Ruediger Pluem wrote:
> I guess your current patch fails on trunk since
> myModConfig(s))->nSessionCacheMode
> is no longer present in trunk
Oops, you're right - my bad. I didn't compile trunk with that last
change applied, obviously. For trunk, it should be
if ((myModConfig(s))->sesscache_mode != SSL_SESS_CACHE_OFF) {
instead.
>> 2) In the SNI callback, it adjusts OpenSSL's session id context - which
>> makes sure that the session can be properly resumed. (With the current
>> mod_ssl code, this context is always tied to the first vhost, possibly
>> resulting in incorrect resumption behavior.)
>
> Can you please elaborate in more detail why this shouldn't be done when
> we have done renegotiations so far?
When ssl_hook_Access triggers a renegotiation, it sets the session id
context to a request-specific id, before calling SSL_renegotiate (to
limit session reuse to this specific request). If we would overwrite the
context during that renegotiation (when an SNI extension is encountered
and therefore the callback executed), then this coupling would get lost.
Kaspar