* Heikki Linnakangas (hlinnakan...@vmware.com) wrote: > I think you just packed up the goalposts for a one-way trip to Mars, > but I wonder: What would you consider "proper SSL support"? What > exactly are we missing?
I hit on a few things in my other email, but there is a huge portion of SSL which is just about making it easy and sensible to install and get working properly. Apache is a good example of how to do this and is one that a lot of people are familiar with. Specific issues that I recall running into are lack of the 'directory' options for certificates, having trouble figuring out the right format and structure to provide the complete root chain for the server's certificate and then trying to figure out how to add intermediate and additional root CAs for client certificates, getting CRLs to work was a pain, and nothing about how to get OCSP working. I think there's been some improvement since I last had to go through the pain of setting this all up, and some of it is undoubtably OpenSSL's fault, but there's definitely quite a bit more we could be doing to make SSL support easier. I'm hopeful that I'll be able to spend more time on this in the future but it's not a priority currently. Thanks, Stephen
Description: Digital signature