Thank you David and Nivedita. I think I got it.
-Pandit
________________________________
From: Nivedita Melinkeri <nivedita...@gmail.com>
To: Pandit Panburana <ppanb...@yahoo.com>
Cc: openssl-users@openssl.org
Sent: Thu, November 18, 2010 1:53:22 PM
Subject: Re: Question regarding OpenSSL Security Advisory
Hey Pandit,
>
Sorry for sending out the previous before it was complete. So here it
goes....
>From what I understand the vulnerability can apply if:
>
>1) Internal session caching is not disable - This means the session cache is
>mantained in SSL_CTX.
>2) Internal session cache Lookup is not disabled - This means that the ssl
>code
>will lookup the session cache on receiving ClientHello with valid session Id.
>3) Your application is designed such that you create a SSL_CTX and multiple
>threads can access it. In this case multiple threads could be accessing the
>same
>session object (from session cache). The function ssl_parse_clienthello_tlsext
>in t1_lib.c has unsynchronized access to members in session object which could
>cause the vulnerability.
>David/other experinced openssl users correct me if you think this
>understanding
>is incottect.
>
> Regards,
Nivedita
On Thu, Nov 18, 2010 at 7:26 AM, Pandit Panburana <ppanb...@yahoo.com> wrote:
>
>Hi,
>>
>>
>> I am not clear about the condition that vulnerability when using internal
>>session caching mechanism. Is it the same thing as TLS session caching or
>>this
>>is some thing different?
>>
>>
>>Thank you,
>>- Pandit
>>
>>
>>
________________________________
From: David Schwartz <dav...@webmaster.com>
>>To: openssl-users@openssl.org
>>Cc: Nivedita Melinkeri <nivedita...@gmail.com>
>>Sent: Wed, November 17, 2010 4:15:36 AM
>>Subject: Re: Question regarding OpenSSL Security Advisory
>>
>>
>>On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:
>>
>>> Hi,
>>> I had some questions about the latest security advisory. I understand
>>> that this applies to multi-threaded application while using ssl sessions.
>>
>>Correct.
>>
>>> If the application is written thread safe using
>>> CRYPTO_set_locking_callback functions will the vulnerability still apply ?
>>
>>If it didn't, it wouldn't be a vulnerability at all.
>>
>>> If the ssl code calls the locking callback function before accessing the
>>> internal session cache then the vulnerability should not
>>> apply to above mentioned applications.
>>
>>Right, it shouldn't, but it does. That's what makes it a vulnerability. Code
>>not
>>working under conditions where it cannot be expected to work is not a
>>vulnerability, it's simply misuse. This is a vulnerability because it affects
>>applications that use the code correctly.
>>
>>DS
>>
>>
>>______________________________________________________________________
>>OpenSSL Project http://www.openssl.org/
>>User Support Mailing List openssl-users@openssl.org
>>Automated List Manager majord...@openssl.org
>>
>>
>
