This is the "session context id too long" problem, which apparently has already been fixed by the mod_ssl folks. I'm fixing it temporarily by summarily truncating the name, since my understanding is that the key just needs to be unique and does not have to match the name of the website. mod_ssl has a more elegant solution using an MD5 hash. I'm requesting that you incorporate their current version of mod_ssl with Apache 2.0.35 or 2.0.36 or whatever, or please explain why it isn't there already. Thanks!
Apache 2.0.35 was already mostly up-to-date with respect to mod_ssl 2.8.8-1.3.24. Apache 2.0.36 will contain the remaining changes. Is the patch you refer to present in 2.8.8? If so, this should be fixed now in Apache 2.0.36. If not, where is this patch?
If I look at the source code for mod_ssl 2.8.8-1.3.24 it does look like the md5 change is in ssl_engine_kernel.c. This ssl_engine_kernel.c was last changed on March 27, 2002 which is over a month ago. So I'll accept your assertion that the fix will be in Apache 2.0.36. Thanks!
Can you give me a specific line number? I still can't find the change you're talking about in modssl 2.8.8 to be sure it's in Apache 2.0.36. Thanks!
AHA! Found it. And it's not in yet for some strange reason. Hmph. Okay, well, I'll get the change committed today and *hopefully* it will be in 2.0.36, but the schedule is pretty tight on that.
So apparently this is not NEW functionality in modssl 2.8.8, which is why I didn't find it before. It's functionality that was removed between Apache 2.0.33 and 2.0.34 as a "minor performance improvement", obviously unaware of this unintended side-effect. The following patch reverts to the MD5 behavior. That change has been reverted. Thanks for using Apache!
=================================================================== RCS file: /home/cvspublic/httpd-2.0/modules/ssl/mod_ssl.c,v retrieving revision 1.63 retrieving revision 1.64 diff -u -r1.63 -r1.64 --- httpd-2.0/modules/ssl/mod_ssl.c 2002/04/07 03:37:35 1.63 +++ httpd-2.0/modules/ssl/mod_ssl.c 2002/04/30 17:10:12 1.64 @@ -279,6 +279,7 @@ SSLSrvConfigRec *sc = mySrvConfig(c->base_server); SSL *ssl; SSLConnRec *sslconn = myConnConfig(c); + char *vhost_md5; modssl_ctx_t *mctx; /* @@ -334,12 +335,13 @@ return DECLINED; /* XXX */ } - if (!SSL_set_session_id_context(ssl, - (unsigned char *)sc->vhost_id, - sc->vhost_id_len)) + vhost_md5 = ap_md5_binary(c->pool, sc->vhost_id, sc->vhost_id_len); + + if (!SSL_set_session_id_context(ssl, (unsigned char *)vhost_md5, + MD5_DIGESTSIZE*2)) { ssl_log(c->base_server, SSL_LOG_ERROR|SSL_ADD_SSLERR, - "Unable to set session id context to `%s'", sc->vhost_id); + "Unable to set session id context to `%s'", vhost_md5); c->aborted = 1;
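Review bot: in the second hunk the ssl_log call now prints only vhost_md5, so an administrator who sees "Unable to set session id context" gets a digest string and cannot tell which virtual host failed; log sc->vhost_id as well as (or instead of) the digest. The same hunk calls ap_md5_binary on c->pool for every connection, although its inputs (sc->vhost_id, sc->vhost_id_len) are per-server values; computing the digest once and keeping it in the server config would avoid the per-connection cost that led to the earlier removal. The length argument MD5_DIGESTSIZE*2 silently assumes ap_md5_binary returns a hex string of exactly that length, which deserves a one-line comment next to the call.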
Well, at least I know what to do if it is not in 2.0.36. Thanks!
It got tagged in to 2.0.36 today, so it _will_ be a part of that release.
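Added example, not part of the original thread and not mod_ssl code: it compares the three ways of deriving the session id context discussed above (raw vhost id, truncation, MD5 hex digest) against OpenSSL's 32-byte limit on the context (`SSL_MAX_SID_CTX_LENGTH`). The vhost ids are constructed samples, and `hashlib.md5` stands in for `ap_md5_binary`.

```python
import hashlib

SSL_MAX_SID_CTX_LENGTH = 32  # OpenSSL rejects a longer session id context

# Constructed sample vhost ids (assumed "hostname:port" form), not from the thread.
VHOSTS = [
    b"www.example.com:443",
    b"customer-portal.internal.example.com:443",
    b"customer-portal.internal.example.com:8443",
]

def ctx_raw(vhost_id: bytes) -> bytes:
    """Pass the vhost id through unchanged (the behaviour that hit the limit)."""
    return vhost_id

def ctx_truncated(vhost_id: bytes) -> bytes:
    """Workaround from the first comment: cut the id to the maximum length."""
    return vhost_id[:SSL_MAX_SID_CTX_LENGTH]

def ctx_md5_hex(vhost_id: bytes) -> bytes:
    """Approach restored by the patch: 32 hex characters of MD5 over the id."""
    return hashlib.md5(vhost_id).hexdigest().encode("ascii")

def accepted(ctx: bytes) -> bool:
    """True when the context fits the OpenSSL length limit."""
    return len(ctx) <= SSL_MAX_SID_CTX_LENGTH

def collisions(vhost_ids, derive):
    """Return pairs of distinct vhost ids that end up with the same context."""
    seen, clashes = {}, []
    for vid in vhost_ids:
        ctx = derive(vid)
        if ctx in seen:
            clashes.append((seen[ctx], vid))
        else:
            seen[ctx] = vid
    return clashes

if __name__ == "__main__":
    for name, derive in [("raw", ctx_raw), ("truncated", ctx_truncated),
                         ("md5 hex", ctx_md5_hex)]:
        too_long = [v for v in VHOSTS if not accepted(derive(v))]
        print(f"{name:10} rejected={too_long} collisions={collisions(VHOSTS, derive)}")
```

Two vhosts that share a session id context can have a TLS session established on one resumed on the other, so the truncation workaround is only safe when every vhost id differs within its first 32 bytes.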