While more "proper" uses of OpenSSL vs improper, participates of the discussion might enjoy the following whitepaper and tool release by iSEC Partners and an Academic look at popular non-browser SSL failures (bottom):
https://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html "Everything You’ve Always Wanted to Know About Certificate Validation With OpenSSL": https://www.isecpartners.com/storage/files/everything-you-wanted-to-know-about-openssl.pdf "TLSPretense is a tool for testing certificate and hostname validation as part of an TLS/SSL connection" https://github.com/iSECPartners/tlspretense This was released in tandem with Dan Boneh, M. Georgiev, S. Iyengar, S. Jana, R. Anubhai's SSL paper: "The most dangerous code in the world: validating SSL certificates in non-browser software": https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html -Aaron On Wed, Oct 24, 2012 at 8:41 PM, Jeffrey Walton <[email protected]> wrote: > On Wed, Oct 10, 2012 at 1:34 PM, > <[email protected]> wrote: >> I want to find common improper usages of OpenSSL library for SSL/TLS. >> >> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ, >> probably, but would prefer information to the first point rather than >> its complement. >> -- >> http://www.subspacefield.org/~travis/ > Calling RAND_pseudo_bytes instead of RAND_bytes. To make matters > worst, they return slightly different values - 0 means failure for > RAND_bytes; while 0 means "non-cryptographic bytes have been returned" > for RAND_pseudo_bytes. > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
