httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Pechkin <>
Subject [users@httpd] SSLVerifyClient in apache + openssl - 2
Date Fri, 17 Apr 2009 21:17:15 GMT

I've wrote here some days ago:

I've digged the issue:
Note from CHANGES of openssl 0.9.8f:
  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes).  Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set.  This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

If I disable strict in openssl's source (ssl_sess.c) apache starting work
again. Any comments?
If the issue you can contact me by email and I can test your patch.


View raw message