OpenSSL Security issues

Alan DeKok aland at deployingradius.com
Tue Apr 8 21:35:16 CEST 2014


Arran Cudbard-Bell wrote:
> To be fair OpenSSL don't seem to be taking security seriously,
> this should have been caught by static analysis... except that
> code only gets submitted to Coverity sporadically, and they don't
> like using it because of the high rate of false positives.

  Valgrind is almost useless with FreeRADIUS && OpenSSL, because of the
massive amounts of complaints about OpenSSL issues.

> You know what causes high rates of false positives? Weird fucked
> up code...

  Yes.  Valgrind isn't perfect, but I'd be surprised if all of its
complaints about OpenSSL are wrong.

  Alan DeKok.

