https://issues.apache.org/bugzilla/show_bug.cgi?id=49277
Summary: Expose a variable to identify SSL Session renegotiated
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
With the new variable introduced in 2.3 (trunk), SSL_SESSION_RESUMED, a basic
point is missing: when an SSL_SESSION_ID is really new or is renegotiated, as
in:
Prior SSL_SESSION_ID | Current SSL_SESSION_ID | Status
-                    | AAAAAAAAAAAA           | Initial
AAAAAAAAAAAA         | BBBBBBBBBBBB           | Renegotiated
BBBBBBBBBBBB         | CCCCCCCCCCCC           | Renegotiated
CCCCCCCCCCCC         | DDDDDDDDDDDD           | Renegotiated
This can be achieved, since the client sends this information in the SSL
Client Hello: on the Initial connection it doesn't send an SSL_SESSION_ID
(Session ID length = 0), but on subsequent connections it sends the SessionID
in the Client Hello, until a renegotiation is forced by the server (since the
session is still valid for the client, but not for the server, because of
SSLSessionCacheTimeout), thereby creating a new SSL_SESSION_ID.
This can be very helpful in differentiating the first SSL_SESSION_ID from the
new renegotiated ones, for better logout control (to not allow a user to reuse
a token/smartcard plugged into the computer to gain access to the application
after the user clicks on logout).
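
Added example, not part of the original report and not mod_ssl code: the classification the report describes, reading the session ID offered in the Client Hello and comparing it with the session ID the server ends up with. It assumes the TLS 1.0-1.2 Client Hello layout and session-ID-based resumption; the function and enum names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names, not mod_ssl API. Labels follow the report's table;
 * RESUMED is the case SSL_SESSION_RESUMED already covers. */
enum sess_status { SESS_MALFORMED = -1, SESS_INITIAL, SESS_RESUMED, SESS_RENEGOTIATED };
#define SID_LEN_OFF (1 + 3 + 2 + 32) /* type, length, version, random */

/* hello: ClientHello handshake message, TLS 1.0-1.2 layout (assumed).
 * cur:   session ID the server holds for this connection after the handshake. */
enum sess_status classify_session(const unsigned char *hello, size_t hello_len,
                                  const unsigned char *cur, size_t cur_len)
{
    if (hello == NULL || hello_len <= SID_LEN_OFF || hello[0] != 0x01)
        return SESS_MALFORMED;               /* 0x01 = client_hello */
    size_t offered_len = hello[SID_LEN_OFF];
    if (offered_len > 32 || hello_len < SID_LEN_OFF + 1 + offered_len)
        return SESS_MALFORMED;               /* length byte overruns the buffer */
    if (offered_len == 0)
        return SESS_INITIAL;                 /* client offered no session ID */
    if (cur != NULL && offered_len == cur_len &&
        memcmp(hello + SID_LEN_OFF + 1, cur, cur_len) == 0)
        return SESS_RESUMED;                 /* server accepted the offered ID */
    return SESS_RENEGOTIATED;                /* offered ID refused, new ID issued */
}

/* Constructed sample input: a ClientHello truncated after session_id. */
enum sess_status classify_offered(const char *offered, const char *cur)
{
    unsigned char hello[SID_LEN_OFF + 1 + 32] = { 0x01 };
    size_t n = strlen(offered);
    if (n > 32)
        return SESS_MALFORMED;
    hello[3] = (unsigned char)(2 + 32 + 1 + n);  /* handshake body length */
    hello[4] = 0x03; hello[5] = 0x03;            /* client_version: TLS 1.2 */
    hello[SID_LEN_OFF] = (unsigned char)n;
    memcpy(hello + SID_LEN_OFF + 1, offered, n);
    return classify_session(hello, SID_LEN_OFF + 1 + n,
                            (const unsigned char *)cur, strlen(cur));
}

int main(void)
{
    printf("%d %d %d\n", classify_offered("", "AAAAAAAAAAAA"),
           classify_offered("AAAAAAAAAAAA", "AAAAAAAAAAAA"),
           classify_offered("AAAAAAAAAAAA", "BBBBBBBBBBBB"));
    return 0;
}
```

TLS 1.3 clients fill this field with a non-empty compatibility value, so the empty-ID test for "Initial" only holds for the older protocol versions assumed here.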