On Thu, Aug 01, 2002 at 02:17:20AM -0400, Scott Gifford wrote:
> I've done some work on running SSL/TLS code as a separate process in a
> chroot jail as an unprivileged user, communicating with the daemon
> it's doing encryption for via UNIX domain sockets. This approach
> massively mitigates the possible damages from the bugs discovered in
> the last day or two.
>
> OpenSSL is good code, but it's over 200,000 lines. It makes sense to
> isolate it from the special privileges daemons often have.
>
> The work I've done is with stunnel. See:
>
> http://www.suspectclass.com/~sgifford/stunnel/
> http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
> http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch
>
> for the patch to stunnel (and some related patches; I'll be happy to
> split out just the paranoia patch if anybody wants it without the
> others), and the various README files in:
>
> http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/
...
We add URIs of applications and add-ons to our web pages in the "Related"
section. Please propose an entry if you want a link to be added.

Best regards,
    Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
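The layout Scott Gifford describes in the quoted message (crypto engine in a separate, chrooted, unprivileged process; the daemon talks to it over a UNIX domain socket) can be sketched in a few dozen lines. What follows is an added example written for this page, not Scott's stunnel patch and not OpenSSL code. It assumes: a socketpair() instead of a named UNIX socket, uid/gid 65534 as the unprivileged account, a throw-away temp directory as the jail, and HMAC-SHA256 standing in for the TLS engine so that it runs without OpenSSL. The key lives only in the worker; the parent ("daemon") sees only the MAC it asks for. If the worker starts as root and cannot complete the drop, it fails closed and reports an error instead of handling data half-sandboxed; when started unprivileged it skips chroot/setuid (they need root) and says so in its status record.

```python
"""Privilege-separated crypto worker (added example, not the stunnel patch).

Parent = privileged daemon.  Child = chrooted, unprivileged worker that holds
the key and does the crypto.  They exchange length-prefixed frames over a
UNIX socketpair.  HMAC-SHA256 stands in for TLS so this runs without OpenSSL.
"""
import hashlib
import hmac
import json
import os
import socket
import struct
import tempfile

UNPRIV_UID = 65534          # assumption: 'nobody' on common Linux systems
UNPRIV_GID = 65534
WORKER_KEY = b"worker-only-secret-key"   # constructed; never leaves the worker


def send_frame(sock, payload: bytes) -> None:
    """4-byte big-endian length prefix so message boundaries survive the stream."""
    sock.sendall(struct.pack("!I", len(payload)) + payload)


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
    return buf


def recv_frame(sock) -> bytes:
    (n,) = struct.unpack("!I", recv_exact(sock, 4))
    return recv_exact(sock, n)


def drop_privileges(jail: str) -> dict:
    """Confine the worker and return a status record for the parent.

    Fails closed: starting as root and not finishing the drop raises.
    """
    status = {"started_as_root": os.geteuid() == 0, "chroot": False, "uid": os.geteuid()}
    if not status["started_as_root"]:
        return status                       # chroot/setuid need root; nothing to drop
    os.chroot(jail)
    os.chdir("/")                           # otherwise cwd still points outside the jail
    status["chroot"] = True
    os.setgroups([])                        # supplementary groups first,
    os.setgid(UNPRIV_GID)                   # then gid,
    os.setuid(UNPRIV_UID)                   # then uid: this order is what makes it stick
    try:
        os.setuid(0)                        # must now be impossible
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was reversible")
    status["uid"] = os.geteuid()
    return status


def worker_main(sock, jail: str) -> None:
    """Child side: sandbox first, then serve 'mac:<data>' requests until EOF."""
    try:
        try:
            status = drop_privileges(jail)
        except Exception as exc:            # fail closed, tell the parent why
            send_frame(sock, json.dumps({"error": str(exc)}).encode())
            return
        send_frame(sock, json.dumps({"status": status}).encode())
        while True:
            try:
                req = recv_frame(sock)
            except ConnectionError:
                return
            op, _, data = req.partition(b":")
            if op == b"mac":
                tag = hmac.new(WORKER_KEY, data, hashlib.sha256).hexdigest()
                send_frame(sock, json.dumps({"mac": tag}).encode())
            else:
                send_frame(sock, json.dumps({"error": "unknown op"}).encode())
    finally:
        os._exit(0)                         # a forked child must never fall back into the parent's code


def spawn_worker():
    """Parent side: fork the worker with one end of a UNIX socketpair."""
    parent_sock, child_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    jail = tempfile.mkdtemp(prefix="worker-jail-")
    pid = os.fork()
    if pid == 0:
        parent_sock.close()
        worker_main(child_sock, jail)       # does not return
    child_sock.close()
    return parent_sock, pid, jail


def mac_via_worker(message: bytes) -> dict:
    """Ask the sandboxed worker for a MAC; the key never enters this process."""
    sock, pid, jail = spawn_worker()
    try:
        hello = json.loads(recv_frame(sock))
        if "error" in hello:
            raise RuntimeError("worker refused to start: " + hello["error"])
        send_frame(sock, b"mac:" + message)
        reply = json.loads(recv_frame(sock))
        return {"status": hello["status"], "mac": reply["mac"]}
    finally:
        sock.close()                        # EOF makes the worker exit
        os.waitpid(pid, 0)
        os.rmdir(jail)


if __name__ == "__main__":
    print(mac_via_worker(b"hello"))
```

Run it as root and the status record shows chroot applied and uid 65534; as an ordinary user it reports that the root-only steps were skipped. The same two steps that matter in Scott's stunnel layout are visible here: the key is loaded only in the child, and the parent reads nothing but framed replies, so a bug in the crypto engine gets at most an empty chroot and an unprivileged uid.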