[cryptography] anyone got a "how not to use OpenSSL" list?

Warren Kumari warren at kumari.net
Wed Oct 10 16:29:47 EDT 2012


On Oct 10, 2012, at 3:56 PM, Patrick Mylund Nielsen <cryptography at patrickmylund.com> wrote:

> One thing that I've sadly seen more times than I can shake a stick at
> is people leaving in aNULL/eNULL, or not including !aNULL:!eNULL in
> their cipher suite list.

So, a number of years ago (~1999) I worked for a registrar.
We had a number of load balanced webservers, some doing http and others doing SSL (for billing and such).
One of our brighter sys-admin folk (let's call him Fred) notices one day that the https servers always run hotter and can only handle around half as many connections as the plain http ones. This offends / puzzles him and so he decides to make this the big project that will get him promoted...

I'm not really paying much attention, but know that he's off mucking with Apache configs on the SSL boxen (mainly because they keep falling out of the load-balancer pool). After a week or two of dinking around he comes and shows me some pretty graphs of how much better the load now is on the https machines -- I nod, give him a pat on the head and go back to reading slashdot….

A few weeks later I'm running Ethereal / tcpdump to troubleshoot some issue or other, and suddenly see some payload that looks suspiciously like a credit card number and name in plain-text…

Guess what his optimization was… Yup, he tried every combination of things in SSLCipherSuite and simply chose the one with the least CPU...

The fun bit was that browsers (I think Netscape / IE at the time) would happily give you the lock icon…

W

> 
> On Wed, Oct 10, 2012 at 6:34 PM,
> <travis+ml-rbcryptography at subspacefield.org> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>> 
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the first point rather than
>> its complement.
>> --
>> http://www.subspacefield.org/~travis/
>> Any sufficiently advanced magic is indistinguishable from reality.
>> 
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>> 
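A check for the cipher-suite mistake Patrick and Warren describe, as an added example that is not part of the original thread: it reads the `openssl ciphers -v` expansion of a cipher string (such as Apache's SSLCipherSuite value) and fails when any suite has Au=None (aNULL) or Enc=None (eNULL). The sample lines are constructed in that format, not real output captured from any system.

```shell
#!/bin/sh
# Added example: audit an OpenSSL cipher string for suites with no
# encryption (eNULL, shown as Enc=None by `openssl ciphers -v`) or no
# peer authentication (aNULL, shown as Au=None).
# Line format of `openssl ciphers -v`:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...

# Read `openssl ciphers -v` output on stdin; print offending suite names
# to stderr. Returns 0 if the list is clean, 1 if any NULL suite is present.
audit_cipher_output() {
    bad=$(awk '/Au=None/ || /Enc=None/ { print $1 }')
    if [ -n "$bad" ]; then
        printf 'NULL cipher suite(s) present:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Expand a cipher string with the local openssl and audit the result.
# Returns 2 if openssl rejects the string itself ("Error in cipher list").
audit_cipher_string() {
    out=$(openssl ciphers -v "$1") || return 2
    printf '%s\n' "$out" | audit_cipher_output
}

# Constructed sample (not captured from a real system): the kind of list a
# "whichever burns the least CPU" search ends up with.
SAMPLE_NULL_LIST='NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
ADH-AES128-SHA TLSv1 Kx=DH Au=None Enc=AES(128) Mac=SHA1
AES128-SHA TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Constructed sample of a list with both NULL sets excluded.
SAMPLE_CLEAN_LIST='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA TLSv1 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'

# Demonstration on the samples, then (if openssl is installed) on the fix
# the thread recommends: a list that ends in !aNULL:!eNULL.
printf '%s\n' "$SAMPLE_NULL_LIST" | audit_cipher_output || echo "null list rejected"
printf '%s\n' "$SAMPLE_CLEAN_LIST" | audit_cipher_output && echo "clean list passes"
if command -v openssl >/dev/null 2>&1; then
    audit_cipher_string 'ALL:!aNULL:!eNULL' && echo "ALL:!aNULL:!eNULL passes"
fi
```

Run `audit_cipher_string` against the exact SSLCipherSuite value from the vhost config; the lock icon in the browser tells you nothing about which suite was negotiated.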