Re: Is OpenSSL Production Ready?

2002-04-08 Thread Chris Cleeland

On Mon, 8 Apr 2002, Mark H. Wood wrote:

> On Sat, 6 Apr 2002, Jeffrey Altman wrote:
> > There is an answer to this of course.  It is: do not link against
> > OpenSSL but instead load the libraries and functions manually as
> > OpenSSL does with the DSO interface.  Then the two programs are
> > separate with separate licenses.
>
> Thank you! I hadn't thought of that, and it sounds like fun too.

Sounds like this would be a great facility to stick into a contrib
directory...call it "glen"--Gnu Linkage ENabler?

-- 
  Chris Cleeland, cleeland_c @ ociweb.com, http://www.milodesigns.com/~chris
 Principal Software Engineer, Object Computing, Inc., +1 314 579 0066
  Support Me Supporting Cancer Survivors in Ride for the Roses 2002
>Donate at http://www.milodesigns.com/donate<

__
OpenSSL Project http://www.openssl.org
User Support Mailing List   [EMAIL PROTECTED]
Automated List Manager      [EMAIL PROTECTED]



Re: Is OpenSSL Production Ready?

2002-04-08 Thread Mark H. Wood

On Sat, 6 Apr 2002, Jeffrey Altman wrote:
> There is an answer to this of course.  It is: do not link against
> OpenSSL but instead load the libraries and functions manually as
> OpenSSL does with the DSO interface.  Then the two programs are
> separate with separate licenses.

Thank you! I hadn't thought of that, and it sounds like fun too.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".




Re: Re: Is OpenSSL Production Ready?

2002-04-06 Thread Michael Kobar

Fine. Then let's just call it "Powered by OpenSSL" and at least let the Apache Group
sue us.  But seriously, I do think that some form of "branding" would be useful.  I 
find it very useful to both promote OpenSSL to potential users/customers and to be 
able to show that it is widely used in both commercial and open source projects around 
the world.

Just my 2 cents,

Mike

--- "Mark H. Wood" <[EMAIL PROTECTED]> wrote:
> 
> On Thu, 4 Apr 2002, Michael Kobar wrote:
> [snip]
> > Perhaps OpenSSL.org should accept and post
> > commercial product names and/or start a voluntary 
> > "OpenSSL Inside" type branding program (like
> > the "powered by Apache" logo).
> 
> Watch out for that "xxx Inside".  I hear that Intel
> is suing some nonprofit for daring to call themselves 
> "Yoga Inside", on the (ludicrous IMHO) grounds that 
> that name harms their trademark.
> 
> -- 
> Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
> MS Windows *is* user-friendly, but only for certain values of "user".
> 


Michael Kobar          [EMAIL PROTECTED]
Software Engineer      860.434.4018
Lymeware Corporation   801.383.9021 fax
www.lymeware.com




RE: Re: Is OpenSSL Production Ready?

2002-04-06 Thread Michael Kobar

Thanks Lutz, I just thought a page listing commercial usage (and products) on the 
website might be helpful.  We love to brag about our OpenSSL usage!

Mike

On Thu, Apr 04, 2002 at 22:28:47PM +0200, Lutz Jaenicke wrote:
> On Thu, Apr 04, 2002 at 01:31:59PM -0500, Michael Kobar wrote:
> > Perhaps OpenSSL.org should accept and post commercial 
> > product names and/or start a voluntary "OpenSSL Inside" 
> > type branding program (like the "powered by Apache" 
> > logo).
>
> To be precise: according to the OpenSSL license every 
> program that uses the library and advertises its SSL 
> capabilities also must advertise the use of OpenSSL.
> 
> Then there is the logo in doc/openssl_button.gif :-)
> 


Michael Kobar          [EMAIL PROTECTED]
Software Engineer      860.434.4018
Lymeware Corporation   801.383.9021 fax
www.lymeware.com




Re: Is OpenSSL Production Ready?

2002-04-06 Thread Jeffrey Altman

Richard wrote:
> brian> Does anyone actually use OpenSSL for a production, business
> brian> operation? 
> 
> There are many programs out there that use OpenSSL.  A popular one that
> I use myself is the Opera browser.
> 
> brian> We're having a heck of a time with the FAQ-documented "Page
> brian> Could Not Load / DNS Error" page failures with IE browsers,
> brian> even after applying the fixes recommended in the FAQ.
> 
> "DNS Error" hardly sounds like something SSL-related...

Richard:

The famous "DNS Error or Server not found" error message from IE is
used whenever there is a failure to connect to a host.  This includes
such things as "CRL location not specified in certificate" errors when
CRL verification is turned on.  There are any number of reasons why
this message may be generated.

- Jeff




 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and
 [EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH



Re: Is OpenSSL Production Ready?

2002-04-06 Thread Jeffrey Altman

> On Fri, Apr 05, 2002 at 08:15:04AM -0500, Mark H. Wood wrote:
> > On Thu, 4 Apr 2002, Lutz Jaenicke wrote:
> > > To be precise: according to the OpenSSL license every program that uses
> > > the library and advertises its SSL capabilities also must advertise the
> > > use of OpenSSL.
> > 
> > Actually this is a problem -- it means you can't link OpenSSL libraries
> > with any GPLed code which you intend to distribute.  I'm facing the
> > necessity of having to use the not-quite-ready-for-prime-time GNUtls
> > package instead of OpenSSL for a project I'm contemplating, because it
> > builds on an application licensed under the GPL.  (And I have no idea how
> > hard it's going to be to get *both* compatibly installed on one box.)
> > 
> > IIRC the Ethereal folk have also run up against this problem.
> > 
> > I'm not asking for anything at this time; I just wanted to provide a
> > couple of data points.
> 
> Besides the "OpenSSL" license itself large parts of the code were written
> by EAY and his license still applies without any option of the OpenSSL
> team to influence it as long as EAY does not change his license.
> The OpenSSL team members are aware of this problem but there is not much
> we can do for the reason stated above.
> 
> Best regards,
>   Lutz

There is an answer to this of course.  It is: do not link against
OpenSSL but instead load the libraries and functions manually as 
OpenSSL does with the DSO interface.  Then the two programs are 
separate with separate licenses.  



