Hello,
I recently caught up with the state of SSLeay. I've read the
openssl organization's web page, and it's high on presentation,
but very low on content. I would like to know if any of your
efforts cover the following, IMHO, necessary directions for
SSLeay:
* Clean and polish the installation and build process. Perl
is unacceptable. Hand editing is unacceptable. Hard coded
paths to /usr/local/ssl are unacceptable. There is a lot of
clutter that seems unnecessary, and without any documentation
it is hard to tell what is worth looking at, and what should
be ignored. I want to see real Makefiles, with a real configure
that sets things up properly. And disabling the eNULL cipher
"to protect people" is just silly.
* Obviously, everyone wants documentation, but I don't see that
as the solution to many problems, because SSL is a mechanism
for implementing most of the details involved with secure
communications, but that doesn't tell me, the application writer,
how to insert it into my program. The assortment of questions
and answers to be found in various mailing list archives is
close to useless in this regard. I'm not talking about "server
structure", there is an example of that. I'm talking about
"application level security policy" for non-HTTP applications.
I'm currently writing an application which uses SSLeay-0.9.0b and
I've got all the read, write, connect, and accept calls in place,
but I'm at an impasse--I have no idea how to implement a security
policy. I must deal with user-level interactions for certificate
management, protocol and cipher negotiation, and various other low-level
details related to the SSL protocol. The current level of explanation
for various certificate management tasks is way too high for me to
expect my application's users to understand. This is a great barrier,
and I'm stuck. I need an extremely easy path to application integration
at the level where I can configure a few path names and the rest will
be taken care of. The current set of tools for making and requesting
certificates is horrible, and there's no way I'm going to expose this
outside of my application. I want a simple explanation of the C-library
calls I make to tie all of this together--to make a new certificate, etc.
I'm not using HTTP, and I could care less about various vendor-related
how-tos. I have an application, and need security policy. Can anyone
help? This is a severe problem with SSLeay right now, and I'm busy with
other things. I don't want my application configured through ssleay.cnf,
the whole apparatus is ugly. Who's working on this? If money could
be offered to complete this task, is anyone interested?
My application is PRCS version 2, a version control system.
-josh
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]