[cryptography] anyone got a "how not to use OpenSSL" list?

Aaron Grattafiori aaron at digitalinfinity.net
Thu Oct 25 17:49:23 EDT 2012


While more "proper" uses of OpenSSL vs improper, participates of the
discussion might enjoy the following whitepaper and tool release by
iSEC Partners and an Academic look at popular non-browser SSL failures
(bottom):

https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html

"Everything You’ve Always Wanted to Know About Certificate Validation
With OpenSSL":
https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-about-openssl.pdf

"TLSPretense is a tool for testing certificate and hostname validation
as part of an TLS/SSL connection"
https://github.com/iSECPartners/tlspretense

This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar,
S. Jana, R. Anubhai's SSL paper:
"The most dangerous code in the world: validating SSL certificates in
non-browser software":
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

-Aaron

On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Wed, Oct 10, 2012 at 1:34 PM,
> <travis+ml-rbcryptography at subspacefield.org> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the first point rather than
>> its complement.
>> --
>> http://www.subspacefield.org/~travis/
> Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters
> worst, they return slightly different values - 0 means failure for
> RAND_bytes; while 0 means "non-cryptographic bytes have been returned"
> for RAND_pseudo_bytes.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography



More information about the cryptography mailing list