diff --git a/NEWS b/NEWS
index 69b01e64..747bcc15 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ NEWS
   * [stat-cache] FAM: fix use after free (CVE-2013-4560)
   * [stat-cache] fix FAM cleanup/fdevent handling
   * [core] check success of setuid,setgid,setgroups (CVE-2013-4559)
+  * [ssl] fix regression from CVE-2013-4508 (client-cert sessions were broken)
 - 1.4.33 - 2013-09-27
   * mod_fastcgi: fix mix up of "mode" => "authorizer" in other fastcgi configs (fixes #2465, thx peex)
diff --git a/src/network.c b/src/network.c
index 4b8f75f6..14f2ebdb 100644
--- a/src/network.c
+++ b/src/network.c
@@ -741,6 +741,14 @@ int network_init(server *srv) {
 			return -1;
 		}
+		/* completely useless identifier; required for client cert verification to work with sessions */
+		if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
+			log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
+					"failed to set session context",
+					ERR_error_string(ERR_get_error(), NULL));
+			return -1;
+		}
+
 		if (s->ssl_empty_fragments) {
 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
 			ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
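Review bot: The comment added above the SSL_CTX_set_session_id_context call ("completely useless identifier") misdescribes a value that OpenSSL treats as a security boundary: a stored session is only resumed when its session-id context matches the one set on the SSL_CTX, which is exactly why resumption with client-certificate verification fails when it is unset and why the call is required here rather than cosmetic. A comment that states the actual contract would serve the next maintainer better, e.g. `/* session-id context: OpenSSL requires it for session resumption with client-cert verification and only resumes sessions created under the same context; every SSL_CTX here uses the same fixed value */`. Because each SSL_CTX is given the identical literal "lighttpd", the sid_ctx itself does not separate sessions between contexts; presumably each SSL_CTX keeps its own session cache so this is acceptable, but that is worth confirming against how the SNI callback switches contexts. network_init begins and ends outside this hunk.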