Oops.. I forgot to put in the explaination itself :-).. < From Geoff's mail > < ... snip ... > So, the fix is to change mod_ssl to force OpenSSL to ignore process local-caching and to always get/set/delete sessions using mod_ssl's callbacks. The latest version of mod_ssl (2.8.4), at about line 604 of ssl_engine_init.c, is where the cache options are set for OpenSSL when caching isn't completely disabled. Ie. <..snip..> -----Original Message----- From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) [mailto:[EMAIL PROTECTED]] Sent: Friday, August 24, 2001 3:09 PM To: '[EMAIL PROTECTED]' Subject: [PATCH] fix session caching Hi, The "possible security fix" that Geoff Thorpe had posted sometime back on the modssl-users mailing list (I can provide more details if required).. Index: ssl_engine_init.c =================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v retrieving revision 1.11 diff -u -r1.11 ssl_engine_init.c --- ssl_engine_init.c 2001/08/24 04:08:04 1.11 +++ ssl_engine_init.c 2001/08/24 21:40:17 @@ -542,7 +542,8 @@ if (mc->nSessionCacheMode == SSL_SCMODE_NONE) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); else - SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); + SSL_CTX_set_session_cache_mode(ctx, + SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP); /* * Configure callbacks for SSL context
RE: [PATCH] fix session caching
MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) Fri, 24 Aug 2001 19:52:02 -0700
- [PATCH] fix session caching MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
- [PATCH] fix session caching MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)