While more about "proper" uses of OpenSSL vs improper, participants of the discussion might enjoy the following whitepaper and tool release by iSEC Partners, and an academic look at popular non-browser SSL failures (bottom):

https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tl...

"Everything You've Always Wanted to Know About Certificate Validation With OpenSSL":
https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-abo...

"TLSPretense is a tool for testing certificate and hostname validation as part of a TLS/SSL connection":
https://github.com/iSECPartners/tlspretense

This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar, S. Jana, R. Anubhai's SSL paper, "The most dangerous code in the world: validating SSL certificates in non-browser software":
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

-Aaron

On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton <noloader@gmail.com> wrote:
> On Wed, Oct 10, 2012 at 1:34 PM, <travis+ml-rbcryptography@subspacefield.org> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ, probably, but would prefer information to the first point rather than its complement.
>> --
>> http://www.subspacefield.org/~travis/
>
> Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters worse, they return slightly different values: 0 means failure for RAND_bytes, while 0 means "non-cryptographic bytes have been returned" for RAND_pseudo_bytes.
>
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
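The hostname check that the iSEC whitepaper, TLSPretense and the Boneh et al. paper all find missing or botched in non-browser clients, written out as an added example (not code from the thread, the papers or OpenSSL). It assumes the certificate is the dict layout Python's `ssl.SSLSocket.getpeercert()` returns, applies the RFC 6125-style wildcard rules, and uses a constructed sample certificate whose CN deliberately disagrees with its SAN entries.

```python
import ssl  # hostname_matches() consumes the dict layout ssl.SSLSocket.getpeercert() returns

# Constructed sample, shaped like getpeercert() output: SAN is present, so the CN must be ignored.
SAMPLE_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"), ("IP Address", "192.0.2.1")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """One dNSName (possibly a wildcard) against the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard never spans a dot, so label counts must agree
    if "*" in pattern:
        # Only "*.x.y" (whole leftmost label, at least two fixed labels) is accepted;
        # "f*.x.y", "x.*.y" and "*.com" are rejected rather than matched loosely.
        if p[0] != "*" or len(p) < 3 or any("*" in lbl for lbl in p[1:]):
            return False
        return p[1:] == h[1:]
    return p == h


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if hostname is covered by the certificate's identities.

    Covers the steps non-browser clients commonly skip: reject an empty cert (the
    symptom of verification having been disabled), use SAN dNSName entries, and
    fall back to the subject CN only when the certificate carries no dNSName at all.
    """
    if not cert or not hostname:
        return False
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for kind, v in rdn if kind == "commonName"]
    return any(_name_matches(n, hostname) for n in names)


def verify_hostname(cert: dict, hostname: str) -> None:
    """Raise on mismatch, as ssl does with check_hostname=True, instead of returning a flag callers can ignore."""
    if not hostname_matches(cert, hostname):
        raise ssl.CertificateError(f"hostname {hostname!r} does not match certificate identities")


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "evil.example.net"):
        print(f"{host:20} -> {hostname_matches(SAMPLE_CERT, host)}")
```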