This could be interesting while doing code audits and while looking for
-------- Forwarded Message --------
Subject: [oss-security] TLS testing results - OS distro vulnerabilities
Date: Sat, 20 Aug 2016 16:50:29 +0000
From: Mauri Miettinen <Mauri.Miettinen(a)student.oulu.fi>
To: oss-security(a)lists.openwall.com <oss-security(a)lists.openwall.com>
CC: ouspg(a)ee.oulu.fi <ouspg(a)ee.oulu.fi>
To whom it may concern,
We developed a tool to check if languages and libraries verify TLS
While testing this tool we did a shootout against supported versions of the
some major Linux distributions.
Results are available from:
It seems it may be unsafe to do TLS in some of the common distros.
E.g. the native Python version in the distros varies, and not all fixes have
been backported. In these cases Python still doesn't always have certificate
checking enabled by default.
We have contacted Python developers about the results.
They gave us a couple of good pointers on how configuration could be
used to mitigate the issues in some of the distributions. We are afraid
this is still a hazard where neither software developers or users realize
that code that works well for the developer may not be safe for the users.
Would you have any other resources, advice or pointers we should
document when communicating about this in the TryTLS project?
PS. Results have indications of weak crypto issues as well.
I am Yigit (FAS: yigitcakar, IRC: ycakar)
My main interests lie in the realm of development and machine learning,
especially natural language generation. I have always been interested in
security as a layman, and I have been thinking about branching out to
I am almost a complete newbie when it comes to OS security, but I am a
willing student and I'd like to assist the team however I can.
I am reading RHEL 7 security guide and will move on to other items in the
training section of security team apprenticeship wiki.
Any advice is greatly appreciated.
fingerprint: 3444 99F4 7F0B DF9F D22D C6FF D0D8 D5C6 BF2C 7C4E
Hello my name is Daniel, my FAS ID is prngseed.
I am very interested in the field of security, recently with a lot of
interest in crypto protocols and code audit. I have a career as Linux
administrator and a master degree focused on infrastructure security.
I want to join the fedora project and in specific in the security team
because I like the Fedora approach, implementing new things, and
leading the linux ecosystem in terms of technology.
My name is Tiago (FAS: tiagovieira, IRC: tmoreira). I would like to join
the Fedora Security Team. I don't have professional experience with a
security job title, despite all side works in the past years doing a lot
on securing servers and services, identity management for small and
medium companies, risk analysis and assisting developers on writing
secure code (making all efforts to avoid the OWASP top 10).
I applied for the infra team as well, I wanted to get involved with
the Fedora infrastructure and services, and getting focused on security
as I learn more all the services Fedora offers.
My interests are: security awareness, risk analysis, cloud security,
identity management and security development practices.
I've got a PG diploma in software and systems security from Univ. of
Oxford (UK), RHCSA and RHCE certification and currently I work at
My GPG fingerprint is below (signature) and my public key is attached.
Hopefully I would be of assistance to the sec team on providing the
utmost secure environment to Fedora.
I will participate in the meeting tomorrow (Aug 18th) and I'm looking
forward to participating in the apprenticeship.
Tiago M. Vieira, RHCE
fingerprint = 2525 D9C5 A152 54C0 575F 102E 2CB8 A45A E245 073D
I don't think we've held a meeting where everyone has been able to make
it in a LONG time. Lets do this one more time...
Please include your FAS name/IRC name with your real name so I know who
is answering the survey.
I've made a few changes to the organization of our wiki pages and I'm
hoping the reorganization of this information will make it easier to
First, I moved the main page to a category page. This has the
benefit of reducing the clicks necessary when navigating through
categories. This also allows quick access to our other pages as all
pages that fall under the category of "Security Team" will show up at
the bottom of the page.
Next, I moved our work flow from the main page to it's own page and
added more categories for work flow. These are areas that I want to
continue to develop so we'll work on that more in the future.
Last, I created a page that shows all our tasks, broken down by
mission. For established members this will be the go-to page for
finding things to work on.
If anyone sees a way to further improve these pages please do it!
 It's a wiki, BE BOLD!