I think it could be valuable to export the SSL_OP_CLEANSE_PLAINTEXT option, introduced in OpenSSL 3, which enables configuring the library to perform a secure clean of plaintext buffers.
Reference: https://www.openssl.org/docs/manmaster/man3/SSL_CTX_clear_options.html
By default TLS and QUIC SSL objects keep a copy of received plaintext application data in a static buffer until it is overwritten by the next portion of data. When enabling SSL_OP_CLEANSE_PLAINTEXT deciphered application data is cleansed by calling OPENSSL_cleanse(3) after passing data to the application. Data is also cleansed when releasing the connection (e.g. SSL_free(3)).
Since OpenSSL only cleanses internal buffers, the application is still responsible for cleansing all other buffers. Most notably, this applies to buffers passed to functions like SSL_read(3), SSL_peek(3) but also like SSL_write(3).
TLS connections do not buffer data to be sent in plaintext. QUIC stream objects do buffer plaintext data to be sent and this option will also cause that data to be cleansed when it is discarded.
This option can be set differently on individual QUIC stream objects and has no effect on QUIC connection objects (except where a default stream is being used).