On 10/28/11 12:39 PM, Eric S. Eberhard wrote:
I have an easy solution I use because not only do you have the problem with
admins not having the library installed, you have the problem of them having the
wrong version installed for something they need. Your app or theirs won't work.
Or yours will, and they update openssl and it no longer does. And some places
with strict security policies won't let you install things like openssl (but if
they want your app they have to install it!). I simply build the static
libraries and link them in. This means nothing need exist on the target machine
and that you have a more stable product because you have tested against the
library version you have static linked. You could argue it makes the program
bigger and my answer is -- say what? My iPod could handle my entire business
suite and data (for disk space, not actually running) -- so who cares. I have
found this is often the easiest way to go. I also make a small wrapper that only
builds certs from openssl and uses a different name, again making it appear to
be my software. I also allow them to use a Web interface to my site to make a
cert and download it. Eric
Static linking is something that we looked at a while back.  Some other
folks have convinced me that static linking may not be the best way to go.

        - You have to keep up with security updates.  If you link against
        the system libraries, then security vulnerabilities can be handled
        at the OS level.  OS vendors try hard not to break backward
        compatibility, but I suppose time will tell if this will come
        back to bite us ;)

        - I don't have a complete answer on this yet, but it would seem
        to me that dynamic linking against crypto libraries instead of
        shipping those bits (static link) would make life easier from a
        US export side, but I am no lawyer!

        - If I am not mistaken, linking against system OpenSSL libraries
        allows you to work around the GNU licensing conflict which
        had me worried early on as I looked to adopting OpenSSL.
        Again, I'm no lawyer!

Relying on OS configuration is more difficult, especially for Linux, as I need
to now build against many Linux distros to get things right.  Thanks
to virtual environments, this is at least manageable.


At 11:09 AM 10/28/2011, Kristen J. Webb wrote:
After all my wrangling, I'm leaning towards just using client certs.

Is it a reasonable assumption that on UNIXes these days I can
expect to find libssl.so AND the openssl command line?

If not, is it reasonable to assume that a sysadmin will
install openssl to get my app to work?

Otherwise, it would seem that something as easy and well
documented as creating a CSR could be a lot more coding...

Many thanks for all the useful comments!
Kris

On 10/27/11 7:20 AM, Michael S. Zick wrote:
On Wed October 26 2011, Kristen J. Webb wrote:
Having an app that can use certs, it
appears, is nothing compared with how to deploy it and manage those certs ;)

A general truism not specific to "certs".

Recognizing (or implementing) a "need for trust" is one thing;
Determining (or establishing) what is to be trusted is quite another.

Consider:
Your roof leaks.
It's easy to find a contractor who claims they will fix it.
It's an entirely different matter to find one you can __trust__ to do
the job correctly and to your satisfaction.

Mike

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org

--
Mr. Kristen J. Webb
Teradactyl LLC.

PHONE: 1-505-242-1091
EMAIL: kw...@teradactyl.com
VISIT: http://www.teradactyl.com

Home of the

True incremental Backup System


Eric S. Eberhard
(928) 567-3727 Voice
(928) 567-6122 Fax
(928) 301-7537 Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Support!!!! http://www.vicsmba.com

For pictures: http://www.vicsmba.com/ourpics/index.html

(You can see why we love this state :-) )


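The thread asks two practical questions: whether a target UNIX box can be assumed to have libssl.so and the openssl command line, and whether a binary that dynamically links the system OpenSSL really does pick up OS-level security updates. The preflight script below, an added example and not code from anyone in the thread, answers both for a given host. It assumes a Linux-style system with ldconfig and ldd; the library directories it searches and the output labels are assumptions chosen for the example.

```shell
#!/bin/sh
# Deployment preflight for an app that relies on the system OpenSSL
# (added example, not code from the thread). Assumes a Linux-style host with
# ldconfig/ldd; elsewhere the fallbacks below apply and the link-mode answer
# degrades to "unknown".

# 0 if a shared libssl is registered with the dynamic linker or sits in one
# of the usual library directories (an assumed list), 1 otherwise.
have_libssl() {
    if command -v ldconfig >/dev/null 2>&1 &&
       ldconfig -p 2>/dev/null | grep -q 'libssl\.so'; then
        return 0
    fi
    for d in /lib /lib64 /usr/lib /usr/lib64 /usr/local/lib \
             /usr/lib/x86_64-linux-gnu /usr/lib/aarch64-linux-gnu; do
        for f in "$d"/libssl.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# 0 if the openssl command-line tool is on PATH.
have_openssl_cli() {
    command -v openssl >/dev/null 2>&1
}

# Version banner of the CLI, e.g. "OpenSSL 1.0.0e 6 Sep 2011"; empty if absent.
openssl_cli_version() {
    openssl version 2>/dev/null
}

# Shared libssl/libcrypto objects a binary resolves at load time, one per
# line as "soname path". Only run this on binaries you trust: ldd hands the
# file to the dynamic loader and can end up executing code from it.
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)\.so' | awk '{print $1, $3}'
}

# "dynamic"        : the binary picks up libssl/libcrypto from the OS, so an
#                    OS package update patches its TLS code.
# "static-or-none" : nothing resolved at load time; either OpenSSL was linked
#                    in statically (fixes must come from the app vendor) or
#                    the binary does not use OpenSSL at all.
# "unknown"        : file missing or no ldd on this host.
ssl_link_mode() {
    [ -f "$1" ] && command -v ldd >/dev/null 2>&1 || { echo unknown; return 0; }
    if [ -n "$(linked_ssl_libs "$1")" ]; then echo dynamic; else echo static-or-none; fi
}

# Human-readable summary, e.g. for an install script's log.
preflight_report() {
    if have_libssl; then echo "libssl.so:   present"; else echo "libssl.so:   MISSING"; fi
    if have_openssl_cli; then
        echo "openssl CLI: $(openssl_cli_version)"
        echo "CLI links:   $(ssl_link_mode "$(command -v openssl)")"
    else
        echo "openssl CLI: MISSING"
    fi
}

if [ "${1:-}" = "--demo" ]; then
    preflight_report
fi
```

Run it as `sh preflight.sh --demo` on the target. Point `ssl_link_mode` at your own shipped binary to confirm which side of the static/dynamic trade-off it actually landed on; a "static-or-none" result means the OS vendor's OpenSSL updates will not reach it.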
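For the "easy and well documented" path of creating a CSR with the command line, here is the non-interactive version an installer would script, together with the checks a CA side would run before signing. This is an added example, not code from the thread; the file names, the 2048-bit RSA key size and the /CN= subject are assumptions chosen for the example.

```shell
#!/bin/sh
# Non-interactive client key + CSR generation with the openssl CLI (added
# example, not code from the thread). File names, the 2048-bit RSA key size
# and the /CN= subject are assumptions chosen for the example.

# Create client.key and client.csr in $1 for common name $2.
# The private key is created with mode 0600 and stays on this host; only the
# CSR (subject + public key, self-signed with the key) is sent to the CA.
make_csr() {
    dir=$1
    cn=$2
    mkdir -p "$dir" || return 1
    (
        umask 077    # key file must not be group/world readable
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/client.key" \
            -out "$dir/client.csr" \
            -subj "/CN=$cn"
    ) || return 1
    verify_csr "$dir/client.csr"
}

# 0 if the CSR's self-signature checks out, 1 otherwise. A CA runs this before
# signing: it shows the request was not altered in transit and that whoever
# built it holds the private key for the embedded public key.
verify_csr() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Subject line of a CSR, e.g. "subject=/CN=backup-01" (OpenSSL 1.0) or
# "subject=CN = backup-01" (1.1.0 and later).
csr_subject() {
    openssl req -noout -subject -in "$1"
}

# 0 if the CSR carries the public half of the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

if [ "${1:-}" = "--demo" ]; then
    make_csr ./client-cert backup-01.example.com &&
        csr_subject ./client-cert/client.csr &&
        csr_matches_key ./client-cert/client.csr ./client-cert/client.key &&
        echo "CSR ready to send to the CA: ./client-cert/client.csr"
fi
```

Run `sh make_csr.sh --demo` to produce the pair. Note that `-nodes` writes the key unencrypted, which is why the umask matters: the file permissions are the only thing protecting it. The CSR is safe to ship to a web form or e-mail; the key never leaves the client.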