[cryptography] anyone got a "how not to use OpenSSL" list?

Ben Laurie ben at links.org
Sun Oct 28 06:52:05 EDT 2012


On Sat, Oct 27, 2012 at 8:38 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Wed, Oct 10, 2012 at 1:34 PM,
> <travis+ml-rbcryptography at subspacefield.org> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the first point rather than
>> its complement.
>> --
>> http://www.subspacefield.org/~travis/
>> Any sufficiently advanced magic is indistinguishable from reality.
> Well, I just saw a new one: pinning a CA.
> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html.
>
> They also failed open (rather than closed) on hostname verification.

Wrong link? I see no mention of pinning there. OTOH, I'm pleased to
see certificate validation code ... if only it had unit tests!
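On the "failed open" point in the quoted message, an added illustration that is not code from the thread, from the linked post or from OpenSSL: the fail-open shape of a hostname check next to a fail-closed one, with the unit tests such code tends to lack. It models the certificate as a plain dict of Subject Alternative Name entries (a constructed stand-in for what an X.509 parser returns) and reimplements the dNSName comparison in pure Python so it runs with no TLS stack; in real OpenSSL client code the same outcome is obtained by enabling SSL_VERIFY_PEER and handing the expected name to SSL_set1_host() (OpenSSL 1.1.0 and later) or X509_VERIFY_PARAM_set1_host(), rather than by writing a matcher at all.

```python
"""Hostname verification in a TLS client: the fail-open shape next to a
fail-closed one, plus the checks a unit test would run against both.

Constructed example: the "certificate" is the dict of Subject Alternative
Name entries an X.509 parser would return; nothing here calls OpenSSL.
"""
import fnmatch
import ipaddress
import re

# One DNS label as it may appear in a hostname or a dNSName SAN entry.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def _labels(name, allow_wildcard):
    """Split a name into lower-case labels, rejecting anything malformed.

    A lone '*' is tolerated only as the leftmost label of a SAN pattern.
    Embedded NULs, empty labels and stray '*' characters all raise.
    """
    if not isinstance(name, str) or not name:
        raise ValueError("empty name")
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".")
    for i, label in enumerate(labels):
        if allow_wildcard and i == 0 and label == "*":
            continue
        if not _LABEL.fullmatch(label):
            raise ValueError("malformed DNS name: %r" % name)
    return labels


def _dns_match(pattern, host):
    """RFC 6125 style comparison of one dNSName entry against a hostname.

    '*' matches exactly one label, only in the leftmost position, and only
    when at least two literal labels follow it, so '*.com' matches nothing.
    """
    if pattern[0] == "*":
        if len(pattern) < 3 or len(host) != len(pattern):
            return False
        return host[1:] == pattern[1:]
    return pattern == host


def verify_hostname_fail_open(cert, host):
    """The anti-pattern: every unexpected condition is treated as a match.

    No SAN entries -> accept. Any exception -> accept. Shell-style globbing
    lets '*' cross label boundaries and swallow NUL bytes.
    """
    try:
        names = cert.get("dns") or []
        if not names:
            return True                      # wrong: unnamed cert accepted
        return any(fnmatch.fnmatch(host, p) for p in names)
    except Exception:
        return True                          # wrong: an error means "ok"


def verify_hostname_fail_closed(cert, host):
    """Hardened: True only on a positive match; any doubt is False."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal may only match an iPAddress entry, never a dNSName.
        for entry in cert.get("ip") or []:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True
            except ValueError:
                continue
        return False
    try:
        host_labels = _labels(host, allow_wildcard=False)
    except ValueError:
        return False                         # malformed hostname: refuse
    for entry in cert.get("dns") or []:
        try:
            if _dns_match(_labels(entry, allow_wildcard=True), host_labels):
                return True
        except ValueError:
            continue                         # malformed entry matches nothing
    return False


# Constructed certificates standing in for parsed SAN extensions.
CERT = {"dns": ["www.example.com", "*.example.com"], "ip": ["192.0.2.10"]}
CERT_NO_SAN = {"dns": [], "ip": []}
CERT_BROAD = {"dns": ["*.com"], "ip": []}


def run_checks():
    """Return (host, fail_open_result, fail_closed_result) where they differ."""
    cases = [
        (CERT, "www.example.com"),
        (CERT, "a.b.example.com"),
        (CERT, "evil.com\x00.example.com"),
        (CERT_NO_SAN, "www.example.com"),
        (CERT_BROAD, "example.com"),
    ]
    out = []
    for cert, host in cases:
        lax = verify_hostname_fail_open(cert, host)
        strict = verify_hostname_fail_closed(cert, host)
        if lax != strict:
            out.append((host, lax, strict))
    return out


if __name__ == "__main__":
    for host, lax, strict in run_checks():
        print("%-30r fail-open=%s fail-closed=%s" % (host, lax, strict))
```

Every row run_checks() reports is a name the fail-open version accepts and the fail-closed version rejects: a certificate with no names at all, a wildcard that spans two labels, a NUL-bearing name, and a "*.com" entry. The only place the two agree is the honest exact match, which is exactly why a validator that is never fed hostile input looks correct until it is tested.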
