
OpenSSL is written by monkeys (2009) - dptee
https://www.peereboom.us/assl/assl/html/openssl.html
======
agwa
I've done quite a bit of programming with the OpenSSL library and this article
is only scratching the surface of the awfulness. Documentation is horrible to
non-existent, you really do need to go spelunking into the source to figure
out how things work, and the code really is that horrible.

The worst thing is that error reporting is not consistent - sometimes -1 means
error, other times 0 means error, other times 0 means success, and sometimes
it's a combination. This is really, _really_ bad for a crypto library since
properly detecting errors is usually critical to security.

~~~
mrtksn
O.K. This is probably a stupid question, but if it was apparent to many that
the code of OpenSSL was horrible, why did people keep using it and nobody try
to refactor it? How is it possible that such a popular and critical piece of
open-source software survived the years without a complete face-lift and nobody
wrote thorough documentation?

~~~
betterunix
1. Other libraries do exist -- NSS, GnuTLS, etc.

2. Do you have time for a rewrite? What makes you think anyone else would?

3. The (generally correct) mindset is _don't implement your own crypto_.
This is particularly true of something like TLS, which is complicated and has
subtle requirements that are easy to screw up. Unfortunately, this means that
even people who have time are discouraged from doing an OpenSSL rewrite.

~~~
mlieberman85
If there are alternatives, then why do so many pieces of software (nginx, Apache,
etc.) use OpenSSL as opposed to one of these alternatives?

~~~
betterunix
_Today_ there are alternatives. Once upon a time those alternatives were
either not written, not stable, or not free. Now it is just a matter of
convincing an enormous number of developers to carefully rewrite large parts
of their systems to use a different library instead of new features (or
ironically, security fixes).

------
adrianpike
I'm getting a certificate warning on Chrome 33.0.1750.152. Is there a security
corollary to Muphry's law?[1]

[1] -
[http://en.wikipedia.org/wiki/Muphry's_law](http://en.wikipedia.org/wiki/Muphry's_law)

~~~
a3_nm
This might be intended. Supporting SSL is better than not supporting it (well,
except in situations where an OpenSSL bug could leak your server's memory, but
that's a bit of a stretch
<http://filippo.io/Heartbleed/#www.peereboom.us>
-- but put this aside), because it's always better to encrypt traffic even in
a way vulnerable to passive attacks; and some people may reasonably opt-out of
the SSL CA business because they do not like the way it is structured, doubt
the security it offers, or feel that they do not need it.

(I use a free StartSSL signed certificate, but only because it's free and not
very hard to get. If there were no free provider with widespread support, I
would be very happy to use a self-signed cert and think of it as a protest
against the stupidity of browsers which present SSL+self-signed as less secure
than plain HTTP).

~~~
nknighthb
If someone has passive access to snoop, the odds they can perpetrate an active
attack are so close to 100% as to make the distinction immaterial. Encryption
without authentication accomplishes nothing.

Worse, self-signed certificates train users to freely click through
certificate warnings. People running servers with self-signed certificates are
actively reducing what security we have available for the web.

If we ever do get anything better than the existing CA structure, it won't do
us any good if users have been trained to ignore browser security warnings
anyway.

~~~
devinj
Can you MITM public wifi? Real question, but I thought the answer was "no",
which would make public wifi a compelling counter-example.

~~~
syshax
Yes. You arp poison the default gateway and route traffic through your own
host instead.

~~~
caf
Or spoof DNS responses to point to a machine under your control.

~~~
sp332
Or spoof a disassociation frame, then impersonate the access point so the
victim connects to your computer instead.

------
cpeterso
Adobe's Flash Player used OpenSSL on Linux for a long time, but eventually
switched to NSS because the OpenSSL project would repeatedly break their
library ABI without changing version numbers. The OpenSSL developers said that
a stable ABI was a non-goal of theirs. (Disclosure: I was an engineer on
Adobe's Flash Player team.)

~~~
TwoBit
OpenSSL's thread safety policies are undocumented and unintelligible. We gave
up and just put a single mutex around any call to OpenSSL within the process.

~~~
richm44
That's actually something OpenSSL does okay. See
[http://www.openssl.org/docs/crypto/threads.html](http://www.openssl.org/docs/crypto/threads.html);
it's actually one of the few things that are properly documented.

------
vl
>OpenSSL is equivalent to monkeys throwing feces at the wall. It is, bar none,
the worst library I have ever worked with

Ah, he hasn't worked with MS Crypto APIs.

I was implementing TLS/SSL in one of the services while working at _MS_. I
couldn't figure out many things from MSDN and samples - they would not cover
error and some variant code paths, and there was just no way to figure it out.
And recovery would be something like "in the third buffer there will be value x,
you have to pass it to the other function". And there was a need to do it
correctly for obvious reasons, really. So finally I got the IIS sources to see
how it's done correctly, and discovered a couple thousand lines of code with
comments like this: "xxx told us that buffer X will contain value bla if
condition Z is met, and this is why we are doing it here". I had no choice but
to cut-n-paste it into my service. I can tell you for sure, nobody outside MS
can implement TLS/SSL correctly by using MS Crypto APIs. At least with OpenSSL
you can read the sources for both the library and services and figure it out.

~~~
TwoBit
The absolute worst API in the history of computers is the Microsoft Text
Services Framework (TSF) API.

It's incomprehensible, nearly undocumented, 10x more complicated than
necessary, and even Microsoft doesn't understand how it works and hates it.

~~~
yuhong
Don't forget x64 SEH. From
[http://www.nynaeve.net/?p=105](http://www.nynaeve.net/?p=105): "This
layering violation is not the most egregious in the x64 exception handling
scene, however."

------
j_s
It looks like this was the precursor to assl, 'A library to hide awful OpenSSL
API in a sane interface' which hasn't gotten much GitHub love.

[https://opensource.conformal.com/wiki/assl](https://opensource.conformal.com/wiki/assl)

[https://github.com/conformal/assl](https://github.com/conformal/assl)

------
tptacek
For more, and more recently:

[https://twitter.com/OpenSSLFact](https://twitter.com/OpenSSLFact)

------
jonchang
[https://web.archive.org/web/20140125144231/http://www.peereb...](https://web.archive.org/web/20140125144231/http://www.peereboom.us/assl/assl/html/openssl.html)

If you don't want to add a security exception.

------
hf
I am a bit reluctant to repeat myself, but I can't see any mention of the
sheer _volume_ of code. It's more than 300,000 lines of code in the .c files
of the official tarball.

My experience with code grown beyond 10⁵ LoC is that it _forces_ you to
monkey-patch around any bugs (or even features for that matter). Surely
there's a Potterson's Law or something that describes the situation.

In short: it's not the monkeys (quality), it's the volume of code.

(Of course now we're getting in a chicken-egg situation.)

------
mschuster91
I seriously wonder what else is hidden in the mess called OpenSSL. And
especially how much of the bugs are known by the NSA.

Something like Heartbleed would definitely make a live-injection attack
feasible!

~~~
gnu8
If the NSA is going to spend our tax dollars analyzing that code, the least
they could do is contribute formatting cleanup patches!

~~~
conformal
i don't think the NSA works like that :)

remember "national security" equates to "we will watch you all the time and
steal all your dataz". it would obviously be great if "national security"
meant what it was supposed to...

~~~
sliverstorm
The NSA wrote SELinux.

~~~
chopin
Has that been audited independently? A quick Google search didn't cough up
anything.

~~~
sliverstorm
You mean, has anyone formally audited SELinux to make sure the NSA didn't load
it with backdoors? No idea, but it was accepted into mainline Linux kernel ten
years ago. So if you don't trust SELinux, you can't trust Linux.

------
pohl
The following thread is not directly related, but might be interesting to
those who would like to see a constructive response to the quality of OpenSSL.

[http://www.reddit.com/r/rust/comments/22gppc/when_life_hands...](http://www.reddit.com/r/rust/comments/22gppc/when_life_hands_you_lemons_is_this_rusts_time_to/)

------
nly
What are the best alternatives?

I've recently started looking, and PolarSSL[0] and Botan[1] are on my trial
list. Mozilla NSS looks a little low level, and GnuTLS hasn't fared much
better lately, despite having _much_ better code hygiene than OpenSSL.

[0] [https://polarssl.org/](https://polarssl.org/)

[1] [http://botan.randombit.net/](http://botan.randombit.net/)

~~~
betterunix
I have some experience with NSS, and for simple things it is not terrible
despite being a bit low level. With about an afternoon of work I was able to
write a very simple TLS server using NSS -- in Lisp, using SBCL's FFI.

------
alkonaut
How can a library of this size and importance not be run through a linter,
with violating patches rejected? And why is a cleanup effort of the simplest
stuff not undertaken?

And with it being C, doing a proper operator spacing+indentation of the whole
source should be as easy as running it through a tool (yes, auto indent is
always better than a broken indent).

What's the next discovery? The core is all php and there are zero tests?

------
dkarapetyan
Why is this so hard? I'm honestly curious to know. The theory is extremely
well laid out, i.e. it's just number theory. We know to do stuff in a way that
avoids side-channel attacks, i.e. try not to leak power usage when you're
exponentiating, etc. Why do people keep using the awful mess that's openssl?

~~~
tptacek
It's not just number theory; it's a web of interlocking state machines
implementing the TLS protocol, which itself depends on a variety of different
marshalling formats for the number theoretic parameters, built on the shifting
sands of optimizations for different machines, all evolved over the course
of ~15 years, starting from a package that was, literally, Eric Young's "teach
myself C" project.

~~~
nhaehnle
That's kind of missing the point though. It would be relatively easy to define
an interface that is simple to use and allows implementing 90% of the use
cases with rather low danger of shooting yourself in the foot. We _know_ that
this is possible because there are libraries out there that do it.

This whole thread is about OpenSSL somehow failing to do that, despite being
called out on it for years.

~~~
tptacek
I don't understand. What part of TLS are you calling "simple"?

~~~
nhaehnle
The _interface_ between an application that wants to communicate using TLS and
perform related tasks and a library that implements TLS can and should be
simple - at least for the 90% of common use cases.

The whole point of the original article is that the interface of OpenSSL is
horrible and undocumented. Consider how the article's author was not
originally interested in looking at the internals of OpenSSL. All they wanted
was a decent and documented interface for dealing with certificates; if
OpenSSL had exposed such an interface, they would never even have looked at
the source code of its internals.

~~~
acqq
It's open source, everybody can decide to invest his own time to do the fixes.

However, the functionality openssl provides is much bigger than most of the
commenters can imagine. It's not easy at all.

------
zjfroot
The version at pastebin.

[http://pastebin.com/HMUjbnnN](http://pastebin.com/HMUjbnnN)

------
tcgv
Last year I took part in a similar project in which I had to issue both server
and client certificates, signed by another certificate, for a company's sales
site. I'm not by all means an expert in cryptography (not even close), and
after googling around a bit I found "The Legion of The Bouncy Castle"[1]
crypto library, which was relatively easy to work with, and enabled me to
solve my problem quick enough. I just wonder what more experienced programmers
have to say about this crypto library.

[1]
[http://en.wikipedia.org/wiki/Bouncy_Castle_(cryptography)](http://en.wikipedia.org/wiki/Bouncy_Castle_\(cryptography\))

------
verroq
Having worked with OpenSSL on only one occasion, I figured something was up
when they have functions named SHA1_Update and SHA_Update that have the exact
same signature and create different outputs. A library designed by
incompetents.

~~~
brohee
SHA_Update is for the SHA-0 hash, and SHA1_Update is for the SHA-1 hash, so
it's hardly completely illogical. The main issue here is that people who
don't know the difference between SHA-0 and SHA-1 should likely not be in
charge of computing hashes by themselves. Crypto requires some expertise or it
goes awry very fast, but then the educational system is producing plenty of
people with good crypto knowledge; it's hardly the niche it was only 20 years
ago.

Also SHA-0 support is left out if OPENSSL_NO_SHA0 is defined, which must at
least be the case in the FIPS version of the library, the one you want to use
for regulation reasons in many cases...
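
The point made about SHA_Update versus SHA1_Update (and the "one typo away" complaint it answers) is easy to see with the algorithms side by side. The following is an added example, not code from this thread or from OpenSSL: a pure-Python SHA-1 with a switch that turns it into SHA-0, which is the same construction minus one rotate in the message schedule. The function names (sha0_hex, sha1_hex, typo_changes_digest) are this example's own; hashlib is only used to cross-check the SHA-1 path.

```python
# Added example, not code from the thread or from OpenSSL: SHA-0 and SHA-1
# differ in a single message-schedule step, so SHA_Update vs SHA1_Update
# yield different 20-byte digests for the same input. hashlib is only used
# to cross-check the SHA-1 path.
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def _digest(data, sha0):
    """Return the hex digest of `data`: SHA-0 if sha0 is True, else SHA-1."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    # Merkle-Damgard padding: 0x80, zeros to 56 mod 64, 64-bit big-endian length.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack(">Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 80):
            x = w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16]
            # The only difference between the two algorithms: SHA-1 rotates
            # each expanded schedule word left by one bit, SHA-0 does not.
            w.append(x if sha0 else _rotl(x, 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
            a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
        h = [(v + n) & MASK32 for v, n in zip(h, (a, b, c, d, e))]
    return "".join("%08x" % v for v in h)


def sha1_hex(data):
    return _digest(data, sha0=False)


def sha0_hex(data):
    return _digest(data, sha0=True)


def sha1_matches_stdlib(data):
    """Cross-check: this SHA-1 must agree with hashlib for the given input."""
    return sha1_hex(data) == hashlib.sha1(data).hexdigest()


def typo_changes_digest(data):
    """True if swapping SHA_Update for SHA1_Update would pass a length check
    (both give 40 hex chars) yet silently produce a different digest."""
    d0, d1 = sha0_hex(data), sha1_hex(data)
    return len(d0) == len(d1) == 40 and d0 != d1
```

Because both digests have the same length, a typo between the two names is not caught by any size check; only a known-answer test against the intended algorithm catches it.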

~~~
verroq
The problem was that the names are too close to each other and were one typo
away from mysterious bugs. The non-existence of documentation didn't help
either.

~~~
brohee
If you go that way there are also MD2_Update, MD4_Update and MD5_Update, that
are also one typo away from _a bug you can't miss at all if you test anything_.

Of the many, many faults of the OpenSSL API, you just didn't choose the right
one.

~~~
verroq
Having been bitten by SHA1_Update with no expectation that SHA_Update would
work as well, I'm sort of bitter about that.

------
cratermoon
OpenSSL is a monoculture. Refactoring it or trying to prettify it would be a
waste of time. The right response is to create a completely separate open
source project that implements SSL/TLS. The biggest problem that comes to mind
is that there are only so many people expert enough to do it right and lots of
those people are already on OpenSSL, and produced the mess there. Then there's
the adoption curve -- while there are probably quite a few people who'd jump
on a better library, there is lots of inertia in the big and important
projects.

------
woodypl
reminds me of this:
[https://www.varnish-cache.org/docs/trunk/phk/ssl.html](https://www.varnish-cache.org/docs/trunk/phk/ssl.html)

------
anfedorov
Date on the article might belong in the title: 2009-08-24

------
j_s
What alternatives are out there?

It is time for a new open source SSL implementation, maybe minimizing what is
supported to reduce attack surface?

~~~
alaaibrahim
It depends on your needs, but you can check:

[https://en.wikipedia.org/wiki/Comparison_of_TLS_Implementati...](https://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations)

------
mamcx
Readability matters (Zen of Python).

This kind of thing makes me appreciate saner languages like Python & Pascal.

But this makes C look __too bad it is...

------
trhway
a guy setting out to write a CA (with LDAP backend! cue nostalgia for my old
days at one well known BigCo) for what seems to be the first time, and as a
first timer he obviously goes for OpenSSL (has he ever heard at least about
NSS?). Does it all sound like part of the same problem he talks about?

------
sfeng
I highly recommend fixing the style before attempting to read:
[https://www.dropbox.com/s/euuuyrjydo8z5jy/Screenshot%202014-...](https://www.dropbox.com/s/euuuyrjydo8z5jy/Screenshot%202014-04-08%2020.14.31.png)

------
privong
Is there anyone with a more current read on this issue (heartbleed aside)? The
linked article is 5 years old, lots can change in 5 years.

~~~
noselasd
Having maintained a code base that uses OpenSSL since 2004: no, not a lot
has changed, OpenSSL has just accumulated more of the same.

------
plaguuuuuu
Article raises a good point.

Seeing this repeated 50+ times made me cringe though:

    if ((req = X509_REQ_new()) == NULL)
        ERROR_OUT(ERR_SSL, done);

seriously..

also, writing new code and not using Rust, or D, or even C++. WTFs like the
above are par for the course when you're writing in a 40 year old language
without any features of modern low-level languages.

~~~
72deluxe
I don't think writing bad code is a reflection on the language. You can write
rubbish code in any language.

------
gregulrajani
Sounds a bit like Sun's Metro WS-Security implementation

------
triplesec
Chrome thinks this site is unsafe, which amuses me at least.

------
martco
this title is so offensive towards monkeys

------
jokoon
either monkeys or NSA programmers

------
nknighthb
I'm going to assume "monkeys" is a poor translation from another language.
Maybe it's supposed to say "OpenSSL is written by fuzzy hackers". It's
impossible to tell without accepting a self-signed certificate I have no means
of validating.

The irony is delicious, much like a banana.

~~~
aaronem
Within the page you didn't bother to read, presumably due to the mortal terror
well known to be inflicted by presentation of a self-signed SSL certificate
for a resource for which there's no reason to give a damn about identity
validation in the first place, there's an expanded version of the metaphor
which involves a reference to flung feces. So, no, I'm pretty sure that when
the author says "monkeys", it's monkeys he means.

~~~
nknighthb
It's not mortal terror, it's declining to enable someone who uses
racially-charged language to attack their fellow human beings while
configuring their server in a way that anyone competent to evaluate OpenSSL's
merits in the first place would know was no better than not having SSL at all,
and in fact much worse, since it trains people to ignore certificate warnings.

~~~
koenigdavidmj
You're the only one bringing race into this. All that is meant is that the
author views OpenSSL as approximately what you would get if you flung poo
around for a while.

~~~
nknighthb
The author brought race into it by comparing human beings to monkeys, a common
racist trope.

If your only defense for someone calling people sub-humans is "but it might
not be racist!", you need to think hard about what you're defending.

~~~
aaronem
If your only justification for calling someone a racist is "but sometimes
racists use that word!", you need to spend less time on Tumblr.

~~~
nknighthb
I really have no idea what this crap about Tumblr is. I don't use it, and I
don't really know anyone who does. When I click a link to it, it's almost
always a cute animal picture or a piece of art that has no relation to any
controversial subject. If there's something more to Tumblr, I wouldn't know,
and there is no reason to assume I would.

People raised not to call others monkeys are not somehow the result of the
latest social media fad.

~~~
fyrabanks
It's because you sound like the "check your privilege" crew that tends to
congregate on Tumblr.
([http://knowyourmeme.com/memes/check-your-privilege](http://knowyourmeme.com/memes/check-your-privilege))

By the way, the key line from the article you didn't read (yet presume to
understand its author's intent): "I have come to the conclusion that OpenSSL
is equivalent to monkeys throwing feces at the wall."

~~~
nknighthb
I did read it, after it was helpfully posted elsewhere. I wish I hadn't. Not
surprisingly, it wasn't worth my time.

~~~
fyrabanks
"Not surprisingly, it wasn't worth my time," says the guy conducting multiple
conversations in the comments section of an article on the internet that he
didn't agree with.

~~~
nknighthb
Says the person arguing with said guy. Did you have a point other than that
you think you're better-qualified to judge how I use my time than I am?

~~~
dang
Please stop.

------
euske
Apparently we don't have enough eyeballs.

------
AdrianRossouw
put the text up in a gist, to get around the dodgy cert.

[https://gist.github.com/anonymous/10204608](https://gist.github.com/anonymous/10204608)

~~~
dfc
dodgy cert for read only site + magic verisign fairy dust = unicorns and
rainbows?

For future reference you can use archive.org in the future if you are afraid
of dodgy certs:
[http://web.archive.org/web/20140125144231/http://www.peerebo...](http://web.archive.org/web/20140125144231/http://www.peereboom.us/assl/assl/html/openssl.html)

------
geuis
Be security conscious folks. Don't click through to a site with a self-signed
cert.

~~~
hadoukenio
There is nothing wrong with self-signed certificates. If you need to trust a
website that uses self-signed certificates, just make sure to verify
out-of-band.

~~~
ScottWhigham
Yes, I trust my own self-signed certs and I _might_ trust the self-signed
certs of certain sites. However, telling me that "There is nothing wrong with
self-signed certificates." is irresponsible IMO. Who runs "peereboom.us"? ####
if I know. I'm going to tell FF "It's okay - I'm good" this time b/c I'm not
doing anything that matters but, as a rule, self-signed certs for unknown
sites is not okay.

~~~
ghshephard
Would you trust visiting a site that's just HTTP?

Self-signed certs for unknown sites are fine. There is zero problem visiting
them.

~~~
hadoukenio
@ScottWhigham I'm not being irresponsible. I'm with ghshephard on this one.

