On Sat, Oct 27, 2012 at 8:38 PM, Jeffrey Walton <[email protected]> wrote:
> On Wed, Oct 10, 2012 at 1:34 PM,
> <[email protected]> wrote:
>> I want to find common improper usages of OpenSSL library for SSL/TLS.
>>
>> Can be reverse-engineered from a "how to properly use OpenSSL" FAQ,
>> probably, but would prefer information to the first point rather than
>> its complement.
>> --
>> http://www.subspacefield.org/~travis/
>> Any sufficiently advanced magic is indistinguishable from reality.
> Well, I just saw a new one: pinning a CA.
> http://www.isecpartners.com/blog/2012/10/14/the-lurking-menace-of-broken-tls-validation.html.
>
> They also failed open (rather than closed) on hostname verification.
Wrong link? I see no mention of pinning there. OTOH, I'm pleased to see certificate validation code ... if only it had unit tests!

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
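Since the thread turns on hostname verification that fails open rather than closed, here is an added example (not code from either poster, nor from the blog linked above) of what a fail-closed client-side check looks like using Python's standard `ssl` module. It assumes a `getpeercert()`-shaped dictionary (constructed inline as `SAMPLE_PEERCERT`), matches only subjectAltName dNSName entries under a subset of the RFC 6125 wildcard rules, and keeps `fail_open_verify` only as the anti-pattern for contrast; the function names are mine, not part of any library.

```python
import ssl
from typing import Iterable, List, Optional

# Constructed sample in the shape returned by SSLSocket.getpeercert().
# The commonName is deliberately ignored below: only SAN entries count.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def fail_closed_context() -> ssl.SSLContext:
    """Client context that refuses unverified peers.

    ssl.create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; the explicit check guards against later code
    that relaxes those settings, which is the classic fail-open bug.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS context would accept unverified peers")
    return ctx


def dns_names_from_peercert(cert: dict) -> List[str]:
    """Extract dNSName SAN entries; other SAN kinds and the CN are ignored."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _normalise(name: str) -> str:
    # Case-insensitive comparison, tolerate one trailing dot (FQDN form).
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def hostname_matches(hostname: str, presented: Iterable[str]) -> bool:
    """True only if hostname matches one presented dNSName.

    Rules (a subset of RFC 6125):
      * exact, case-insensitive label-by-label match, or
      * a single '*' forming the entire left-most label, matching exactly
        one label: '*.example.com' matches 'www.example.com' but not
        'a.b.example.com' or 'example.com'; '*.com' is refused outright
        and partial wildcards such as 'w*.example.com' never match.
    """
    host = _normalise(hostname)
    host_labels = host.split(".")
    if "" in host_labels:          # empty name or empty label: reject
        return False
    for name in presented:
        labels = _normalise(name).split(".")
        if "" in labels:           # malformed presented name: skip, never match
            continue
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def verify_peer_hostname(hostname: str, san_dns_names: Optional[Iterable[str]]) -> bool:
    """Fail-closed wrapper: missing data or any error is a rejection."""
    try:
        if san_dns_names is None:
            return False
        return hostname_matches(hostname, list(san_dns_names))
    except Exception:
        return False


def fail_open_verify(hostname: str, san_dns_names: Optional[Iterable[str]]) -> bool:
    """ANTI-PATTERN, kept only for contrast: 'nothing to check' is treated
    as success, so a certificate with no dNSName at all is accepted."""
    try:
        if not san_dns_names:
            return True
        return hostname_matches(hostname, san_dns_names)
    except Exception:
        return True


if __name__ == "__main__":
    names = dns_names_from_peercert(SAMPLE_PEERCERT)
    for host in ("www.example.com", "a.b.example.com", "example.com"):
        print(host, "closed:", verify_peer_hostname(host, names),
              "open:", fail_open_verify(host, names))
    print("empty SAN closed:", verify_peer_hostname("www.example.com", []),
          "open:", fail_open_verify("www.example.com", []))
```

The point of the contrast is the empty-SAN and exception paths: the fail-closed wrapper answers `False` for both, while the anti-pattern answers `True`, which is exactly the class of bug the thread describes. The same discipline applies to any OpenSSL verify callback: the default answer must be rejection, and only a positive match may flip it.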
