Re: OpenSSL Security Alert - Remote Buffer Overflows

From: Scott Gifford (sgiffordat_private)
Date: Wed Jul 31 2002 - 23:21:33 PDT


    "Ben Laurie" <benat_private> writes:
    
    > OpenSSL Security Advisory [30 July 2002]
    > 
    > This advisory consists of two independent advisories, merged, and is
    > an official OpenSSL advisory.
    
    I've done some work on running SSL/TLS code as a separate process in a
    chroot jail as an unprivileged user, communicating with the daemon
    it's doing encryption for via UNIX domain sockets.  This approach
    massively mitigates the possible damages from the bugs discovered in
    the last day or two.
    
    OpenSSL is good code, but it's over 200,000 lines.  It makes sense to
    isolate it from the special privileges daemons often have.
    
    The work I've done is with stunnel.  See:
    
        http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
        http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch 
    
    for the patch to stunnel (and some related patches; I'll be happy to
    split out just the paranoia patch if anybody wants it without the
    others), and the various README files in:
    
        http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/
    
    for some examples.  It currently works fine, has been tested with
    several SSL/TLS clients, and has been in production use at a client's
    site for about a month.
    
    The stuff that's there right now isn't real user-friendly, but
    hopefully these patches or something similar will get incorporated
    into stunnel sometime in the near future, and then things will get a
    little easier; if there's an interest I can write up some more
    documentation.
    
    Please send along any comments, questions, criticisms, etc.
    
    -----ScottG.
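
The process separation described in the message above, as an added C example; it is not code from the post or from the stunnel patches it links to. The names `jail_and_drop`, `worker` and `roundtrip`, the jail path `/var/empty` and the uid/gid 65534 are assumptions, and upper-casing stands in for the TLS work the isolated process would do.

```c
#define _DEFAULT_SOURCE 1            /* for chroot() and setgroups() on glibc */
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Jail the caller and give up root for good. Order matters: chroot() needs
 * root, supplementary groups go before the gid, and the uid goes last. */
static int jail_and_drop(const char *dir, uid_t uid, gid_t gid) {
    if (chroot(dir) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root must fail */
}

/* Worker: the only process that would link the TLS library (stand-in work). */
static void worker(int fd, const char *jail_dir) {
    char buf[256];
    ssize_t n;                       /* 65534 below: assumed "nobody" uid/gid */
    if (jail_dir && jail_and_drop(jail_dir, 65534, 65534) != 0) _exit(1);
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        if (send(fd, buf, (size_t)n, MSG_NOSIGNAL) != n) _exit(2);
    }
    _exit(0);
}

/* Daemon side: one request/reply over a UNIX socket pair; -1 on failure. */
int roundtrip(const char *jail_dir, const char *in, char *out, size_t cap) {
    int sv[2], status;
    ssize_t len = (ssize_t)strlen(in), n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) { close(sv[0]); worker(sv[1], jail_dir); }
    close(sv[1]);
    if (send(sv[0], in, (size_t)len, MSG_NOSIGNAL) == len) n = read(sv[0], out, cap - 1);
    close(sv[0]);                    /* EOF tells the worker to exit */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) || n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

int main(void) {                     /* jail only when started as root */
    char out[64];
    if (roundtrip(geteuid() == 0 ? "/var/empty" : NULL, "hello", out, sizeof out) < 0) return 1;
    return puts(out) < 0;
}
```

The jail path only runs when the program starts as root and the directory exists; a worker that fails to jail itself exits non-zero and `roundtrip` reports -1 rather than continuing unconfined.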
    


