[cryptography] Just how bad is OpenSSL ?

Jeffrey Walton noloader at gmail.com
Tue Oct 30 07:58:55 EDT 2012


On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie <ben at links.org> wrote:
> On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton <noloader at gmail.com> wrote:
>> On Fri, Oct 26, 2012 at 2:29 PM, John Case <case at sdf.org> wrote:
>>>
>>> [SNIP]
>
> Apparently you think the best way to get a secure platform is to apply
> pressure through pointless security standards. I'd suggest your
> efforts might be better spent supplying patches instead. Or, y'know,
> talking to the authors of the s/w in question. You never know, they
> might care.
Ah, OK. My bad.

I've tried supplying patches and filing bug reports/enhancement requests.

Here was a gentle patch for spelling corrections in a README -
rejected. http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401.

Here was a patch for Xcode awareness - rejected (is it fair to say
when it sits for years without acknowledgement?).
http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402.

I can't locate a bug report on the use of the uninitialized data.
Perhaps I had the discussion on the developer's mailing list (I know
I'm not imagining it, so my apologies).

I am also aware that patches existed for some time for CCM mode, GCM
mode, and SRP. In the case of GCM, IBM supplied the patches 5 or 10
years earlier. None were acted upon.

The project does not appear to want outside help. If I am drawing the
wrong conclusion, please forgive me.

Jeff
