On Thu, 11 Mar 1999, Ralf S. Engelschall wrote:

> > think the example configuration does that).  Question: Can this lead
> > to clients using the wrong session on one virtual host (thus possibly
> > bypassing client authorization, or using a session established with a
> > client certificate from a CA not accepted by the current server)?

> Hmmm.... interesting questions. I've to think about this topic and check the
> code of OpenSSL and mod_ssl to be able to give a good answer. At least one
> thing is true: The SSL layer doesn't have any knowledge of the HTTP layer. But
> I've still no clue whether this (under your imagined situation) could actually
> lead to security problems for the server. Does anybody already know more on
> this topic and can give an answer?

Yes, this can happen. But a hacker must write his own program. This is very
easy. If anybody needs that program I can write it. Solution: do not use a
cache, or each virtual server should have its own cache.
Sorry for my poor English.


Adas.
[EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
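
The failure mode discussed in this message and the per-virtual-host cache fix proposed in the reply, as a toy model. This is an added example, not part of the original post and not mod_ssl or OpenSSL code; the host names, the `Session` fields, both cache classes and the outcome labels are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Session:
    session_id: str
    vhost: str                  # virtual host that ran the full handshake
    client_ca: Optional[str]    # CA that issued the client cert, None if no cert

class SharedCache:
    """One cache for all virtual hosts, looked up by session id only."""
    def __init__(self) -> None:
        self._store: Dict[str, Session] = {}

    def put(self, s: Session) -> None:
        self._store[s.session_id] = s

    def resume(self, vhost: str, session_id: str) -> Optional[Session]:
        # The lookup ignores which virtual host the client is talking to.
        return self._store.get(session_id)

class PerVhostCache:
    """Each virtual host has its own cache: the key is (vhost, session id)."""
    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str], Session] = {}

    def put(self, s: Session) -> None:
        self._store[(s.vhost, s.session_id)] = s

    def resume(self, vhost: str, session_id: str) -> Optional[Session]:
        return self._store.get((vhost, session_id))

def handshake_outcome(cache, vhost, required_ca, session_id) -> str:
    """Model what happens when a client offers session_id to vhost."""
    s = cache.resume(vhost, session_id)
    if s is None:
        return "full-handshake"   # client certificate is requested and verified again
    if required_ca is not None and s.client_ca != required_ca:
        # Label for the reader: the session was resumed although it lacks
        # the certificate this virtual host requires.
        return "resumed-without-required-cert"
    return "resumed"

def demo(cache) -> str:
    # Constructed sample: a session set up on a host with no client-cert
    # requirement is offered to a host that requires a cert from "Internal CA".
    cache.put(Session("a1b2", "public.example", None))
    return handshake_outcome(cache, "admin.example", "Internal CA", "a1b2")
```
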
