Lutz Jaenicke <[EMAIL PROTECTED]> writes:
> OpenSSL version 0.9.6e released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> http://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of version
> 0.9.6e of our open source toolkit for SSL/TLS. This new OpenSSL version
> is a security and bugfix release and incorporates several changes to the
> toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).
>
> The most significant changes are:
>
> o Important security related bugfixes.
> o Various SSL/TLS library bugfixes.
I've done some work on running SSL/TLS code as a separate process in a chroot jail as an unprivileged user, communicating with the daemon it's doing encryption for via UNIX domain sockets. This approach massively mitigates the possible damage from the bugs discovered in the last day or two. OpenSSL is good code, but it's over 200,000 lines. It makes sense to isolate it from the special privileges daemons often have.

The work I've done is with stunnel. See:

  http://www.suspectclass.com/~sgifford/stunnel/
  http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
  http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch

for the patch to stunnel (and some related patches; I'll be happy to split out just the paranoia patch if anybody wants it without the others), and the various README files in:

  http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/

for some examples.

It currently works fine, has been tested with several SSL/TLS clients, and has been in production use at a client's site for about a month. The stuff that's there right now isn't really user-friendly, but hopefully these patches or something similar will get incorporated into stunnel sometime in the near future, and then things will get a little easier; if there's interest I can write up some more documentation.

Please send along any comments, questions, criticisms, etc. to me or to the list.

-----ScottG.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
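The arrangement Scott describes above, a privileged daemon that keeps its listening sockets and credentials while a separate worker runs the risky code as an unprivileged user inside a chroot jail, with a UNIX domain socket between the two, as an added example. This is not Scott's stunnel patch nor stunnel's own code, and it does not describe what the "openfd" patch does; it shows the generic shape of the design. Assumptions: Linux, an empty temporary directory serving as the jail, uid/gid 65534 ("nobody" on most Linux systems) for the worker, and a trivial frame-and-echo loop standing in where the TLS engine would sit. The daemon hands each accepted connection to the worker with SCM_RIGHTS, so the worker never needs the listening socket, the private key directory, or root. The ordering inside `drop_privileges` and the closing `setuid(0)` probe are the part a practitioner should copy: chroot before the uid change (chroot needs root), `chdir("/")` after it (or the cwd is outside the jail), `setgroups` before `setgid`/`setuid`, and a final check that root cannot be regained.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Space for one SCM_RIGHTS descriptor; the union keeps cmsghdr alignment. */
union cbuf { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Hand one descriptor over the channel. The single payload byte is required:
 * ancillary data cannot travel on its own. */
static int send_fd(int chan, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cbuf u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Returns the descriptor, or -1 on EOF (daemon closed the channel) or on a
 * message that does not carry exactly one SCM_RIGHTS descriptor. */
static int recv_fd(int chan)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union cbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) <= 0) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* chroot() first (needs root), then chdir("/") so the cwd is inside the jail;
 * setgroups() before setgid()/setuid() (both need root). The closing setuid(0)
 * probe must fail or the jail is worthless. Started without root there is
 * nothing to drop, so only the cwd is confined. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;            /* never a "jailed root" */
    if (geteuid() == 0) {
        if (chroot(jail) != 0 || chdir("/") != 0) return -1;
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    } else if (chdir(jail) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;
}

/* Stand-in for the TLS engine: frame and echo each handed-over connection
 * until the channel closes. Only this process ever touches client bytes. */
static void worker_loop(int chan)
{
    char in[128], out[160];
    for (int conn; (conn = recv_fd(chan)) >= 0; close(conn)) {
        ssize_t n = read(conn, in, sizeof in - 1);
        if (n <= 0) continue;
        in[n] = '\0';
        int len = snprintf(out, sizeof out, "handled:%s", in);
        if (write(conn, out, (size_t)len) != len) perror("write");
    }
}

/* Fork the worker, which drops privileges before reading any input.
 * The daemon keeps sv[0] as its command channel. */
static pid_t spawn_worker(const char *jail, uid_t uid, gid_t gid, int *chan)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        close(sv[0]);
        if (drop_privileges(jail, uid, gid) != 0) _exit(2);
        worker_loop(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    *chan = sv[0];
    return pid;
}

/* End to end: the daemon hands one connection to the jailed worker and reads
 * the answer. Assumed: an empty temp dir as jail, uid/gid 65534. Returns 0 only
 * if the reply is "handled:hello" and the worker exited cleanly on channel EOF. */
int demo_round_trip(void)
{
    char jail[] = "/tmp/tlsjail.XXXXXX", reply[160] = {0};
    int chan = -1, conn[2], status = 0, rc = -1;
    if (!mkdtemp(jail)) return -1;
    pid_t pid = spawn_worker(jail, 65534, 65534, &chan);
    if (pid > 0 && socketpair(AF_UNIX, SOCK_STREAM, 0, conn) == 0) {
        int sent = send_fd(chan, conn[1]);  /* conn[1]: the "accepted" client socket */
        close(conn[1]);                     /* the worker now owns the only copy */
        if (sent == 0 && write(conn[0], "hello", 5) == 5 &&
            read(conn[0], reply, sizeof reply - 1) > 0)
            rc = strcmp(reply, "handled:hello") == 0 ? 0 : -1;
        close(conn[0]);
    }
    if (pid > 0) {
        close(chan);                        /* EOF tells the worker to exit */
        waitpid(pid, &status, 0);
        if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) rc = -1;
    }
    rmdir(jail);
    return rc;
}
```

Run as root, the worker really is chrooted and re-uid'd before it sees its first byte; run as an ordinary user, the same code still passes the round trip because the daemon/worker split does not depend on the privilege drop succeeding, only on it being verified. A real deployment would also close every inherited descriptor except the channel in the child, and would give the worker a dedicated uid rather than sharing "nobody" with other services.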