Peter:

On 29/03/10 1:15 AM, Peter Waltenberg wrote:
>
> Sure - it works if you have a simple application, main -> OpenSSL
> even main -> lib doing SSL -> OpenSSL still works.
>
> What's giving us grief (and I suspect the person who first raised this
> grief) is:
> main -> lib that needs SSL to do client server comms -> OpenSSL
>      -> Another lib that does client server comms -> OpenSSL
>      -> Another lib that does crypto -> OpenSSL
>
> All the libraries of the big fat composite application expect to be able to
> access OpenSSL's functions, all were created independently - the top level
> app doesn't do SSL or crypto at all - it just uses libraries that need to
> do SSL or crypto to function.
>

This is a rather specious argument - if an application uses SSL at the lower layers, there has to be some method for that application to at least tell OpenSSL which CA certificates to use - and yes, it COULD have a wrapper/higher-level lib that sets up those locations (like I think OpenLDAP can), but I would consider it a HORRIBLE design flaw of that higher library to not expose SOME method to set the trust store (and revocation information, etc.) globally for the application - otherwise, in the situation that you mention, the poor admin COULD end up with an application where it is almost impossible to troubleshoot why certain connections are failing, i.e.: Why do my LDAPS connections work, but my HTTPS don't? (assuming that LDAP is provided by one lib, and HTTP by another).

So I would argue that it is the higher-level libs' problem to:

1: Set threading correctly and consistently on all of its SUB library dependencies with the model the higher-level app tells it to.
2: Expose enough controls that allow a higher-level app to set keys, cert stores, and revocation information locations.

If those libraries DON'T do both of the above (and OpenSSL can certainly accommodate both today), then the bugs/feature requests to enable both of these functionalities should be filed there.

I'm not one of the "core" devels, but this is just my 0.02 worth.

Patrick.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
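The second point above (a single, application-owned place to set trust-store and revocation settings that every sub-library honours) can be sketched in code. The following is an added example, not code from the thread or from OpenSSL; it uses Python's `ssl` module, which is a thin binding over OpenSSL's `SSL_CTX`, so `load_verify_locations` and `VERIFY_CRL_CHECK_LEAF` map directly onto `SSL_CTX_load_verify_locations` and `X509_V_FLAG_CRL_CHECK`. The `TlsPolicy` registry and the two sub-library classes (standing in for an LDAP client lib and an HTTP client lib) are constructed for this example. Threading setup (point 1) is not shown, since the Python binding installs OpenSSL's locking callbacks itself.

```python
"""Application-level TLS policy shared by every library in the process.

Added example (not from the mailing-list thread or OpenSSL itself).
The idea: the top-level application sets CA locations and revocation
checking ONCE; each sub-library derives its SSL_CTX from that policy
instead of hard-coding its own, so "LDAPS works but HTTPS doesn't"
cannot arise from two libraries trusting different stores.
"""
import ssl
import tempfile
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TlsPolicy:
    """Process-wide trust settings owned by the top-level application."""
    cafile: Optional[str] = None   # PEM bundle, like SSL_CTX_load_verify_locations' CAfile
    capath: Optional[str] = None   # hashed cert directory, like its CApath
    crl_check: bool = False        # require CRL checking of the leaf certificate


# The single registry. Library code never stores its own CA locations.
_policy = TlsPolicy()


def set_trust_store(cafile: Optional[str] = None,
                    capath: Optional[str] = None,
                    crl_check: bool = False) -> None:
    """Control exposed to the application; called once at start-up."""
    global _policy
    _policy = TlsPolicy(cafile=cafile, capath=capath, crl_check=crl_check)


def get_policy() -> TlsPolicy:
    return _policy


def build_context() -> ssl.SSLContext:
    """The one routine every sub-library uses to create its SSL_CTX."""
    policy = get_policy()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED      # never CERT_NONE behind the app's back
    ctx.check_hostname = True
    if policy.cafile or policy.capath:
        # Same call as SSL_CTX_load_verify_locations(ctx, CAfile, CApath).
        ctx.load_verify_locations(cafile=policy.cafile, capath=policy.capath)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)  # OS trust store fallback
    if policy.crl_check:
        # X509_V_FLAG_CRL_CHECK: fail verification if no CRL covers the leaf.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


# Two hypothetical sub-libraries, written independently but both built on
# build_context(), so they cannot drift apart in what they trust.
class LdapClientLib:
    def __init__(self) -> None:
        self.ctx = build_context()


class HttpClientLib:
    def __init__(self) -> None:
        self.ctx = build_context()


def context_settings(ctx: ssl.SSLContext) -> Tuple[int, bool, int]:
    """Snapshot of the verification-relevant settings, for comparison."""
    return (int(ctx.verify_mode), ctx.check_hostname, int(ctx.verify_flags))


def libraries_agree(capath: str, crl_check: bool = True) -> bool:
    """Apply one policy, instantiate both libraries, confirm they match."""
    set_trust_store(capath=capath, crl_check=crl_check)
    ldap, http = LdapClientLib(), HttpClientLib()
    same = context_settings(ldap.ctx) == context_settings(http.ctx)
    crl_applied = bool(ldap.ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF) == crl_check
    return same and crl_applied


if __name__ == "__main__":
    # Constructed input: an empty hashed-cert directory stands in for the
    # admin's real CApath; OpenSSL only records the path at this point.
    capath = tempfile.mkdtemp(prefix="example-capath-")
    print("both libraries share the app's trust settings:", libraries_agree(capath))
```

The design choice worth noting is that the sub-libraries expose no trust-store setting of their own; the only knob is the application's `set_trust_store`, which is exactly the "globally for the application" control argued for above, and it is what lets an admin answer "why does LDAPS work but HTTPS fail" by checking one place.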
