Summary: Expose a variable to identify SSL Session renegotiated
Product: Apache httpd-2
Reporter: Klaubert <klaubert>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description Klaubert 2010-05-12 09:54:13 UTC
With the new variable introduced in 2.3 (trunk), SSL_SESSION_RESUMED, a basic point is missing: whether a SSL_SESSION_ID is really new or is renegotiated, like in

Prior SSL_SESSION_ID | Current SSL_SESSION_ID | Status
-                    | AAAAAAAAAAAA           | Initial
AAAAAAAAAAAA         | BBBBBBBBBBBB           | Renegotiated
BBBBBBBBBBBB         | CCCCCCCCCCCC           | Renegotiated
CCCCCCCCCCCC         | DDDDDDDDDDDD           | Renegotiated

This can be achieved, since the client sends this information in the SSL Client Hello: on the initial connection it doesn't send a SSL_SESSION_ID (Session ID length = 0), but on subsequent connections it sends the SessionID in the Client Hello, until a renegotiation is forced by the server (because the session is still valid for the client, but not for the server, due to SSLSessionCacheTimeout), this way creating a new SSL_SESSION_ID. This can be very helpful in differentiating the first SSL_SESSION_ID from the new renegotiated ones, for better logout control (to not allow a user to reuse a token/smartcard plugged into the computer to gain access to the application after the user clicks on logout).
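To make the state table in the report concrete, the following is an added Python model (not mod_ssl code and not the reporter's) of how a server classifies each handshake from the Session ID offered in the Client Hello against its own session cache, and how an application could use the prior/current pair for the logout control the report motivates. The names Server, SessionCache, replay and LogoutRegistry, the constructed Session IDs AAAAAAAAAAAA/BBBBBBBBBBBB/..., and the connection timestamps are assumptions made for illustration.

```python
# Added example, not mod_ssl code: a model of the Initial / Resumed /
# Renegotiated classification described in the bug report.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

INITIAL, RESUMED, RENEGOTIATED = "Initial", "Resumed", "Renegotiated"


@dataclass
class Handshake:
    prior_sid: Optional[str]  # Session ID offered in Client Hello, None if length 0
    current_sid: str          # Session ID the server settled on
    status: str               # Initial / Resumed / Renegotiated


class SessionCache:
    """Server-side session cache whose entries expire like SSLSessionCacheTimeout."""

    def __init__(self, timeout_s: int) -> None:
        self.timeout_s = timeout_s
        self._expiry: Dict[str, int] = {}

    def is_valid(self, sid: str, now: int) -> bool:
        exp = self._expiry.get(sid)
        if exp is None or now >= exp:
            self._expiry.pop(sid, None)  # expired: the server no longer accepts it
            return False
        return True

    def store(self, sid: str, now: int) -> None:
        self._expiry[sid] = now + self.timeout_s


class Server:
    def __init__(self, cache_timeout_s: int) -> None:
        self.cache = SessionCache(cache_timeout_s)
        self._counter = 0

    def _fresh_sid(self) -> str:
        # Constructed IDs (AAAAAAAAAAAA, BBBBBBBBBBBB, ...) to match the report's
        # table; a real server generates random Session IDs.
        self._counter += 1
        return chr(ord("A") + self._counter - 1) * 12

    def handshake(self, offered_sid: str, now: int) -> Handshake:
        if offered_sid == "":
            status, sid = INITIAL, self._fresh_sid()          # zero-length Session ID
        elif self.cache.is_valid(offered_sid, now):
            status, sid = RESUMED, offered_sid                # what SSL_SESSION_RESUMED flags
        else:
            status, sid = RENEGOTIATED, self._fresh_sid()     # stale on server, new ID issued
        self.cache.store(sid, now)
        return Handshake(offered_sid or None, sid, status)


def replay(connect_times: List[int], cache_timeout_s: int) -> List[Handshake]:
    """Replay one client's connections (constructed timestamps, in seconds)."""
    server = Server(cache_timeout_s)
    offered = ""  # first Client Hello carries a zero-length Session ID
    out: List[Handshake] = []
    for now in connect_times:
        hs = server.handshake(offered, now)
        out.append(hs)
        offered = hs.current_sid  # the client keeps offering its last Session ID
    return out


class LogoutRegistry:
    """Application-side logout control: once a TLS session is logged out, a
    resumption of it, or a renegotiated session that chains from it through
    the prior Session ID, is not honoured."""

    def __init__(self) -> None:
        self._logged_out: Set[str] = set()

    def mark_logged_out(self, sid: str) -> None:
        self._logged_out.add(sid)

    def is_blocked(self, hs: Handshake) -> bool:
        blocked = hs.current_sid in self._logged_out or hs.prior_sid in self._logged_out
        if blocked:
            self._logged_out.add(hs.current_sid)  # keep following the chain
        return blocked


if __name__ == "__main__":
    for hs in replay([0, 60, 400, 450, 800], cache_timeout_s=300):
        print(f"{hs.prior_sid or '-':<13} | {hs.current_sid:<13} | {hs.status}")
```

With a 300 s cache timeout and connections at t = 0, 60, 400, 450 and 800, the replay prints Initial, Resumed, Renegotiated, Resumed, Renegotiated: the third and fifth handshakes offer an ID the server has already expired, so a new one is issued even though the client still considered the old one valid, which is exactly the case the report wants exposed.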
Comment 1 Dennis Clarke 2014-03-26 22:05:05 UTC