The problem with the OpenSSLDie() function is not that it is not being
exported.  The problem is that it calls abort() which terminates the
application that is using OpenSSL as a library.  This opens up a
wonderful denial of service attack.  That is what Arne Ansper started
to address with his patch.

> On Windows it can be fixed by adding the following in the code
> __declspec( dllexport ) before the OpenSSLDie function? I am not sure
> if it is safe?
> 
> [[EMAIL PROTECTED] - Thu Aug  1 16:14:14 2002]:
> 
> > On Tue, Jul 30, 2002 at 06:08:46PM +0300, Arne Ansper wrote:
> > 
> > > attached is a patch for openssl-0.9.6e that removes the usage of die.
> > > please review it carefully. all changes are localized but the action i
> > > take in some places where error reporting is not possible might be little
> > > bit wrong (i.e. in ssl2_generate_key_material(). this is void function, so
> > > i cannot indicate error).
> > 
> > Thanks for the patch.  For static functions, you can safely change
> > void into int so that you can indicate the errors properly.
> > 
> 



 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]               OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
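
Added example, not part of the original message and not OpenSSL code: a library-style function that reacts to a failed internal check with abort(), next to the same check with the void return changed to int so the caller can reject one session and keep running. All function names, the buffer size and the sample input are hypothetical; the aborting path is run in a forked child so its effect on the process can be observed.

```c
/* Added illustration; every name below is hypothetical, not OpenSSL's. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#define KEY_BUF_LEN 16

/* "Before": a void function cannot report failure, so it dies. */
static void derive_key_die(unsigned char *out, const unsigned char *in, size_t in_len)
{
    if (in_len > KEY_BUF_LEN)
        abort();                 /* terminates the whole host application */
    memcpy(out, in, in_len);
}

/* "After": same check, int return lets the caller see the error. */
static int derive_key_checked(unsigned char *out, const unsigned char *in, size_t in_len)
{
    if (in_len > KEY_BUF_LEN)
        return 0;                /* caller drops this session only */
    memcpy(out, in, in_len);
    return 1;
}

/* Handle one peer's input: 1 on success, 0 if the session was rejected. */
int handle_session(const unsigned char *in, size_t in_len, int use_die)
{
    unsigned char key[KEY_BUF_LEN];
    if (use_die) { derive_key_die(key, in, in_len); return 1; }
    return derive_key_checked(key, in, in_len);
}

/* Run handle_session in a child process. Returns the signal that killed
 * the child, 0 if it exited normally, -1 if fork/waitpid failed. */
int signal_from_session(const unsigned char *in, size_t in_len, int use_die)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(handle_session(in, in_len, use_die) ? 0 : 1);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    unsigned char big[64] = {0};     /* constructed oversized input */
    printf("die: signal %d, checked: signal %d\n", signal_from_session(big, sizeof big, 1), signal_from_session(big, sizeof big, 0));
    return 0;
}
```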
