mod_ssl's dbm session cache can be shared between virtual hosts (and I
think the example configuration does that). Question: Can this lead
to clients using the wrong session on one virtual host (thus possibly
bypassing client authorization, or using a session established with a
client certificate from a CA not accepted by the current server)?
If so (and that is my impression from reading the code, but I don't
have enough knowledge on the software's architecture), the manuals and
examples should contain appropriate warnings. Otherwise, the source
code should have comments saying why this can't happen.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
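
Added example, not part of the original post and not mod_ssl code: a small Python model of the concern raised above, in which one cache serves two virtual hosts and resumption either looks a session up by ID alone or also requires that the session was created on the same host. Host names, session IDs and field names are constructed; whether mod_ssl's dbm cache behaves like the unbound lookup is the open question of the post.

```python
# Model only: not mod_ssl or OpenSSL code. All names and values are constructed.
from dataclasses import dataclass
from typing import Optional

PUBLIC = "www.example.test"      # assumed vhost without client authentication
PRIVATE = "admin.example.test"   # assumed vhost that requires a client cert


@dataclass(frozen=True)
class Session:
    session_id: bytes
    vhost: str                   # virtual host that ran the full handshake
    client_ca: Optional[str]     # issuer of the verified client cert, if any
    expires: float


class SharedCache:
    """One session cache used by every virtual host."""

    def __init__(self) -> None:
        self._db = {}

    def store(self, s: Session) -> None:
        self._db[s.session_id] = s

    def resume_unbound(self, vhost: str, sid: bytes, now: float):
        # Lookup by session ID alone: where the session came from is ignored.
        s = self._db.get(sid)
        return s if s is not None and s.expires > now else None

    def resume_bound(self, vhost: str, sid: bytes, now: float):
        # Same lookup, but a session created on another vhost is rejected,
        # which forces a full handshake under this vhost's own policy.
        s = self.resume_unbound(vhost, sid, now)
        return s if s is not None and s.vhost == vhost else None


def demo():
    now = 1000.0
    cache = SharedCache()
    sid = b"\x01" * 32
    # Session negotiated on the public host; no client certificate was checked.
    cache.store(Session(sid, PUBLIC, None, now + 300))
    unbound = cache.resume_unbound(PRIVATE, sid, now)
    bound = cache.resume_bound(PRIVATE, sid, now)
    return unbound, bound


if __name__ == "__main__":
    print(demo())
```

In OpenSSL, the per-server binding modelled by `resume_bound` is what the session ID context set with `SSL_CTX_set_session_id_context` provides.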