Unusable short session_id provided - Apache and openssl

So with the latest update for openssl (dev-libs/openssl-0.9.8f), I've been seeing the following in my error_log with SSL sites:

[Tue Oct 23 10:45:46 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 10:45:52 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:13 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:04:14 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:45:57 2007] [error] unusably short session_id provided (0 bytes)
[Tue Oct 23 11:58:26 2007] [error] unusably short session_id provided (0 bytes)

This is definitely a message from Apache related to SSL. In the ssl_scache_shmcb_kill() method in the Apache source code, you can see this chunk of code:

+    if (idlen < 4) {
+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "unusably short session_id provided "
+                "(%u bytes)", idlen);
+        goto done;
+    }
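Review bot: the `idlen < 4` branch logs at APLOG_ERR on every hit, so a zero-length ID (the only case in the log excerpt above) produces a stream of error-level entries for something the code simply skips via `goto done`. Consider logging the 0-byte case at a lower level such as APLOG_DEBUG and keeping APLOG_ERR for lengths 1 to 3. The threshold 4 is a bare literal; a named constant or a short comment stating why shorter IDs are unusable would help. The declaration of `idlen` is not visible here, so confirm it is an unsigned int to match the `%u` conversion.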

I've posted this on the Gentoo forum, but I'm just getting 'me too' posts. Does anybody know more about this? Does anybody know how to fix this?

Thanks!

This is a known problem in openssl-0.9.8f, and you can update to openssl-0.9.8g to fix it. Simply add it to your package.keywords/unmask, and make sure to revdep-rebuild when complete.

Links to more info can be found in your Gentoo forum post.

Michael S. Moody
Sr. Systems Engineer
Global Systems Consulting
Direct: (650) 265-4154
Web: http://www.GlobalSystemsConsulting.com