Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20030411103727.GB18123@finlandia.infodrom.north.de>
Date: Fri, 11 Apr 2003 12:37:27 +0200
From: Martin Schulze <joey@...odrom.org>
To: xvendor@...ts.openwall.com
Subject: Re: openssl blinding and threads?

Martin Schulze wrote:
> Ryan W. Maple wrote:
> > > On Wed, Apr 09, 2003 at 09:38:11AM -0700, Seth Arnold wrote:
> > > > Yesterday, I saw someone on IRC mention that Red Hat's OpenSSL update
> > > > (either to turn on blinding, or the oracle fix) broke threading, backed up
> > > > with the idea that recompiling stunnel to use fork() instead of whatever
> > > > thread library it had been using, caused some problems of his to go away.
> > > >
> > > > I wasn't able to drag out better information from him before he
> > > > dissapeared, but I thought I'd mention it as a heads-up, in case any of
> > > > you run into similar problems.
> > >
> > > There's been some traffic about this on the openssl development list as
> > > well.  Apparently the blinding changes aren't safe for threaded apps,
> > > and fixes are coming in 0.9.6j and 0.9.7b (and should be in the current
> > > snapshots, too), probably Thursday.
> > 
> > This looks like it here:
> > 
> >   http://marc.theaimsgroup.com/?l=openssl-cvs&m=104927702431768&w=2
> 
> If you use it, use the 'Download message RAW' link since the url above
> contains a broken patch, the raw message contains the correct one (or
> at least one without that showstopper).

Sorry, I guess I made a fool out of myself.  The superflous [8] is a
numbered link which was inserted for [0] arbitrarily and lynx displayed
links numbered.  However, still very confusing if lynx with numbered
links is your main browser.

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Powered by blists - more mailing lists

Please check out the xvendor mailing list charter.