SSLVerifyClient in apache + openssl - 2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: SSLVerifyClient in apache + openssl - 2
From: Mike Pechkin <mike.pechkin@xxxxxxxxx>
Date: Sat, 18 Apr 2009 00:17:15 +0300
Reply-to: users@xxxxxxxxxxxxxxxx

hi,

I've wrote here some days ago:
http://marc.info/?l=apache-httpd-users&m=123979308812574&w=2

I've digged the issue:
Note from CHANGES of openssl 0.9.8f:
*) In the SSL/TLS server implementation, be strict about session ID
     context matching (which matters if an application uses a single
     external cache for different purposes). Previously,
     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
     set. This did ensure strict client verification, but meant that,
     with applications using a single external cache for quite
     different requirements, clients could circumvent ciphersuite
     restrictions for a given session ID context by starting a session
     in a different context.
     [Bodo Moeller]

If I disable strict in openssl's source (ssl_sess.c) apache starting work again. Any comments?
If the issue you can contact me by email and I can test your patch.

--mpech

Prev by Date: Re: load balancing with Apache for Tomcat workers
Next by Date: jmeter loading problem
Previous by thread: load balancing with Apache for Tomcat workers
Next by thread: jmeter loading problem
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]