[cryptography] anyone got a "how not to use OpenSSL" list?
fw at deneb.enyo.de
Tue Oct 16 16:01:42 EDT 2012
* Ryan Sleevi:
> Here's a quick list off the top of my head from having poked around
> various languages' bindings (Python, Perl, PHP, etc), from having seen
> various "rebranded" OpenSSL-using products, and from various "I just want
> to do HTTPS"
Here's another one I came across: do not use the d2i_*_fp and
d2i_*_bio ASN.1 decoders because they have received considerably less
attention than their d2i_* cousins (which are exposed through TLS
certificate parsing) and probably still have bugs.
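One way to act on this advice is to do the file I/O yourself and hand a bounded in-memory buffer to the in-memory d2i_* decoder. The following is an added example, not code from the original post or from OpenSSL; it shows the loading half only, and `MAX_DER_LEN`, `der_envelope_ok` and `load_der` are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define MAX_DER_LEN (64 * 1024)  /* assumed cap; choose one that fits your data */

/* Check that buf holds exactly one definite-length DER SEQUENCE.
 * Returns 0 on success, -1 otherwise. */
int der_envelope_ok(const unsigned char *buf, size_t len)
{
    size_t hdr = 2, body = 0;
    if (len < 2 || buf[0] != 0x30)          /* outer tag must be SEQUENCE */
        return -1;
    if (buf[1] < 0x80) {                    /* short-form length */
        body = buf[1];
    } else {
        size_t n = buf[1] & 0x7f;           /* number of length octets */
        if (n == 0 || n > 4 || len < 2 + n) /* 0x80 is indefinite: not DER */
            return -1;
        if (buf[2] == 0)                    /* leading zero: non-minimal */
            return -1;
        for (size_t i = 0; i < n; i++)
            body = (body << 8) | buf[2 + i];
        if (body < 0x80)                    /* short form was required */
            return -1;
        hdr += n;
    }
    return (body == len - hdr) ? 0 : -1;    /* no truncation, no trailing bytes */
}

/* Read a whole file into a heap buffer, refusing anything over MAX_DER_LEN
 * or anything that is not a single DER SEQUENCE. Caller frees the result. */
unsigned char *load_der(const char *path, size_t *out_len)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return NULL;
    unsigned char *buf = malloc(MAX_DER_LEN + 1);
    size_t n = buf ? fread(buf, 1, MAX_DER_LEN + 1, f) : 0;
    int bad = !buf || ferror(f) || n > MAX_DER_LEN || der_envelope_ok(buf, n) != 0;
    fclose(f);
    if (bad) { free(buf); return NULL; }
    *out_len = n;
    /* With OpenSSL available, decode from memory instead of d2i_X509_fp:
     *   const unsigned char *p = buf;
     *   X509 *x = d2i_X509(NULL, &p, (long)n);   then require p == buf + n */
    return buf;
}
```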