Re: RE : zencod engine for openssl 0.9.6x & 0.9.7
Hi there,

On Thu, 18 Jul 2002, Frederic DONNAT wrote:

> I've sent the first release of our engine for 0.9.6x more than 6 months ago.
> Later on, I've sent a release for the 0.9.7dev long before the 0.9.7beta versions.

This has been an ongoing problem, for which we apologise. It's the main reason why RT exists - the submission of changes, new code, feature requests, bug reports, [ad infinitum] was outstripping our ability to keep track of things without most of it slipping through the cracks.

W.r.t. ENGINE submissions - I have had innumerable mails from various hardware vendors who will, are, or have been developing implementations. For many of those, I have had multiple emails on various subjects from development problems, licensing/copyright issues, how to submit, openssl release timelines, blah blah blah. In the end, it's extremely difficult to know who has sent what, when, and how, and moreover what is currently waiting on action from me and what isn't. I know Richard has had his fair share of the same.

So before dealing specifically with your mail, let me clarify something. Richard and I are currently working on an improved scheme for the ENGINE library code, with the hopes of having it ready in time for 0.9.8. In this scheme, all ENGINEs would be built as stand-alone shared-libraries - so whether the source is bundled with openssl or not has less bearing on a vendor's ability to support openssl on their clients' machines. The idea is that when an application (or admin/user/configuration) requests the use of engine "foo", openssl will check its internal list (as is currently the case), but when it finds no such ENGINE will take the additional step of probing a compiled-in installation directory such as $OPENSSLDIR/engines/ (though overridable by an environment variable) for the presence of a shared-library implementing "foo" (ie. using some canonical conversions, eg. libengine_foo.so, eng_foo.dll, etc).

Right now we have numerous ENGINE implementations compiling in every openssl version on every platform and imposing a significant footprint on *every* openssl image. All this despite the fact that 99% of openssl users don't have any of these devices, most of the remaining 1% have at most one of these devices, and most of the supported devices themselves will never operate on more than 1 or 2 of the supported platforms - despite the ENGINE support being compiled for every platform. In short, it's bloating out. Moreover, the speed at which new ENGINEs are coming in is increasing, to the point that we will have no choice soon but to unbundle them in *some* way.

back to your post ...

> We've tested in Linux (2.4.x), Windows (2k) and Solaris (8) platforms.
> If it is mandatory to test in several platforms, please send me a list.
> I'll be happy to do it :-)

Until the late-binding support I mentioned is mature, your code would need to compile smoothly on every platform supported by openssl for it to be included. Whilst that can be difficult to achieve in theory, getting compilation perfect (no warnings, and no ugly hacks to stop warnings) on a number of different platforms is a good start - anything else that remains will usually get noticed by someone else, particularly during beta testing. You'd also need to give permission for the source to be covered by the openssl license.

> On the other hand, I've proposed a patch for mod_ssl concerning the
> random in crypto cards.

Yes I saw that, and I believe Richard was looking at the equivalent points you mentioned in one or two openssl utilities (s_client and s_server IIRC)?

> > Could you please open a ticket on the openssl request-tracker for this?
> > http://www.openssl.org/support/rt2.html
> > That's the appropriate place for this sort of change request.
>
> ok. I was not aware of the RT 'til now. That's why I sent the code in
> the mailing list.

OK - once it's in RT it won't get "lost" in list traffic.
The only way for it to get completely passed by is for one of us to maliciously delete it, in which case you'll know who to chase and abuse :-) Note also that once it's on RT, anyone can look at the code and provide some peer-review, regardless of whether they're on the development team.

> Sorry for any inconvenience but I think I'm not pushing too hard, am I?

I don't think so, and again I apologise if you've found us a little unresponsive but I hope the above comments explain why, at least w.r.t. ENGINE implementations, things have been a little messy until RT came along. We have been steadily approaching a situation where we have to change the way these implementations are bundled, compiled, and loaded. That combined with the number of mails from various parties we get about ENGINE stuff makes it very difficult to keep track of everything and respond to all mail that deserves it.

Cheers,
Geoff

PS: Now I'm going to have to bookmark this post when it hits the archives so I can use it as a canned response ... :-)

--
Geoff Thorpe
[EMAIL PROTECTED]
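
The engine lookup described in the message above (probe a compiled-in directory, overridable through the environment, for a canonically named shared library), as an added C example that is not part of the thread or of OpenSSL's code. The directory value, the variable name EXAMPLE_ENGINES_DIR, the function names and the id and override checks are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumptions of this example, not OpenSSL names: */
#define DEFAULT_ENGINES_DIR "/usr/local/ssl/engines" /* stands in for $OPENSSLDIR/engines/ */
#define ENGINES_DIR_ENV "EXAMPLE_ENGINES_DIR"        /* hypothetical override variable */

/* The id becomes part of a file name, so accept only [A-Za-z0-9_], 1..32 chars.
 * This keeps "../" and absolute paths out of the probe. */
int engine_id_ok(const char *id)
{
    size_t i, n = id ? strlen(id) : 0;

    if (n == 0 || n > 32)
        return 0;
    for (i = 0; i < n; i++)
        if (!isalnum((unsigned char)id[i]) && id[i] != '_')
            return 0;
    return 1;
}

/* Write the path to probe for engine `id` into out. `override_dir` is the
 * value of the override variable, or NULL to use the compiled-in directory;
 * a relative override is ignored. Returns 0 on success, -1 on rejection.
 * (On Windows the canonical name would be eng_<id>.dll instead.) */
int engine_probe_path(const char *id, const char *override_dir,
                      char *out, size_t outlen)
{
    const char *dir = DEFAULT_ENGINES_DIR;
    int n;

    if (!engine_id_ok(id))
        return -1;
    if (override_dir != NULL && override_dir[0] == '/')
        dir = override_dir;
    n = snprintf(out, outlen, "%s/libengine_%s.so", dir, id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    /* A privileged caller would pass NULL instead of consulting the environment. */
    if (engine_probe_path("foo", getenv(ENGINES_DIR_ENV), path, sizeof path) == 0)
        printf("would probe: %s\n", path);
    return 0;
}
```

Because the resolved file is loaded as code into the calling process, the id check and the decision about when to honour the override are what keep the probe inside a directory the administrator controls.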
RE : zencod engine for openssl 0.9.6x & 0.9.7
Hi,

> I think a post of 266Kb to a public mail-list is more than a little
> unnecessary - a URL to a place where they can be downloaded would be far
> preferable. And FWIW, your mail agent is buggy or misconfigured - it
> doesn't word-wrap lines in its plain-text output as it should.

Sorry for the misconfiguration.

> 0.9.6* releases are strictly for bug-fixes, so that is out of the
> question. 0.9.7 is already in beta-testing so I'd similarly doubt
> inclusion of anything new in there - especially as it only has to trip up
> compilation on one platform for it to break the release at this late
> stage. Given the size of the attachments you sent, I expect that this risk
> would be considered unacceptable, though other team members may have
> differing views on that ...?

I've sent the first release of our engine for 0.9.6x more than 6 months ago.
Later on, I've sent a release for the 0.9.7dev long before the 0.9.7beta versions.

> BTW: Have you tested compilation of this code on other platforms besides
> Linux? (Even if the ENGINE is only useful on Linux, the code will still
> need to compile smoothly on all other platforms unless you have explicitly
> disabled it on everything except Linux - ie. similarly to the
> OpenBSD-specific /dev/crypto support ENGINE).

We've tested in Linux (2.4.x), Windows (2k) and Solaris (8) platforms.
If it is mandatory to test in several platforms, please send me a list.
I'll be happy to do it :-)

On the other hand, I've proposed a patch for mod_ssl concerning the random in crypto cards.

> Could you please open a ticket on the openssl request-tracker for this?
> http://www.openssl.org/support/rt2.html
> That's the appropriate place for this sort of change request.

ok. I was not aware of the RT 'til now. That's why I sent the code in the mailing list.

> NB: I'm aware you mailed in the past about a previous version of your
> code, but as you'll notice on "RT" there's other tasks in the pipeline too
> that have been waiting there a while.
> I'll do my best to take a look at
> your code as soon as I can, though others (not necessarily on the openssl
> team) could certainly assist by peer-reviewing code submissions on RT if
> they really want to help.

the list> We'll be happy to help.

Sorry for any inconvenience but I think I'm not pushing too hard, am I?

Regards
Fred
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: zencod engine for openssl 0.9.6x & 0.9.7
In message <[EMAIL PROTECTED]> on Wed, 17 Jul 2002 14:10:58 -0400 (EDT), Geoff Thorpe <[EMAIL PROTECTED]> said:

geoff> 0.9.6* releases are strictly for bug-fixes, so that is out of
geoff> the question. 0.9.7 is already in beta-testing so I'd similarly
geoff> doubt inclusion of anything new in there - especially as it
geoff> only has to trip up compilation on one platform for it to break
geoff> the release at this late stage. Given the size of the
geoff> attachments you sent, I expect that this risk would be
geoff> considered unacceptable, though other team members may have
geoff> differing views on that ...?

I'd like to add that for 0.9.7+ engines, we usually recommend building the engine as a separate dynamically loadable library. We know it works, and there's a demo that one can look at, that implements some crypto algorithms using the RSAref library (I've tested it on Solaris, Linux and VMS).

--
Richard Levitte [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~levitte/
Re: zencod engine for openssl 0.9.6x & 0.9.7
Hello,

I think a post of 266Kb to a public mail-list is more than a little unnecessary - a URL to a place where they can be downloaded would be far preferable. And FWIW, your mail agent is buggy or misconfigured - it doesn't word-wrap lines in its plain-text output as it should.

On Wed, 17 Jul 2002, Frederic DONNAT wrote:

> We have developed a new driver and a new library "zenbridge" for our
> zencod ENGINE.
> Tests have been made with apache, modssl under linux operating system
> for RSA, DSA, DH, RAND, DES, 3DES, RC4, SHA, and MD5.
> In the 0.9.7 engine we decided to let part of code but to disable the
> symmetric algorithms except DES and 3DES for performance reasons.
>
> So I re-submit you again our source code for openssl-engine0.9.6x and
> openssl-0.9.7.

0.9.6* releases are strictly for bug-fixes, so that is out of the question. 0.9.7 is already in beta-testing so I'd similarly doubt inclusion of anything new in there - especially as it only has to trip up compilation on one platform for it to break the release at this late stage. Given the size of the attachments you sent, I expect that this risk would be considered unacceptable, though other team members may have differing views on that ...?

BTW: Have you tested compilation of this code on other platforms besides Linux? (Even if the ENGINE is only useful on Linux, the code will still need to compile smoothly on all other platforms unless you have explicitly disabled it on everything except Linux - ie. similarly to the OpenBSD-specific /dev/crypto support ENGINE).

> You'll find the engine source code for both openssl version and diff
> files (diff -urN ...). We tried to respect the openssl coding style and
> of course we can provide some support or help concerning the maintenance
> of the code.

Could you please open a ticket on the openssl request-tracker for this?
http://www.openssl.org/support/rt2.html
That's the appropriate place for this sort of change request.

NB: I'm aware you mailed in the past about a previous version of your code, but as you'll notice on "RT" there's other tasks in the pipeline too that have been waiting there a while. I'll do my best to take a look at your code as soon as I can, though others (not necessarily on the openssl team) could certainly assist by peer-reviewing code submissions on RT if they really want to help.

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]