
List:       apache-httpd-bugs
Subject:    DO NOT REPLY [Bug 47055] SSLVerifyClient + Directory doesn't use
From:       bugzilla () apache ! org
Date:       2009-09-28 17:53:51
Message-ID: 20090928175351.7856F234C044 () brutus ! apache ! org

https://issues.apache.org/bugzilla/show_bug.cgi?id=47055

--- Comment #39 from Joe Orton <jorton@redhat.com> 2009-09-28 10:53:42 PDT ---
Let me restate my earlier comment: I think it must be true that either all the
calls to SSL_set_session_id_context in mod_ssl are unnecessary, or, removing
any of them is a security issue.  i.e. the proposed patch is either incomplete
or insecure.

I would presume it is insecure until proved otherwise.  The session id context
stuff is there to prevent a session in one security context (vhost, location
context) being resumed in a different one.  Note that the mod_ssl ACL hooks may
not occur after a session resumption since a client can initiate a
ChangeCipherSpec independently of what's happening in the app_data layer.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
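The comment above argues that the session id context binds a cached TLS session to the security context (vhost, location) in which it was negotiated, and that a session resumed elsewhere skips the per-context access checks. The following toy model, added here as an illustration and not taken from mod_ssl, OpenSSL, or the bug's patch, shows that failure mode and the fix side by side: a server-side session cache that ignores the context lets a session negotiated on a vhost without client verification be resumed on a vhost that requires a client certificate, while a cache that checks the context refuses the resumption and forces a full handshake where the verification runs. All vhost names, session ids and the `SessionCache` class are constructed for the example.

```python
"""Toy model of TLS session resumption bound (or not) to a session id
context. Constructed illustration, not mod_ssl or OpenSSL code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    session_id: bytes
    id_context: bytes       # stands in for the value mod_ssl passes to SSL_set_session_id_context
    client_verified: bool   # whether a client certificate was verified at the full handshake


@dataclass
class VHost:
    name: str
    require_client_cert: bool   # models SSLVerifyClient require
    id_context: bytes           # per-vhost session id context (constructed)


class SessionCache:
    """Server-side session cache. With bind_context=False it mirrors the
    insecure behaviour: any cached session can be resumed in any context."""

    def __init__(self, bind_context: bool) -> None:
        self.bind_context = bind_context
        self._store: Dict[bytes, Session] = {}

    def store(self, sess: Session) -> None:
        self._store[sess.session_id] = sess

    def lookup(self, session_id: bytes, id_context: bytes) -> Optional[Session]:
        sess = self._store.get(session_id)
        if sess is None:
            return None
        if self.bind_context and sess.id_context != id_context:
            # Refuse resumption across security contexts; the peer must
            # perform a full handshake under the new context's rules.
            return None
        return sess


def full_handshake(vhost: VHost, cache: SessionCache, session_id: bytes,
                   client_presents_cert: bool) -> Tuple[str, bool]:
    """Run the access check (the model's stand-in for the mod_ssl ACL hook)
    and cache the resulting session. Returns (handshake kind, access granted)."""
    if vhost.require_client_cert and not client_presents_cert:
        return ("full", False)
    cache.store(Session(session_id, vhost.id_context, client_presents_cert))
    return ("full", True)


def connect(vhost: VHost, cache: SessionCache, session_id: bytes,
            client_presents_cert: bool) -> Tuple[str, bool]:
    """Attempt resumption first; on a resumed session no access check runs,
    which is exactly the property the comment above warns about."""
    sess = cache.lookup(session_id, vhost.id_context)
    if sess is not None:
        return ("resumed", True)
    return full_handshake(vhost, cache, session_id, client_presents_cert)


def scenario(bind_context: bool) -> Tuple[str, bool]:
    """Negotiate on a public vhost without a certificate, then try to reuse
    the same session on a vhost that requires one. Returns the second
    connection's (handshake kind, access granted)."""
    cache = SessionCache(bind_context)
    public = VHost("public.example", False, b"public.example:443")   # constructed
    admin = VHost("admin.example", True, b"admin.example:443")       # constructed
    session_id = bytes(range(32))                                    # constructed
    connect(public, cache, session_id, client_presents_cert=False)
    return connect(admin, cache, session_id, client_presents_cert=False)


if __name__ == "__main__":
    print("context ignored:", scenario(bind_context=False))  # resumed, access granted
    print("context bound:  ", scenario(bind_context=True))   # full handshake, denied
```

The model deliberately lets `connect` grant access on any resumed session, because that is the behaviour the comment describes: the ACL hooks belong to the full handshake, so the only place to stop a cross-context resumption is the cache lookup keyed by the session id context.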

