[ https://issues.apache.org/jira/browse/TS-3125?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14167378#comment-14167378 ]
ASF subversion and git services commented on TS-3125:
-----------------------------------------------------
Commit 5146b1261c4a6258ac0aab7a7a6f1bb980cd76bc in trafficserver's branch
refs/heads/master from [~briang]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=5146b12 ]
TS-3080: We don't need to verify SNI names when properly setting the session
context (TS-3125)
> SSL ctx is set to a constant allowing for potential inappropriate session
> reuse.
> --------------------------------------------------------------------------------
>
> Key: TS-3125
> URL: https://issues.apache.org/jira/browse/TS-3125
> Project: Traffic Server
> Issue Type: Bug
> Components: Core, SSL
> Reporter: Brian Geffon
> Assignee: Brian Geffon
> Fix For: 5.2.0
>
> Attachments: ssl-session-ctx-id.patch
>
>
> We have the following chunk of code in TS:
> {code}
> // XXX I really don't think that this is a good idea. We should be setting this at some finer granularity,
> // possibly per SSL CTX. httpd uses md5(host:port), which seems reasonable.
> session_id_context = 1;
> SSL_CTX_set_session_id_context(ctx, (const unsigned char *)&session_id_context, sizeof(session_id_context));
> {code}
> This is 100% broken and needs to be fixed. I believe [[email protected]]
> raised concerns about this in the past; after reading the OpenSSL documentation,
> this is completely broken.
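One way to give each SSL_CTX its own session ID context, along the lines of the httpd `md5(host:port)` approach mentioned in the quoted code comment. This is an added example, not Traffic Server code and not the committed fix. The names `derive_sid_ctx`, `set_ctx_sid` and `USE_OPENSSL` are assumptions, and FNV-1a stands in for MD5 so that the derivation compiles without OpenSSL.

```c
/* Added example: per-context session ID context (not Traffic Server code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_CTX_LEN 32 /* same value as OpenSSL's SSL_MAX_SID_CTX_LENGTH */

/* FNV-1a 64-bit; the lane byte is mixed in first so four lanes fill 32 bytes. */
static uint64_t fnv1a64(const char *s, size_t n, uint8_t lane)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = (h ^ lane) * 0x100000001b3ULL;
    for (size_t i = 0; i < n; i++)
        h = (h ^ (uint8_t)s[i]) * 0x100000001b3ULL;
    return h;
}

/* Derive the ID from "host:port". Returns 0 on success, -1 on bad input. */
int derive_sid_ctx(const char *host, unsigned port, unsigned char out[SID_CTX_LEN])
{
    char key[300];
    int n;
    if (host == NULL || host[0] == '\0' || port == 0 || port > 65535)
        return -1;
    n = snprintf(key, sizeof(key), "%s:%u", host, port);
    if (n < 0 || (size_t)n >= sizeof(key))
        return -1; /* a truncated key could match another host's key */
    for (uint8_t lane = 0; lane < 4; lane++) {
        uint64_t h = fnv1a64(key, (size_t)n, lane);
        for (int b = 0; b < 8; b++)
            out[lane * 8 + b] = (unsigned char)(h >> (8 * b));
    }
    return 0;
}

#ifdef USE_OPENSSL /* build with: -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
/* Returns 1 on success, 0 on failure (OpenSSL's convention). */
int set_ctx_sid(SSL_CTX *ctx, const char *host, unsigned port)
{
    unsigned char id[SID_CTX_LEN];
    if (derive_sid_ctx(host, port, id) != 0)
        return 0;
    return SSL_CTX_set_session_id_context(ctx, id, sizeof(id));
}
#endif
```

A session cached under one context's ID is then rejected for resumption by a context configured for a different host or port, which the constant value `1` could not guarantee.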