Re: OpenSSL CVE-2010-3864

Steve Hinchman · ‎11-23-2010

Before version 9.08p is released by HP for distribution, the recommended fix is:

1. Confirm that internal session caching is disabled or
2. the implementation is not multi-threaded.

Can someone please tell me how perform step 1 and verify step 2.

Regards,
Steve Hinchman

vaasusworld · ‎11-23-2010

Hi,

Generally you can enables/disables session caching by setting the mode in â SSL_CTX_set_session_cache_mode (SSL_CTX ctx, long mode)â function.

Mode "SSL_SESS_CACHE_OFF" means, no session caching for client or server takes place.

The default mode is SSL_SESS_CACHE_SERVER, means it is enabled by default.

You can find more information in the below link...

http://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html

Thanks & Regards,
Vasu

vaasusworld · ‎11-23-2010

Hi,

OpenSSL can also be used in multi-threaded applications.

Regards,
Vasu

Steve Hinchman · ‎11-24-2010

Vasu,

Thanks for the replies.

So, if I understand correctly, both issues are dependent upon the application calling/using OpenSSL's TSL, correct?

For example, does Tomcat need to be configured to enable/disable internal session caching? Or is it set by application using Tomcat?

Regards,
Steve

vaasusworld · ‎11-27-2010

>> So, if I understand correctly, both issues are dependent upon the application calling/using OpenSSL's TSL, correct?

The answer is YES.

Regards,
Vasu

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: OpenSSL CVE-2010-3864

OpenSSL CVE-2010-3864