6 comments

[ 3.1 ms ] story [ 22.6 ms ] thread
Flaw N3 is not present in 1.0.1c. The | has been replaced with & in ssl/s3_svr.c:2933.
A good reason to use the right tools of static analysis, rather than look manually. ;)
OpenSSL straddles a difficult line: on the one hand, security. On the other, performance. It carries a fair amount of state around in big context structures and there is a ton of clever, platform-specific code.

One alternative that I've played with is PolarSSL[1], which has the nice property that every module is designed to be compiled as a standalone.

It's slower and it's less efficient, but I suspect that it would be a lot more auditable.

[1] https://polarssl.org/

How about MatrixSSL?

I've given up on the SSL libraries in favor of simpler, non-IETF offerings from a seemingly maverik yet brillliant crytographer who is very focused on performance, but I'd be curious what you think of MatrixSSL.

Honestly? I'd never heard of it until now.

A quick glance through the MatrixSSL docs suggests that it aims at being specifically an SSL/TLS package. So it can take certainly liberties that would, I presume, make it a bit smaller and faster than PolarSSL in that role.

What interested me about PolarSSL at the time, though, is that it is modular. I wasn't interested in SSL, I was looking for a small, easily-wrapped, standalone implementation of SHA-512 and SHA-512 HMACs. PolarSSL lets me use just the bits I want.

That's my main problem with OpenSSL: it tries to be so much more than SSL (despite it's name), and with all that extra functionality comes more responsibility, e.g. a much higher auditing burden.

OpenSSL is an impressive amount of work that has a long history, but for some purposes, it seems needlessly large and complex.

Reminds me of when OpenBSD wrote openntpd. The ntpd folks felt the need to criticise the project because it tried to simplify things a little, and left out much of the functionality (and complexity) added to ntpd over the years.

Overall, unless I am the one who has written something and thus understands how it is constructed from the ground up, I find smaller amounts of code (e.g. as standalone modules) easier to work with than larger ones.

Massive, integrated projects with huge amounts of code seem very popular, and I often wonder if I am alone in my appreciaton and preference for smaller standalone chunks of code.