Re: Netscape/OpenSSL Cipher Forcing Bug - Openssl



Thread: Re: Netscape/OpenSSL Cipher Forcing Bug

  1. Re: Netscape/OpenSSL Cipher Forcing Bug

    On Wed, May 28, 2008 at 03:37:06PM -0400, Sojanna.Mun@cancer.org wrote:

    > A malicious legitimate client can enforce a ciphersuite not supported by
    > the server to be used for a session between the client and the server. This
    > can result in disclosure of sensitive information.


    If a malicious client is determined to leak sensitive data, surely it can
    just email it in the clear to Matt Drudge. What is the real threat-model
    for this issue? Is the selected cipher-suite in fact likely to be weaker
    without the legitimate client being "malicious"?

    --
    Viktor.
    ______________________________________________________________________
    OpenSSL Project http://www.openssl.org
    User Support Mailing List openssl-users@openssl.org
    Automated List Manager majordomo@openssl.org


  2. Strategy for freeing EVP and RSA keys

    I'd like confirmation that I understand how to free RSA keys.

    I create an RSA *key. I then use it to create an EVP_PKEY
    using EVP_PKEY_new() and EVP_PKEY_assign_RSA().

    Later, I want to free everything.

    I _think_ that EVP_PKEY_free() will free both the EVP_PKEY and the
    RSA objects. Is that correct - that there's an implied free of the RSA
    object?

    If so, is this the correct strategy:

    If the EVP_PKEY was created correctly
        free the EVP_PKEY
    else if the RSA key was created correctly
        free the RSA key

    --
    Ken Goldman kgold@watson.ibm.com
    914-784-7646 (863-7646)

