Monoculture

Ben Laurie ben at algroup.co.uk
Sat Oct 4 09:09:10 EDT 2003


Thor Lancelot Simon wrote:
> As far as what OpenSSL does, if you simply abandon outright any hope of
> acting as a certificate authority, etc. you can punt a huge amount of
> complexity; if you punt SSL, you'll lose quite a bit more.  As far as the
> programming interface goes, I'd read Eric's book and then think hard about
> what people actually use SSL/TLS for in the real world.  It's horrifying
> to note that OpenSSL doesn't even have a published interface for some of
> these operations.  For example, there is no simple way to do the most
> common certificate validation operation: take a certificate and an optional
> chain, and check that the certificate is signed by an accepted root CA, or
> that each certificate in the chain has the signing property and that the
> chain reaches that CA -- which would be okay if OpenSSL did the validation
> for you automatically, but it doesn't, really.

Err, yes it does, but it's not very well documented.

In fact, it constantly amazes me what OpenSSL does do for you
automatically. For example, I recently added CRL checking to Apache-SSL.
It took a while to figure it out, but in the end it came down to doing this:

#include <openssl/ssl.h>
#include <openssl/x509_vfy.h>

/* SSLConfigRec is Apache-SSL's per-server configuration record; the
   only fields used here are its SSL_CTX and the two CRL options. */
static void InitCRL(SSLConfigRec *pConfig)
    {
    /* The SSL_CTX's certificate store is where the verify flags live */
    X509_STORE *pStore=SSL_CTX_get_cert_store(pConfig->pSSLCtx);
    int vflags=0;

    /* Check the peer's leaf certificate against its issuer's CRL */
    if(pConfig->bUseCRL)
        vflags|=X509_V_FLAG_CRL_CHECK;
    /* Also require a CRL for every CA in the chain, not just the leaf */
    if(pConfig->bCRLCheckAll)
        vflags|=X509_V_FLAG_CRL_CHECK_ALL;
    X509_STORE_set_flags(pStore,vflags);
    }

(note, before people start nagging me for it, this is a WIP, but will be
released soon).

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
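
[Editor's added example, not Ben's code and not part of Apache-SSL or OpenSSL.] The two flags in the snippet above have direct equivalents on the openssl command line: "-crl_check" sets X509_V_FLAG_CRL_CHECK, so a CRL is required for the leaf certificate only, and "-crl_check_all" sets X509_V_FLAG_CRL_CHECK_ALL, so a CRL is required for every certificate in the chain. The script below builds a throw-away CA, issues one leaf, then shows the four states a verifier sees: CRLs ignored, CRL required but absent, CRL present with nothing revoked, and the leaf revoked. All names, paths and the minimal "openssl ca" configuration are made up for the example; only the openssl binary is needed.

```shell
#!/bin/sh
# Added example (not from the original message): the CRL flags from the
# post driven through the openssl CLI. Everything is generated in a
# temporary directory; nothing here is real key material.
set -e

# Build a one-level test PKI: a self-signed CA, one leaf certificate and
# the minimal "openssl ca" configuration needed to revoke and issue CRLs.
setup_pki() {
    work="$1"
    mkdir -p "$work/newcerts"
    : > "$work/index.txt"
    echo 01 > "$work/crlnumber"
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
database         = $work/index.txt
new_certs_dir    = $work/newcerts
crlnumber        = $work/crlnumber
certificate      = $work/ca.pem
private_key      = $work/ca.key
default_md       = sha256
default_crl_days = 7
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$work/leaf.csr" \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/leaf.pem" 2>/dev/null
}

# Issue a fresh CRL from the CA's current database.
issue_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# Verify the leaf against the CA and report the outcome as one word:
# OK, no-crl, revoked or other. Arguments after the directory are passed
# straight to "openssl verify" (e.g. -crl_check, -CRLfile ...).
verify_leaf() {
    work="$1"; shift
    if out=$(openssl verify -CAfile "$work/ca.pem" "$@" "$work/leaf.pem" 2>&1); then
        echo OK
        return 0
    fi
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *)                                 echo other ;;
    esac
}

# Walk through the four states and return them as one line.
demo() {
    work=$(mktemp -d)
    setup_pki "$work"
    r1=$(verify_leaf "$work")                # no CRL flag: CRLs are ignored
    r2=$(verify_leaf "$work" -crl_check)     # CRL required but none supplied
    issue_crl "$work"
    r3=$(verify_leaf "$work" -crl_check_all -CRLfile "$work/crl.pem")  # CRL for leaf and root, nothing revoked
    openssl ca -config "$work/ca.cnf" -revoke "$work/leaf.pem" 2>/dev/null
    issue_crl "$work"
    r4=$(verify_leaf "$work" -crl_check -CRLfile "$work/crl.pem")      # leaf is now on the CRL
    rm -rf "$work"
    echo "$r1 $r2 $r3 $r4"
}

if [ "${1:-}" = "run" ]; then
    demo
fi
```

Run it as "sh crl_demo.sh run"; it prints "OK no-crl OK revoked". The second word is the case worth remembering: once CRL checking is switched on, a missing CRL is a verification failure, not a silent pass, which is exactly why the Apache-SSL snippet exposes the flags as separate options rather than always setting them.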


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
