Thank you David and Nivedita. I think I got it. -Pandit
________________________________ From: Nivedita Melinkeri <[email protected]> To: Pandit Panburana <[email protected]> Cc: [email protected] Sent: Thu, November 18, 2010 1:53:22 PM Subject: Re: Question regarding OpenSSL Security Advisory Hey Pandit, > Sorry for sending out the previous before it was complete. So here it goes.... >From what I understand the vulnerability can apply if: > >1) Internal session caching is not disable - This means the session cache is >mantained in SSL_CTX. >2) Internal session cache Lookup is not disabled - This means that the ssl >code >will lookup the session cache on receiving ClientHello with valid session Id. >3) Your application is designed such that you create a SSL_CTX and multiple >threads can access it. In this case multiple threads could be accessing the >same >session object (from session cache). The function ssl_parse_clienthello_tlsext >in t1_lib.c has unsynchronized access to members in session object which could >cause the vulnerability. >David/other experinced openssl users correct me if you think this >understanding >is incottect. > > Regards, Nivedita On Thu, Nov 18, 2010 at 7:26 AM, Pandit Panburana <[email protected]> wrote: > >Hi, >> >> >> I am not clear about the condition that vulnerability when using internal >>session caching mechanism. Is it the same thing as TLS session caching or >>this >>is some thing different? >> >> >>Thank you, >>- Pandit >> >> >> ________________________________ From: David Schwartz <[email protected]> >>To: [email protected] >>Cc: Nivedita Melinkeri <[email protected]> >>Sent: Wed, November 17, 2010 4:15:36 AM >>Subject: Re: Question regarding OpenSSL Security Advisory >> >> >>On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote: >> >>> Hi, >>> I had some questions about the latest security advisory. I understand >>> that this applies to multi-threaded application while using ssl sessions. >> >>Correct. >> >>> If the application is written thread safe using >>> CRYPTO_set_locking_callback functions will the vulnerability still apply ? >> >>If it didn't, it wouldn't be a vulnerability at all. >> >>> If the ssl code calls the locking callback function before accessing the >>> internal session cache then the vulnerability should not >>> apply to above mentioned applications. >> >>Right, it shouldn't, but it does. That's what makes it a vulnerability. Code >>not >>working under conditions where it cannot be expected to work is not a >>vulnerability, it's simply misuse. This is a vulnerability because it affects >>applications that use the code correctly. >> >>DS >> >> >>______________________________________________________________________ >>OpenSSL Project http://www.openssl.org/ >>User Support Mailing List [email protected] >>Automated List Manager [email protected] >> >> >
