[jira] [Reopened] (TS-3082) ATS does not bind sessions to SNI names.

James Peach (JIRA) Wed, 08 Oct 2014 15:49:40 -0700

     [ 
https://issues.apache.org/jira/browse/TS-3082?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


James Peach reopened TS-3082:
-----------------------------

This is not about session caching, it's about remapping. When a SSL session is 
bound to a SNI name, you should not be able to use that to send requests to a 
different Host.

> ATS does not bind sessions to SNI names.
> ----------------------------------------
>
>                 Key: TS-3082
>                 URL: https://issues.apache.org/jira/browse/TS-3082
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Alexey Ivanov
>            Assignee: Brian Geffon
>            Priority: Critical
>              Labels: security
>             Fix For: 5.2.0
>
>
> More information in paper:
> Virtual Host Confusion: Weaknesses and Exploits. Black Hat 2014 Report
> http://bh.ht.vc/vhost_confusion.pdf



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Reopened] (TS-3082) ATS does not bind sessions to SNI names.

Reply via email to