on Friday, October 24, 2008, 1:43:18 PM Hans wrote:
So, if you feel that this is something that needs to be addressed, can you provide us with a patch, either to the source code or to the documentation? A documentation patch could consist of a short summary of your security analysis and a description of how the concerned user can make the server more secure.
Hi.
My suggestion is in the patch attached. It introduces a new variable *session-secretizer* which is supposed to be set by the concerned user to some secret value. *session-secretizer* is used as a part of *session-secret*. If it is not set, *session-secret* is generated as before, but a WARN is issued.
Perhaps *session-secretizer* is a stupid name, but I was not able to contrive anything better, taking into account that *session-secret* is already busy.
Also attached is a small patch to cl+ssl in your repository that makes it compilable on sbcl win32.
Best regards, - Anton
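As an added illustration of the mechanism Anton describes (this is not his attached patch, which is not included in this message, nor the server's own code), the sketch below in Common Lisp mixes an operator-supplied *session-secretizer* into the session secret with SHA-256 and warns when it is unset. It assumes the ironclad library for hashing; the function names `random-octets`, `derive-session-secret` and `initialize-session-secret` are illustrative.

```lisp
;; Added illustration of the proposed *session-secretizer* mechanism.
;; Assumes ironclad is loaded, e.g. (ql:quickload "ironclad").
(defvar *session-secretizer* nil
  "Operator-supplied secret string. Set it to a long, unguessable value
before the server starts; it is mixed into *session-secret*.")

(defvar *session-secret* nil
  "Per-run secret used to sign session identifiers.")

(defun random-octets (n)
  "Return N octets drawn from a freshly seeded random state (illustrative helper)."
  (let ((state (make-random-state t))
        (octets (make-array n :element-type '(unsigned-byte 8))))
    (dotimes (i n octets)
      (setf (aref octets i) (random 256 state)))))

(defun derive-session-secret ()
  "Hash *session-secretizer* together with fresh random octets.
If no secretizer is configured, fall back to the random octets alone and
warn, because the secret then rests on the process's randomness only."
  (unless *session-secretizer*
    (warn "*session-secretizer* is not set; *session-secret* is derived from ~
           the random state only. Set it to a secret value."))
  (let* ((seed (random-octets 32))
         (user (if *session-secretizer*
                   (ironclad:ascii-string-to-byte-array *session-secretizer*)
                   (make-array 0 :element-type '(unsigned-byte 8))))
         (input (concatenate '(vector (unsigned-byte 8)) user seed)))
    (ironclad:byte-array-to-hex-string
     (ironclad:digest-sequence :sha256 input))))

(defun initialize-session-secret ()
  "Compute *session-secret*; call once at server start-up."
  (setf *session-secret* (derive-session-secret)))
```

Setting *session-secretizer* before calling `initialize-session-secret` means an attacker who can reproduce the process's random state still cannot reproduce *session-secret* without also knowing the operator's value.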