[cryptography] anyone got a "how not to use OpenSSL" list?

Aaron Grattafiori aaron at digitalinfinity.net
Thu Oct 25 14:49:23 PDT 2012 

While more "proper" uses of OpenSSL vs improper, participates of the
discussion might enjoy the following whitepaper and tool release by
iSEC Partners and an Academic look at popular non-browser SSL failures
(bottom):

https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html

"Everything Youbve Always Wanted to Know About Certificate Validation
With OpenSSL":
https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-about-openssl.pdf

"TLSPretense is a tool for testing certificate and hostname validation
as part of an TLS/SSL connection"
https://github.com/iSECPartners/tlspretense

This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar,
S. Jana, R. Anubhai's SSL paper:
"The most dangerous code in the world: validating SSL certificates in
non-browser software":
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html

-Aaron

On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Wed, Oct 10, 2012 at 1:34 PM,
> <travis+ml-rbcryptography at subspacefield.org> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the first point rather than
>> its complement.
>> --
>> http://www.subspacefield.org/~travis/
> Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters
> worst, they return slightly different values - 0 means failure for
> RAND_bytes; while 0 means "non-cryptographic bytes have been returned"
> for RAND_pseudo_bytes.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

More information about the cypherpunks-legacy mailing list