 Jeffrey Altman * Sr.Software Designer      C-Kermit 8.0 available now!!!
 The Kermit Project @ Columbia University   includes Telnet, FTP and HTTP
 http://www.kermit-project.org/             secured with Kerberos, SRP, and
 [EMAIL PROTECTED]                          OpenSSL. Interfaces with OpenSSH



Re: Is OpenSSL Production Ready?

2002-04-05 Thread Lutz Jaenicke

On Fri, Apr 05, 2002 at 08:15:04AM -0500, Mark H. Wood wrote:
> On Thu, 4 Apr 2002, Lutz Jaenicke wrote:
> > To be precise: according to the OpenSSL license every program that uses
> > the library and advertises its SSL capabilities also must advertise the
> > use of OpenSSL.
> 
> Actually this is a problem -- it means you can't link OpenSSL libraries
> with any GPLed code which you intend to distribute.  I'm facing the
> necessity of having to use the not-quite-ready-for-prime-time GNUtls
> package instead of OpenSSL for a project I'm contemplating, because it
> builds on an application licensed under the GPL.  (And I have no idea how
> hard it's going to be to get *both* compatibly installed on one box.)
> 
> IIRC the Ethereal folk have also run up against this problem.
> 
> I'm not asking for anything at this time; I just wanted to provide a
> couple of data points.

Besides the "OpenSSL" license itself large parts of the code were written
by EAY and his license still applies without any option of the OpenSSL
team to influence it as long as EAY does not change his license.
The OpenSSL team members are aware of this problem but there is not much
we can do for the reason stated above.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: Is OpenSSL Production Ready?

2002-04-05 Thread Mark H. Wood

On Thu, 4 Apr 2002, Lutz Jaenicke wrote:
> To be precise: according to the OpenSSL license every program that uses
> the library and advertises its SSL capabilities also must advertise the
> use of OpenSSL.

Actually this is a problem -- it means you can't link OpenSSL libraries
with any GPLed code which you intend to distribute.  I'm facing the
necessity of having to use the not-quite-ready-for-prime-time GNUtls
package instead of OpenSSL for a project I'm contemplating, because it
builds on an application licensed under the GPL.  (And I have no idea how
hard it's going to be to get *both* compatibly installed on one box.)

IIRC the Ethereal folk have also run up against this problem.

I'm not asking for anything at this time; I just wanted to provide a
couple of data points.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".




Re: Is OpenSSL Production Ready?

2002-04-05 Thread Mark H. Wood

On Thu, 4 Apr 2002, Michael Kobar wrote:
[snip]
> Perhaps OpenSSL.org should accept and post commercial product names
> and/or start a voluntary "OpenSSL Inside" type branding program (like
> the "powered by Apache" logo).

Watch out for that "xxx Inside".  I hear that Intel is suing some
nonprofit for daring to call themselves "Yoga Inside", on the (ludicrous
IMHO) grounds that that name harms their trademark.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of "user".




Re: Is OpenSSL Production Ready?

2002-04-04 Thread Michael Kobar

--- Brian Panulla <[EMAIL PROTECTED]> wrote:
> Does anyone actually use OpenSSL for a production,
> business operation? 
>
Yes we do.  We have several commercial products which use OpenSSL for SSL, RSA key and 
X.509 certificate generation and encryption.  We have been using it since SSLeay days 
and have seen significant improvement under the management of the OpenSSL Development 
team, and the huge traffic on the mailing lists.

We have used Consensus SSLplus, RSA BSAFE, and Baltimore KeyTools and have found 
OpenSSL no harder to use.  The one facet of OpenSSL which is both the best and worst 
of worlds is the availability of multiple levels of APIs.  Yea, open source.  It is a 
lot to swallow, especially for a beginner crypto programmer.

And we are not the only ones.  Stronghold is the famous commercial product using both 
Apache and OpenSSL.

Perhaps OpenSSL.org should accept and post commercial product names and/or start a
voluntary "OpenSSL Inside" type branding program (like the "powered by Apache" logo).

Mike


Michael Kobar          [EMAIL PROTECTED]
Software Engineer      860.434.4018
Lymeware Corporation   801.383.9021 fax
www.lymeware.com




Re: Is OpenSSL Production Ready?

2002-04-04 Thread Robert Joop

On 02-04-03 23:04:29 CEST, Harald Koch wrote:
> dbm: style session caching does not work *WITH CLIENT CERTIFICATES*. The
> client certificate is mangled when it is loaded from the cached
> session.

it works for me.
i've got a web server
Server: Apache/1.3.17 (Unix) mod_jk mod_ssl/2.8.0 OpenSSL/0.9.6
that requires client certificates and it uses
SSLSessionCache dbm:/usr/local/apache-1.3.17/logs/ssl_scache
and i can navigate around for as long as the SSLSessionCacheTimeout
allows.

but i remember that i had to compile it myself and had to use
--enable-rule=SSL_SDBM because of the standard dbm implementation's
limitation.

rj