While more "proper" uses of OpenSSL vs improper, participates of the discussion might enjoy the following whitepaper and tool release by iSEC Partners and an Academic look at popular non-browser SSL failures (bottom): https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tl... "Everything Youbve Always Wanted to Know About Certificate Validation With OpenSSL": https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-abo... "TLSPretense is a tool for testing certificate and hostname validation as part of an TLS/SSL connection" https://github.com/iSECPartners/tlspretense This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar, S. Jana, R. Anubhai's SSL paper: "The most dangerous code in the world: validating SSL certificates in non-browser software": https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html -Aaron On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton wrote:

On Wed, Oct 10, 2012 at 1:34 PM, wrote:

...

I want to find common improper usages of OpenSSL library for SSL/TLS.

Can be reverse-engineered from a "how to properly use OpenSSL" FAQ, probably, but would prefer information to the first point rather than its complement. -- http://www.subspacefield.org/~travis/ Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters worst, they return slightly different values - 0 means failure for RAND_bytes; while 0 means "non-cryptographic bytes have been returned" for RAND_pseudo_bytes.

---

cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography

cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE