On Thu, Apr 17, 2014 at 09:40:57AM +0200, Peter Malone via RT wrote:
> I believe the following memcmp call is vulnerable to a remote timing
> attack.
>
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
>
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)

The session-id is sent by the TLS client in the clear in the client
TLS HELLO message. Attackers can already learn valid session-ids
by monitoring the network. The session-id is not a secret. This
"timing attack" is pointless.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
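Added example, not part of the original message and not OpenSSL code: a bounds-checked parser that reads the session_id field out of a plaintext ClientHello record, showing where the value discussed above sits on the wire. The function names and the sample record are constructed for illustration, and the parser assumes the ClientHello fits in a single unfragmented record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REC_HDR 5   /* record header: type(1) version(2) length(2) */
#define HS_HDR 4    /* handshake header: msg_type(1) length(3) */
#define SID_LEN_OFF (REC_HDR + HS_HDR + 2 + 32) /* after client_version + random */
#define MAX_SID 32

/* Copy the session_id of a plaintext ClientHello record into out.
 * Returns its length (0..32), or -1 if rec is not a well-formed ClientHello. */
int client_hello_session_id(const uint8_t *rec, size_t n, uint8_t out[MAX_SID])
{
    if (n < SID_LEN_OFF + 1) return -1;
    if (rec[0] != 0x16 || rec[REC_HDR] != 0x01) return -1; /* handshake, client_hello */
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];
    size_t hs_len = ((size_t)rec[6] << 16) | ((size_t)rec[7] << 8) | rec[8];
    if (REC_HDR + rec_len > n || HS_HDR + hs_len > rec_len) return -1;
    size_t sid_len = rec[SID_LEN_OFF];
    if (sid_len > MAX_SID || 2 + 32 + 1 + sid_len > hs_len) return -1;
    memcpy(out, rec + SID_LEN_OFF + 1, sid_len);
    return (int)sid_len;
}

/* Build a constructed (not captured) ClientHello record carrying sid. */
size_t build_sample_hello(uint8_t *buf, const uint8_t *sid, uint8_t sid_len)
{
    /* one cipher suite (0x002f) and the null compression method */
    static const uint8_t tail[] = {0x00, 0x02, 0x00, 0x2f, 0x01, 0x00};
    size_t hs_len = 2 + 32 + 1 + sid_len + sizeof tail;   /* always < 256 here */
    size_t rec_len = HS_HDR + hs_len;
    memset(buf, 0, REC_HDR + rec_len);                    /* random stays all zero */
    buf[0] = 0x16; buf[1] = 0x03; buf[2] = 0x01;
    buf[3] = (uint8_t)(rec_len >> 8); buf[4] = (uint8_t)rec_len;
    buf[5] = 0x01; buf[8] = (uint8_t)hs_len; buf[9] = 0x03; buf[10] = 0x03;
    buf[SID_LEN_OFF] = sid_len;
    memcpy(buf + SID_LEN_OFF + 1, sid, sid_len);
    memcpy(buf + SID_LEN_OFF + 1 + sid_len, tail, sizeof tail);
    return REC_HDR + rec_len;
}

int main(void)
{
    uint8_t sid[MAX_SID], buf[128], out[MAX_SID];
    for (int i = 0; i < MAX_SID; i++) sid[i] = (uint8_t)(0xA0 + i);
    int len = client_hello_session_id(buf, build_sample_hello(buf, sid, MAX_SID), out);
    for (int i = 0; i < len; i++) printf("%02x", out[i]);
    printf("\n");
    return len == MAX_SID ? 0 : 1;
}
```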