Re: Doubt about OpenSSL library initialization in an HTTP client application

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks for replying!

I found two libraries at application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator, however I don't know how to do that yet. That code I'm using is a third party Pascal binding for the OpenSSL C library, and I've noticed that many other packages was based on that implementation too (eg: https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442 - it seems based on an old LibOpenSsl version).

The application I'm fixing uses the same file this link above, and I can edit it without problems. I removed the line RAND_screen and now the application initializes fast, but I'm not sure if it will turn my application vulnerable.

If I get to solve it I will try some patch sharing it to the authors of these bindings.

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rsalz@xxxxxxxxxx> wrote:

What version of openssl are you using?  Current versions do not call RAND_screen or other long-term heap-walking on Windows.

 

You absolutely *must* properly initialize the random number generator.  If you fail to do that, attackers can guess the keys that you use.  You will be providing only the illusion of security.

 

Please pass this along to that other app.  What it, and you, are doing is horrible.

 

-- 

Senior Architect, Akamai Technologies

Member, OpenSSL Dev Team

IM: richsalz@xxxxxxxxx Twitter: RichSalz


--
Silvio Clécio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux