Apache 2.x : Terminate SSL Session from own module ?
Hi all,

I try to terminate a session in my own module by setting the creation time and flushing the cache. Unfortunately, by the next request from the same client I get the same session again (actually it seems to take it from the cache (ignoring the openssl sessioncache attributes)).

Is there any way I can force mod_ssl to explicitly invalidate a session so it will get deleted from the cache as well?

The code I use is basically:

    r->connection->keepalive = -1;
    ssl_sess = SSL_get_session(ssl);
    ssl_ctx = SSL_get_SSL_CTX(ssl);
    SSL_CTX_remove_session(ssl_ctx, ssl_sess);
    SSL_SESSION_set_time(ssl_sess, 0);
    SSL_CTX_flush_sessions(ssl_ctx, time(0));
    ssl_sess->not_resumable = 1;

Anyone has a hint for me what I am doing wrong or what I additionally need to do to get rid of the session?

thanks
Serge

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List   modssl-users@modssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Phil Ehrens:
> I just checked a couple different versions and did not see that function.

I posted a question about this to the Apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!

Regards,
Per Olausson

Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Per Olausson wrote:
> Phil Ehrens:
> > I just checked a couple different versions and did not see that function.
>
> I posted a question about this to the Apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
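
Added example (not part of the original thread, and not code from mod_ssl or OpenSSL): the nm-and-grep check discussed above, extended to tell an undefined reference (the object imports the symbol) from a definition (the object contains it). The function name `classify_symbol` and the sample `nm -D` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a symbol appears in `nm` output read from stdin.
#   imported -> type U: referenced here, resolved from another library at load time
#   defined  -> any other type: the code or data lives in this object
#   absent   -> the symbol is not in the symbol table of this object
classify_symbol() {
    awk -v want="$1" '
        NF < 2 { next }                   # skip blank or malformed lines
        {
            name = $NF; type = $(NF - 1)
            sub(/@.*/, "", name)          # drop a symbol-version suffix such as @@VERS_1
            if (name != want) next
            if (type == "U") imported = 1; else defined = 1
        }
        END {
            if (defined) print "defined"
            else if (imported) print "imported"
            else print "absent"
        }'
}

# Constructed sample `nm -D` output (not taken from any real build).
SAMPLE_MODULE='                 U SSL_CTX_new
                 U SSL_get_session
0000000000012340 T ssl_hook_Access'
SAMPLE_LIBSSL='0000000000031a00 T SSL_get_session@@VERS_1
0000000000031b40 T SSL_get_shared_ciphers@@VERS_1'

for sym in SSL_get_session SSL_get_shared_ciphers; do
    printf '%-24s module=%s libssl=%s\n' "$sym" \
        "$(printf '%s\n' "$SAMPLE_MODULE" | classify_symbol "$sym")" \
        "$(printf '%s\n' "$SAMPLE_LIBSSL" | classify_symbol "$sym")"
done
```

On a real system, pipe in `nm -D` output for the module or server binary in question (the file to inspect depends on how the server was built). An `imported` result shows only that the object references the function, not whether any request path reaches it.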