RE: top 10 mistakes when using libopenssl?

2012-10-15 Thread Charles Mills
Oh-oh. I'm not calling OpenSSL_add_all_algorithms() or anything real
similar.

I call SSL_library_init() and SSL_load_error_strings() and set up the
Locking callback but that's it.

It seems to work. Both my client code and my server code interoperate with
non-OpenSSL TLS implementation without error, and report the use of strong
SSL/TLS cipher suites.

What am I missing?

Charles
-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Sunday, October 14, 2012 3:56 AM
To: openssl-users@openssl.org
Subject: Re: top 10 mistakes when using libopenssl?

On Sat, Oct 13, 2012, Ken Goldman wrote:

> On 10/10/2012 8:08 PM, Kyle Hamilton wrote:
> > Suggestions from my experience:
>
> If you include the library, #1 for novices has to be:
>
> 1 - Using strlen() to get the length of encrypted data.


I'd add...

Forgetting to call OpenSSL_add_all_algorithms or similar.


__
OpenSSL Project                         http://www.openssl.org
User Support Mailing List               openssl-users@openssl.org
Automated List Manager                  majord...@openssl.org


Re: top 10 mistakes when using libopenssl?

2012-10-15 Thread Dr. Stephen Henson
On Mon, Oct 15, 2012, Charles Mills wrote:

> Oh-oh. I'm not calling OpenSSL_add_all_algorithms() or anything real
> similar.
>
> I call SSL_library_init() and SSL_load_error_strings() and set up the
> Locking callback but that's it.


SSL_library_init() counts as similar to OpenSSL_add_all_algorithms() so that's
fine.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


RE: top 10 mistakes when using libopenssl?

2012-10-15 Thread Charles Mills
Whew! <g>

Thanks.

Charles

-Original Message-
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Monday, October 15, 2012 9:51 AM
To: openssl-users@openssl.org
Subject: Re: top 10 mistakes when using libopenssl?

On Mon, Oct 15, 2012, Charles Mills wrote:

> Oh-oh. I'm not calling OpenSSL_add_all_algorithms() or anything real
> similar.
>
> I call SSL_library_init() and SSL_load_error_strings() and set up the
> Locking callback but that's it.


SSL_library_init() counts as similar to OpenSSL_add_all_algorithms() so
that's fine.



Re: top 10 mistakes when using libopenssl?

2012-10-14 Thread Dr. Stephen Henson
On Sat, Oct 13, 2012, Ken Goldman wrote:

> On 10/10/2012 8:08 PM, Kyle Hamilton wrote:
> > Suggestions from my experience:
>
> If you include the library, #1 for novices has to be:
>
> 1 - Using strlen() to get the length of encrypted data.


I'd add...

Forgetting to call OpenSSL_add_all_algorithms or similar.

Not using a temporary variable when calling i2d_FOO.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
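Steve's "temporary variable when calling i2d_FOO" item, as an added example that is not from the thread and not OpenSSL code. The real i2d_* functions (i2d_X509, i2d_RSAPrivateKey and friends) return the DER length and, when handed a pointer to a non-NULL buffer pointer, write the encoding there and advance that pointer past it. `i2d_FOO_mock`, `FOO` and the 8-byte sample encoding below are constructed stand-ins that follow that contract, so the pitfall can be shown without linking libcrypto:

```c
/* Added example, not OpenSSL code. i2d_FOO_mock follows the documented
 * contract of the real i2d_* functions (i2d_X509, i2d_RSAPrivateKey, ...):
 * it returns the DER length, and when given a non-NULL *pp it writes at *pp
 * and ADVANCES *pp past the encoding. FOO and its 8-byte "encoding" are
 * constructed so this runs without linking libcrypto. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned char payload[8]; } FOO;   /* stands in for X509, RSA, ... */
const FOO SAMPLE_FOO = { { 1, 2, 3, 4, 5, 6, 7, 8 } };   /* constructed */

int i2d_FOO_mock(const FOO *obj, unsigned char **pp) {
    int len = (int)sizeof obj->payload;
    if (pp == NULL) return len;                   /* size query only */
    if (*pp == NULL) {                            /* library allocates */
        unsigned char *buf = malloc((size_t)len);
        if (buf == NULL) return -1;
        memcpy(buf, obj->payload, (size_t)len);
        *pp = buf;                                /* start of buffer; caller frees */
        return len;
    }
    memcpy(*pp, obj->payload, (size_t)len);
    *pp += len;                                   /* the step people forget */
    return len;
}

/* The mistake: passing the address of the pointer you still need. After the
 * call it points one past the DER, so a later memcpy(buf, ...) reads the
 * wrong bytes and free(buf) is undefined behaviour. Returns the drift. */
long wrong_pointer_drift(const FOO *obj) {
    unsigned char storage[16] = { 0 };
    unsigned char *buf = storage;
    i2d_FOO_mock(obj, &buf);                      /* buf is advanced by 8 */
    return (long)(buf - storage);
}

/* The fix: size first, then encode through a temporary. buf keeps naming the
 * start of the DER, so it can be used and freed. Returns 1 on success. */
int encode_with_temp(const FOO *obj) {
    int len = i2d_FOO_mock(obj, NULL);            /* pass 1: length only */
    if (len <= 0) return 0;
    unsigned char *buf = malloc((size_t)len);
    if (buf == NULL) return 0;
    unsigned char *p = buf;                       /* temporary i2d may advance */
    int ok = i2d_FOO_mock(obj, &p) == len
          && p == buf + len                       /* p moved, buf did not */
          && memcmp(buf, obj->payload, (size_t)len) == 0;
    free(buf);                                    /* safe: buf is still the start */
    return ok;
}

int main(void) {
    printf("buf drifted %ld bytes after i2d\n", wrong_pointer_drift(&SAMPLE_FOO));
    printf("encode through a temporary: %s\n",
           encode_with_temp(&SAMPLE_FOO) ? "ok" : "failed");
    return 0;
}
```

The two-pass pattern (size with a NULL pointer, allocate, then encode through a throwaway `p`) is the shape the OpenSSL manual pages recommend for the real i2d_* functions; the mock only exists so the pointer movement is visible in a stand-alone program.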


Re: top 10 mistakes when using libopenssl?

2012-10-13 Thread Ken Goldman

On 10/10/2012 8:08 PM, Kyle Hamilton wrote:
> Suggestions from my experience:

If you include the library, #1 for novices has to be:

1 - Using strlen() to get the length of encrypted data.


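Ken's "strlen() on encrypted data" item, as an added example that is not from the thread. A toy XOR keystream (`toy_xor`, with a constructed key and plaintext) stands in for a real cipher so the program runs without libcrypto; the length it returns plays the role that the `outl` argument of EVP_EncryptUpdate() plays in real code, and strlen() fails on it for the same reason: ciphertext contains 0x00 bytes.

```c
/* Added example (not from the thread): why strlen() cannot measure
 * ciphertext. A toy XOR keystream stands in for a real cipher so the code
 * runs without libcrypto; EVP_EncryptUpdate()'s outl plays the same role as
 * the length toy_xor() returns. Key and plaintext are constructed. */
#include <stdio.h>
#include <string.h>

/* Ciphertext is bytes plus an explicit length. It is never a C string. */
typedef struct { unsigned char buf[64]; size_t len; } ctext;

static const unsigned char TOY_KEY[4] = { 'H', 'e', 'l', 'o' };      /* constructed */
static const unsigned char SAMPLE_PT[] = "Hello world";               /* constructed */
#define SAMPLE_PT_LEN (sizeof SAMPLE_PT - 1)

/* Toy "cipher": XOR with the repeating key. Whenever a plaintext byte equals
 * the key byte, the output byte is 0x00; a real cipher emits 0x00 for about
 * 1 byte in 256. Returns the number of bytes written, like a real API. */
size_t toy_xor(const unsigned char *in, size_t inlen, unsigned char *out) {
    for (size_t i = 0; i < inlen; i++)
        out[i] = in[i] ^ TOY_KEY[i % sizeof TOY_KEY];
    return inlen;
}

/* Mistake: strlen() stops at the first 0x00 byte of the ciphertext. */
size_t length_via_strlen(const ctext *ct) { return strlen((const char *)ct->buf); }

/* Correct: use the length the encryption call returned. */
size_t length_tracked(const ctext *ct) { return ct->len; }

/* Encrypt, measure with the given policy, decrypt that many bytes, and report
 * whether the plaintext came back intact (1) or not (0). */
int roundtrip_ok(const unsigned char *pt, size_t ptlen,
                 size_t (*measure)(const ctext *)) {
    ctext ct;
    unsigned char back[64];
    if (ptlen > sizeof ct.buf) return 0;
    memset(&ct, 0, sizeof ct);              /* zero so strlen() terminates */
    memset(back, 0, sizeof back);
    ct.len = toy_xor(pt, ptlen, ct.buf);
    size_t n = measure(&ct);
    toy_xor(ct.buf, n, back);               /* XOR is its own inverse */
    return n == ptlen && memcmp(back, pt, ptlen) == 0;
}

/* "Hello" XOR "Helo" starts 0x00 0x00 0x00, so strlen() reports 0 bytes. */
size_t sample_strlen_length(void) {
    ctext ct;
    memset(&ct, 0, sizeof ct);
    ct.len = toy_xor(SAMPLE_PT, SAMPLE_PT_LEN, ct.buf);
    return length_via_strlen(&ct);
}
int sample_roundtrip_strlen(void)  { return roundtrip_ok(SAMPLE_PT, SAMPLE_PT_LEN, length_via_strlen); }
int sample_roundtrip_tracked(void) { return roundtrip_ok(SAMPLE_PT, SAMPLE_PT_LEN, length_tracked); }

int main(void) {
    printf("strlen() says %zu bytes of ciphertext (real: %zu)\n",
           sample_strlen_length(), SAMPLE_PT_LEN);
    printf("roundtrip via strlen: %d, via tracked length: %d\n",
           sample_roundtrip_strlen(), sample_roundtrip_tracked());
    return 0;
}
```

The constructed input was chosen so the very first ciphertext byte is 0x00 and strlen() reports zero, but the same truncation happens wherever a 0x00 lands in real AES or RSA output; the only safe length is the one the encryption call hands back.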


Re: top 10 mistakes when using libopenssl?

2012-10-11 Thread yyy


- Original Message - 
From: Kyle Hamilton aerow...@gmail.com

To: openssl-...@openssl.org; openssl-users openssl-users@openssl.org
Sent: Thursday, October 11, 2012 3:08 AM
Subject: Re: top 10 mistakes when using libopenssl?



> Suggestions from my experience:
> -Failing to verify the certificate after calling SSL_accept()
> -Failing to verify minimum cipher strength for the application
> -Failing to understand that the NULL suites give nothing and only take
> extra bytes


eNULL suites provide authentication; they are not useless (as long as there
is no requirement for secrecy). They can be used to ensure that data in
transit does not get tampered with.




Re: top 10 mistakes when using libopenssl?

2012-10-10 Thread Kyle Hamilton
Suggestions from my experience:
-Failing to verify the certificate after calling SSL_accept()
-Failing to verify minimum cipher strength for the application
-Failing to understand that the NULL suites give nothing and only take
extra bytes
-Misunderstanding that DN=CN:CA1;DN=CN:you does NOT match
DN=CN:CA2;DN=CN:you
-Failing to support STARTTLS

One I dread having to correct:
-Using aNULL:eNULL solely for data stream compression

-Kyle H

On Wed, Oct 10, 2012 at 1:29 PM,
travis+ml-openssl-...@subspacefield.org wrote:
> So, I'm curious, if anyone has compiled (or wants to volunteer pieces
> of) a list of mistakes that developers make when using libopenssl (for
> SSL/TLS).  I mean source code issues, not
> operational/environmental/PKI.
>
> If that's not available, I'm sure I can develop one from reading a
> well-written howto on how to use it... any subtleties that won't
> prevent it from working but will prevent it from being secure are
> valuable.
>
> But it'd be easier if I had the first list, not its complement. :-)
> --
> http://www.subspacefield.org/~travis/
> Any sufficiently advanced magic is indistinguishable from reality.