Monoculture

Thor Lancelot Simon tls at rek.tjls.com
Sat Oct 4 11:42:02 EDT 2003


On Sat, Oct 04, 2003 at 02:09:10PM +0100, Ben Laurie wrote:
> Thor Lancelot Simon wrote:
> > As far as what OpenSSL does, if you simply abandon outright any hope of
> > acting as a certificate authority, etc. you can punt a huge amount of
> > complexity; if you punt SSL, you'll lose quite a bit more.  As far as the
> > programming interface goes, I'd read Eric's book and then think hard about
> > what people actually use SSL/TLS for in the real world.  It's horrifying
> > to note that OpenSSL doesn't even have a published interface for some of
> > these operations.  For example, there is no simple way to do the most
> > common certificate validation operation: take a certificate and an optional
> > chain, and check that the certificate is signed by an accepted root CA, or
> > that each certificate in the chain has the signing property and that the
> > chain reaches that CA -- which would be okay if OpenSSL did the validation
> > for you automatically, but it doesn't, really.
> 
> Err, yes it does, but it's not very well documented.

No.  You can't do it in one step, and you have to use functions that are
marked in OpenSSL's header files as not being part of the official API.
mod_ssl has a convenience function that's confusingly named just like the
OpenSSL library functions that deals with this -- of course, it should be
part of OpenSSL itself, but at least as of 0.9.6 it was not.

Thor
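The validation operation described above (a certificate plus an optional chain, checked to reach an accepted root through intermediates that actually hold the signing property) as an added example using the openssl(1) command-line tool; this is not code from the thread, from OpenSSL or from mod_ssl, and every key, certificate and name in it is constructed in a temporary directory, assuming openssl 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL/mod_ssl: the
# "certificate + optional chain against an accepted root" check, done with
# the CLI. All keys, certs and names are constructed; needs openssl >= 1.1.1.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mkcert <name> <issuer name | self> <x509v3 extensions>
# Key + CSR for <name>, then a certificate signed by <issuer> (or by itself).
mkcert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Constructed $1" 2>/dev/null
  printf '%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" \
      -days 1 -extfile "$1.ext" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -CAcreateserial -out "$1.pem" -days 1 -extfile "$1.ext" 2>/dev/null
  fi
}

# The "signing property": only certificates carrying CA:TRUE may issue others.
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign'
EE_EXT='basicConstraints=critical,CA:FALSE'
mkcert root   self  "$CA_EXT"   # the accepted root CA
mkcert inter  root  "$CA_EXT"   # intermediate issued by the root
mkcert leaf   inter "$EE_EXT"   # end-entity cert issued by the intermediate
mkcert rogue  root  "$EE_EXT"   # end-entity cert issued by the root ...
mkcert victim rogue "$EE_EXT"   # ... misused to issue a further certificate

# verify_chain <accepted roots file> <optional chain file or ''> <certificate>
# Succeeds only if <certificate> chains to a root in the accepted set and every
# intermediate on that path is itself allowed to sign. System store is ignored.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}
# ok <same arguments>: prints 0 when verify_chain accepts, 1 when it rejects
ok() { if verify_chain "$@"; then echo 0; else echo 1; fi; }
echo "leaf with its chain:       $(ok root.pem inter.pem leaf.pem)"   # 0
echo "leaf without its chain:    $(ok root.pem '' leaf.pem)"          # 1 (no path to root)
echo "victim via non-CA 'rogue': $(ok root.pem rogue.pem victim.pem)" # 1 (issuer lacks CA:TRUE)
```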

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com