2012/10/26 John Case <c...@sdf.org>: [...] > And the hackernews discussion led me to "OpenSSL is written by monkeys": > > http://www.peereboom.us/assl/assl/html/openssl.html > > So, given what is in the stanford report and then reading this rant about > openssl, I am wondering just how bad openssl is ? I've never had to > implement it or code with it, so I really have no idea. > > How long has it been "understood" that it's a mess (if it is indeed a mess) > ? How dangerous is it ?
OpenSSL *is* a mess. It's hard to correctly use the library, the learning curve is steep, mistakes are easy to achieve, and the code is hard to read. The lot of #ifdef ... is needed so you can compile the library with your own subset of functionalities. I use OpenSSL since a little more than a decade, and I consider it as a swiss knife. It's not a "become an SSL server/client"-type library, you've got functions to do crypto, big numbers, ASN.1, X.520, X.509, PKCS#xx, TLS, etc. Add to it abstractions like the BIO layer, ENGINE layer, EVP layer, and you have something horrible but powerful. Each of these subjects is horrible to code from scratch, anyway. Writing code to be a CA and publish certificates in an LDAP without knowing the API, in less than a week is a challenge in itself. I wouldn't be surprised if he wrote the same thing about libNSS or BouncyCastle. -- Erwann. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
