Hello OpenSSL developers,

I'm trying to ensure that sensitive data (passwords, ...) is not kept in clear text in process memory, and I have found that all data sent to or received from OpenSSL is kept in memory...

This is a problem, as data sent to or received from an SSL connection may contain sensitive information that we don't want to keep in process memory.

Notes:
- This is only the case when using SSLv3 or TLSv1. When using SSLv2, data is not kept in memory.
- I am using version 0.9.8k-7ubuntu8.6 from Ubuntu Lucid. If this is related to a security fix, I think it is up to date.

Reproduction is easy:
- Use 'openssl client -tls1 -connect hostname:443' to connect to an SSL server
- Send data in the TLS connection
- Force generation of a core file (kill -SEGV, for example)
- Inspect the core file; received and sent data will be present

Is there a reason for which OpenSSL may need to keep that data? Is there an option to alter its behavior?

[http://stackoverflow.com/questions/5746343/why-openssl-may-keep-received-written-data-in-memory]

-- Math
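The post above describes two things a practitioner wants to be able to do: check whether a secret survives in a memory image (the "inspect the core file" step) and wipe the buffers the application itself hands to SSL_write()/SSL_read() so that at least those copies are gone. The following is an added example written for this page; it is not OpenSSL code and does not link against OpenSSL. It models the memory image as a constructed byte array, uses a constructed secret ("hunter2"), and implements the wipe with a volatile store loop, which is the same idea OPENSSL_cleanse() is built on. The caveat that matters for the question asked in the post: an application-side wipe only reaches buffers the application owns, not any copy the library keeps internally, so it does not answer why the data is retained inside OpenSSL.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wipe through a volatile pointer so the compiler cannot drop the stores as
   dead (a plain memset() right before free() or return is often elided).
   Same idea as OPENSSL_cleanse(); reimplemented here to avoid a dependency. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len-- > 0)
        *p++ = 0;
}

/* Search a memory image for a byte string; returns the offset of the first
   match or -1. This is the check one runs against the core file. */
long find_bytes(const unsigned char *image, size_t image_len,
                const void *needle, size_t needle_len)
{
    if (needle_len == 0 || needle_len > image_len)
        return -1;
    for (size_t i = 0; i + needle_len <= image_len; i++)
        if (memcmp(image + i, needle, needle_len) == 0)
            return (long)i;
    return -1;
}

/* Constructed stand-in for the process memory captured in a core file. */
#define IMAGE_LEN 256
#define SEND_OFF  100

/* Model the application side of the report: a password is copied into the
   buffer that would be handed to SSL_write(), the write completes, and the
   buffer is either left alone (do_wipe == 0) or wiped (do_wipe == 1).
   Returns the offset at which the password is still found in the image,
   or -1 if it is gone. */
long password_offset_after_send(int do_wipe)
{
    static const char password[] = "hunter2";   /* constructed secret */
    unsigned char image[IMAGE_LEN];
    unsigned char *send_buf = image + SEND_OFF;
    size_t pw_len = sizeof password - 1;

    memset(image, 'x', sizeof image);           /* filler, constructed */
    memcpy(send_buf, password, pw_len);
    /* SSL_write(ssl, send_buf, pw_len) would be called here; the library's
       own copies of the record are outside this buffer and are not wiped. */
    if (do_wipe)
        secure_wipe(send_buf, pw_len);
    return find_bytes(image, sizeof image, password, pw_len);
}

int main(void)
{
    printf("without wipe: offset %ld\n", password_offset_after_send(0));
    printf("with wipe:    offset %ld\n", password_offset_after_send(1));
    return 0;
}
```

Against a real core file, the same find_bytes() check is run over the file contents; the offset it reports tells you only that a copy exists somewhere in the image, not which allocation owns it.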
