I have an easy solution I use because not only do you have the
problem with admins not having the library installed, you have the
problem of them having the wrong version installed for something they
need. Your app or theirs won't work. Or yours will, and they update
openssl and it no longer does. And some places with strict security
policies won't let you install things like openssl (but if they want
your app they have to install it!). I simply build the static
libraries and link them in. This means nothing need exist on the
target machine and that you have a more stable product because you
have tested against the library version you have statically linked. You
could argue it makes the program bigger and my answer is -- say
what? My iPod could handle my entire business suite and data (for
disk space, not actually running) -- so who cares. I have found this
is often the easiest way to go. I also make a small wrapper that
only builds certs from openssl and uses a different name, again
making it appear to be my software. I also allow them to use a Web
interface to my site to make a cert and download it.

Eric

At 11:09 AM 10/28/2011, Kristen J. Webb wrote:
After all my wrangling, I'm leaning towards just using client certs.
Is it a reasonable assumption that on UNIX'es these days I can
expect to find libssl.so AND the openssl command line?
If not, is it reasonable to assume that a sysadmin will
install openssl to get my app to work?
Otherwise, it would seem that something as easy and well
documented as creating a CSR could be a lot more coding...
Many thanks for all the useful comments!
Kris
On 10/27/11 7:20 AM, Michael S. Zick wrote:
On Wed October 26 2011, Kristen J. Webb wrote:
Having an app that can use certs, it
appears, is nothing compared with how to deploy it and manage those certs ;)
A general truism not specific to "certs".
Recognizing (or implementing) a "need for trust" is one thing;
Determining (or establishing) what is to be trusted is quite another.
Consider:
Your roof leaks.
It's easy to find a contractor who claims they will fix it.
It's an entirely different matter to find one you can __trust__ to do
the job correctly and to your satisfaction.
Mike
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
--
Mr. Kristen J. Webb
Teradactyl LLC.
PHONE: 1-505-242-1091
EMAIL: kw...@teradactyl.com
VISIT: http://www.teradactyl.com
Home of the
True incremental Backup System
Eric S. Eberhard
(928) 567-3727 Voice
(928) 567-6122 Fax
(928) 301-7537 Cell
Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC
For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com
For pictures: http://www.vicsmba.com/ourpics/index.html
(You can see why we love this state :-) )
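
Added example (not part of the thread or of anyone's posted code): a shell check over `ldd` output that reports whether a build still depends on the host's shared libssl/libcrypto, which is the deployment question the messages above discuss. The function names and the sample `ldd` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function and variable names are hypothetical.

# Read `ldd`-style output on stdin and classify the OpenSSL dependency:
#   missing:<sonames>  a libssl/libcrypto shared object is required but "not found"
#   dynamic:<sonames>  the host's shared OpenSSL will be loaded at run time
#   none               no shared OpenSSL dependency is listed (a statically linked
#                      build, or a program that does not link OpenSSL at all)
openssl_linkage() {
    awk '
        /lib(ssl|crypto)\.so/ {
            sep = (libs == "") ? "" : ","
            libs = libs sep $1
            if ($0 ~ /not found/) missing = 1
        }
        END {
            if (missing)         print "missing:" libs
            else if (libs != "") print "dynamic:" libs
            else                 print "none"
        }'
}

# Run the check against a real binary. A fully static executable lists no
# shared objects, so the result is "none".
check_binary() {
    ldd "$1" 2>/dev/null | openssl_linkage
}

# Constructed sample inputs (library versions and addresses are made up).
SAMPLE_MISSING='    libssl.so.0.9.8 => not found
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7d00000)
    libc.so.6 => /lib/libc.so.6 (0xb7b90000)'
SAMPLE_DYNAMIC='    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0xb7e40000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0xb7c90000)
    libc.so.6 => /lib/libc.so.6 (0xb7b20000)'
SAMPLE_STATIC='    libc.so.6 => /lib/libc.so.6 (0xb7b90000)'

for sample in "$SAMPLE_MISSING" "$SAMPLE_DYNAMIC" "$SAMPLE_STATIC"; do
    printf '%s\n' "$sample" | openssl_linkage
done
```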