[TS-3125] SSL ctx is set to a constant allowing for potential inappropriate session reuse. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 5.2.0
Component/s: Core, SSL
Labels:
None

Description

We have the following chunk of code in TS

    // XXX I really don't think that this is a good idea. We should be setting this a some finer granularity,
    // possibly per SSL CTX. httpd uses md5(host:port), which seems reasonable.
    session_id_context = 1;
    SSL_CTX_set_session_id_context(ctx, (const unsigned char *) &session_id_context, sizeof(session_id_context));

This is 100% broken and needs to be fixed. I believe jpeach@apache.org raised concerns about this in the past, after reading OpenSSL documentation this is completely broken.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ssl-session-ctx-id.patch
09/Oct/14 23:54
3 kB
Brian Geffon

Activity

People

Assignee:: Brian Geffon

Reporter:: Brian Geffon

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 09/Oct/14 22:23

Updated:: 15/Oct/14 00:51

Resolved:: 10/Oct/14 20:01