My Blog

Dear OpenSSL project, you can do better

The OpenSSL project has just patched two stack overflow vulnerabilities. Thankfully they were not as severe as first communicated. But still: two stack overflows in 2022, in code that was added recently, not in ancient legacy code. Here is a snippet of the code and the fixes:

[Figure: Snippets for CVE-2022-3602 and CVE-2022-3786 fixes]

Looking at the code and the fixes, it simply seems that OpenSSL is a doomed project that will never learn. All modern and robust TLS libraries, even forks of OpenSSL, are replacing hand-written parsing code with safer alternatives built on simple buffer constructs. Here is a recent snippet from BoringSSL:

[Figure: Structured parsing in BoringSSL]
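The buffer-construct idea in practice, as an added example written for this post (it is not OpenSSL's or BoringSSL's code, and the type and function names are made up): the destination pointer travels together with its capacity, and the decoder's insert is refused, before any write happens, once the buffer is full.

```c
/* Added example, not OpenSSL or BoringSSL code: a minimal bounded output
 * cursor in the spirit of BoringSSL's structured parsing, so a decoder
 * cannot write past a fixed-size destination. All names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef struct {
    uint32_t *buf;  /* caller-owned destination (e.g. a stack array) */
    size_t cap;     /* capacity in code points, carried with the pointer */
    size_t len;     /* code points written so far */
} bounded_out;

/* Insert v at index pos, shifting the tail right (the operation a decoder
 * that builds its output out of order needs). The check uses >= and runs
 * before any write: a full buffer is refused, closing the off-by-one trap. */
static int bo_insert(bounded_out *o, size_t pos, uint32_t v) {
    if (o->len >= o->cap || pos > o->len) return 0;
    memmove(&o->buf[pos + 1], &o->buf[pos], (o->len - pos) * sizeof(v));
    o->buf[pos] = v;
    o->len++;
    return 1;
}

/* Decode a stream of (position, code point) pairs into out[cap].
 * Returns the number of code points written, or -1 if the input would not fit. */
int decode_pairs(const uint32_t *pairs, size_t npairs, uint32_t *out, size_t cap) {
    bounded_out o = { out, cap, 0 };
    for (size_t i = 0; i < npairs; i++)
        if (!bo_insert(&o, pairs[2 * i], pairs[2 * i + 1])) return -1;
    return (int)o.len;
}

/* Constructed input: four inserts that spell "abcd" when built out of order. */
static const uint32_t kPairs[] = { 0, 'b', 1, 'c', 0, 'a', 3, 'd' };

int demo_fits(void) {            /* 4 code points into 4 slots: returns 4 */
    uint32_t out[4] = { 0 };
    static const uint32_t want[] = { 'a', 'b', 'c', 'd' };
    int n = decode_pairs(kPairs, 4, out, 4);
    return (n == 4 && memcmp(out, want, sizeof want) == 0) ? n : -2;
}

int demo_overflow(void) {        /* same input into 3 slots: returns -1, nothing written past out[2] */
    uint32_t out[3] = { 0 };
    return decode_pairs(kPairs, 4, out, 3);
}
```

The same four inserts either fill a four-slot buffer exactly or, against a three-slot buffer, stop at the fourth insert with an error instead of a write past the end.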

Dear OpenSSL project, you can do better. And vendors, stop using OpenSSL in your VPN, load balancer, ADC, WAF and similar products.