OSTIF is proud to share the results of our security audit of OpenSSL. OpenSSL is a commercial-grade cryptographic communications open source library. With the help of Trail of Bits and the OpenSSL project, this project will run more securely for those looking to perform various SSL-related tasks.
Audit highlights:
This audit of OpenSSL targeted v.3 of the crypto library, which featured a new provider architecture and eight new cryptographic primitives. To perform this work, the Trail of Bits audit team used manual and automated testing practices to review the code and provide security feedback. Performed during the early fall of 2023, spanning 9 engineer weeks, the resulting final report of the audit describes a defensively implemented and well-tested project, whose maintainers responded quickly to reported issues impacting the security of OpenSSL.
Audit Results:
- 23 findings with a security impact
- 4 Medium Severity
- 6 Low Severity
- 13 Informational
- Developed and added 4 fuzzers
- Codebase Maturity Evaluation
Third-party security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security work as well as releases and life cycles. No CVEs were issued to the findings of this audit, but further security hardening guidance was given to help this library improve weak or risky practices as well as resolve open security issues. Of the 23 reported concerns 7 were related to data validation, which is an impactful vulnerability in projects whose function allows communication between users. Nonetheless, Trail of Bits noted in their report that OpenSSL supports healthy security practices in their code with an extensive testing suite already employed at the time of auditing.
Thank you to the individuals and groups that made this engagement possible:
- The OpenSSL maintainers and community- notably Neil Horman, Hugo Landau, and Matt Caswell
- Trail of Bits- Max Ammann, Fredrik Dahlgren, Spencer Michael, Jim Miller, and Jeff Braswell
- The OpenSSF Project
Last but not least, a special thank you to OpenSSF Project Alpha-Omega for entrusting OSTIF and funding this effort.
You can read the Audit Report HERE
You can read OpenSSL’s blog HERE
You can read Trail of Bits’ Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].