On Thu, Mar 11, 1999, Bodo Moeller wrote:
> mod_ssl's dbm session cache can be shared between virtual hosts (and I
> think the example configuration does that). Question: Can this lead
> to clients using the wrong session on one virtual host (thus possibly
> bypassing client authorization, or using a session established with a
> client certificate from a CA not accepted by the current server)?
> If so (and that is my impression from reading the code, but I don't
> have enough knowledge on the software's architecture), the manuals and
> examples should contain appropriate warnings. Otherwise, the source
> code should have comments saying why this can't happen.
Hmmm.... interesting questions. I have to think about this topic and check the
code of OpenSSL and mod_ssl to be able to give a good answer. At least one
thing is true: the SSL layer doesn't have any knowledge of the HTTP layer. But
I still have no clue whether this (under your imagined situation) could actually
lead to security problems for the server. Does anybody already know more on
this topic and can give an answer?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
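The concern raised in this thread can be made concrete with a small model of a session cache. The following is an added illustration, not mod_ssl or OpenSSL code and not from either poster; every name in it (VirtualHost, Session, SharedCache, ScopedCache, the vhost names and CA names) is invented for the model. It shows why a cache keyed only by session id lets a session established under one virtual host's client-certificate policy be resumed under another's, and two mitigations a defender would want: scoping cache hits to the vhost that created the session (the effect of per-vhost session-id contexts or separate caches), and re-running the vhost's client-cert policy against the cached session at resumption time.

```python
"""Toy model of a TLS session cache shared between virtual hosts.

Added for illustration of the question raised in this thread; it is not
mod_ssl or OpenSSL code, and every name below (VirtualHost, Session,
SharedCache, ScopedCache) is invented for the model.
"""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass(frozen=True)
class VirtualHost:
    name: str
    accepted_client_cas: frozenset  # CA names whose client certs this vhost accepts
    require_client_cert: bool = False


@dataclass(frozen=True)
class Session:
    session_id: bytes
    client_ca: Optional[str]   # issuer of the client cert verified at the full handshake
    established_on: str        # name of the vhost that ran that handshake


class SharedCache:
    """One store keyed by session id only, like a single dbm file used by every vhost."""

    def __init__(self):
        self._store = {}

    def put(self, session):
        self._store[session.session_id] = session

    def get(self, session_id, vhost):
        # The lookup ignores which vhost is asking: this is the shared-cache behaviour.
        return self._store.get(session_id)


class ScopedCache(SharedCache):
    """Same store, but a hit is only returned to the vhost that created the session
    (the effect of giving each vhost its own session-id context or its own cache)."""

    def get(self, session_id, vhost):
        session = self._store.get(session_id)
        if session is None or session.established_on != vhost.name:
            return None
        return session


def full_handshake(vhost, cache, client_ca=None):
    """Run the vhost's client-certificate policy and, on success, cache the session.
    Returns the Session, or None if the policy rejects the client."""
    if vhost.require_client_cert and client_ca not in vhost.accepted_client_cas:
        return None
    session = Session(secrets.token_bytes(32), client_ca, vhost.name)
    cache.put(session)
    return session


def resume(vhost, cache, session_id, recheck_policy=False):
    """Attempt session resumption. Returns 'resumed', 'rejected', or 'full-handshake'
    (meaning the server must fall back to a full handshake, where the policy runs)."""
    session = cache.get(session_id, vhost)
    if session is None:
        return "full-handshake"
    if recheck_policy and vhost.require_client_cert \
            and session.client_ca not in vhost.accepted_client_cas:
        return "rejected"
    return "resumed"


def demo():
    # Constructed vhosts: same server instance, different client-cert policies.
    public = VirtualHost("public.example", frozenset({"CorpCA"}), require_client_cert=True)
    partner = VirtualHost("partner.example", frozenset({"PartnerCA"}), require_client_cert=True)
    results = {}
    for label, cache in (("shared", SharedCache()), ("scoped", ScopedCache())):
        # A client holding a CorpCA certificate does a full handshake on the public vhost...
        s = full_handshake(public, cache, client_ca="CorpCA")
        assert s is not None
        # ...then presents the same session id to the partner vhost, which accepts only PartnerCA.
        results[label] = resume(partner, cache, s.session_id)
        results[label + "+recheck"] = resume(partner, cache, s.session_id, recheck_policy=True)
    # A direct full handshake on the partner vhost with a CorpCA cert is refused either way.
    results["direct-refused"] = full_handshake(partner, SharedCache(), client_ca="CorpCA") is None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

With the shared cache the partner vhost reports `resumed` even though its own policy would have refused the client at a full handshake; with the scoped cache the lookup misses and the server falls back to a full handshake, where the policy runs and refuses the certificate. Re-checking the policy at resumption time catches the shared-cache case as well, which is why the two measures complement each other.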