On Thu, Jul 10, 2003 at 12:04:33PM +0100, [EMAIL PROTECTED] wrote:
> Instead, I have a
> different question: Where can I learn about SSL?
> As in, could someone reccommend a good book, or online tutorial, or
> something, somewhere, that explains it all from pretty much first
> principles, and leaves you knowing enough at the end to be able to make
> sensible use of OpenSSL and similar? 

I'd recommend Eric Rescorla's _SSL And TLS_ book for
learning about the protocol itself.  It's a very
good explanation of the protocol.

A concise explanation of the basic protocol
is in the original SSLv3 protocol spec from Netscape.
It's short but must be read carefully.

There's also a book on Openssl itself, that, from the parts I
have looked at, seems pretty good.
_Network Security with OpenSSL_ (Viega Messier & Chandra).

Like we've covered in this thread, Openssl  has a whole lot of stuff
that isn't needed for doing SSL.  It's the last place you want to start
trying to understand SSL.  Instead, first get a basic understanding of
the SSL protocol from Eric's book.  Then look at Openssl.  Unfortunately
the simpler SSL implementations seem to not be freely available.
If you do java, try Eric's 'pureTLS' java implementation.  

To start in Openssl, look at how the sample client and server apps
work.  Then step through them with a debugger.  The way that Openssl
is constructed with many macros and tables of pointers to functions makes it
difficult to simply read until you come to recognize the names.  Also, to
be honest, the code is written in a style that makes it more difficult to
understand than it should be.  Nothing against Tim and Eric or the current
Openssl crew, but anyone who uses that many single character variable
names needs to be whacked on the butt with a rolled-up copy of K&R C
and be told "NO" in a very firm voice.

Openssl is still changing and what little documentation
they have is often stale.

The openssl-users mailing list is quite active and is pretty
good about answering questions.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to