Full_Name: Ryu Inada
Version: 2.4.9
OS: Solaris 7/Windows NT 4.0 SP5
Submission from: iijgw.fujixerox.co.jp (202.32.191.4)

In pkg.sslmod/ssl_engine_kernel.c, line 188, and pkg.sslmod/ssl_engine_ext.c, line 315, SSL_set_session_id_context() is called, but its return value is not checked.

OpenSSL 0.9.4's SSL_set_session_id_context() code restricts the session id context to 32 octets. And I think mod_ssl's session id context is currently generated from hostname + port number, like "foo.bar.foo2.bar2.com:443". If the hostname is longer than 28 octets, SSL_set_session_id_context() fails, and the session id context is not initialized. This makes Apache servers malfunction on SSL communication.

It must be fixed with something like

    SSL_set_session_id_context(ssl, hash(cpVHostID), HASH_VALUE_LEN);

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
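The failure and the proposed fix from the report above, as an added example that is not mod_ssl or OpenSSL code. The struct and all function names are hypothetical: set_sid_ctx() only models the 32-octet limit the report describes, and FNV-1a is a non-cryptographic stand-in for the report's hash(). Real code would call SSL_set_session_id_context() with a proper digest and check its return value the same way.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_CTX_MAX 32  /* the 32-octet limit the report cites */
#define SID_CTX_LEN 16  /* fixed length of the derived context (assumption) */

/* Hypothetical stand-in for the session id context held by one SSL object. */
struct sid_ctx { unsigned char data[SID_CTX_MAX]; size_t len; };

/* Models the length check: 1 on success, 0 (context untouched) if too long. */
static int set_sid_ctx(struct sid_ctx *c, const unsigned char *p, size_t n)
{
    if (n > SID_CTX_MAX)
        return 0;
    memcpy(c->data, p, n);
    c->len = n;
    return 1;
}

/* FNV-1a, 64-bit, seeded with h: stand-in for a real digest. */
static uint64_t fnv1a(const char *s, uint64_t h)
{
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    return h;
}

/* Map a vhost id of any length to exactly SID_CTX_LEN bytes. */
static void derive_sid_ctx(const char *vhost_id, unsigned char out[SID_CTX_LEN])
{
    uint64_t a = fnv1a(vhost_id, 0xcbf29ce484222325ULL);
    uint64_t b = fnv1a(vhost_id, a);  /* second pass seeded with the first */
    memcpy(out, &a, 8);
    memcpy(out + 8, &b, 8);
}

/* Returns 1 if the context was set; on 0 the caller must not go on to serve. */
static int init_sid_ctx(struct sid_ctx *c, const char *vhost_id, int use_hash)
{
    unsigned char d[SID_CTX_LEN];
    if (!use_hash)  /* behaviour the report describes: raw "host:port" */
        return set_sid_ctx(c, (const unsigned char *)vhost_id, strlen(vhost_id));
    derive_sid_ctx(vhost_id, d);
    return set_sid_ctx(c, d, sizeof d);
}

int main(void)
{
    struct sid_ctx c = {{0}, 0};
    const char *id = "a-rather-long-virtual-host-name.example.com:443"; /* constructed */
    printf("raw=%d hashed=%d\n", init_sid_ctx(&c, id, 0), init_sid_ctx(&c, id, 1));
    return 0;
}
```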
