The openssl site shows they are up to openssl-0.9.8j and there is a
1.0.0-beta2 now. Unfortunately g, h, i and j haven't hit the
repositories I'm using yet.
A change that might help/change the problem:
rev H
*) Fix double free in TLS server name extensions which could lead to
a remote crash found by Codenomicon TLS test suite (CVE-2008-0891)
[Joe Orton]
I never saw any crashes though, just long hangs.
My thoughts (from too many years of debugging real-time interrupt code):
1) We are dealing with threads here so bad magic can happen during an
interrupt.
2) The exact bug producing behavior is different with each system
combination we've seen. So some random data / timing is involved.
3) Every time I've seen a bug like this there has been a pointer
to a moveable block or a discarded block of memory or the pointer was
changed during an interrupt.
4) The likelihood of the error being in openssl is pretty low as it is
heavily used and this bug would have shown up in other uses than ASSP's.
Just read through the Net::SSLeay documents and found this red flag
(just above Diagnostics):
"The high level API functions use a global file handle SSLCAT_S
internally. This really should not be a problem because there is no
way to interleave the high level API functions, unless you use threads
(but threads are not very well supported in perl anyway (as of version
5.6.1). However, you may run into problems if you call undocumented
internal functions in an interleaved fashion."
That may mean that Net::SSLeay is not thread safe. It certainly means
it hasn't been worked on in a long time.
Alan
_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test