Hi,

nCipher recently released a security advisory [1] about a problem in the CHIL library. The random cache of the library was not properly cleared, possibly resulting in non-unique random data in child processes using a certain library function.

We believe that OpenCA is NOT affected by the problem.

Rationale: The advisory states that single-process applications are not affected; the same holds true for applications that do not fork immediately after calling HWCryptoHook_RandomBytes(). OpenCA's nCipher HSM driver uses the CHIL (hwcrhk) library to interface with OpenSSL, but it does so using the OpenSSL command line binary, not via a custom binary that binds the hwcrhk library. In addition, OpenCA does not fork after calling the OpenSSL binary with the CHIL engine.

However, users who are using the defective driver software should upgrade according to nCipher's recommendations.

Please note that if you are also using the nCipher module with mod_ssl to store the web server private key in the HSM, the bug might affect web server security (NOT OpenCA), as stated in the advisory.

Martin Bartosch

[1] http://www.ncipher.com/support/advisories/advisory11.html

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
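The bug class behind the advisory (a userspace random-byte cache that is copied unchanged into the child by fork()) is easy to reproduce in miniature. The following is an added example, not code from the original post, from nCipher's CHIL library or from OpenCA: it is a constructed model in which /dev/urandom stands in for the HSM as the source that refills the cache, and `cache_random_bytes()` and `fork_duplicates()` are invented names. With `fork_safe == 0` the prefetched bytes are served to parent and child alike, which is the precondition the advisory describes (random bytes requested, then a fork); with `fork_safe != 0` the cache is discarded when the pid no longer matches the process that filled it, one generic mitigation and not a claim about how the vendor fix works.

```c
/* Constructed model of a fork-unsafe RNG cache (added example, not CHIL code).
 * /dev/urandom stands in for the HSM that refills the cache. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CACHE_SIZE 64   /* bytes fetched from the "HSM" per refill */
#define SAMPLE     16   /* bytes each process draws after the fork */

struct rng_cache {
    unsigned char buf[CACHE_SIZE];
    size_t avail;   /* unread bytes remaining in buf */
    pid_t owner;    /* pid of the process that filled buf */
};

/* Refill the cache from the backing source (hypothetical stand-in for the HSM). */
static int refill(struct rng_cache *c)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < CACHE_SIZE) {
        ssize_t r = read(fd, c->buf + got, CACHE_SIZE - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    c->avail = CACHE_SIZE;
    c->owner = getpid();
    return 0;
}

/* Serve n bytes from the cache, refilling when it runs dry.
 * fork_safe == 0 reproduces the bug: bytes prefetched before fork() go to
 * parent and child alike.  fork_safe != 0 discards a cache filled by another
 * pid, so a child must fetch fresh bytes from the source. */
int cache_random_bytes(struct rng_cache *c, int fork_safe, unsigned char *out, size_t n)
{
    if (fork_safe && c->owner != getpid())
        c->avail = 0;   /* inherited bytes: the parent still holds the same ones */
    while (n > 0) {
        size_t take;
        if (c->avail == 0 && refill(c) < 0) return -1;
        take = n < c->avail ? n : c->avail;
        memcpy(out, c->buf + (CACHE_SIZE - c->avail), take);
        c->avail -= take; out += take; n -= take;
    }
    return 0;
}

/* Warm the cache, fork, let parent and child each draw SAMPLE bytes, compare.
 * Returns 1 if both got identical bytes, 0 if they differed, -1 on error. */
int fork_duplicates(int fork_safe)
{
    struct rng_cache c;
    unsigned char warm[SAMPLE], parent_out[SAMPLE], child_out[SAMPLE];
    int pipefd[2], status = 0;
    ssize_t got = 0;
    pid_t pid;

    memset(&c, 0, sizeof c);
    /* Random bytes requested before the fork: the advisory's precondition. */
    if (cache_random_bytes(&c, fork_safe, warm, SAMPLE) < 0 || pipe(pipefd) < 0)
        return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {   /* child: draw bytes and ship them to the parent */
        close(pipefd[0]);
        if (cache_random_bytes(&c, fork_safe, child_out, SAMPLE) < 0 ||
            write(pipefd[1], child_out, SAMPLE) != SAMPLE)
            _exit(1);
        _exit(0);
    }
    close(pipefd[1]);
    while (got < SAMPLE) {
        ssize_t r = read(pipefd[0], child_out + got, SAMPLE - got);
        if (r <= 0) break;
        got += r;
    }
    close(pipefd[0]);
    waitpid(pid, &status, 0);
    if (got != SAMPLE || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    if (cache_random_bytes(&c, fork_safe, parent_out, SAMPLE) < 0) return -1;
    return memcmp(parent_out, child_out, SAMPLE) == 0 ? 1 : 0;
}

int main(void)
{
    printf("cache kept across fork:  duplicates=%d\n", fork_duplicates(0));
    printf("cache discarded on fork: duplicates=%d\n", fork_duplicates(1));
    return 0;
}
```

The pid comparison is the simplest check and is enough for this demonstration, but it is not airtight: pids are recycled, so a long-lived grandchild could in principle observe the original owner's pid again. A pthread_atfork() child handler that zeroes `avail` unconditionally avoids that corner case. Either way the point the advisory makes still holds: an application that never forks after drawing from the cache, as in OpenCA's use of the standalone OpenSSL binary, never reaches the vulnerable state.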
