On Tue, Jul 30, 2002 at 03:50:17PM +0300, Arne Ansper wrote:

>> These patches are known to apply correctly but have not been
>> thoroughly tested.

> As I understand it, OpenSSL will call abort() when it detects an attack
> against any hole in SSL.

Not quite. The attacks against known holes are shielded by proper error handling. The 'die()' lines that might call 'abort()' are essentially 'assert()' lines, and they are just for additional protection: There should be no way for an attacker to trigger an 'abort()', but if there is still some problem left, an 'abort()' is better than a buffer overflow.

(The reason that we are using 'abort()' now instead of generating an 'internal error' error message is that we wanted to release the fix as soon as possible.)

-- 
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
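
The two layers described in the reply above, as an added sketch that is not OpenSSL's code and not part of the original message: hostile input takes an ordinary error return, and an assert-style check guards the copy in case a caller's validation is ever wrong. The names `die`, `die_at`, `store_id`, `parse_id`, `struct session`, `MAX_ID_LEN` and the one-length-byte record format are all hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ID_LEN 32  /* hypothetical buffer size */

struct session { unsigned char id[MAX_ID_LEN]; size_t id_len; };

static void die_at(const char *file, int line, const char *expr)
{
    fprintf(stderr, "%s(%d): internal error, assertion failed: %s\n", file, line, expr);
    abort();
}

/* Assert-style backstop (hypothetical macro): always compiled in, aborts rather than corrupting memory. */
#define die(e) ((e) ? (void)0 : die_at(__FILE__, __LINE__, #e))

/* Inner copy routine: callers validate len first, so die() should be unreachable. */
static void store_id(struct session *s, const unsigned char *p, size_t len)
{
    die(len <= sizeof(s->id));
    memcpy(s->id, p, len);
    s->id_len = len;
}

/* Constructed record format: one length byte, then the ID bytes.
 * Returns 0 on success, -1 on a malformed record. */
int parse_id(struct session *s, const unsigned char *msg, size_t msg_len)
{
    size_t len;

    if (msg_len < 1)
        return -1;
    len = msg[0];
    if (len > MAX_ID_LEN || len > msg_len - 1)
        return -1;  /* hostile length: ordinary error return, no abort */
    store_id(s, msg + 1, len);
    return 0;
}

int main(void)
{
    struct session s;
    const unsigned char bad[] = { 200, 'x' };  /* constructed input */

    printf("oversized record -> %d\n", parse_id(&s, bad, sizeof bad));
    return 0;
}
```

If a later change removed the length check in `parse_id`, the `die()` in `store_id` would turn the resulting overflow into a process abort.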