https://issues.apache.org/bugzilla/show_bug.cgi?id=47055
--- Comment #47 from Joe Orton <[email protected]> 2009-12-16 12:36:07 UTC ---

Nothing has changed in mod_ssl on this front. It may be that the following change in OpenSSL 0.9.8f is shaking problems out of the woodwork here:

  *) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes). Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set. This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]
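
The resumption rule in the quoted changelog entry, as an added example that is not part of the original comment and is neither OpenSSL nor mod_ssl code: a simplified C model of one session cache shared by two server contexts. All struct, function, context and cipher names are hypothetical, and the cache contents are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSL code; every name here is hypothetical. */
struct cached_session {
    const char *session_id; /* key in the shared external cache */
    const char *sid_ctx;    /* session ID context the session was created under */
    const char *cipher;     /* ciphersuite negotiated when it was created */
};
struct server_ctx {
    const char *sid_ctx;    /* this context's session ID context */
    bool verify_peer;       /* models SSL_VERIFY_PEER being set */
};

/* Constructed sample: one cache used by two differently configured contexts. */
static const struct cached_session shared_cache[] = {
    { "sess-01", "public-vhost", "WEAK-CIPHER" },
    { "sess-02", "admin-vhost",  "STRONG-CIPHER" },
};
const struct server_ctx admin_plain  = { "admin-vhost", false };
const struct server_ctx admin_verify = { "admin-vhost", true };

static const struct cached_session *cache_lookup(const char *id) {
    for (size_t i = 0; i < sizeof shared_cache / sizeof shared_cache[0]; i++)
        if (strcmp(shared_cache[i].session_id, id) == 0)
            return &shared_cache[i];
    return NULL;
}

/* Returns the cipher a resumed session would use, or NULL when resumption is
 * refused and a full handshake follows.
 * strict=false: a context mismatch is rejected only if verify_peer is set.
 * strict=true:  a context mismatch is always rejected (the 0.9.8f change). */
const char *try_resume(const struct server_ctx *srv, const char *id, bool strict) {
    const struct cached_session *s = cache_lookup(id);
    if (s == NULL)
        return NULL;
    bool same_ctx = strcmp(s->sid_ctx, srv->sid_ctx) == 0;
    if (!same_ctx && (strict || srv->verify_peer))
        return NULL;
    return s->cipher;
}

int main(void) {
    const char *before = try_resume(&admin_plain, "sess-01", false);
    const char *after = try_resume(&admin_plain, "sess-01", true);
    printf("old rule: %s\n", before ? before : "full handshake");
    printf("0.9.8f:   %s\n", after ? after : "full handshake");
    return 0;
}
```

Under the strict rule a server whose contexts share a cache but differ in session ID context sees more full handshakes, which is the kind of behaviour change the comment suggests may be surfacing.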
