> Hey Pandit,
>
> Sorry for sending out the previous before it was complete. So here it goes....
> From what I understand the vulnerability can apply if:
>
> 1) Internal session caching is *not* disabled - This means the session
> cache is maintained in SSL_CTX.
> 2) Internal session cache lookup is *not* disabled - This means that the
> ssl code will look up the session cache on receiving ClientHello with valid
> session Id.
> 3) Your application is designed such that you create a SSL_CTX and multiple
> threads can access it. In this case multiple threads could be accessing the
> same session object (from session cache). The function
> ssl_parse_clienthello_tlsext in t1_lib.c has unsynchronized access to
> members in session object which could cause the vulnerability.
>
> David/other experienced openssl users correct me if you think this
> understanding is incorrect.
>
> Regards,
> Nivedita
> On Thu, Nov 18, 2010 at 7:26 AM, Pandit Panburana <ppanb...@yahoo.com> wrote:
>
>> Hi,
>>
>> I am not clear about the condition that vulnerability when using
>> internal session caching mechanism. Is it the same thing as TLS session
>> caching or is this something different?
>>
>> Thank you,
>> - Pandit
>>
>> ------------------------------
>> *From:* David Schwartz <dav...@webmaster.com>
>> *To:* openssl-users@openssl.org
>> *Cc:* Nivedita Melinkeri <nivedita...@gmail.com>
>> *Sent:* Wed, November 17, 2010 4:15:36 AM
>> *Subject:* Re: Question regarding OpenSSL Security Advisory
>>
>> On 11/16/2010 11:06 PM, Nivedita Melinkeri wrote:
>>
>> > Hi,
>> > I had some questions about the latest security advisory. I understand
>> > that this applies to multi-threaded application while using ssl sessions.
>>
>> Correct.
>>
>> > If the application is written thread safe using
>> > CRYPTO_set_locking_callback functions will the vulnerability still apply?
>>
>> If it didn't, it wouldn't be a vulnerability at all.
>>
>> > If the ssl code calls the locking callback function before accessing the
>> > internal session cache then the vulnerability should not
>> > apply to above mentioned applications.
>>
>> Right, it shouldn't, but it does. That's what makes it a vulnerability.
>> Code not working under conditions where it cannot be expected to work is not
>> a vulnerability, it's simply misuse. This is a vulnerability because it
>> affects applications that use the code correctly.
>>
>> DS
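
The three conditions listed in the thread, turned into a check over an SSL_CTX's session cache mode; this is an added example, not code from the thread or from the OpenSSL project. The function name, the `COND_*` bits, the thread-count parameter and the mapping of conditions 1 and 2 onto the `SSL_SESS_CACHE_*` flags are assumptions of this example.

```c
#include <stdio.h>

/* Take the flag values from OpenSSL's header when it is installed. */
#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#  endif
#endif
#ifndef SSL_SESS_CACHE_SERVER  /* fallback: same values as openssl/ssl.h */
#  define SSL_SESS_CACHE_OFF                0x0000
#  define SSL_SESS_CACHE_SERVER             0x0002
#  define SSL_SESS_CACHE_NO_INTERNAL_LOOKUP 0x0100
#  define SSL_SESS_CACHE_NO_INTERNAL_STORE  0x0200
#endif

/* One bit per condition from the list in the thread (hypothetical names). */
enum { COND_CACHE_ON = 1, COND_LOOKUP_ON = 2, COND_SHARED_CTX = 4, COND_ALL = 7 };

/*
 * mode: value returned by SSL_CTX_get_session_cache_mode(ctx).
 * threads_using_ctx: number of threads handshaking on this SSL_CTX; the
 * application must supply it, OpenSSL does not track it.
 * Assumption: condition 1 is read as "server sessions are stored
 * automatically in the internal cache".
 */
int advisory_conditions(long mode, int threads_using_ctx)
{
    int met = 0;
    if ((mode & SSL_SESS_CACHE_SERVER) && !(mode & SSL_SESS_CACHE_NO_INTERNAL_STORE))
        met |= COND_CACHE_ON;      /* 1) internal cache kept in SSL_CTX */
    if (!(mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
        met |= COND_LOOKUP_ON;     /* 2) ClientHello session id is looked up */
    if (threads_using_ctx > 1)
        met |= COND_SHARED_CTX;    /* 3) several threads share the SSL_CTX */
    return met;
}

int main(void)
{
    /* Constructed configurations; SSL_SESS_CACHE_SERVER is OpenSSL's default. */
    long modes[] = { SSL_SESS_CACHE_SERVER,
                     SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_INTERNAL_LOOKUP,
                     SSL_SESS_CACHE_OFF };
    for (int i = 0; i < 3; i++) {
        int met = advisory_conditions(modes[i], 8);
        printf("mode=0x%04lx met=%d -> %s\n", (unsigned long)modes[i], met,
               met == COND_ALL ? "all three conditions hold" : "not all conditions hold");
    }
    return 0;
}
```

With the default cache mode and more than one thread on the same SSL_CTX, all three conditions from the list hold without the application having configured anything.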