Hey Pandit,

From what I understand the vulnerability can apply if:

1) Internal session caching is *not* disabled - This means the session cache is maintained in SSL_CTX.
2) Internal lookup is not disabled - This means that the ssl code will look up the session cache on receiving a ClientHello with a valid session ID.
3) Your application is designed such that you create a SSL_CTX and multiple threads can access it. In this case multiple threads could be accessing the same session object (from the session cache).

The function in t1_lib.c

On Thu, Nov 18, 2010 at 7:26 AM, Pandit Panburana <ppanb...@yahoo.com> wrote:
> Hi,
>
> I am not clear about the condition for the vulnerability when using the internal session caching mechanism. Is it the same thing as TLS session caching or is this something different?
>
> Thank you,
> - Pandit
>
> ------------------------------
> *From:* David Schwartz <dav...@webmaster.com>
> *To:* openssl-users@openssl.org
> *Cc:* Nivedita Melinkeri <nivedita...@gmail.com>
> *Sent:* Wed, November 17, 2010 4:15:36 AM
> *Subject:* Re: Question regarding OpenSSL Security Advisory
>
> On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:
>
> > Hi,
> > I had some questions about the latest security advisory. I understand that this applies to multi-threaded applications while using ssl sessions.
>
> Correct.
>
> > If the application is written thread safe using CRYPTO_set_locking_callback functions will the vulnerability still apply?
>
> If it didn't, it wouldn't be a vulnerability at all.
>
> > If the ssl code calls the locking callback function before accessing the internal session cache then the vulnerability should not apply to the above-mentioned applications.
>
> Right, it shouldn't, but it does. That's what makes it a vulnerability. Code not working under conditions where it cannot be expected to work is not a vulnerability, it's simply misuse. This is a vulnerability because it affects applications that use the code correctly.
>
> DS
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org