> If you are linking to OpenSSL DLLs, then your application isn't statically
> linked against OpenSSL. .lib files can simply be references to exports in .dll files. This is an important point. Can we be absolutely clear? My picture of how this works is that the .lib files contain small stubs so that while the application code has the "illusion" of making a static call to SSL_whatever() in reality that is a tiny stub that actually calls code in a DLL. There is no "functional" code in the .lib, only stubs that link to functional code in the DLLS. Am I wrong? This is a critical point. BTW, thanks for the Shining Light Windows build. It's what I am using. Charles -----Original Message----- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Thomas J. Hruska Sent: Tuesday, October 16, 2012 8:02 AM To: openssl-users@openssl.org Subject: Re: Building an "exportable" OpenSSL application On 10/16/2012 7:25 AM, Charles Mills wrote: > I have a Windows-only OpenSSL application developed in VS 2010. I have > now been tasked with creating parallel "regular" and "exportable" > (from the US) distributions of the application. > > I UNDERSTAND YOU CAN'T GIVE LEGAL ADVICE. I'M ONLY LOOKING FOR > TECHNICAL INPUT HERE. > > The application statically links to libeay32XX.lib and ssleay32XX.lib. > The application starts out by calling "applink()." The distribution > includes libeay32.dll and ssleay32.dll. If you are linking to OpenSSL DLLs, then your application isn't statically linked against OpenSSL. .lib files can simply be references to exports in .dll files. > Am I correct in the following premises? > > - All of the actual encryption algorithms are in libeay32.dll? (And > ssleay32.dll?) As I describe my architecture above, my distributed > main executable does not contain actual encryption algorithms; they're > only in the DLL(s)? > > - It should be possible to create and distribute a "weak encryption only" > build of libeay32.dll? Anyone could simply install different binaries and delete yours. > Personal confession/personal advice time: I have 44 years of > experience as a programmer, 40 of it as a successful commercial > product developer, but no knowledge of "make" beyond a grasp of the > purpose and concept. (Most of those 44 years are on a platform with no > tradition of make; the remainder are exclusively with the MS VS IDE > and its predecessors. Make fun of me if you wish.) Question: assuming > I am correct that I need to build my own version of libeay32.dll, do > you think it's a shorter path to learn make, or to try to do it with > MS VS 2010? I am guessing the former. Is there somewhere a "ready to roll" MS VS project that builds the DLLs? No there isn't. Well, okay, there is some ancient VS workspace but no one uses it. It is better to follow the README.WIN32 instructions. > Is there a configure (is that the right term?) option for "weak encryption > only"? I see the no-<specific cipher> flag but is there a no-strong-ciphers > sort of option? I know that SSL_CTX_set_cipher_list() supports the LOW and > EXP keywords so OpenSSL must "know" what are the so-called export ciphers. A better approach is to dynamically link against OpenSSL and then call that function with the export cipher list in your export build. That way, you can easily replace just the OpenSSL DLLs as new versions come out AND it keeps people from replacing your DLLs with other DLLs and causing unintended side effects. It seems cleaner to me anyway. > Would appreciate any additional miscellaneous tips. > > Charles -- Thomas Hruska Shining Light Productions Home of BMP2AVI and Win32 OpenSSL. http://www.slproweb.com/ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
