
bugzilla at apache
May 9, 2008, 2:50 AM
[Bug 44961] New: SSL session resumption does not properly work with openssl > 0.9.8f
https://issues.apache.org/bugzilla/show_bug.cgi?id=44961

           Summary: SSL session resumption does not properly work with openssl > 0.9.8f
           Product: Apache httpd-2
           Version: 2.0-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs[at]httpd.apache.org
        ReportedBy: Hartmut.Keil[at]adnovum.ch

In the method 'int ssl_hook_Access(request_rec *r)' the session id context will be set again in case of a full renegotiation [1]. And since openssl/0.9.8f the context check of an SSL session has been restricted, see [2].

That has the effect that SSL session caching does not work if the SSL session has been established by a full renegotiation (unless a third-party SSL session cache is used that corrects the session id context).

I think the initial reason for changing the session id context was to avoid session resumption if a client cert is requested (SSL_VERIFY_PEER). But since the option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION has been introduced, that is no longer necessary.

So I would propose the following change:

--- 617,627 ----
                         "Performing full renegotiation: "
                         "complete handshake protocol");
+ #ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
            SSL_set_session_id_context(ssl, (unsigned char *)&id, sizeof(id));
+ #endif
            SSL_renegotiate(ssl);
            SSL_do_handshake(ssl);

[1] file ssl_engine_kernel.c line 620

    request_rec *id = r->main ? r->main : r;

    /* do a full renegotiation */
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                 "Performing full renegotiation: "
                 "complete handshake protocol");
    SSL_set_session_id_context(ssl, (unsigned char *)&id, sizeof(id));

[2] http://www.openssl.org/news/changelog.html

    Changes between 0.9.8e and 0.9.8f [11 Oct 2007]
    ...
    *) In the SSL/TLS server implementation, be strict about session ID
       context matching (which matters if an application uses a single
       external cache for different purposes). Previously, out-of-context
       reuse was forbidden only if SSL_VERIFY_PEER was set. This did ensure
       strict client verification, but meant that, with applications using
       a single external cache for quite different requirements, clients
       could circumvent ciphersuite restrictions for a given session ID
       context by starting a session in a different context.
       [Bodo Moeller]
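Review bot: the `#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION` guard around `SSL_set_session_id_context(ssl, (unsigned char *)&id, sizeof(id));` drops the old safeguard, but nothing in the hunk applies the new one: unless the option is already set on `ssl` somewhere else (for instance `SSL_set_options(ssl, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)` before `SSL_renegotiate(ssl);`), a renegotiation that was started to request a client certificate could once again be satisfied by resuming the earlier session, which is the very thing the per-request context was preventing; the patch should either set the option at this point or reference where it is set. Minor: with the macro defined, `request_rec *id = r->main ? r->main : r;` (shown in [1] just above the hunk) has no remaining use, so the declaration should move inside the same `#ifndef` to avoid an unused-variable warning.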
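The matching rule quoted from the OpenSSL changelog, and why a context derived from the current request_rec defeats it, as an added Python model (not httpd or OpenSSL code; the cache, the function names and the sample values are constructed for illustration):

```python
# Added model of the session-ID-context check this report describes; not
# httpd or OpenSSL code. Class and function names and the byte strings
# are invented for the model.
from dataclasses import dataclass

SSL_VERIFY_PEER = 0x01  # same meaning as the OpenSSL verify-mode flag


@dataclass(frozen=True)
class Session:
    session_id: bytes
    sid_ctx: bytes  # value given to SSL_set_session_id_context() when created


class SessionCache:
    """One shared cache keyed only by session ID, like an external cache."""

    def __init__(self, strict_ctx):
        # strict_ctx=False: before 0.9.8f, an out-of-context session is
        # refused only when SSL_VERIFY_PEER is set; True: 0.9.8f and later.
        self.strict_ctx = strict_ctx
        self._store = {}

    def store(self, sess):
        self._store[sess.session_id] = sess

    def resume(self, session_id, sid_ctx, verify_mode=0):
        """Return True if the server would accept resumption of session_id."""
        sess = self._store.get(session_id)
        if sess is None:
            return False
        if sess.sid_ctx != sid_ctx and (
            self.strict_ctx or verify_mode & SSL_VERIFY_PEER
        ):
            return False
        return True


def renegotiation_then_resume(cache, per_request_ctx, verify_mode=0):
    """Create a session during a full renegotiation, then resume it on a
    fresh connection. per_request_ctx=True mirrors the reported code, where
    the context is the address of the current request_rec and so differs
    from the server's default context that every new connection uses;
    False mirrors the proposal of leaving the default context untouched."""
    server_ctx = b"vhost-default-ctx"
    created_under = b"request_rec@0x1234" if per_request_ctx else server_ctx
    cache.store(Session(session_id=b"sid-42", sid_ctx=created_under))
    return cache.resume(b"sid-42", server_ctx, verify_mode)
```

With the pre-0.9.8f rule the per-request context only blocks resumption when SSL_VERIFY_PEER is set, which is the behaviour the report says the context change was meant to achieve; with the strict rule it blocks resumption of every session created during renegotiation.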