https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #39 from Joe Orton <[email protected]> 2009-09-28 10:53:42 PDT ---

Let me restate my earlier comment: I think it must be true that either all the calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing any of them is a security issue. i.e. the proposed patch is either incomplete or insecure. I would presume it is insecure until proved otherwise.

The session id context stuff is there to prevent a session in one security context (vhost, location context) being resumed in a different one. Note that the mod_ssl ACL hooks may not occur after a session resumption since a client can initiate a ChangeCipherSpec independently of what's happening in the app_data layer.
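An added illustration of the session id context check discussed in the comment above; it is not part of the original message and is not mod_ssl or OpenSSL code. It is a simplified model of a session cache, and the vhost names, the session id and the rule that the context is derived from the vhost name are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a server-side session cache; not OpenSSL or mod_ssl code. */
#define CTX_MAX 32

struct session {
    const char *id;                    /* session id (constructed sample) */
    unsigned char sid_ctx[CTX_MAX];    /* context active at the full handshake */
    size_t sid_ctx_len;
};

/* Assumption: the context is derived from the vhost name alone. */
static size_t vhost_ctx(const char *vhost, unsigned char out[CTX_MAX])
{
    size_t n = strlen(vhost);
    if (n > CTX_MAX) n = CTX_MAX;
    memcpy(out, vhost, n);
    return n;
}

/* 1 = resumption allowed, 0 = fall back to a full handshake. */
static int session_may_resume(const struct session *s, const char *offered_id,
                              const unsigned char *ctx, size_t ctx_len)
{
    if (strcmp(s->id, offered_id) != 0)
        return 0;                      /* not in the cache */
    if (s->sid_ctx_len != ctx_len || memcmp(s->sid_ctx, ctx, ctx_len) != 0)
        return 0;                      /* created in a different security context */
    return 1;
}

/* Session created on vhost `from`, offered again on vhost `to`.
 * per_vhost == 0 models all vhosts sharing one context value. */
static int resume_across(const char *from, const char *to, int per_vhost)
{
    struct session s = { "sess-0001", {0}, 0 };
    unsigned char cur[CTX_MAX];
    size_t cur_len;

    s.sid_ctx_len = vhost_ctx(per_vhost ? from : "shared", s.sid_ctx);
    cur_len = vhost_ctx(per_vhost ? to : "shared", cur);
    return session_may_resume(&s, "sess-0001", cur, cur_len);
}

int main(void)
{
    printf("shared context:    resumed=%d\n", resume_across("public.example", "admin.example", 0));
    printf("per-vhost context: resumed=%d\n", resume_across("public.example", "admin.example", 1));
    return 0;
}
```

With one shared context the cached session is accepted on the second vhost without a new handshake; with per-vhost contexts the mismatch forces a full handshake, which is the property the comment says the calls exist to preserve.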
