On 11/04/2009 05:59 PM, Kaspar Brand wrote:
> Ruediger Pluem wrote:
>>> 2) In the SNI callback, it adjusts OpenSSL's session id context - which
>>> makes sure that the session can be properly resumed. (With the current
>>> mod_ssl code, this context is always tied to the first vhost, possibly
>>> resulting in incorrect resumption behavior.)
>> Can you please elaborate in more detail why this shouldn't be done when
>> we have done renegotiations so far?
>
> When ssl_hook_Access triggers a renegotiation, it sets the session id
> context to a request-specific id, before calling SSL_renegotiate (to
> limit session reuse to this specific request). If we would overwrite the
> context during that renegotiation (when an SNI extension is encountered
> and therefore the callback executed), then this coupling would get lost.

Thanks for explaining. Makes sense. I would like to see your comment on Steve's comment regarding the usage of SSL_CTX_set_tlsext_ticket_keys.

Regards

Rüdiger