On Thu, Aug 01, 2002 at 02:17:20AM -0400, Scott Gifford wrote:
> I've done some work on running SSL/TLS code as a separate process in a
> chroot jail as an unprivileged user, communicating with the daemon
> it's doing encryption for via UNIX domain sockets.  This approach
> massively mitigates the possible damages from the bugs discovered in
> the last day or two.
> 
> OpenSSL is good code, but it's over 200,000 lines.  It makes sense to
> isolate it from the special privileges daemons often have.
> 
> The work I've done is with stunnel.  See:
> 
>     http://www.suspectclass.com/~sgifford/stunnel/
>     http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
>     http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch
> 
> for the patch to stunnel (and some related patches; I'll be happy to
> split out just the paranoia patch if anybody wants it without the
> others), and the various README files in:
> 
>     http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/

...

We add URIs of applications and add-ons to our web-pages in the "Related"
section. Please propose an entry if you want a link to be added.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
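
The privilege-separation design Scott describes in the quoted message (TLS engine in a chrooted, unprivileged child; daemon talks to it over a UNIX domain socket), as an added illustration in C that is not code from stunnel, his patches or OpenSSL. It assumes uid/gid 65534 for the jailed worker and a fresh empty /tmp directory as the chroot; the worker only upper-cases data in place of doing real TLS, so the point is the confinement and the socket boundary, not the crypto.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#define JAIL_ID 65534   /* assumption: unprivileged "nobody" uid and gid */

/* Confine the worker: chroot into an empty dir, then drop root for good (only root can chroot). */
static int confine_worker(const char *jail) {
    if (geteuid() != 0) return 0;         /* already unprivileged: nothing left to drop */
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(JAIL_ID) != 0 || setuid(JAIL_ID) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;       /* regaining root must now fail */
}

/* Worker: stand-in for the TLS engine; it only ever sees its socket end, never the daemon's files. */
static void worker_loop(int fd) {
    char buf[256]; ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        if (write(fd, buf, (size_t)n) != n) break;
    }
}

/* Daemon side: socketpair, fork the confined worker, one request/reply. Returns reply length or -1. */
int run_request(const char *req, char *reply, size_t cap) {
    char jail[] = "/tmp/tlsjail.XXXXXX";   /* fresh empty dir used as the chroot */
    int sv[2]; pid_t pid;
    if (!mkdtemp(jail) || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {                         /* child: the sandboxed worker */
        close(sv[0]);
        if (confine_worker(jail) != 0) _exit(1);
        worker_loop(sv[1]);
        _exit(0);
    }
    close(sv[1]);                           /* parent keeps only its own end */
    size_t len = strlen(req);
    ssize_t n = write(sv[0], req, len) == (ssize_t)len ? read(sv[0], reply, cap - 1) : -1;
    close(sv[0]);                           /* EOF ends the worker loop */
    waitpid(pid, NULL, 0);
    rmdir(jail);
    if (n <= 0) return -1;                  /* 0 bytes back means the worker died */
    reply[n] = '\0';
    return (int)n;
}
```

A compromise of the worker leaves the attacker with an empty chroot, uid 65534 and one socket; the daemon's own privileges and files are never exposed to the code handling untrusted network input.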
