Hi, I am not clear about the condition under which the vulnerability applies when using the internal session caching mechanism. Is it the same thing as TLS session caching, or is this something different?

Thank you,
- Pandit

________________________________
From: David Schwartz <dav...@webmaster.com>
To: openssl-users@openssl.org
Cc: Nivedita Melinkeri <nivedita...@gmail.com>
Sent: Wed, November 17, 2010 4:15:36 AM
Subject: Re: Question regarding OpenSSL Security Advisory

On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:

> Hi,
> I had some questions about the latest security advisory. I understand
> that this applies to multi-threaded applications while using SSL sessions.

Correct.

> If the application is written thread-safe using the
> CRYPTO_set_locking_callback functions, will the vulnerability still apply?

If it didn't, it wouldn't be a vulnerability at all.

> If the SSL code calls the locking callback function before accessing the
> internal session cache, then the vulnerability should not
> apply to the above-mentioned applications.

Right, it shouldn't, but it does. That's what makes it a vulnerability. Code not working under conditions where it cannot be expected to work is not a vulnerability, it's simply misuse. This is a vulnerability because it affects applications that use the code correctly.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org