Make `SSL_SESSION_cmp` use `CRYPTO_memcmp` #591
There could be potential issues with leaking session ids between clients, using a timing attack. This patch doesn't guarantee constant time for
For example, if one was attempting to determine the number of active SSL sessions on a server, this would largely thwart such an attacker.
To be clear: I do not believe this is a significant security issue, but rather a place where we might be able to more closely match a developer's expectations of the function.
For reference, see:
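
Added example, not part of this pull request and not OpenSSL's code: it contrasts an early-exit comparison (how `memcmp` typically behaves) with a compare in the style of `CRYPTO_memcmp` on a constructed 32-byte session id, using a byte-read counter as a deterministic stand-in for the timing an attacker would measure. The names `leaky_cmp`, `ct_cmp`, `probe` and `reads` are hypothetical.

```c
#include <stdio.h>
#include <stddef.h>

static size_t reads; /* illustrative instrumentation: bytes read by the last compare */

/* Early-exit compare, as memcmp typically behaves: stops at the first mismatch. */
static int leaky_cmp(const unsigned char *a, const unsigned char *b, size_t len)
{
    size_t i;
    for (i = 0, reads = 0; i < len; i++) {
        reads++;
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Constant-time compare in the style of CRYPTO_memcmp: reads every byte and
 * ORs the differences, so the work is independent of the mismatch position. */
static int ct_cmp(const unsigned char *a, const unsigned char *b, size_t len)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0, reads = 0; i < len; i++, reads++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff != 0;
}

/* Hypothetical helper: bytes read when a guess shares `prefix` leading bytes
 * with a constructed 32-byte session id. */
static size_t probe(int constant_time, size_t prefix)
{
    unsigned char stored[32], guess[32];
    size_t i;
    for (i = 0; i < sizeof stored; i++) {
        stored[i] = (unsigned char)(0xA0 + i);
        guess[i] = i < prefix ? stored[i] : (unsigned char)~stored[i];
    }
    (constant_time ? ct_cmp : leaky_cmp)(stored, guess, sizeof stored);
    return reads;
}

int main(void)
{
    size_t p;
    for (p = 0; p <= 32; p += 8)
        printf("prefix=%2zu early-exit=%2zu constant-time=%2zu\n", p, probe(0, p), probe(1, p));
    return 0;
}
```

The early-exit count grows with the length of the matching prefix, which is the signal a timing attack recovers; the constant-time count stays at 32 for every guess.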