On Sat, Feb 11, 2006, Steve Thompson wrote:
>
> A later phase can, in some circumstances, require that the server change
> its effective UID to that of user Y in order to be able to write into the
> file system in an area to which only Y has write access. Data written to
> the file system arrives on an SSL connection established before the UID
> was changed, but that data is partly read from the connection while the
> effective UID is that of user Y. The question: I am concerned that SSL
> might have recourse to access the original key and certificate files some
> time during this process, for example, if a renegotiation is requested by
> the client. This would of course not work since user Y cannot open these
> files. Is this a likely possibility, or is everything that SSL requires
> already in memory as a result of the initial context setup?
>
The files are opened, read and converted to structures *once* initially.
After that only the in-memory structures are accessed. The only case where
certificates or CRLs can be dynamically loaded is when you specify a
directory for the verify location.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
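A check that exercises the distinction drawn in the reply, added here as an example and not part of the original thread: it drives Python's OpenSSL-backed `ssl` module with deliberately unparsable placeholder files, so a source that errors at load time is read and parsed once and then held in memory (safe to load before the EUID change), while a source that is accepted without being read (a CApath-style directory) is consulted later, at verification time, and must stay readable for the new EUID. The function and file names are the example's own.

```python
import os
import ssl
import tempfile


def probe_load_time(workdir):
    """Map each credential source to "eager" (parsed once, then held in
    memory) or "deferred" (only recorded now, read again at verification)."""
    bogus = os.path.join(workdir, "not-a-pem.txt")  # constructed placeholder
    with open(bogus, "w") as f:
        f.write("constructed placeholder, not a certificate or key\n")
    ca_dir = os.path.join(workdir, "hashed-ca-dir")  # CApath-style directory
    os.mkdir(ca_dir)

    result = {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # ssl.SSLError is a subclass of OSError, so one clause covers both.
    try:
        ctx.load_cert_chain(certfile=bogus, keyfile=bogus)
        result["cert_chain"] = "deferred"
    except OSError:
        result["cert_chain"] = "eager"  # PEM parsed immediately
    try:
        ctx.load_verify_locations(cafile=bogus)
        result["cafile"] = "deferred"
    except OSError:
        result["cafile"] = "eager"  # CA file parsed immediately
    try:
        ctx.load_verify_locations(capath=ca_dir)
        result["capath"] = "deferred"  # directory only recorded, looked up later
    except OSError:
        result["capath"] = "eager"
    return result


def run_probe():
    """Run the probe in a throwaway directory and return its findings."""
    with tempfile.TemporaryDirectory() as workdir:
        return probe_load_time(workdir)


def context_for_privilege_drop(certfile, keyfile, cafile=None, drop_to_uid=None):
    """Startup order for a server that will change its effective UID later:
    load every file-backed credential first, then drop. No capath parameter,
    because a hashed directory is read lazily, i.e. after the drop."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)        # in memory from here on
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)  # likewise in memory
    if drop_to_uid is not None:
        os.seteuid(drop_to_uid)                   # only now is it safe to drop
    return ctx
```

`run_probe()` returns `{"cert_chain": "eager", "cafile": "eager", "capath": "deferred"}`; `context_for_privilege_drop` shows the ordering that keeps renegotiation working after the EUID change, since everything it loads is already in memory by the time `os.seteuid` runs.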