Bugtraq mailing list archives

Re: OpenSSL Security Altert - Remote Buffer Overflows


From: Scott Gifford <sgifford () suspectclass com>
Date: 01 Aug 2002 02:21:33 -0400

"Ben Laurie" <ben () algroup co uk> writes:

> OpenSSL Security Advisory [30 July 2002]
>
> This advisory consists of two independent advisories, merged, and is
> an official OpenSSL advisory.

I've done some work on running SSL/TLS code as a separate process in a
chroot jail as an unprivileged user, communicating with the daemon
it's doing encryption for via UNIX domain sockets.  This approach
massively mitigates the possible damages from the bugs discovered in
the last day or two.

OpenSSL is good code, but it's over 200,000 lines.  It makes sense to
isolate it from the special privileges daemons often have.

The work I've done is with stunnel.  See:

    http://www.suspectclass.com/~sgifford/stunnel/stunnel-patches.txt
    http://www.suspectclass.com/~sgifford/stunnel/stunnel3.22+paranoia0.1-openfd0.1.patch 

for the patch to stunnel (and some related patches; I'll be happy to
split out just the paranoia patch if anybody wants it without the
others), and the various README files in:

    http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/

for some examples.  It currently works fine, has been tested with
several SSL/TLS clients, and has been in production use at a client's
site for about a month.

The stuff that's there right now isn't real user-friendly, but
hopefully these patches or something similar will get incorporated
into stunnel sometime in the near future, and then things will get a
little easier; if there's an interest I can write up some more
documentation.

Please send along any comments, questions, criticisms, etc.

-----ScottG.
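
The layout described in this message, sketched as an added example (it is not code from the stunnel patches or from the original post): a worker process is jailed with chroot(), drops to an unprivileged uid/gid, and talks to the daemon only over a UNIX domain socket pair. The jail path `/var/empty`, uid/gid 65534 and the upper-casing stand-in for the SSL/TLS work are assumptions made for the illustration.

```c
#include <ctype.h>
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Jail the calling process, then drop privileges. Order matters: chroot()
 * needs root, and the uid goes last or setgroups()/setgid() would fail. */
static int confine(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    return setuid(0) == 0 ? -1 : 0;   /* regaining root must be impossible */
}

/* Worker: stands in for the SSL/TLS process. Upper-casing is a placeholder
 * for the crypto work; 65534 is an assumed unprivileged ("nobody") uid/gid. */
static void worker(int fd, const char *jail) {
    char buf[256]; ssize_t n;
    if (jail && confine(jail, 65534, 65534) != 0) _exit(1);   /* fail closed */
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < n; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
        if (write(fd, buf, (size_t)n) != n) _exit(1);
    }
    _exit(0);
}

/* Daemon side: send one request to the worker over a UNIX domain socket pair.
 * Returns bytes received or -1. jail == NULL skips confinement (non-root demo). */
static ssize_t roundtrip(const char *jail, const char *msg, size_t len, char *out, size_t cap) {
    int sv[2], status = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { close(sv[0]); worker(sv[1], jail); }
    close(sv[1]);
    ssize_t n = -1;
    if (send(sv[0], msg, len, MSG_NOSIGNAL) == (ssize_t)len) n = read(sv[0], out, cap);
    close(sv[0]);                     /* EOF tells the worker to exit */
    waitpid(pid, &status, 0);
    return (n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? n : -1;
}

int main(void) {
    char out[64];                     /* "/var/empty" is an assumed jail path */
    ssize_t n = roundtrip(geteuid() == 0 ? "/var/empty" : NULL, "hello", 5, out, sizeof out);
    if (n > 0) printf("%.*s\n", (int)n, out);
    return n == 5 ? 0 : 1;
}
```

A production worker would also close every inherited descriptor other than its socket before touching untrusted input, so that a compromise of the worker exposes nothing the daemon had open.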

