

On checking OpenSSL - AndreyKarpov
http://www.viva64.com/en/b/0183/

======
samuellb
Flaw N3 is not present in 1.0.1c. The | has been replaced with & in
ssl/s3_svr.c:2933.

~~~
AndreyKarpov
A good reason to use the right tools of static analysis, rather than look
manually. ;)

------
jacques_chester
OpenSSL straddles a difficult line: on the one hand, security. On the other,
performance. It carries a fair amount of state around in big context
structures and there is a ton of clever, platform-specific code.

One alternative that I've played with is PolarSSL[1], which has the nice
property that every module is designed to be compiled as a standalone.

It's slower and it's less efficient, but I suspect that it would be a lot more
auditable.

[1] <https://polarssl.org/>

~~~
vaxdigitalnh
How about MatrixSSL?

I've given up on the SSL libraries in favor of simpler, non-IETF offerings
from a seemingly maverick yet brilliant cryptographer who is very focused on
performance, but I'd be curious what you think of MatrixSSL.

~~~
jacques_chester
Honestly? I'd never heard of it until now.

A quick glance through the MatrixSSL docs suggests that it aims at being
specifically an SSL/TLS package. So it can take certain liberties that
would, I presume, make it a bit smaller and faster than PolarSSL in that role.

What interested me about PolarSSL at the time, though, is that it is modular.
I wasn't interested in SSL, I was looking for a small, easily-wrapped,
standalone implementation of SHA-512 and SHA-512 HMACs. PolarSSL lets me use
just the bits I want.

~~~
vaxdigitalnh
That's my main problem with OpenSSL: it tries to be so much more than SSL
(despite its name), and with all that extra functionality comes more
responsibility, e.g. a much higher auditing burden.

OpenSSL is an impressive amount of work that has a long history, but for some
purposes, it seems needlessly large and complex.

Reminds me of when OpenBSD wrote openntpd. The ntpd folks felt the need to
criticise the project because it tried to simplify things a little, and left
out much of the functionality (and complexity) added to ntpd over the years.

Overall, unless I am the one who has written something and thus understands
how it is constructed from the ground up, I find smaller amounts of code (e.g.
as standalone modules) easier to work with than larger ones.

Massive, integrated projects with huge amounts of code seem very popular, and
I often wonder if I am alone in my appreciation and preference for smaller
standalone chunks of code.

