On Thu, Jul 10, 2003 at 12:04:33PM +0100, [EMAIL PROTECTED] wrote: > Instead, I have a > different question: Where can I learn about SSL? > > As in, could someone reccommend a good book, or online tutorial, or > something, somewhere, that explains it all from pretty much first > principles, and leaves you knowing enough at the end to be able to make > sensible use of OpenSSL and similar?
I'd recommend Eric Rescorla's _SSL And TLS_ book for learning about the protocol itself. It's a very good explanation of the protocol. A concise explanation of the basic protocol is in the original SSLv3 protocol spec from Netscape. It's short but must be read carefully. There's also a book on Openssl itself, that, from the parts I have looked at, seems pretty good. _Network Security with OpenSSL_ (Viega Messier & Chandra). Like we've covered in this thread, Openssl has a whole lot of stuff that isn't needed for doing SSL. It's the last place you want to start trying to understand SSL. Instead, first get a basic understanding of the SSL protocol from Eric's book. Then look at Openssl. Unfortunately the simpler SSL implementations seem to not be freely available. If you do java, try Eric's 'pureTLS' java implementation. To start in Openssl, look at how the sample client and server apps work. Then step through them with a debugger. The way that Openssl is constructed with many macros and tables of pointers to functions makes it difficult to simply read until you come to recognize the names. Also, to be honest, the code is written in a style that makes it more difficult to understand than it should be. Nothing against Tim and Eric or the current Openssl crew, but anyone who uses that many single character variable names needs to be whacked on the butt with a rolled-up copy of K&R C and be told "NO" in a very firm voice. Openssl is still changing and what little documentation they have is often stale. The openssl-users mailing list is quite active and is pretty good about answering questions. Eric --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]