RE: [PATCH] fix session caching

[MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)]

Oops.. I forgot to put in the explaination itself :-)..

< From Geoff's mail >
< ... snip ... >
So, the fix is to change mod_ssl to force OpenSSL to ignore process
local-caching and to always get/set/delete sessions using mod_ssl's
callbacks.

The latest version of mod_ssl (2.8.4), at about line 604 of
ssl_engine_init.c,
is where the cache options are set for OpenSSL when caching isn't completely
disabled. Ie.
<..snip..>

-----Original Message-----
From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
[mailto:[EMAIL PROTECTED]]
Sent: Friday, August 24, 2001 3:09 PM
To: '[EMAIL PROTECTED]'
Subject: [PATCH] fix session caching


Hi,
        The "possible security fix" that Geoff Thorpe had posted sometime
back on the modssl-users mailing list (I can provide more details if
required)..

Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.11
diff -u -r1.11 ssl_engine_init.c
--- ssl_engine_init.c   2001/08/24 04:08:04     1.11
+++ ssl_engine_init.c   2001/08/24 21:40:17
@@ -542,7 +542,8 @@
     if (mc->nSessionCacheMode == SSL_SCMODE_NONE)
         SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
     else
-        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
+        SSL_CTX_set_session_cache_mode(ctx,
+                SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP);
 
     /*
      *  Configure callbacks for SSL context