While more "proper" uses of OpenSSL vs improper, participants of the
discussion might enjoy the following whitepaper and tool release by
iSEC Partners and an Academic look at popular non-browser SSL failures
(bottom):
https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tl...
"Everything You've Always Wanted to Know About Certificate Validation
With OpenSSL":
https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-abo...
"TLSPretense is a tool for testing certificate and hostname validation
as part of an TLS/SSL connection"
https://github.com/iSECPartners/tlspretense
This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar,
S. Jana, R. Anubhai's SSL paper:
"The most dangerous code in the world: validating SSL certificates in
non-browser software":
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
-Aaron
On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton
On Wed, Oct 10, 2012 at 1:34 PM,
wrote:
I want to find common improper usages of OpenSSL library for SSL/TLS.
Can be reverse-engineered from a "how to properly use OpenSSL" FAQ, probably, but would prefer information to the first point rather than its complement.
--
http://www.subspacefield.org/~travis/

Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters worse, they return slightly different values - 0 means failure for RAND_bytes; while 0 means "non-cryptographic bytes have been returned" for RAND_pseudo_bytes.
cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
----- End forwarded message -----
--
Eugen* Leitl http://leitl.org
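An added example, not part of the thread above: a small audit script that scans C source for the RAND_bytes / RAND_pseudo_bytes misuse described in the reply (calling the pseudo variant, ignoring the return value, or checking only for a negative result so that 0 passes). The sample C lines, the function names `audit` and `call_end`, and the finding messages are constructed for this illustration.

```python
import re

# Constructed sample C source for illustration (not from any real project).
SAMPLE_C = """\
unsigned char key[32], iv[16], salt[8], nonce[12];
RAND_bytes(key, sizeof(key));
if (RAND_pseudo_bytes(iv, sizeof(iv)) < 0) return -1;
if (RAND_bytes(salt, sizeof(salt)) < 0) return -1;
if (RAND_bytes(nonce, sizeof(nonce)) != 1) return -1;
"""

CALL = re.compile(r"\b(RAND_pseudo_bytes|RAND_bytes)\s*\(")

def call_end(text, open_idx):
    """Return the index just past the ')' matching the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(text)

def audit(source):
    """Return (line, function, problem) for each risky call in C source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//")[0]          # ignore trailing line comments
        m = CALL.search(code)
        if not m:
            continue
        name = m.group(1)
        before = code[:m.start()].strip()
        after = code[call_end(code, m.end() - 1):].strip()
        if name == "RAND_pseudo_bytes":
            # 0 here means "non-cryptographic bytes", not failure.
            findings.append((lineno, name, "may return non-cryptographic bytes"))
        elif before == "" and after.startswith(";"):
            findings.append((lineno, name, "return value ignored"))
        elif re.match(r"(<\s*0|==\s*-1)", after):
            # For RAND_bytes, 0 means failure; a negative-only check misses it.
            findings.append((lineno, name, "0 (failure) treated as success"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_C):
        print("line %d: %s: %s" % finding)
```

The scan is line-based, so a call split across several lines or hidden behind a wrapper macro needs manual review.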