https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #40 from rm4dillo <[email protected]> 2009-10-11 08:24:17 UTC ---
(In reply to comment #39)
> Let me restate my earlier comment: I think it must be true that either all the
> calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
> any of them is a security issue.  i.e. the proposed patch is either incomplete
> or insecure.
> 
> I would presume it is insecure until proved otherwise.  The session id context
> stuff is there to prevent a session in one security context (vhost, location
> context) being resumed in a different one.  Note that the mod_ssl ACL hooks may
> not occur after a session resumption since a client can initiate a
> ChangeCipherSpec independently of what's happening in the app_data layer.

Hello, sorry for answering so late.

For the first part, maybe you're right, and then we should use Mike's patch.
I don't have a deep knowledge of mod_ssl, but I don't totally agree with you
about the ACL hooks issue: for a particular request we keep using the same
context, as the context id is the request structure address, and quick
renegotiation has nothing to do with this. In addition to this,
"modssl_set_verify" is called in "ssl_hook_Access", so even if a resumption
happens the verification will still be done. So what's the security issue if a
ChangeCipherSpec happens?
