

Re: Custom OpenSSL crypto engine not known to cURL

From: Petr Pisar <>
Date: Thu, 1 Apr 2010 23:16:18 +0200

On Thu, Apr 01, 2010 at 09:11:04AM +0200, Daniel Stenberg wrote:
> On Thu, 1 Apr 2010, Camille Moncelier wrote:
> > You could set up some _evil_ openssl engine and set init = 1 so openssl
> > tries to initialize it automatically and TADA, (Bonus points if the
> > application is setuid root) :-)
> Assuming an app wants to support custom crypto engines as Petr Pisar enabled
> with his patch, and assuming the app runs as setuid root. How can the app
> limit what evilness a user can trick it into doing?

Unset OPENSSL_CNF. The same applies to NSS, as a user could supply a custom NSS
database (that can load PKCS#11 engines too).

In the case of OpenSSL, this forces the user to use the system-wide configuration
that is under the sole control of the superuser.

-- Petr

Received on 2010-04-01
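
The mitigation described in the mail above, as an added example that is not part of the original message or of curl's code: a setuid/setgid program drops the environment variables that redirect OpenSSL before any TLS initialization. The function names are hypothetical; the variable list (`OPENSSL_CONF`, `OPENSSL_ENGINES`, `SSL_CERT_FILE`, `SSL_CERT_DIR`) is this example's choice of OpenSSL variables and does not cover the NSS database case.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Environment variables that let the caller point OpenSSL at a config file,
 * an engine directory or trust anchors of their own choosing (example list). */
static const char *const tainted_vars[] = {
    "OPENSSL_CONF", "OPENSSL_ENGINES", "SSL_CERT_FILE", "SSL_CERT_DIR", NULL
};

/* True when real and effective ids differ, i.e. the binary is setuid/setgid
 * and the environment comes from a less privileged caller. */
int runs_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Remove every listed variable. Returns how many were set, or -1 on error. */
int scrub_crypto_env(void)
{
    int removed = 0;
    for (size_t i = 0; tainted_vars[i] != NULL; i++) {
        if (getenv(tainted_vars[i]) == NULL)
            continue;
        if (unsetenv(tainted_vars[i]) != 0)
            return -1;          /* fail closed: caller should abort */
        removed++;
    }
    return removed;
}

/* Call first thing in main(), before any OpenSSL or libcurl initialization.
 * Unprivileged runs keep their environment untouched. */
int harden_before_tls_init(void)
{
    if (!runs_privileged(getuid(), geteuid(), getgid(), getegid()))
        return 0;
    return scrub_crypto_env();
}

int main(void)
{
    int n = harden_before_tls_init();
    if (n < 0) { perror("unsetenv"); return 1; }
    printf("removed %d caller-controlled crypto variable(s)\n", n);
    return 0;
}
```

With the variables gone, OpenSSL falls back to its compiled-in default paths, which only the superuser can write.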