Suggestions from my experience:

- Failing to verify the certificate after calling SSL_accept()
- Failing to verify minimum cipher strength for the application
- Failing to understand that the NULL suites give nothing and only take extra bytes
- Misunderstanding that "DN=CN:CA1;DN=CN:you" does NOT match "DN=CN:CA2;DN=CN:you"
- Failing to support STARTTLS

One I dread having to correct:

- Using aNULL:eNULL solely for data stream compression

-Kyle H

On Wed, Oct 10, 2012 at 1:29 PM, <travis+ml-openssl-...@subspacefield.org> wrote:
> So, I'm curious, if anyone has compiled (or wants to volunteer pieces
> of) a list of mistakes that developers make when using libopenssl (for
> SSL/TLS). I mean source code issues, not
> operational/environmental/PKI.
>
> If that's not available, I'm sure I can develop one from reading a
> well-written howto on how to use it... any subtleties that won't
> prevent it from working but will prevent it from being secure are
> valuable.
>
> But it'd be easier if I had the first list, not its complement. :-)
> --
> http://www.subspacefield.org/~travis/
> Any sufficiently advanced magic is indistinguishable from reality.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
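An added example, not from the thread, showing the first four of Kyle's points as checks written against Python's `ssl` module (its binding to the OpenSSL library, not the C API the thread is about): verification is required rather than assumed after the handshake, the aNULL/eNULL suites are excluded from the cipher list, the negotiated cipher is checked against a minimum strength after the handshake, and a peer is identified by issuer plus subject so CN=you under CA1 is not confused with CN=you under CA2. `MIN_CIPHER_BITS`, the helper names and the two certificate dicts are assumptions constructed for the example.

```python
import ssl

MIN_CIPHER_BITS = 128  # assumed application policy, not a value from the thread


def hardened_context(server_side=False, cafile=None):
    """SSLContext configured to avoid the pitfalls listed in the post."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    # Pitfall 1: a completed SSL_accept()/SSL_connect() says nothing about who
    # the peer is. Require a certificate so the library verifies it for us.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if not server_side:
        ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    # Pitfalls 2 and 3: '!eNULL' drops NULL-encryption suites (no confidentiality,
    # only extra bytes), '!aNULL' drops anonymous suites (no authentication, so
    # the verification above never runs).
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5")
    return ctx


def cipher_acceptable(cipher, min_bits=MIN_CIPHER_BITS):
    """Post-handshake check on the (name, protocol, bits) tuple that
    SSLSocket.cipher() returns; the cipher list alone is not a guarantee."""
    name, _protocol, bits = cipher
    return "NULL" not in name and bool(bits) and bits >= min_bits


def check_negotiated_cipher(cipher, min_bits=MIN_CIPHER_BITS):
    if not cipher_acceptable(cipher, min_bits):
        raise ssl.SSLError(f"cipher {cipher[0]} ({cipher[2]} bits) is below policy")
    return cipher[2]


def peer_identity(cert):
    """(issuer DN, subject DN) of a getpeercert() dict. Comparing subjects
    alone would make CN=you issued by CA1 equal CN=you issued by CA2."""
    def flatten(rdns):
        return tuple((attr, value) for rdn in rdns for attr, value in rdn)
    return (flatten(cert["issuer"]), flatten(cert["subject"]))


def same_peer(cert_a, cert_b):
    return peer_identity(cert_a) == peer_identity(cert_b)


# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
CERT_FROM_CA1 = {"issuer": ((("commonName", "CA1"),),), "subject": ((("commonName", "you"),),)}
CERT_FROM_CA2 = {"issuer": ((("commonName", "CA2"),),), "subject": ((("commonName", "you"),),)}
```

On a live connection, call `check_negotiated_cipher(sock.cipher())` and `peer_identity(sock.getpeercert())` immediately after the handshake, before any application data is sent.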