OSTIF and Trail of Bits Complete Audit of OpenSSL
OpenSSL would like to announce the publication of the final report of a recent security audit conducted on the OpenSSL software library.
The audit was organized by the Open Source Technology Improvement Fund (OSTIF), and carried out by Trail of Bits. Special thanks to OpenSSF Project Alpha Omega for funding the effort.
OSTIF is a non-profit organisation dedicated to providing funding for security audits to open source security projects. Trail of Bits, an OSTIF partner organisation, is an experienced auditor of open source security software. Working together over the past months, OSTIF and Trail of Bits have conducted an audit of the OpenSSL software library for potential vulnerabilities or bugs.
This audit focused on the libcrypto component of OpenSSL and delivered the following outputs:
- 24 findings with a security impact (none of which warranted
allocating a CVE)
- 4 Medium Severity
- 6 Low Severity
- 14 Informational
- The development and addition of 4 fuzzers
- A codebase maturity evaluation
Overall, the audit found that OpenSSL is defensively implemented and well tested, with an extensive testing suite already in use at the time of auditing. The audit delivered further security hardening guidance to improve its security practices and resolve identified issues.
OpenSSL would like to thank OSTIF for funding this audit and Max Ammann, Fredrik Dahlgren, Spencer Michael, Jim Miller, and Jeff Braswell from Trail of Bits for conducting a detailed and thorough audit.
The official report will be released at the end of May, and a link published to our blog.