TLS_ECDHE_ECDSA_WITH_AES_128_CCM
Hi,

can anyone tell me when the TLS cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CCM will be supported by openssl? I have a request to implement this cipher suite in my embedded client TLS software. For this implementation it would be helpful to have a working TLS server. Maybe at least the needed algorithms are available in openssl so that I can make / extend my own TLS server implementation with them.

I could only find some draft versions of an RFC defining this TLS cipher suite. Is there a released version available that I just couldn't find?

Best regards

Thorsten Albers
Senior Software Development Engineer
Vector Informatik GmbH
Ingersheimer Str. 24
70499 Stuttgart
Germany
Tel.: +49 711 80670-2317
Fax: +49 711 80670-399
E-mail: thorsten.alb...@vector.com
Internet: http://www.vector.com/
Re: TLS_ECDHE_ECDSA_WITH_AES_128_CCM
On Tue, Nov 13, 2012, Albers, Thorsten wrote:

> Hi, can anyone tell me when the TLS cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CCM will be supported by openssl? I have a request to implement this cipher suite in my embedded client TLS software. For this implementation it would be helpful to have a working TLS server. Maybe at least the needed algorithms are available in openssl so that I can make / extend my own TLS server implementation with them.

All the algorithms are supported by OpenSSL 1.0.1 including AES-CCM. There is a problem though...

> I could only find some draft versions of an RFC defining this TLS cipher suite. Is there a released version available that I just couldn't find?

And that's the problem. AFAIK there are no official cipher suite numbers so this can't be implemented at present.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: openssl 1.0.1c cannot parse newest GOST/PFX
On Tue, Nov 13, 2012, Eugene Grosbein wrote:

> Hi!
>
> Recently we purchased Aladdin eToken USB with digital signature inside that uses GOST 34.11/34.10-2001 for official electronic contacts with Russian Government. It works just fine with Windows XP and CryptoPro CSP. I've exported it with its private key to pfx file (PKCS#12 format) using standard WinXP interface. Now I try to convert it to PKCS#7 format using openssl 1.0.1c built with GOST support but it fails:
>
> $ /usr/local/bin/openssl pkcs12 -in file.pfx -out file.pem
> Enter Import Password:
> MAC verified OK
> Error outputting keys and certificates
> 675239592:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:167:TYPE=1.2.840.113549.1.12.1.80
> 675239592:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
> 675239592:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
>
> It seems this PFX uses PBE 1.2.840.113549.1.12.1.80 unknown to openssl, isn't it? I use FreeBSD 8.3-STABLE and openssl 1.0.1c built using Ports Collection. What should I do to be able to convert this PFX to PKCS#7? I'm ready to apply patches etc.

You can only convert the certificates to PKCS#7 not the private key. There is an option in Windows to export to PKCS#7.

If you want to decrypt the PKCS#12 file you need to find out what that OID means. I can't find a reference to it online.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: openssl 1.0.1c cannot parse newest GOST/PFX
On 13.11.2012 20:10, Dr. Stephen Henson wrote:

> On Tue, Nov 13, 2012, Eugene Grosbein wrote:
>
>> Hi!
>>
>> Recently we purchased Aladdin eToken USB with digital signature inside that uses GOST 34.11/34.10-2001 for official electronic contacts with Russian Government. It works just fine with Windows XP and CryptoPro CSP. I've exported it with its private key to pfx file (PKCS#12 format) using standard WinXP interface. Now I try to convert it to PKCS#7 format using openssl 1.0.1c built with GOST support but it fails:
>>
>> $ /usr/local/bin/openssl pkcs12 -in file.pfx -out file.pem
>> Enter Import Password:
>> MAC verified OK
>> Error outputting keys and certificates
>> 675239592:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:167:TYPE=1.2.840.113549.1.12.1.80
>> 675239592:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
>> 675239592:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
>>
>> It seems this PFX uses PBE 1.2.840.113549.1.12.1.80 unknown to openssl, isn't it? I use FreeBSD 8.3-STABLE and openssl 1.0.1c built using Ports Collection. What should I do to be able to convert this PFX to PKCS#7? I'm ready to apply patches etc.
>
> You can only convert the certificates to PKCS#7 not the private key. There is an option in Windows to export to PKCS#7.

Yes, openssl converts the certificates with -nokeys option just fine.

> If you want to decrypt the PKCS#12 file you need to find out what that OID means. I can't find a reference to it online.

Nor can I. Here I'm stuck.

Eugene Grosbein
Re: openssl 1.0.1c cannot parse newest GOST/PFX
On Tue, Nov 13, 2012, Eugene Grosbein wrote:

> On 13.11.2012 20:10, Dr. Stephen Henson wrote:
>
>> On Tue, Nov 13, 2012, Eugene Grosbein wrote:
>>
>>> Hi!
>>>
>>> Recently we purchased Aladdin eToken USB with digital signature inside that uses GOST 34.11/34.10-2001 for official electronic contacts with Russian Government. It works just fine with Windows XP and CryptoPro CSP. I've exported it with its private key to pfx file (PKCS#12 format) using standard WinXP interface. Now I try to convert it to PKCS#7 format using openssl 1.0.1c built with GOST support but it fails:
>>>
>>> $ /usr/local/bin/openssl pkcs12 -in file.pfx -out file.pem
>>> Enter Import Password:
>>> MAC verified OK
>>> Error outputting keys and certificates
>>> 675239592:error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm:evp_pbe.c:167:TYPE=1.2.840.113549.1.12.1.80
>>> 675239592:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
>>> 675239592:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:
>>>
>>> It seems this PFX uses PBE 1.2.840.113549.1.12.1.80 unknown to openssl, isn't it? I use FreeBSD 8.3-STABLE and openssl 1.0.1c built using Ports Collection. What should I do to be able to convert this PFX to PKCS#7? I'm ready to apply patches etc.
>>
>> You can only convert the certificates to PKCS#7 not the private key. There is an option in Windows to export to PKCS#7.
>
> Yes, openssl converts the certificates with -nokeys option just fine.
>
>> If you want to decrypt the PKCS#12 file you need to find out what that OID means. I can't find a reference to it online.
>
> Nor can I. Here I'm stuck.

Could you post a sample PKCS#12 file including the password or alternatively send me one privately?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: openssl 1.0.1c cannot parse newest GOST/PFX
On 14.11.2012 00:33, Dr. Stephen Henson wrote:

>>> You can only convert the certificates to PKCS#7 not the private key. There is an option in Windows to export to PKCS#7.
>>
>> Yes, openssl converts the certificates with -nokeys option just fine.
>>
>>> If you want to decrypt the PKCS#12 file you need to find out what that OID means. I can't find a reference to it online.
>>
>> Nor can I. Here I'm stuck.
>
> Could you post a sample PKCS#12 file including the password or alternatively send me one privately?

I'd love to, but I'm afraid I'm not allowed to share our JSC's official electronic digital signature :-(

But I'm ready to run any code/debug and provide you with output.

Eugene Grosbein
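The thread stalls on one question: which algorithm identifiers does the .pfx actually carry, and which of them does OpenSSL not know? The following is an added example for this thread, not OpenSSL code and not anything the posters ran. It is a minimal DER walker that prints every OBJECT IDENTIFIER in a file and checks each against the six PBE identifiers that PKCS#12 itself defines under 1.2.840.113549.1.12.1; the arc 80 seen in the error is not one of them. The SAMPLE_ALGID bytes are a constructed PKCS#12-style AlgorithmIdentifier built for the demonstration, not the poster's token export.

```python
"""List the algorithm OIDs carried in a DER blob such as a PKCS#12 (.pfx) file.

Added example for the openssl-users thread on the unknown PBE OID; it is not
OpenSSL code and not the poster's. SAMPLE_ALGID is a constructed
AlgorithmIdentifier, not data from the poster's file.
"""
import sys

# PBE identifiers defined by PKCS#12 (RFC 7292, Appendix C), all under
# pkcs-12PbeIds = 1.2.840.113549.1.12.1. Arc 80 is not among them.
KNOWN_PKCS12_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
}


def read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, constructed, content, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form not supported at offset %d" % pos)
    constructed = bool(tag & 0x20)
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:                # 0x80 is BER indefinite length, which DER forbids
            raise ValueError("indefinite or oversized length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer at offset %d" % pos)
    return tag, constructed, buf[pos:end], end


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in content:                   # base-128, high bit set on all but the last octet
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]                        # first two arcs are packed as 40*X + Y
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def iter_oids(buf):
    """Yield every OID in a DER blob, descending into constructed types and into
    OCTET STRINGs that wrap a SEQUENCE/SET (PKCS#12 nests its SafeContents that way)."""
    pos = 0
    while pos < len(buf):
        tag, constructed, content, pos = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(content)
        elif constructed:
            yield from iter_oids(content)
        elif tag == 0x04 and content[:1] in (b"\x30", b"\x31"):
            try:
                nested = list(iter_oids(content))
            except (ValueError, IndexError):
                continue                   # opaque octets that merely start like DER
            yield from nested


def classify(oid):
    if oid in KNOWN_PKCS12_PBE:
        return KNOWN_PKCS12_PBE[oid]
    if oid.startswith("1.2.840.113549.1.12.1."):
        return "PKCS#12 PBE arc, but no entry in the PKCS#12 standard table"
    return "not a PKCS#12 PBE OID"


def report(der):
    """Return {oid: description} for every OID found in a DER blob."""
    return {oid: classify(oid) for oid in iter_oids(der)}


# Constructed sample: AlgorithmIdentifier { OID 1.2.840.113549.1.12.1.80,
# pkcs-12PbeParams { salt OCTET STRING (8 bytes), iterations INTEGER 2048 } }.
SAMPLE_ALGID = bytes.fromhex(
    "301c"                          # SEQUENCE, 28 bytes
    "060a2a864886f70d010c0150"      # OID 1.2.840.113549.1.12.1.80
    "300e"                          # SEQUENCE, 14 bytes (parameters)
    "0408a596c3d1e2f40718"          # OCTET STRING: constructed salt value
    "02020800"                      # INTEGER 2048
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ALGID
    for oid, what in report(data).items():
        print(oid, "->", what)
```

Run it as `python oidwalk.py file.pfx`; a .pfx is DER, so no conversion is needed. One caveat for exactly this situation: PKCS#12 files written by Windows frequently use BER indefinite-length encoding (length octet 0x80), which the strict parser above rejects with a ValueError. In that case `openssl asn1parse -inform DER -in file.pfx` handles the indefinite lengths and prints the same OIDs.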
I can't believe how much this sucks
I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.

Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (See this link, http://www.wolmarans.com/drupal/?q=node/22, for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool.) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.

So let me get specific here – one simple specific question (of many that I have) that has me clueless. The command:

    openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt

results in output containing:

    No client certificate CA names sent

From the docs for the s_client command, the -cert option says:

    -cert certname
        The certificate to use, if one is requested by the server. The default is not to use a certificate.

My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere?
I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers. Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate.

Apache error logs give me this:

    [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request

Which is about as useful as the openssl docs are.

I am also seeing this in openssl's s_client output:

    verify error:num=19:self signed certificate in certificate chain

From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed no?

Full output of this operation with the -showcerts command is attached for reference.

I have read through many forum examples of how to do this and it seems simple enough but then when it doesn't work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.
[Attachment: httpd-ssl.conf]

CONNECTED(0190)
---
Certificate chain
 0 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
-----BEGIN CERTIFICATE-----
MIID2zCCAsOgAwIBAgIBCjANBgkqhkiG9w0BAQQFADB8MQswCQYDVQQGEwJLWTEV
MBMGA1UECBMMR3JhbmQgQ2F5bWFuMRQwEgYDVQQHEwtHZW9yZ2UgVG93bjEQMA4G
A1UEChMHQ2FzaFdpejEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxGDAWBgNVBAMTD0Nh
c2hXaXogUm9vdCBDQTAeFw0xMjExMTMxNzI5NDBaFw0yMjExMTExNzI5NDBaMGwx
CzAJBgNVBAYTAktZMRUwEwYDVQQIEwxHcmFuZCBDYXltYW4xEDAOBgNVBAoTB0Nh
c2hXaXoxFDASBgNVBAsTC0RldmVsb3BtZW50MR4wHAYDVQQDExV3d3cucGF3bm1h
c3RlcnByby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTp1dY
GOY2ew6O7CbHvokVMSYNYv/uBghjeO3hP2FVXQSCfPWk4NpCh1ve8vu9kUgZ6Ezh
slTSn7FM5RlG3NoOx1XnVkJNQ30cRX7oi01l1vwXHPvxn+dq0gJzGofamSYv6Hkm
X+zhqhiK37GFmHG5gVZVKg84fEOV10WI+9j6SuOoVg646Rsu91Q3ZYW+v08ucmrC
ZfoeuxXwZ/6kJkn8PkRb0RAgy20UMkYTPj7dgC5HkVlDdldJ1+IxegNGG0pMM6SW
E6J08mAOs4t2wZ+oybtQZ4+2aeKylMUb/EEDBkSh+bab9k4fe48cmBxj4mnumajx
b5pkm3d8HXOk1N5nAgMBAAGjeDB2MAkGA1UdEwQCMAAwHQYDVR0OBBYEFL5T2NTf
xfmf3exS2OZB+t8ghcZ/MB8GA1UdIwQYMBaAFFRJfotvTu3PmEaV9+qJf95MmP1e
MAsGA1UdDwQEAwIF4DARBglghkgBhvhCAQEEBAMCBkAwCQYDVR0RBAIwADANBgkq
hkiG9w0BAQQFAAOCAQEAXlG4az+P/JrtNVgLux67FMQomimcppYVqkPS/HgERZvp
VUhTxWClKqC+wQ4RS90VtjcMGQs7iPL5D+563u0CudBaXz3QK7oVInGLAqEIEhfa
Si/S6tKA8bxeujKY5GnppRfV9DcTYIjX1eCLx+n8neI9gwiaKgXV8XLIQoE8g/r6
3Dsfn/uLatQZM7a+V8U/JtF/fGHP81M1D2aqG2JmSayZ9gMgwPAPqI3OdGRsCDqj
zTI3z6XomblD1cUdEepMCxnhRHsGVaVXOY0ubM1zWB3b92pVDsKV8TwAlzeijGE1
vAVRptr58jAQXVIN0M3HzmtneHulvOP7UFu2Ozm4OQ==
-----END CERTIFICATE-----
 1 s:/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com
   i:/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA
-----BEGIN CERTIFICATE-----
Re: I can't believe how much this sucks
On 11/13/2012 07:34 PM, Sanford Staab wrote:

> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.

You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.

(Yes, the documentation is lacking, and I (r=1 user of openssl) also find this a sad state of affairs. But I find whining about a problem in an open source project in this tone disturbing. Rule of thumb: the more you contribute, the more right you have to whine. You and me have the right to point out a bug, or respectfully ask for a feature.)
Re: I can't believe how much this sucks
For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive. Additionally, there are professional OpenSSL consultants you can use for help.

It would be more productive to submit bugs and patches, instead of a litany :-)
RE: I can't believe how much this sucks
AMEN!

Why is it easier to answer dumb question after dumb question here rather than to document the darned product once? (Never mind the cumulative labor of all the programmers trying to figure out and debug the same problems again and again and again, all over the world.)

Consider http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf. Doesn't *some* of the responsibility for these (severe and scary!) problems fall on the lack of clear documentation?

It's a GREAT product and I love it and am grateful but why after years and years do the man pages still say "under construction"?

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Sanford Staab
Sent: Tuesday, November 13, 2012 10:35 AM
To: openssl-users@openssl.org
Subject: I can't believe how much this sucks

> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.
>
> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (See this link, http://www.wolmarans.com/drupal/?q=node/22, for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool.) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.
>
> So let me get specific here – one simple specific question (of many that I have) that has me clueless. The command:
>
>     openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt
>
> results in output containing:
>
>     No client certificate CA names sent
>
> From the docs for the s_client command, the -cert option says:
>
>     -cert certname
>         The certificate to use, if one is requested by the server. The default is not to use a certificate.
>
> My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere?
>
> I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers. Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate.
>
> Apache error logs give me this:
>
>     [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request
>
> Which is about as useful as the openssl docs are.
>
> I am also seeing this in openssl's s_client output:
>
>     verify error:num=19:self signed certificate in certificate chain
>
> From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed no?
>
> Full output of this operation with the -showcerts command is attached for reference.
>
> I have read through many forum examples of how to do this and it seems simple enough but then when it doesn't work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.
RE: Problem with AES 256 algorithm / GCM mode.
Hello.

I send my request to this other E-mail address because I had no response to my question with the E-mail address openssl-users@openssl.org.

Regards.

From: MACH Christian
Sent: Monday, 8 October 2012 17:04
To: 'openssl-users@openssl.org'
Subject: Problem with AES 256 algorithm / GCM mode.

Hello.

I use OpenSSL for my work and particularly the AES 256 algorithm with the GCM mode. When I test this mode, the ciphered text is correct but the authentication tag is not correct. I think my test vectors are correct (source : NIST and my cipher room).

Could you help me? If yes, how can we proceed?
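The symptom in the question above, correct ciphertext but a wrong tag, localises the fault: GCM's CTR half is working, so the problem is in the tag path, that is GHASH over AAD and ciphertext, the 128-bit length block, or the E_K(J0) block that masks the hash. The following is an added example, not OpenSSL code and not the poster's test program. Given H = E_K(0^128) and E_K(J0), both of which a GCM test vector lists, it recomputes the tag in pure Python and names the common mistake that reproduces an observed wrong tag. The vectors are test cases 1 and 2 (AES-128, all-zero key, all-zero 96-bit IV, no AAD) from Appendix B of the GCM specification; the GF(2^128) multiplication follows Algorithm 1 of NIST SP 800-38D.

```python
"""Recompute a GCM authentication tag from its parts, without needing AES.

Added example for the openssl-users question about a correct AES-GCM
ciphertext with a wrong tag; this is not OpenSSL code and not the poster's
harness. H and EK_J0 come straight from GCM spec test case 2.
"""

R = 0xE1 << 120   # GCM's reduction polynomial constant, in GCM's reflected bit order


def gf_mult(x, y):
    """Multiply two 128-bit field elements (as ints), SP 800-38D Algorithm 1."""
    z, v = 0, y
    for i in range(128):                   # bit 0 of x is its most significant bit
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks16(data):
    """Split into 16-byte blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h, aad, ciphertext, lengths_in_bits=True):
    """GHASH_H(A, C): absorb AAD blocks, ciphertext blocks, then len(A)||len(C).

    lengths_in_bits=False reproduces a common bug (lengths in bytes) for diagnose()."""
    hk = int.from_bytes(h, "big")
    y = 0
    for block in list(_blocks16(aad)) + list(_blocks16(ciphertext)):
        y = gf_mult(y ^ int.from_bytes(block, "big"), hk)
    unit = 8 if lengths_in_bits else 1
    lengths = ((len(aad) * unit) << 64) | (len(ciphertext) * unit)
    y = gf_mult(y ^ lengths, hk)
    return y.to_bytes(16, "big")


def gcm_tag(h, ek_j0, aad, ciphertext, tag_len=16):
    """T = MSB_t(GHASH_H(A, C) XOR E_K(J0))."""
    g = ghash(h, aad, ciphertext)
    return bytes(a ^ b for a, b in zip(g, ek_j0))[:tag_len]


def diagnose(h, ek_j0, aad, ciphertext, observed_tag):
    """Return 'correct' if observed_tag is right, the label of a common tag-path
    mistake that reproduces it, or None if none of the listed mistakes explains it."""
    mask = lambda g: bytes(a ^ b for a, b in zip(g, ek_j0))
    candidates = {
        "correct": mask(ghash(h, aad, ciphertext)),
        "AAD not fed to GHASH": mask(ghash(h, b"", ciphertext)),
        "length block in bytes, not bits": mask(ghash(h, aad, ciphertext, lengths_in_bits=False)),
        "E_K(J0) mask not applied": ghash(h, aad, ciphertext),
    }
    for label, tag in candidates.items():
        if tag[:len(observed_tag)] == observed_tag:
            return label
    return None


# GCM spec test case 2: K = 0^128, IV = 0^96, P = 0^128, no AAD.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")       # E_K(0^128)
EK_J0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")   # E_K(IV || 0^31 || 1)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")       # the (correct) ciphertext
EXPECTED_TAG = "ab6e47d42cec13bdf53a67b21257bddf"

if __name__ == "__main__":
    print("tag     ", gcm_tag(H, EK_J0, b"", C).hex())
    print("expected", EXPECTED_TAG)
    # Constructed wrong tag: what an implementation that forgets the mask would output.
    wrong = ghash(H, b"", C)
    print("wrong tag", wrong.hex(), "->", diagnose(H, EK_J0, b"", C, wrong))
```

To use it on the poster's own case, take H and E_K(J0) from the vector (NIST's GCM vectors list them; with OpenSSL one can also obtain H by encrypting a zero block with the same key in ECB mode) and pass the observed tag to `diagnose`. A tag that only matches once the AAD is dropped means the AAD was never passed to the encrypt update before the plaintext; a tag that equals the raw GHASH means the final XOR with E_K(J0) was skipped; a mismatch with a 96-bit IV that no candidate explains is a pointer at J0 itself (a non-96-bit IV is GHASHed rather than padded with 0^31||1).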
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 6:34 PM, Sanford Staab <sanfo...@gmail.com> wrote:

> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.
>
> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just unbelievable to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.
>
> So let me get specific here – one simple specific question (of many that I have) that has me clueless. The command:
>
>     openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt
>
> results in output containing:
>
>     No client certificate CA names sent

This seems straightforward: the client expects a list of acceptable CAs for the client certificate it should send. It got none. I suspect the reason is that you haven't required client verification in the context in which Apache is answering - it seems to be only enabled for certain URLs...

> From the docs for the s_client command, the -cert option says:
>
>     -cert certname
>         The certificate to use, if one is requested by the server. The default is not to use a certificate.
>
> My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere?
>
> I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers. Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate
Re: [openssl-users] I can't believe how much this sucks
Answers inline.

--
Erwann ABALEA
- paleocaprid: genus of old goat, cf. paleotalpid (old mole) or paleogadid (old cod)

On 13/11/2012 19:34, Sanford Staab wrote:

> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.

So you've looked at Apache documentation in addition to OpenSSL doc, right?

> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link http://www.wolmarans.com/drupal/?q=node/22 for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool) openssl is used all over the world by tons of people (so I feel dumb having problems here – but I know from Google I am not alone.) but it is just *unbelievable* to me that the docs remain so terse and useless for so many years. I have sent email to this alias previously asking how I can help with this. It seems to me there should be an openssl docs forum where content from this eventually finds its way into the online docs themselves. A tool is only as good as people are able to use it.
>
> So let me get specific here – one simple specific question (of many that I have) that has me clueless. The command:
>
>     openssl s_client -connect www.pawnmasterpro.com:443 -CApath ssl\certs -cert ssl\certs\client_1.crt -key ssl\keys\client_1.key -pass file:ssl\keys\Client_1_pwd.txt
>
> results in output containing:
>
>     No client certificate CA names sent

That's a warning. OpenSSL client warns you that your Apache server hasn't sent any CA name to the client to help decide which certificate it should present. That's the result of your Apache configuration.

> From the docs for the s_client command, the -cert option says:
>
>     -cert certname
>         The certificate to use, if one is requested by the server. The default is not to use a certificate.
>
> My guess from this is that this command is referring to the CLIENT SSL certificate - no? If my assumption is correct, then why am I getting this error? Or is this a notification of something normal and I should be looking elsewhere?

This isn't an error, and OpenSSL has tried to present the certificate you asked it to.

> I have checked the Apache httpd-ssl.cnf file I am using and verified that all the certificate related parts are filled in and I have verified the integrity of all the certificates referenced by it. I have been able to do straight one-way SSL with the server as well with both IE and Chrome browsers. Two-way SSL fails with the server logs indicating that the client "refused" the connection. I am using a self-signed CA which was used to sign the server certificate. The client certificate is also signed by the same CA self-signed certificate.
>
> Apache error logs give me this:
>
>     [Tue Nov 13 12:38:56 2012] [error] [client 127.0.0.1] Invalid method in request
>
> Which is about as useful as the openssl docs are.

It indicates Apache didn't receive a valid HTTP request. That's not OpenSSL's job. Right now (19:29 UTC), your server doesn't do TLS, only plain HTTP on port 443. Trying to do TLS on such a server might give this error message in your Apache.

> I am also seeing this in openssl's s_client output:
>
>     verify error:num=19:self signed certificate in certificate chain
>
> From what I think I understand, this should not be a showstopper problem as all root CA certs would naturally be self-signed no?
>
> Full output of this operation with the -showcerts command is attached for reference.
>
> I have read through many forum examples of how to do this and it seems simple enough but then when it doesn't work, figuring out what things MEAN and how to address what is wrong proves to be very difficult indeed.

Having read the provided output of your tests, it seems you configured your Apache server to send both its own certificate and the root as intermediate certificates. That's both wrong and useless. OpenSSL s_client tells you that it found a self-signed certificate in the returned chain (which is true). Disable the SSLCertificateChainFile directive in your Apache, it should get better.

Anyway, the output shows that the TLS connection went OK, and that Apache received something that looked like a valid request. Go read Apache doc again.
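The diagnosis above is reached by reading the "Certificate chain" block that s_client prints, which is worth mechanising when a server is misconfigured in more than one way. The following is an added example, not OpenSSL code and not anything from the thread's participants: a small linter that parses the ` N s:<subject>` / `   i:<issuer>` pairs, rebuilds the chain in the order the server sent it, and reports a self-signed certificate in the chain, a duplicate certificate, and a chain whose issuer/subject links do not match. One caveat a practitioner wants with "verify error:num=19": that error (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) means s_client found a self-signed certificate among the certificates the server sent but could not find it in the trust store given with -CApath/-CAfile; sending the root is wasteful rather than fatal, and the fix for the verify error is to point -CApath at a directory containing the CA certificate (hashed with c_rehash) or use -CAfile. The sample text is constructed from the DNs quoted in the thread; the SAMPLE_OK chain and its intermediate CA are made up for the demonstration.

```python
"""Lint the "Certificate chain" block printed by openssl s_client [-showcerts].

Added example for the openssl-users thread; not OpenSSL code and not the
poster's. Sample chains are constructed from the DNs quoted in the thread.
"""
import re

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")    # " 0 s:/C=KY/...": subject of entry N
ISSUER_RE = re.compile(r"^\s*i:(.*)$")           # "   i:/C=KY/...": issuer of that entry


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them.

    PEM blocks between entries (from -showcerts) are ignored."""
    chain, subject = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def lint_chain(chain):
    """Return a list of findings; an empty list means the chain looks sane.

    Checks: self-signed entry (a root the server need not send; s_client reports
    verify error 19 if it is not in the local trust store), duplicate subject,
    and broken linkage (issuer of entry N must equal subject of entry N+1)."""
    findings, seen = [], set()
    for n, (subj, iss) in enumerate(chain):
        if subj == iss:
            findings.append("entry %d is self-signed (%s): a root sent by the server; "
                            "verify error 19 unless it is in the client's CApath/CAfile" % (n, subj))
        if subj in seen:
            findings.append("entry %d repeats subject %s: duplicate certificate in chain" % (n, subj))
        seen.add(subj)
        if n + 1 < len(chain) and iss != chain[n + 1][0]:
            findings.append("entry %d issuer %s does not match entry %d subject %s: chain does not link"
                            % (n, iss, n + 1, chain[n + 1][0]))
    return findings


LEAF = "/C=KY/ST=Grand Cayman/O=CashWiz/OU=Development/CN=www.pawnmasterpro.com"
ROOT = "/C=KY/ST=Grand Cayman/L=George Town/O=CashWiz/OU=Development/CN=CashWiz Root CA"
INTER = "/C=KY/O=CashWiz/OU=Development/CN=CashWiz Issuing CA"   # constructed, not in the thread

# Constructed: server sends its own certificate plus the self-signed root.
SAMPLE_ROOT_SENT = "Certificate chain\n 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n" % (LEAF, ROOT, ROOT, ROOT)
# Constructed from the posted output: the leaf appears twice.
SAMPLE_LEAF_TWICE = "Certificate chain\n 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n" % (LEAF, ROOT, LEAF, ROOT)
# Constructed well-formed chain: leaf, then the intermediate that issued it; root omitted.
SAMPLE_OK = "Certificate chain\n 0 s:%s\n   i:%s\n 1 s:%s\n   i:%s\n" % (LEAF, INTER, INTER, ROOT)

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROOT_SENT
    for finding in lint_chain(parse_chain(text)) or ["chain looks sane"]:
        print(finding)
```

Usage: `openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | python chainlint.py`. The linter only looks at the names, so it cannot detect a signature that fails to verify; that is what the `verify return:` lines and `openssl verify -CAfile ca.crt server.crt` are for.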
Re: I can't believe how much this sucks
> It's a GREAT product and I love it and am grateful but why after years and years do the man pages still say under construction?

Because it is an open source project and the things that get done are the things people volunteer to do. Most programmers would much rather create cool things than write about them.

That said, perhaps this is something that a Google Summer Of Code project could help get off the ground (money being a pretty decent motivator for poor students).

John
---
John Hascall, j...@iastate.edu
Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
IT Services, The Iowa State University of Science and Technology
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 2:02 PM, Lee Fisher <blib...@gmail.com> wrote:

> For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive. Additionally, there are professional OpenSSL consultants you can use for help.
>
> It would be more productive to submit bugs and patches, instead of a litany :-)

Even so, some of those closely involved in the project ought to be doing a better job of documenting the product. Telling people to hire consultants is even worse than telling people to read the code.

I develop software for a living, and I would be ashamed of any attempt to release even one of my products without a proper reference manual, complete design documentation, including a reasonable suite of UML documents (in the case of an open source product since good coders benefit from good design documentation - which, admittedly, I have not produced) and a thorough tutorial. I have had feedback on some of my products that the end users found my interface so intuitive that they did not look at the documentation I'd provided even once, but I do not see that as an excuse for not producing proper documentation. In my view, the documentation for a product is as much a part of the product as the code in the product. The product is not ready for release until the documentation is as complete and polished as is the code.

Peer support is hardly a good, or cost effective, substitute for good documentation; and contrary to what some coders I have met, and worked with, have claimed, the source code is often not adequate documentation. Yes, you see what the code is doing, but tracing execution paths through it can be a tedious nightmare; especially if the coder that produced it wrote the code as a candidate for an obfuscated coding contest (something, BTW, I would regard as grounds for dismissal if obfuscation is the only justification the code can offer for it).

In my own coding, the only libraries I use often are those that are well documented. Life is just too short to waste on libraries that are poorly documented (unless someone wants to pay me to do so - but they'd be paying a significant premium for such a tedious, and usually frustrating, task).

I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation. It would be a mistake to leave that for someone else to do, for when that happens, it is certain that the documentation will suffer.

Just my $0.02, as a coder with decades of coding experience.

Cheers

Ted
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 1:34 PM, Sanford Staab <sanfo...@gmail.com> wrote:

> I have been struggling with openssl for a few months now writing batch scripts on windows trying to make a .net web client with a client certificate work with 2-way ssl against an apache web server.
>
> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere. (see this link for one of the 900k+ hits on a google search of "openssl+docs+suck" for how much hell you guys are putting people through trying to figure out this tool

OpenSSL has a book by Viega, Messier, and Chandra (though it's a bit dated). It will get you through most of the basics when using the API set. It's what I used years ago.

If it's any consolation, NSS's documentation is even worse. I banned NSS's use in code under my purview because I could not ensure it was being used correctly (that's how shitty their docs were at the time). It's a shame that Mozilla makes millions being Google's whore and it could not even hire a technical writer to produce a decent set of documents (perhaps that's changed now).

Jeff
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 1:51 PM, Magosányi, Árpád <m4g...@gmail.com> wrote:

> On 11/13/2012 07:34 PM, Sanford Staab wrote:
>
>> Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.
>
> You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.

I have to call bullshit on this one. The project does not appear to be interested in outside help (and I'm tired of folks making these statements). Confer:

* IBM submitted patches for CCM and GCM nearly 10 years ago [1]. Not incorporated.
* Thomas Wu submitted patches for SRP nearly 5 years ago [2]. Not incorporated.
* I submitted patches (to try the waters) [3]. Not incorporated.
* Others have submitted documentation patches [4]. Not incorporated.

Jeff

[1] http://rt.openssl.org/Ticket/Display.html?id=782&user=guest&pass=guest
[2] http://rt.openssl.org/Ticket/Display.html?id=1794&user=guest&pass=guest
[3] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2402
[4] http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2401
[5] http://rt.openssl.org/Ticket/Display.html?id=2697&user=guest&pass=guest
Re: I can't believe how much this sucks
Hi,

> I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation. It would be a mistake to leave

it is an Open Source project - thus there is also an onus on the USERS who use the code to also provide something into the mix - commonly that is for documentation - as users are often not the ones maintaining or improving the codebase...but are people USING the API and software (usually for their own purposes and financial gain) - so ideal for being people to offer something back in the way of, eg, better documentation.

I'd cite a use example - eg Cisco use OpenSSL for their AnyConnect SSL client - they are using quite a few of the APIs and functions in their commercial product(s) - a proper symbiotic relationship would be for their expertise to be fed back in the way of bug fixes and documentation.

coders are often NOT the best documentation writers ;-)

alan
Re: I can't believe how much this sucks
I beg to differ and this is one reason I am not very active. Several years ago I contributed a function to determine endianness. I had done it years and years before so it was quite simple for me. I took the time to put documentation in the function. Also I am a professional consulting programmer and I know both what to document, how to document and how to write code. Someone came in and removed the documentation. At the time I volunteered to start putting some documentation together. I saw no interest.

I agree with those who point out the dearth in OSS documentation and the fact that years after problems have been identified the docs are still not upgraded; moreover I never found out HOW to do any documentation. Besides which, when I contributed a function someone went to the effort to remove the documentation.

I have ALWAYS written the documentation for a function before the code because it is much faster and one can design the interface in about 1/4 of the time that it takes to code it. Then if I come back to the function years later I can read the documentation and I know how the function should work! I keep the documentation and the code in the same source file. Then I have utilities which will read the source file and split out the documentation and prepare a printable manual if I want. I've had clients ask me how long to document a rather large system which I wrote and my comment was I can have the manual by noon - which I did and it was 3 cm thick. They were quite impressed. This is just a NORMAL way for a programmer to work IMHO.

I HATE coming into undocumented code years after it's been written and IMHO it's a big booby trap because it's very easy to miss something and that creates hard to find bugs. Really cryptic error messages don't help this.

I've looked in the OSS community and there are attempts to put together systems and one I looked at was Doxygen. http://www.stack.nl/~dimitri/doxygen/ I have no idea at this time how useful this would be.

Perhaps the best we might be able to do on the user side is a wiki and perhaps one exists. I did a google search on this. https://help.ubuntu.com/community/OpenSSL ^ I did find this and I did not look very hard. Maybe there is something better. If there is then it doesn't come up in the 1st hits google finds. So I think we can do much better.

Just my 2 cents.

On Tue, Nov 13, 2012 at 01:33:48PM -0600, John Hascall wrote:
> > It's a GREAT product and I love it and am grateful but why after years and years do the man pages still say under construction?
>
> Because it is an open source project and the things that get done are the things people volunteer to do. Most programmers would much rather create cool things than write about them. That said, perhaps this is something that a Google Summer Of Code project could help get off the ground (money being a pretty decent motivator for poor students).
>
> John
> ---
> John Hascall, j...@iastate.edu
> Team Lead, NIADS (Network Infrastructure, Authentication & Directory Services)
> IT Services, The Iowa State University of Science and Technology
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 07:51:24PM +0100, Magosányi, Árpád wrote:
> On 11/13/2012 07:34 PM, Sanford Staab wrote:
> > Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.
>
> You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.

I've read more variations of this than I can count, and I never know whether to laugh or cry when I read the assertion that the person with the most imperfect understanding of the product is the best to tell everyone how it works. I've been that person and I know better.

> (Yes, the documentation is lacking, and I (r=1 user of openssl) also find this a sad state of affairs. But I find whining about a problem in an open source project in this tone disturbing. Rule of thumb: the more you contribute you have more right to whine. You and me have right to point out a bug, or respectfully ask for a feature.

Well, I've also been in the position of the person who *is* best qualified to write documentation: the author of the software. In that role, I would hope that people complain (with details) when I've left something out. And if I continue to leave it out, I would hope that someone would show his respect for my skills with a good sharp poke: "Mark, I know you can do better than this!"

Reporting documentation problems is different from reporting software problems. In the latter case we send a report because we understand (to some extent) what is wrong; in the former, often we only understand that there is something missing but we have no idea what it may be. Our contribution is notice of the fact that someone read X and did not find the knowledge he needed to use the product. It could (and should) extend to willingness to work with the writer to ensure that the coverage and clarity of the writing is substantially improved.

--
Mark H. Wood, Lead System Programmer mw...@iupui.edu
Asking whether markets are efficient is like asking whether people are smart.
Re: I can't believe how much this sucks
Couldn’t agree more Ted. I think the bar on open-source product documentation has been going way up over time. If I were these guys, I’d get it right so I wouldn’t have to keep bothering to answer so many questions over and over.

From: Ted Byers
Sent: Tuesday, November 13, 2012 2:49 PM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

> On Tue, Nov 13, 2012 at 2:02 PM, Lee Fisher blib...@gmail.com wrote:
> > For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive. Additionally, there are professional OpenSSL consultants you can use for help. It would be more productive to submit bugs and patches, instead of a litany :-)
>
> Even so, some of those closely involved in the project ought to be doing a better job of documenting the product. Telling people to hire consultants is even worse than telling people to read the code.
>
> I develop software for a living, and I would be ashamed of any attempt to release even one of my products without a proper reference manual, complete design documentation, including a reasonable suite of UML documents (in the case of an open source product since good coders benefit from good design documentation - which, admittedly, I have not produced) and a thorough tutorial. I have had feedback on some of my products that the end users found my interface so intuitive that they did not look at the documentation I'd provided even once, but I do not see that as an excuse for not producing proper documentation. In my view, the documentation for a product is as much a part of the product as the code in the product. The product is not ready for release until the documentation is as complete and polished as is the code.
>
> Peer support is hardly a good, or cost effective, substitute for good documentation; and contrary to what some coders I have met, and worked with, have claimed, the source code is often not adequate documentation. Yes, you see what the code is doing, but tracing execution paths through it can be a tedious nightmare; especially if the coder that produced it wrote the code as a candidate for an obfuscated coding contest (something, BTW, I would regard as grounds for dismissal if obfuscation is the only justification the code can offer for it). In my own coding, the only libraries I use often are those that are well documented. Life is just too short to waste on libraries that are poorly documented (unless someone wants to pay me to do so - but they'd be paying a significant premium for such a tedious, and usually frustrating, task).
>
> I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation. It would be a mistake to leave that for someone else to do, for when that happens, it is certain that the documentation will suffer.
>
> just my $0.02, as a coder with decades of coding experience.
>
> Cheers
> Ted
Re: I can't believe how much this sucks
You miss the fact that I VOLUNTEER TO HELP FIX IT if someone will tell me where to start. There are lots of open source projects out there with WAY better docs. Take JQuery for one example. I think the reason openssl docs suck is because the authors don’t really care about docs and they don’t even seem to want someone who does to help.

From: Magosányi, Árpád
Sent: Tuesday, November 13, 2012 1:51 PM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

> On 11/13/2012 07:34 PM, Sanford Staab wrote:
> > Do you guys just want to continue to answer questions on this alias and not FIX the docs somewhat over time? I could go into a litany of how much information is just missing from the docs with INCOMPLETE everywhere.
>
> You might have overlooked the fact that openssl is an open source project. Feel free to contribute the needed documentation or finance the creation thereof if your knowledge is lacking to do so.
>
> (Yes, the documentation is lacking, and I (r=1 user of openssl) also find this a sad state of affairs. But I find whining about a problem in an open source project in this tone disturbing. Rule of thumb: the more you contribute you have more right to whine. You and me have right to point out a bug, or respectfully ask for a feature.
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 3:18 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > I am not criticising the documentation for openssl, and will not; but I would encourage those who are responsible for maintaining and improving openssl to not neglect the documentation. It would be a mistake to leave
>
> it is an Open Source project - thus there is also an onus on the USERS who use the code to also provide something into the mix - commonly that is for documentation - as users are often not the ones maintaining or improving the codebase...but are people USING the API and software (usually for their own purposes and financial gain) - so ideal for being people to offer something back in the way of, eg, better documentation.

Nonsense. The most the users can be expected to contribute is their questions. That is where the fodder for FAQs comes from. From the perspective of a library writer, they also show what you've missed.

I am CTO in my company, and when I direct a junior or intermediate programmer to use library X (which may well be one I have developed over the decades), I do not tell them to study the code to figure out how to use it. In many cases, the library details involve aspects of the problem at hand that are well beyond their experience. However, when I give them direction to use the library, I also point them to good quality user documentation: documentation that clearly illustrates how the library is properly used, and it is at a level that they can understand. In this way, I can educate them, or introduce them, to technologies that are new to them at a pace they can handle, and that without wasting time examining the details of the library implementation code which, as I said, is often well beyond what their experience can handle.

> I'd cite a use example - eg Cisco use OpenSSL for their AnyConnect SSL client - they are using quite a few of the APIs and functions in their commercial product(s) - a proper symbiotic relationship would be for their expertise to be fed back in the way of bug fixes and documentation.
>
> coders are often NOT the best documentation writers ;-)

Nonsense. No-one knows better how the code ought to be working than the folk who developed it. I begin with the assumption that all my coders are functionally literate. I expect them to document their own code as part of the duties for their position. Of course, the senior staff will review, and require edits, as part of the routine code reviews; and, on a large project, there may be a professional educator who takes responsibility for the final drafts of the user documentation. But there is no excuse for a coder not to document his own code. And that a given product is open source, or free, is not an excuse for library developers doing a poor job documenting their product.

Take a look at the boost documentation. Some of that is great; and some not so much. But the boost library documentation is generally more than enough for a capable programmer to make good use of most of those libraries. Granted, though, some of those libraries are sufficiently advanced that I would only ask senior members of my team to make use of them. And there are other open source products that do have adequate to good documentation; at least if you look carefully.

Cheers
Ted
openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1 ERROR
We are getting the following error in the syslogs when we connect between two servers using ssh key based authentication:

secure:Nov 9 19:32:04 cls2-pub authpriv 3 sshd[9526]: error: openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1

This issue happens only in FIPS mode and not in non FIPS mode. What is the root cause for this and what is the workaround? Any pointers would be appreciated.

Thanks,
Anamitra
RE: I can't believe how much this sucks
EXACTLY!

Charles

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Sanford Staab
Sent: Tuesday, November 13, 2012 12:53 PM
To: openssl-users@openssl.org
Subject: Re: I can't believe how much this sucks

> Couldn’t agree more Ted. I think the bar on open-source product documentation has been going way up over time. If I were these guys, I’d get it right so I wouldn’t have to keep bothering to answer so many questions over and over.
>
> From: Ted Byers mailto:r.ted.by...@gmail.com
> Sent: Tuesday, November 13, 2012 2:49 PM
> To: openssl-users@openssl.org
> Subject: Re: I can't believe how much this sucks
Re: I can't believe how much this sucks
Hi,

> Nonsense. No-one knows better how the code ought to be working than the folk who developed it. I begin with the assumption that all my coders are

i'd cite the cathedral and the bazaar ...or the 'many eyes make all bugs shallow' views - if you are given the API and the documents, you use the code without seeing what its doing. by looking at each library you can see what it does and how it does it but most importantly, you can see the bugs/issues/problems.

with the closed source proprietary software you expect to get 100% perfect docs because you cannot see the source code - you are told how it works and what to feed it. thats that.

yes, one can complain until you are blue about documentation - and a few comments in this thread have certainly alerted me to some of OpenSSLs other issues - enough perhaps to look at GNUTLS or some alternative 'ReallyOpenSSL' anyone? ;-)

alan
Re: I can't believe how much this sucks
On Tue, Nov 13, 2012 at 4:38 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > Nonsense. No-one knows better how the code ought to be working than the folk who developed it. I begin with the assumption that all my coders are
>
> i'd cite the cathedral and the bazaar ...or the 'many eyes make all bugs shallow' views - if you are given the API and the documents, you use the code without seeing what its doing. by looking at each library you can see what it does and how it does it but most importantly, you can see the bugs/issues/problems.

You neglect context. My junior staff generally don't see the library implementations, even when we own the code. To ask them to study that code pushes them way too far much too fast. I want junior staff to develop at a reasonable pace; but at their own pace. I will not assign them tasks that they haven't a hope of completing in a reasonable timeframe. That is just plain cruel! It is madness to expect a junior coder to have all the expertise of a senior software engineer. To do so is a recipe for disaster, and for rapid burnout of your junior staff.

Your cathedral and bazaar metaphor therefore does not apply in most cases. Your metaphor only applies in the case of senior programmers interacting with other senior programmers. And, when it comes to security, you want as many senior programmers' eyes on the code as is possible. And I would be concerned about using a library that my senior staff have trouble figuring out. But even this does not excuse the senior programmers responsible for developing the code from documenting it. There is no-one better to do it, especially if they put themselves in the place of the junior programmers they are responsible for training.

> with the closed source proprietary software you expect to get 100% perfect docs because you cannot see the source code - you are told how it works and what to feed it. thats that.

That's just plain wishful thinking! The perfect product does not exist, closed source or otherwise! We know software engineers are human, and thus error is always certain in any document. It is, though, to be expected that closed source software and its documentation goes through a QA process to ensure that error is at a minimum, and also that their support staff are sufficiently senior that when a user encounters a problem, they are competent enough to jointly test the nature of each complaint and correctly distinguish between a bug in their own product and user error. In a product that is acceptable for production use, from an acceptable supplier, it is never a case of "that's that". Failure on either count above guarantees that the library in question will not be used, at least in any product I am responsible for.

> yes, one can complain until you are blue about documentation - and a few comments in this thread have certainly alerted me to some of OpenSSLs other issues - enough perhaps to look at GNUTLS or some alternative 'ReallyOpenSSL' anyone? ;-)

It is always a question of examining which of the available products/libraries to use, vs writing your own code. In every such case, it is a question of having (only) your senior staff invest a bit of time to evaluate the options. This includes applying tests to determine the adequacy and reliability, and limits of application, of the product in question. I will not waste time on complaining about documentation for one library or another. Instead, I will examine the product, including its documentation. I will then make a judgement as to whether or not it will be used, and by which of my staff. We might even decide to use multiple competing products for different tasks, perhaps with our own 'abstraction layer' to ensure that what we have our junior people coding to is of sufficient quality and that we do not get hurt by deficiencies in each of the products we're using.

I set the coding standard for my staff, as well as the criteria that must be met by any library, or other tool, we will use; along with any conditions for their use. And none of that is static. Some of the senior staff are responsible for reviewing available libraries, with a view toward adding or removing products from the mix, based on deficiencies and improvements that appear in each as they develop.

Cheers
Ted
Re: I can't believe how much this sucks
If we would have to have deep understanding of the various codes we are using everyday (I am myself a programmer, and openssl WCE contributor), we would not have enough time to work, to produce anything. Anyway understanding what the code is SUPPOSED to do is one thing, and HOW it is doing it, another thing. This is the basic difference between specifications and design...

Do you really need to understand the code of zlib to use it? the code of libpng to produce png? the code of c-lib (written in assembly !!!) to produce c code?

So, this kind of argument is just pretending sarcasm.

Maybe the doc could be improved by a kind of wiki system? Where people having found useful answers in the distribution list could push back some useful info. This is just a suggestion.

Yours sincerely
Pierre

On 13/11/2012 23:13, Ted Byers wrote:
> On Tue, Nov 13, 2012 at 4:38 PM, alan buxey a.l.m.bu...@lboro.ac.uk mailto:a.l.m.bu...@lboro.ac.uk wrote:
Re: I can't believe how much this sucks
> For things that the peer support forum and the existing documentation don't cover, you have the source code, which is definitive.

The source code can tell you what it DOES do - but the cost of understanding that can be very high in some cases, and the problem domain of OpenSSL almost guarantees it. But what raw source will not tell you is WHY it does what it does, or what the INTENT was when it was written, or what non-obvious assumptions are in play and necessary for correct operation. Nor does it tell you how to use it, and that is not necessarily obvious from the source code, even if it contains embedded documentation (comments) that address the points above.
Re: I can't believe how much this sucks
> the 'many eyes make all bugs shallow' views

You don't believe that, do you? The number of counter-examples of long-standing bugs in widely available and active open-source systems should be large enough to call it now. Especially in subtle, complex systems where there is no documentation of the design itself - just code. Bugs in code generators and race conditions in kernels do not become shallow by making the source available to millions of developers with no experience in those domains.