[cryptography] anyone got a "how not to use OpenSSL" list?

Jeffrey Walton noloader at gmail.com
Sat Oct 27 15:38:28 EDT 2012


On Wed, Oct 10, 2012 at 1:34 PM,
<travis+ml-rbcryptography at subspacefield.org> wrote:
> I want to find common improper usages of OpenSSL library for SSL/TLS.
>
> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
> probably, but would prefer information to the first point rather than
> its complement.
> --
> http://www.subspacefield.org/~travis/
> Any sufficiently advanced magic is indistinguishable from reality.
Well, I just saw a new one: pinning a CA.
http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html.

They also failed open (rather than closed) on hostname verification.

Sigh....

Jeff
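An added illustration, not part of the thread, of the "fail open on hostname verification" mistake Jeff mentions: a fail-open matcher next to a fail-closed one, run over constructed certificate dicts in the decoded shape Python's OpenSSL-backed `ssl` module returns from `getpeercert()` (function and sample names are hypothetical).

```python
import ssl  # Python's ssl module is a thin wrapper over OpenSSL

# Constructed sample in the decoded form ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test")),
}
# Constructed certificate that carries no subjectAltName at all.
NO_SAN_CERT = {"subject": ((("commonName", "example.test"),),)}


def _dns_match(pattern, hostname):
    """Match one DNS SAN entry: a single leading wildcard covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # "*.example.test" -> ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def hostname_matches_fail_open(cert, hostname):
    """The anti-pattern from the post: anything unexpected is treated as a pass."""
    try:
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not sans:
            return True                       # no names to check, so accept (wrong)
        return any(_dns_match(p, hostname) for p in sans)
    except Exception:
        return True                           # parser trouble also accepts (wrong)


def hostname_matches_fail_closed(cert, hostname):
    """Fail closed: only a positive DNS SAN match accepts; everything else rejects."""
    try:
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    except Exception:
        return False
    if not sans or not hostname:
        return False                          # nothing to verify against -> reject
    return any(_dns_match(p, hostname) for p in sans)


def secure_context():
    """OpenSSL-backed context with chain verification AND hostname checking enabled."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + check_hostname=True
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx
```

Note that the two matchers only diverge on the error paths (missing SAN, malformed input), which is exactly where a fail-open implementation quietly stops verifying.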
