KSSL session reuse bugs
Stefan Rompf
srompf at isg.de
Thu Oct 23 09:31:24 BST 2003
Hi,

> But didn't Stefan say that the sessions can be keyed to a host/port
> combination? In that case you don't need to send the session id around but
> you can just use the url to lookup the session id in kssld when doing the
> request.

We should not store the sessions KDE-wide. The solution you suggested would
give everybody who can type "dcop kded kssld" (and has some SSL knowledge)
the possibility to negotiate weak sessions and make applications use them.
That would open a gaping security hole.

So I think the scope of a session must be limited to the io-slave or the
application. For the current implementation, George decided for application,
IMHO the right choice.

Stefan
--
"doesn't work" is not a magic word to explain everything.
More information about the kde-core-devel mailing list