On Fri, Mar 12, 1999, Adam Hernik wrote:

> On Thu, 11 Mar 1999, Ralf S. Engelschall wrote:
> 
> > > think the example configuration does that).  Question: Can this lead
> > > to clients using the wrong session on one virtual host (thus possibly
> > > bypassing client authorization, or using a session established with a
> > > client certificate from a CA not accepted by the current server)?
> 
> > Hmmm.... interesting questions. I have to think about this topic and check the
> > code of OpenSSL and mod_ssl to be able to give a good answer. At least one
> > thing is true: the SSL layer doesn't have any knowledge of the HTTP layer. But
> > I still have no clue whether this (under your imagined situation) could actually
> > lead to security problems for the server. Does anybody already know more on
> > this topic and can give an answer?
> 
> Yes, this can happen. But a hacker must write his own program. This is very
> easy. If anybody needs that program, I can write it. Solution: do not use the
> cache, or each virtual server should have its own cache.

When this is the case, then it gets hard for an OpenSSL application, because
AFAIK the in-core cache of OpenSSL (per server process) cannot be divided into
separate instances (for each virtual server) by the application. So, it seems
like OpenSSL has to support such separate caches. The application (like
mod_ssl) has no chance here unless the library supports it, I think.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
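The risk raised in the thread, modelled as an added example (constructed for this page, not mod_ssl or OpenSSL code): a session cache shared by all virtual hosts of one server process, first with the resumption check the thread assumes (is the session id known?) and then with the ownership check that separate per-vhost caches give you. The vhost names and the policy table are placeholders. OpenSSL's SSL_CTX_set_session_id_context() implements the same idea as the second cache class by tagging each cached session with a per-context identifier.

```python
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed virtual-host policy (placeholder names): which vhosts require a
# client certificate and which CAs they accept for it.
VHOSTS = {
    "public.example.test": {"client_auth": False, "accepted_cas": frozenset()},
    "secure.example.test": {"client_auth": True, "accepted_cas": frozenset({"Corp CA"})},
}


@dataclass(frozen=True)
class Session:
    session_id: bytes
    vhost: str                     # vhost that performed the full handshake
    client_cert_ca: Optional[str]  # issuer of the client cert, None if none was sent


class SharedSessionCache:
    """One in-core cache per server process, shared by every virtual host, as
    described in the thread.  Resumption only asks whether the id is known."""

    def __init__(self) -> None:
        self._store: Dict[bytes, Session] = {}

    def store(self, session: Session) -> None:
        self._store[session.session_id] = session

    def lookup(self, session_id: bytes, vhost: str) -> Optional[Session]:
        return self._store.get(session_id)  # the requesting vhost is ignored


class ContextCheckedSessionCache(SharedSessionCache):
    """Same shared store, but a session may only be resumed by the vhost that
    created it.  This is the effect of separate per-vhost caches (or of a
    per-context session-id context): a foreign session forces a full handshake."""

    def lookup(self, session_id: bytes, vhost: str) -> Optional[Session]:
        session = self._store.get(session_id)
        if session is None or session.vhost != vhost:
            return None
        return session


def full_handshake(cache: SharedSessionCache, vhost: str,
                   client_cert_ca: Optional[str]) -> Optional[Session]:
    """Full handshake on `vhost`: enforce its client-auth policy, then cache the
    new session.  Returns None when the handshake is rejected."""
    policy = VHOSTS[vhost]
    if policy["client_auth"] and client_cert_ca not in policy["accepted_cas"]:
        return None  # no client cert, or one from a CA this vhost does not accept
    session = Session(os.urandom(32), vhost, client_cert_ca)
    cache.store(session)
    return session


def handshake(cache: SharedSessionCache, vhost: str, offered_session_id: bytes,
              client_cert_ca: Optional[str] = None) -> Tuple[Optional[Session], bool]:
    """Try to resume `offered_session_id` on `vhost`, else fall back to a full
    handshake.  Returns (session, resumed).  A resumed session skips certificate
    verification entirely, which is exactly why the cache must check ownership."""
    session = cache.lookup(offered_session_id, vhost)
    if session is not None:
        return session, True
    return full_handshake(cache, vhost, client_cert_ca), False


def cross_vhost_resumption(cache_cls) -> Dict[str, bool]:
    """A client without a certificate establishes a session on the public
    vhost, then offers that session id to the client-auth vhost.  Reports
    whether the client-auth vhost resumed it and whether it accepted the client."""
    cache = cache_cls()
    public_session = full_handshake(cache, "public.example.test", None)
    session, resumed = handshake(cache, "secure.example.test", public_session.session_id)
    return {"resumed": resumed, "accepted": session is not None}


def same_vhost_resumption(cache_cls) -> bool:
    """Control case: a properly authenticated client resumes on the same vhost."""
    cache = cache_cls()
    session = full_handshake(cache, "secure.example.test", "Corp CA")
    _, resumed = handshake(cache, "secure.example.test", session.session_id)
    return resumed


if __name__ == "__main__":
    print("shared cache:   ", cross_vhost_resumption(SharedSessionCache))
    print("per-vhost check:", cross_vhost_resumption(ContextCheckedSessionCache))
```

With the shared cache the secure vhost resumes a session that never went through its client-certificate check, which is the authorization bypass the thread asks about; with the ownership check the resumption is refused and the full handshake then fails for lack of an acceptable certificate, while legitimate same-vhost resumption still works.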