It seems I put an answer in the wrong place. The previous one was for the
"encryption server key...".
Sorry for the mix-up.
-----Original Message-----
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, March 11, 1999 12:05 PM
Subject: Re: Session Cache security
>On Thu, Mar 11, 1999, Bodo Moeller wrote:
>
>> mod_ssl's dbm session cache can be shared between virtual hosts (and I
>> think the example configuration does that). Question: Can this lead
>> to clients using the wrong session on one virtual host (thus possibly
>> bypassing client authorization, or using a session established with a
>> client certificate from a CA not accepted by the current server)?
>> If so (and that is my impression from reading the code, but I don't
>> have enough knowledge on the software's architecture), the manuals and
>> examples should contain appropriate warnings. Otherwise, the source
>> code should have comments saying why this can't happen.
>
>Hmmm.... interesting questions. I have to think about this topic and check the
>code of OpenSSL and mod_ssl to be able to give a good answer. At least one
>thing is true: The SSL layer doesn't have any knowledge of the HTTP layer. But
>I've still no clue whether this (under your imagined situation) could actually
>lead to security problems for the server. Does anybody already know more on
>this topic and can give an answer?
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
>______________________________________________________________________
>Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
>Official Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
>
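The situation Bodo Moeller asks about, as an added illustration that is not part of the original thread and not mod_ssl or OpenSSL code: a toy model of one session cache shared by several virtual hosts. The vhost names and the CA name are constructed. It contrasts a lookup by session ID alone with a lookup that also checks which vhost established the session, the idea OpenSSL exposes to applications as a per-context session ID context (SSL_CTX_set_session_id_context).

```python
from dataclasses import dataclass
from typing import Optional
import os

@dataclass
class VHost:
    name: str                     # constructed vhost names, see demo()
    require_client_cert: bool
    accepted_cas: frozenset       # CAs this vhost trusts for client certs

@dataclass
class Session:
    session_id: bytes
    created_on: str               # vhost that performed the full handshake
    client_ca: Optional[str]      # issuer of the client cert, if one was sent

class SharedSessionCache:
    """One cache shared by every vhost, keyed by session ID alone (as with a shared DBM file)."""
    def __init__(self):
        self.store = {}

    def full_handshake(self, vhost, client_ca):
        # The vhost's client-cert policy is enforced only here, on a full handshake.
        if vhost.require_client_cert and client_ca not in vhost.accepted_cas:
            raise PermissionError(f"{vhost.name}: client certificate rejected")
        s = Session(os.urandom(16), vhost.name, client_ca)
        self.store[s.session_id] = s
        return s

    def resume_unsafe(self, vhost, session_id):
        # Model of the risk raised in the thread: any cached session resumes on
        # any vhost, so a session set up without a client cert on one vhost
        # never meets the client-cert check of another.
        return session_id in self.store

    def resume_checked(self, vhost, session_id):
        # Mitigation: bind each session to the vhost that created it and refuse
        # resumption elsewhere, forcing a full handshake under the right policy.
        s = self.store.get(session_id)
        return s is not None and s.created_on == vhost.name

def demo():
    public = VHost("public.example", False, frozenset())
    internal = VHost("internal.example", True, frozenset({"CorpCA"}))
    cache = SharedSessionCache()
    anon = cache.full_handshake(public, None)      # anonymous client on public
    # The same client offers that session ID to the client-cert-only vhost.
    return (cache.resume_unsafe(internal, anon.session_id),
            cache.resume_checked(internal, anon.session_id))
```

demo() returns (True, False): the unchecked lookup resumes the anonymous session on the cert-only vhost, the checked lookup refuses it.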