[cryptography] anyone got a "how not to use OpenSSL" list?

Florian Weimer fw at deneb.enyo.de
Tue Oct 16 16:01:42 EDT 2012

* Ryan Sleevi:

> Here's a quick list off the top of my head from having poked around
> various languages' bindings (Python, Perl, PHP, etc), from having seen
> various "rebranded" OpenSSL-using products, and from various "I just want
> to do HTTPS"

Here's another one I came across: do not use the d2i_*_fp and
d2i_*_bio ASN.1 decoders because they have received considerably less
attention than their d2i_* cousins (which are exposed through TLS
certificate parsing) and probably still have bugs.
