From: Jean-Marc Desperrier
To: dev@httpd.apache.org
Date: Tue, 17 Nov 2009 20:03:04 +0100
Subject: Re: TLS renegotiation disabling : mod_ssl and OpenSSL 0.9.8l
Message-ID: <4B02F368.1050600@free.fr>
In-Reply-To: <4B01CC43.5050007@kippdata.de>
References: <4AF988B2.1000808@free.fr> <200911152253.05879.sf@sfritsch.de> <4B0144F7.5040908@free.fr> <4B01A630.7080007@free.fr> <4B01CC43.5050007@kippdata.de>

Rainer Jung wrote:
> In the presence of the session ticket extension, session IDs observed on
> the server are no longer a good measurement for session reuse.

Nice remark, except it's not that, it's really broken.

With "session tickets off" (confirmed by the absence of the session ticket extension in the client hello), it's still the same behaviour. Apache 2.2.11/openssl 0.9.8i does not have session tickets enabled in my setup.

This being said: the idea of using a non-constant SSL session ID in the specification of the session ticket extension was really *bad*.
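The check described in the message above (looking at the ClientHello to see whether the session_ticket extension is offered, and what session ID the client sends) as an added example; this is not code from the thread or from httpd/OpenSSL, and the ClientHello bytes it parses are constructed inline, not a real capture:

```python
import struct

SESSION_TICKET_EXT = 35  # extension type "session_ticket" (RFC 5077)

def build_client_hello(session_id: bytes, with_ticket_ext: bool) -> bytes:
    """Constructed minimal TLS 1.0 ClientHello record used as sample input."""
    body = b"\x03\x01" + b"\x11" * 32                   # client_version, random (dummy)
    body += bytes([len(session_id)]) + session_id       # session_id<0..32>
    body += b"\x00\x02\x00\x2f"                         # one cipher suite (0x002f)
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if with_ticket_ext:
        exts += struct.pack("!HH", SESSION_TICKET_EXT, 0)  # empty ticket = client wants one
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record: bytes) -> dict:
    """Extract session ID and extension list from a ClientHello handshake record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, client_version, random
    sid_len = record[pos]; pos += 1
    session_id = record[pos:pos + sid_len]; pos += sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = record[pos]; pos += 1 + cm_len
    ext_types = []
    if pos < len(record):              # extensions block is optional
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4 + elen
            ext_types.append(etype)
    return {
        "session_id": session_id.hex(),
        "resumes_by_id": sid_len > 0,
        "has_session_ticket_ext": SESSION_TICKET_EXT in ext_types,
        "extensions": ext_types,
    }

if __name__ == "__main__":
    # With the ticket extension present, a server-side session ID count says
    # little about reuse; without it, the session ID is the only resumption path.
    print(parse_client_hello(build_client_hello(b"\xaa" * 32, True)))
    print(parse_client_hello(build_client_hello(b"", False)))
```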