5

I would like to know how I can be sure that I am using OpenSSL the right way. You all know how the OpenSSL documentation is hard to read.

I know that everybody has different goals when using this library, but is there a way to test that, for instance, a bad certificate won't be accepted, that only some cipher suites can be used, that only TLSv1.2 is used, etc.?

I am looking for tools, either free or commercial, or some checklists, or things like that.

Basically, I want to test my software. I know that the security of a protocol is hard to guarantee, and the implementation of it is also not easy to check. But what I'm asking is, assuming those two conditions are met by OpenSSL, what can I do on my side?

To be precise, my software is not a website, it is for a custom application. So the protocol above TLS would be unique. But I guess in the grand scheme of things, my question also holds and is more pertinent for websites, so don't hesitate to mention solutions for that case :)

Jacques
  • 1
    So, things like: how your implementation handles expired/revoked certs, invalid certs? As for cipher suites, most vuln scanners will do that. – schroeder Mar 11 '15 at 23:35
  • Yes @schroeder, thanks for the vuln scanners, I will look into that. – Jacques Mar 12 '15 at 03:20
  • 1
    If you are setting up an SSL/TLS server on the Internet, www.ssllabs.com/ssltest will do a pretty thorough test with a very nice display of the things that can be checked externally; that's not everything but it's a solid start. – dave_thompson_085 Mar 12 '15 at 09:42
  • @dave_thompson_085 Hi Dave, actually I am making a proprietary application with a custom protocol on top of TLS. But thank you very much for your answer. Your link is really interesting. Actually it answers the follow-up question I had in my head: are there statistics on how well TLS is implemented/configured? – Jacques Mar 12 '15 at 13:10
  • 1
    I don't think that this question is off-topic. In one of my projects I make heavy use of OpenSSL and I can tell you it is really hard to use. Bad and inconsistent documentation led to the point that I had to use trial and error to find out whether I used some routines in the right way. And even if your SW is handling certs in the right way, this does not necessarily imply that your implementation is correct or secure. Let me give you some tips: use the principles of secure and defensive programming, write test vectors, penetrate your SW against bad inputs, check, explain and discuss your code with colleagues. – rralf Mar 13 '15 at 09:03

0 Answers