Lutz Jaenicke <[EMAIL PROTECTED]> writes:

>   OpenSSL version 0.9.6e released
>   ===============================
> 
>   OpenSSL - The Open Source toolkit for SSL/TLS
>   http://www.openssl.org/
> 
>   The OpenSSL project team is pleased to announce the release of version
>   0.9.6e of our open source toolkit for SSL/TLS.  This new OpenSSL version
>   is a security and bugfix release and incorporates several changes to the
>   toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).
> 
>   The most significant changes are:
> 
>       o Important security related bugfixes.
>       o Various SSL/TLS library bugfixes.

I've done some work on running SSL/TLS code as a separate process in a
chroot jail as an unprivileged user, communicating with the daemon
it's doing encryption for via UNIX domain sockets.  This approach
massively mitigates the possible damages from the bugs discovered in
the last day or two.

OpenSSL is good code, but it's over 200,000 lines.  It makes sense to
isolate it from the special privileges daemons often have.

The work I've done is with stunnel.  See:

    http://www.suspectclass.com/~sgifford/stunnel/
    http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
    http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch

for the patch to stunnel (and some related patches; I'll be happy to
split out just the paranoia patch if anybody wants it without the
others), and the various README files in:

    http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/

for some examples.  It currently works fine, has been tested with
several SSL/TLS clients, and has been in production use at a client's
site for about a month.

The stuff that's there right now isn't really user-friendly, but
hopefully these patches or something similar will get incorporated
into stunnel sometime in the near future, and then things will get a
little easier; if there's an interest I can write up some more
documentation.

Please send along any comments, questions, criticisms, etc. to me or
to the list.

-----ScottG.
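The privilege-separation pattern described in the message above (the SSL/TLS work done in a forked process that chroots and drops to an unprivileged user, with the privileged daemon talking to it over a UNIX-domain socket) can be shown in a few dozen lines of C. The block below is an added illustration, not the poster's stunnel patch or any OpenSSL code. Because a real TLS session cannot be embedded here, the jailed worker runs a stand-in transform (it uppercases the request); the jail directory `/tmp/privsep-jail-example` and uid/gid 65534 are assumptions, and the chroot/setuid steps only happen when the process starts as root, otherwise they are skipped and the worker runs unconfined so the example still executes.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAXMSG 4096

/* Stand-in for the work the jailed process does. In the real design this is
   the SSL/TLS session handling; here it uppercases the request so the example
   runs offline. */
static size_t worker_transform(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t n = inlen < outlen ? inlen : outlen;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)toupper((unsigned char)in[i]);
    return n;
}

/* Confine the child: chroot into jail_dir, drop supplementary groups, switch
   to an unprivileged uid/gid, then verify root cannot be regained. Needs root;
   as an ordinary user the jail steps are skipped (returns 1). */
static int drop_privileges(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 1;
    if (chroot(jail_dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)            /* must fail, or the drop was not permanent */
        return -1;
    return 0;
}

/* Read from fd until EOF or the buffer is full; returns bytes read or -1. */
static ssize_t read_all(int fd, char *buf, size_t len)
{
    size_t total = 0;
    while (total < len) {
        ssize_t n = read(fd, buf + total, len - total);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    return (ssize_t)total;
}

/* Privileged side: fork a worker, hand it one request over a UNIX-domain
   socketpair, collect the reply. Returns the reply length, or -1 on failure
   (including a worker that could not confine itself). */
ssize_t run_jailed_request(const char *jail_dir, uid_t uid, gid_t gid,
                           const char *req, size_t reqlen,
                           char *reply, size_t replylen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }

    if (pid == 0) {                        /* child: the untrusted worker */
        close(sv[0]);
        if (drop_privileges(jail_dir, uid, gid) < 0)
            _exit(2);                      /* fail closed: never run unjailed as root */
        char in[MAXMSG], out[MAXMSG];
        ssize_t n = read_all(sv[1], in, sizeof in);
        if (n <= 0) _exit(3);
        size_t m = worker_transform(in, (size_t)n, out, sizeof out);
        if (write(sv[1], out, m) != (ssize_t)m) _exit(4);
        _exit(0);
    }

    close(sv[1]);                          /* parent: the privileged daemon */
    ssize_t rc = -1;
    if (write(sv[0], req, reqlen) == (ssize_t)reqlen) {
        shutdown(sv[0], SHUT_WR);          /* worker sees EOF after the request */
        rc = read_all(sv[0], reply, replylen);
    }
    close(sv[0]);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return rc;
}

/* One round trip with constructed input. The jail path and uid/gid 65534
   ("nobody" on many systems) are assumptions for this example. Returns 0 on
   success, -1 otherwise. */
int demo_roundtrip(void)
{
    const char *jail = "/tmp/privsep-jail-example";
    if (mkdir(jail, 0755) != 0 && errno != EEXIST)
        return -1;
    char reply[64];
    ssize_t n = run_jailed_request(jail, 65534, 65534, "hello tls", 9, reply, sizeof reply);
    if (n != 9 || memcmp(reply, "HELLO TLS", 9) != 0)
        return -1;
    return 0;
}
```

Calling `demo_roundtrip()` from a `main` exercises the whole exchange. The security-relevant detail is the order of operations in `drop_privileges`: chroot before setuid (a non-root process cannot chroot), supplementary groups cleared before the gid/uid change, and an explicit check that `setuid(0)` now fails, since a worker that silently kept root would defeat the point of the design. The parent treats any non-zero worker exit as a failure rather than trusting whatever came back over the socket.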
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]