On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:
> Hi,
> I had some questions about the latest security advisory. I understand
> that this applies to multi-threaded applications while using ssl sessions.

Correct.

> If the application is written thread safe using
> CRYPTO_set_locking_callback functions will the vulnerability still apply?

If it didn't, it wouldn't be a vulnerability at all.

> If the ssl code calls the locking callback function before accessing the
> internal session cache then the vulnerability should not
> apply to the above-mentioned applications.

Right, it shouldn't, but it does. That's what makes it a vulnerability.
Code not working under conditions where it cannot be expected to work is
not a vulnerability, it's simply misuse. This is a vulnerability because
it affects applications that use the code correctly.

DS
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org