Hello- I am trying on integrating OpenSSL into a POP3 daemon that I've been contributing to, and a security concern has come up that I hadn't considered but has me curios. Basically, as with most POP3 daemons, after authentication, the program forks an external process and does a setuid to the authenticated user's UID. This behavior is fairly ubiquitous in these types of daemons, as it helps the daemon deal with some other security issues.
However, with SSL it allows for the possibility that a user logged into the system could launch a debugger and hook into the fork()'d process, and view some of the cryptographic information. Would this expose the private key used during the key exchange to be seen by an unauthorized user? Is it possible that we could free the memory used to store the private key before the fork() and avoid this issue? I admit that I don't have enough knowledge of SSL/TLS to know whether the private key is used during renegotiation. I looked through the RFC (2246), and couldn't find a definitive answer (although, this could be because I started getting confused). Please excuse my ignorance, and any help you could give be would be much appreciated. Thanks. Ben ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
