On Wed, Aug 11, 1999, [EMAIL PROTECTED] wrote:
> > Our QA team noticed that a browser had connected to the server using a
> > particular cipher, the server was then configured to not allow that cipher,
> > the server was re-started, and the browser was able to resume its session
> > using the now dis-allowed cipher.

I tend to agree with David that it would be nice to keep it... couldn't
we just specify in a doc somewhere that if you change the cipher suite
to one more restrictive, you should nuke your session cache before
restarting the server? I tend to see this case as happening in an
exceedingly small number of server restarts, so this seems to make the
most sense to me. Thoughts?
-cliff
Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089
Pager: (540) 462-3472
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
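
The procedure suggested in the message above (clear the session cache when the cipher suite is changed, before the server starts again), as an added shell example that is not part of the original thread or of mod_ssl. It assumes the configuration uses the `SSLCipherSuite` directive and an `SSLSessionCache dbm:<path>` cache; the stamp file and every path in the demo are hypothetical, and it flushes on any cipher change rather than only on a more restrictive one.

```shell
# Added example (not mod_ssl code). Run while the server is stopped.

# Checksum of all SSLCipherSuite lines in config file $1, whitespace-normalised.
cipher_fingerprint() {
    grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" \
        | tr -s '[:space:]' ' ' | cksum | cut -d' ' -f1
}

# File path from the first "SSLSessionCache dbm:<path>" line in $1, if any.
session_cache_path() {
    grep -Ei '^[[:space:]]*SSLSessionCache[[:space:]]+dbm:' "$1" \
        | head -n 1 | sed 's/^[^:]*://; s/[[:space:]].*$//'
}

# $1 = config file, $2 = stamp file holding the last fingerprint (hypothetical).
# Returns 0 after flushing the cache, 1 when the cipher setting is unchanged.
flush_cache_if_ciphers_changed() {
    new=$(cipher_fingerprint "$1")
    old=$(cat "$2" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    cache=$(session_cache_path "$1")
    if [ -n "$cache" ]; then
        # The suffix depends on the DBM library in use; remove the common ones.
        rm -f -- "$cache" "$cache.dir" "$cache.pag" "$cache.db"
    fi
    printf '%s\n' "$new" > "$2"
    return 0
}

# Constructed demo in a temporary directory; all paths and values are made up.
demo() {
    d=$(mktemp -d)
    printf 'SSLSessionCache dbm:%s/scache\nSSLCipherSuite ALL\n' "$d" > "$d/httpd.conf"
    : > "$d/scache.dir"; : > "$d/scache.pag"      # stand-in cache files
    flush_cache_if_ciphers_changed "$d/httpd.conf" "$d/stamp" && echo "first start: flushed"
    : > "$d/scache.dir"                            # sessions cached again
    flush_cache_if_ciphers_changed "$d/httpd.conf" "$d/stamp" || echo "no change: kept"
    printf 'SSLSessionCache dbm:%s/scache\nSSLCipherSuite HIGH\n' "$d" > "$d/httpd.conf"
    flush_cache_if_ciphers_changed "$d/httpd.conf" "$d/stamp" && echo "ciphers changed: flushed"
    if [ -e "$d/scache.dir" ]; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}
demo
```

Because a missing stamp file counts as a change, the first run always flushes, which is the conservative choice when the previous cipher setting is unknown.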