension is encountered
> and therefore the callback executed), then this coupling would get lost.
Thanks for explaining. Makes sense.
I would like to see your comment on Steve's comment regarding the usage of
SSL_CTX_set_tlsext_ticket_keys.
Regards
Rüdiger
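The coupling Kaspar describes, as an added model (not mod_ssl's or OpenSSL's code): a small struct stands in for the connection's session id context that a real implementation would set with SSL_set_session_id_context(); the "naive" callback shows how an unconditional overwrite during renegotiation loses the request-specific binding, and the guarded one keeps it. The reneg_in_progress flag and the "vhost:"/"req:" context formats are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SID_CTX_MAX 32

/* Stand-in for the per-connection state (constructed, not OpenSSL's SSL object). */
struct conn {
    char sid_ctx[SID_CTX_MAX];  /* what SSL_set_session_id_context() would hold */
    bool reneg_in_progress;     /* set by the access hook around SSL_renegotiate() */
};

/* Per-vhost session id context derived from the SNI server name (constructed). */
static void vhost_sid_ctx(const char *servername, char *out, size_t n) {
    snprintf(out, n, "vhost:%s", servername);
}

/* Naive SNI callback: always adopts the selected vhost's context.
 * During a renegotiation this clobbers the request-specific context. */
int sni_callback_naive(struct conn *c, const char *servername) {
    if (servername == NULL) return 0;
    vhost_sid_ctx(servername, c->sid_ctx, sizeof c->sid_ctx);
    return 1;
}

/* Guarded SNI callback: leaves the context alone while a renegotiation
 * triggered by the access hook is in progress, so resumption stays
 * limited to that one request. */
int sni_callback_guarded(struct conn *c, const char *servername) {
    if (servername == NULL) return 0;
    if (c->reneg_in_progress) return 1;  /* keep the request-specific context */
    vhost_sid_ctx(servername, c->sid_ctx, sizeof c->sid_ctx);
    return 1;
}

/* Access-hook path: bind resumption to this request, then renegotiate.
 * The handshake runs the SNI callback again, modelled by the direct call. */
void access_hook_renegotiate(struct conn *c, const char *request_id,
                             const char *servername,
                             int (*sni_cb)(struct conn *, const char *)) {
    snprintf(c->sid_ctx, sizeof c->sid_ctx, "req:%s", request_id);
    c->reneg_in_progress = true;
    sni_cb(c, servername);
    c->reneg_in_progress = false;
}
```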