On 08/25/2016 04:33 PM, Tom Ritter wrote: > NCC Group has prepared (or begun preparing) a patch that integrates > fuzzing of OpenSSL.
Exciting stuff, most of which I will ignore for now and ask a targeted question. > - Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG > becomes constant. Is it specifically MD5 and not SHA1? That would be worrisome, as I thought rand_lcl.h would be setting up for USE_SHA1_RAND by default, not md5. -Ben > This causes an error in ssl/ssl_sess.c:generate_session_id() because > it always generates a colliding Session ID. This breaks renegotiation > in the test harness. I haven't thought of an elegant way to resolve this. >
-- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev