Hi,
Inspired by Ryan's recent post about related practical
matters, I have a more general question about Sun code
in OpenSSL.
Before Sun Microsystems were acquired by Oracle, they
made a number of contributions to OpenSSL. Those
contributions apparently covered both actual code
(copyr
it present form what the scope of
supporting things like this is, and confusing when I see that version such and
such now "supports foo".
-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Patrick Patterson
Sent: Wed 12/2/2009 12:33 PM
To: openssl-users@openssl.org
Hi Rene:
Rene Hollan wrote:
>
> 2) Things like OCSP, CRLs, and other SSL "extensions" have always
> stumped me. Is it something the user of the library is responsible
> for, when validating a cert, or can the library do it itself when I
> try to establish an SSL connection, and to what degree can
-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Victor Duchovni
Sent: Wed 12/2/2009 11:29 AM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
On Wed, Dec 02, 2009 at 11:17:44AM -0800, Rene Hollan wrote:
>
> To someone who
On Wed, Dec 02, 2009 at 11:17:44AM -0800, Rene Hollan wrote:
>
> To someone who uses code, it doesn't matter a fig what the designer was
> thinking. It matters what the code does. Then you can decide if it does
> something correctly enough to be usable in the state it's in.
>
My sense is that
n behalf of Mark H. Wood
Sent: Wed 12/2/2009 6:42 AM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
On Tue, Dec 01, 2009 at 02:08:08PM -0800, Randy Turner wrote:
> As an investor, I would rather have my coders use a product with
> documentation to "make
mented differently.
-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of Mark H. Wood
Sent: Wed 12/2/2009 6:47 AM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
On Tue, Dec 01, 2009 at 03:23:15PM -0800, Rene Hollan wrote:
> The pro
Great to hear from another former TOPS-20 user. I worked on TOPS back in the
early 80s, then VMS of course.
Also reverse-engineered (to some degree, more like reverse-compiled) PDP-8
paper tape. All in all, I'll take the docs. :)
Randy
On Dec 2, 2009, at 6:42 AM, Mark H. Wood wrote:
> On T
On Tue, Dec 01, 2009 at 02:08:08PM -0800, Randy Turner wrote:
> As an investor, I would rather have my coders use a product with
> documentation to "make progress" on the actual goals of the product,
> rather than reverse-engineer the information they're trying to look
> for.
>
> With the former me
On Tue, Dec 01, 2009 at 03:23:15PM -0800, Rene Hollan wrote:
> The problem is that the documentation may not be correct, sending your coders
> on a wild goose chase.
Bah, if the code does not do what the documentation describes then the
*code* is incorrect. Documentation can only be incorrect if
> The problem is that the documentation may not be correct,
> sending your coders on a wild goose chase.
Anything may contain errors. I don't think this is a valid reason for
not doing it.
> Think of the source code as a safe but boring investment
> (with little barrier to entry), and the d
or it.
From: owner-openssl-us...@openssl.org on behalf of Randy Turner
Sent: Tue 12/1/2009 2:08 PM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
As an investor, I would rather have my coders use a product with documentation
to "make progress"
Randy Turner wrote:
> As an investor, I would rather have my coders use a product with
> documentation to "make progress"
> on the actual goals of the product, rather than reverse-engineer the
> information they're trying to look for.
Obviously, as I already stated below:
>> So would I.
Regar
As an investor, I would rather have my coders use a product with documentation
to "make progress"
on the actual goals of the product, rather than reverse-engineer the
information they're trying to look for.
With the former method, my cost is (n), with the latter method, my cost could
be unboun
Kenneth Goldman wrote:
> 1 - Reading the source is only as reliable as the skill of the reader and
> the comments in the code. I'd rather have the answers than a research
> project.
So would I. But far too often, in code of all kinds, this documentation
doesn't exist. As an investor I would far
owner-openssl-us...@openssl.org wrote on 11/26/2009 06:35:42 PM:
> > Finally, the source code IS the only reliable source of documentation
> > (assuming you can trust your compiler, OS, and hardware to do "the
> > right thing"). It isn't the most CONVENIENT, which is why we desire
> > other forms.
Sent: Fri 11/27/2009 2:46 AM
To: openssl-users@openssl.org
Subject: RE: General question about documentation
Hi All,
> Rene Hollan wrote:
> >
> > Oh, you need to dig deeper, to understand the semantics and not just
> > the syntax of those APIs.
> >
Hi All,
> Rene Hollan wrote:
> >
> > Oh, you need to dig deeper, to understand the semantics and not just
> > the syntax of those APIs.
> >
> > I didn't say using the source as documentation was convenient, but it
> > is possible, to any degree of detail you want.
> >
> > To wit: given th
This is an example of a relatively common use-case that I was alluding to in a
previous email...it would be nice to not have to figure this out either by
guessing, reverse-engineering something, or other sub-optimal form of
development strategy
Randy
On Nov 26, 2009, at 4:03 PM, John R P
Yes, I noted that usage of the APIs in combination with common use-cases is
more appropriate, but this doesn't obviate the need for per-API documentation,
as has occurred so far on the openssl website.
And I agree with the previous point that we should be trying to collectively
figure out how
From: "John R Pierce"
this task was very easy in Java, as Java's SecureSocket hides all the
complexity, up to and including full support for PKCS#11 plugins.
Weren't you lucky.
I gave up trying to do that sort of thing in Java when I ran across its
habit of doing reverse DNS lookups on eve
Rene Hollan wrote:
Oh, you need to dig deeper, to understand the semantics and not just
the syntax of those APIs.
I didn't say using the source as documentation was convenient, but it
is possible, to any degree of detail you want.
To wit: given the source code, it is possible to create doc
ohn R Pierce
Sent: Thu 11/26/2009 3:35 PM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
> Finally, the source code IS the only reliable source of documentation
> (assuming you can trust your compiler, OS, and hardware to do "the
> right thing"
Finally, the source code IS the only reliable source of documentation
(assuming you can trust your compiler, OS, and hardware to do "the
right thing"). It isn't the most CONVENIENT, which is why we desire
other forms.
the implementation details of the 250-odd API entry points in libssl.so
iling list archive.
>
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org on behalf of Randy Turner
> Sent: Thu 11/26/2009 11:38 AM
> To: openssl-users@openssl.org
> Subject: Re: General question about documentation
>
>
> That's a gre
Turner
Sent: Thu 11/26/2009 11:38 AM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
That's a great idea Mark and Will, I would be happy to contribute anything
that I learn about the toolkit.
There have been a wide range of comments from people saying "look
>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mark
>> Sent: Wednesday, November 25, 2009 3:27 AM
>> To: openssl-users@openssl.org
>> Subject: RE: General question about documentation
>>
>>> I would like to post a general observation regarding users of
...@openssl.org] On Behalf Of Mark
> Sent: Wednesday, November 25, 2009 3:27 AM
> To: openssl-users@openssl.org
> Subject: RE: General question about documentation
>
> > I would like to post a general observation regarding users of the
> > OpenSSL toolkit.
>
> [snip st
> I would like to post a general observation regarding users of
> the OpenSSL toolkit.
[snip stuff about documentation]
A long time ago it was suggested to use a wiki for this purpose. Can
this idea be resurrected?
Mark.
ode. But no one owes it to anyone.
-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Tim Ward
Sent: Wednesday, November 25, 2009 12:59 AM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
F
On Tue November 24 2009, Graham Leggett wrote:
> Tim Ward wrote:
>
> In the really big corporates I have been involved with, they have all
> demanded either source code with the product or the source in escrow
> before they will consider using it.
>
My experience also.
One of the best argument
On Tue, Nov 24, 2009 at 06:27:19PM -0800, John R Pierce wrote:
> openssl docs should go way beyond that, and include tutorials of the 'right
> way' to do a wide range of the sorts of things that SSL/TLS programs need
> to do.
That's what books are for. Don't confuse reference documentation with
From: "Graham Leggett"
Use the source: while not the easiest to read it is the most accurate
documentation available at any given time. (No, this is not a
justification for a lack of or bad documentation).
The objection, and it's a major one, to reverse engineering the API from the
source is
Rene Hollan wrote:
Crypto is hard... mostly because X509 is a dog's breakfast of committee
compromisitis.
That said, openssl docs should AT LEAST address one who is familiar with X509.
openssl docs should go way beyond that, and include tutorials of the
'right way' to do a wide range of t
Ward
Sent: Tuesday, November 24, 2009 1:37 PM
To: openssl-users@openssl.org
Subject: Re: General question about documentation
From: "Randy Turner"
>
> From the length of some of the threads I've read in the past, a number
> of developers seem to be burning a lot of developm
Tim Ward wrote:
> Yes indeed. This is why I often go for commercial software in preference
> to "free" - it took me a day and a half to get a working Visual Studio
> 2005 debug DLL built, at a cost to my client of ... er ... well ... none
> of anyone else's business really, but lots more than any
From: "Randy Turner"
From the length of some of the threads I've read in the past, a number
of developers seem to be burning a lot of development hours "guessing"
at how functions are supposed to work
Yes indeed. This is why I often go for commercial software in preference to
"free" - it too
I would like to post a general observation regarding users of the OpenSSL
toolkit.
A number of the questions hitting this list, are somewhat detailed, and
sometimes deal with interesting corner cases regarding the use of the toolkit.
However, a large number of questions hitting this list have
They are two different network protocols which both implement
cryptography.
OpenSSL is primarily used by developers behind the scenes and not
directly by users (though there is an "openssl" command-line tool that
exposes many of OpenSSL's capabilities). I assume the "command prompt
featur
__
OpenSSL Project http://www.openssl.or
Hi All,
I am still new to openssl.
May I know what the difference is between openssh and openssl?
They look the same.
May I know how to use the openssl?
Do they have any command prompt feature?
Thanks
-fsloke
Hi Justin,
You've been extremely helpful! Thank you very much!
--- Justin Karneges <[EMAIL PROTECTED]> wrote:
> Hi,
>
> If you just want to compare fingerprints, you can
> avoid X509_STORE entirely.
> In OpenSSL, a verification failure doesn't mean the
> connection stops. This
> is how a
Hi,
If you just want to compare fingerprints, you can avoid X509_STORE entirely.
In OpenSSL, a verification failure doesn't mean the connection stops. This
is how apps are able to show those "do you want to continue?" prompts to the
user after verification problems.
So just use an empty X509
Thank you Justin!
Just to nail down my understanding of your last
paragraph - you said "just compare the fingerprint of
the certificate with your list of allowed
fingerprints" - My question is, would this be done in
my verify callback function? (int
(*verify_callback)(int, X509_STORE_CTX *)) ?
On Thursday 27 October 2005 07:25, M G wrote:
> Hi list,
>
> My goal is to create mutual authentication for small business (each client
> app is also a server that can share data securely), is there a way to use
> SSL the "normal" way i.e., to create an X509 store, set verify function,
> use certif
Hi list,
My goal is to create mutual authentication for small business (each client app is also a server that can share data securely), is there a way to use SSL the "normal" way i.e., to create an X509 store, set verify function, use certificates, etc, ... but not require users to sign with a CA
hi all,
I have a basic question about the PKCS#7 format. I am new to this field and
need some information about it.
I want to sign some files. I knew that I can create detached signatures
for each single file.
file1.txt -> file1.txt.p7s
file2.txt -> file2.txt.p7s
The question is: Can I create a s
>> a) How does a web browser (say Netscape) that does not want to concern the
>> user with cryptographic details manage an RSA private key for the initiation
>> of an SSL session? I'm specifically interested in knowing whether it
>> creates a key once and stores it on the disk, if it creates a ke
Brian Doyle <[EMAIL PROTECTED]> writes:
> I have several questions regarding SSL connection initiation. Thanks in
> advance for your help, this list is great!
>
> They are:
>
> a) How does a web browser (say Netscape) that does not want to concern the
> user with cryptographic details manag
Hello,
I have several questions regarding SSL connection initiation. Thanks in
advance for your help, this list is great!
They are:
a) How does a web browser (say Netscape) that does not want to concern the
user with cryptographic details manage an RSA private key for the initiation
of an
50 matches