One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX
as well.
I think there is something masking this problem on other platforms, or I
have been building this in some weird and mysterious way you guys don't
do (highly unlikely I think).
Regards,
Per
Phil Ehrens wrote:
So what are the next steps...is this being highlighted as a risk anywhere?
I am surprised that this doesn't get onto the main security page if it
is a risk...how else would anyone find out about it and take
preventative measures?
Regards,
Per
Phil Ehrens wrote:
Interesting. Must be an Ap
I was asked to renew an SSL certificate on our server, running Apache
2.0.52/Unix. So prior to me touching anything, the SSL stuff was
working.
I did a new CSR, generated a new key, and installed a new cert.crt
with appropriate changes to httpd.conf (I put them in a new
directory).
The te
Hi all,
nevermind, i m using ssl_scache_remove() now, to invalidate the session,
thats working perfectly.
mod_ssl stores a copy of the session in the cache, so any changes to the
session object are lost when it gets retrieved from the cache again. i
also noticed the openssl cacheoperation ca