Brian Geffon created TS-3125:
--------------------------------

             Summary: SSL ctx is set to a constant allowing for potential inappropriate session reuse.
                 Key: TS-3125
                 URL: https://issues.apache.org/jira/browse/TS-3125
             Project: Traffic Server
          Issue Type: Bug
          Components: Core, SSL
            Reporter: Brian Geffon


We have the following chunk of code in TS:

{code}
    // XXX I really don't think that this is a good idea. We should be setting this at some finer granularity,
    // possibly per SSL CTX. httpd uses md5(host:port), which seems reasonable.
    session_id_context = 1;
    SSL_CTX_set_session_id_context(ctx, (const unsigned char *) &session_id_context, sizeof(session_id_context));
{code}

This is 100% broken and needs to be fixed. I believe [[email protected]] raised concerns about this in the past; after reading the OpenSSL documentation, this is completely broken.



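The following is an added example, not code from Traffic Server or OpenSSL. It is a simplified model of the check OpenSSL applies on resumption: a cached session is used only if its stored session id context matches that of the connection. The types and function names are hypothetical, and it assumes both contexts can see the same stored sessions. FNV-1a stands in for the md5(host:port) digest mentioned in the quoted comment.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_CTX_LEN 8

/* Hypothetical model types: one configured server context, one cached session. */
struct server_ctx { const char *host_port; unsigned char sid_ctx[SID_CTX_LEN]; };
struct session { unsigned char sid_ctx[SID_CTX_LEN]; };

/* The pattern from the issue: every context receives the same constant. */
static void set_constant_ctx(struct server_ctx *c) {
    int session_id_context = 1;
    memset(c->sid_ctx, 0, SID_CTX_LEN);
    memcpy(c->sid_ctx, &session_id_context, sizeof(session_id_context));
}

/* Per-context value derived from host:port. FNV-1a is a stand-in
 * (assumption) for a real digest such as md5(host:port). */
static void set_derived_ctx(struct server_ctx *c) {
    uint64_t h = 14695981039346656037ULL;
    for (const char *p = c->host_port; *p; p++) {
        h ^= (unsigned char)*p;
        h *= 1099511628211ULL;
    }
    memcpy(c->sid_ctx, &h, SID_CTX_LEN);
}

/* A new session records the context id of the context that created it. */
static struct session new_session(const struct server_ctx *c) {
    struct session s;
    memcpy(s.sid_ctx, c->sid_ctx, SID_CTX_LEN);
    return s;
}

/* Resumption check: a context mismatch is treated as a cache miss. */
static int can_resume(const struct server_ctx *c, const struct session *s) {
    return memcmp(c->sid_ctx, s->sid_ctx, SID_CTX_LEN) == 0;
}

/* Returns 1 if a session created under host a is accepted under host b. */
static int cross_resume(const char *a, const char *b, void (*setup)(struct server_ctx *)) {
    struct server_ctx ca = { a, {0} }, cb = { b, {0} };
    setup(&ca);
    setup(&cb);
    struct session s = new_session(&ca);
    return can_resume(&cb, &s);
}

int main(void) {
    /* Constructed sample hosts. */
    printf("constant: %d\n", cross_resume("a.example:443", "b.example:443", set_constant_ctx));
    printf("derived:  %d\n", cross_resume("a.example:443", "b.example:443", set_derived_ctx));
    return 0;
}
```

In real code the derived bytes would be passed to `SSL_CTX_set_session_id_context` for each `SSL_CTX`.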