hi,
I've wrote here some days ago:
http://marc.info/?l=apache-httpd-users&m=123979308812574&w=2
I've digged the issue:
Note from CHANGES of openssl 0.9.8f:
*) In the SSL/TLS server implementation, be strict about session ID
context matching (which matters if an application uses a single
external cache for different purposes). Previously,
out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
set. This did ensure strict client verification, but meant that,
with applications using a single external cache for quite
different requirements, clients could circumvent ciphersuite
restrictions for a given session ID context by starting a session
in a different context.
[Bodo Moeller]
If I disable strict in openssl's source (ssl_sess.c) apache starting work
again. Any comments?
If the issue you can contact me by email and I can test your patch.
--mpech
