On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:
> Hi, I had some questions about the latest security advisory. I understand that this applies to multi-threaded applications while using SSL sessions.

Correct.

> If the application is written thread safe using CRYPTO_set_locking_callback functions will the vulnerability still apply?

If it didn't, it wouldn't be a vulnerability at all.

> If the ssl code calls the locking callback function before accessing the internal session cache then the vulnerability should not apply to above mentioned applications.

Right, it shouldn't, but it does. That's what makes it a vulnerability. Code not working under conditions where it cannot be expected to work is not a vulnerability, it's simply misuse. This is a vulnerability because it affects applications that use the code correctly.
DS