After a call to SSL_read openssl keeps a copy of the decrypted data in
memory, e.g., in

ssl->s3->rbuf.buf

Tools like gcore and strings can grab snapshots of a running process
and possibly gather sensitive data.

There does not seem to be any API in openssl to force it to zeroize
its read buffer, but there must be, mustn't there?

Or, how do you protect a process using openssl from such attacks?

Greg Silverman
HP/Atalla
Cupertino, CA