On 09.11.2009 23:28, Rainer Jung wrote:
> I did a first try on backporting the CVE-2009-3555 patch to 2.0:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x.patch
>
> I hadn't yet time for intensive testing, but first tests looked OK.
> I noticed I couldn't log the SSL_SESSION_ID, but maybe that was a
> Windows thing. Hadn't yet time and access to test on Unix resp. test on
> Windows without patch.

Testing looked good, client initiated reneg is not allowed, server side reneg worked. The previously observed missing SSL_SESSION_ID in the access logs was due to the client using TLS session ticket extension in combination with HTTP-Keepalive.

I'll add it to 2.0.x STATUS soon.

Regards,

Rainer
