
Still using it for ASN.1 is quite sad, given ASN.1 is where a fair few security bugs have been. If I'm not mistaken, this includes CVE-2015-0286, CVE-2015-0287, CVE-2012-2110, CVE-2009-0590, CVE-2009-0789, and CVE-2006-2937 from the last decade (and more if you go further back). The ciphers are pretty damned solid — the ASN.1 code… not so much. I'd argue that the ASN.1 parsing and the like is one of the areas that sorely needs replacing in OpenSSL, precisely because it has had so many vulnerabilities found in it over the years.


Incidentally, Fabrice Bellard has written a small ASN.1 compiler:

http://bellard.org/ffasn1/

However, he does not want to give it away.

ASN.1 is a rather hairy standard overall, but AFAIK only a part of it is needed for TLS.



