7ASecurity is proud to share the results of our security audit of DEfO. DEfO is an open source implementation of Encrypted ClientHello (ECH) for OpenSSL, and provides proof-of-concept implementations for clients and servers used for demonstration and interoperability testing. In collaboration with The Open Source Technology Improvement Fund and with funding support from the Sovereign Tech Fund, this project received custom security testing and threat-model documentation, contributing to DEfO's ongoing security and development work.

Audit Process:
An audit team of 6 senior auditors from 7ASecurity carried out this engagement in November and December 2025, dedicating 35 working days to 4 work packages. This was a whitebox assessment, with 7ASecurity receiving access to documentation and source code. The auditors reviewed the DEfO ECH patchset and OpenSSL Core Integration, performed automated and manual code review with active tests, executed a configuration and regression review against OpenSSL hardening, and produced a lightweight threat model for OpenSSL ECH clients and servers.
Audit Results:
- 5 Findings with Security Impact
  - 2 High
  - 3 Medium
- 6 Hardening Recommendations
- 11 Total Issues Documented
- Lightweight Threat Model
Despite the number of findings encountered in this exercise, the DEfO solution defended itself well against a broad range of attack vectors. In the report conclusion, the auditors highlighted the project's well-organized source code, comprehensive documentation, use of mature OpenSSL primitives, and the responsiveness of the DEfO team throughout the engagement. Continued cycles of security testing and hardening are expected to further strengthen the project over time.
Thank you to the individuals and groups that made this engagement possible:
- OpenSSL DEfO community and maintainers, especially: Kerry Hartnett, Stephen Farrell, and the rest of the DEfO team
- OSTIF: Derek Zimmer, Amir Montazery, Helen Woeste, and Tom Welter
- 7ASecurity: Abraham Aranguren, Daniel Ortiz, Dariusz Jastrzębski, Dheeraj Joshi, Miroslav Štampar, and Szymon Grzybowski
- Sovereign Tech Fund
You can read the Audit Report HERE
You can read OSTIF's Blog HERE
Everyone around the world depends on open source software. If you're interested in financially supporting this critical work, reach out to contactus@ostif.org.