[cryptography] Just how bad is OpenSSL ?

Erwann Abalea eabalea at gmail.com
Fri Oct 26 15:48:28 EDT 2012

2012/10/26 John Case <case at sdf.org>:
> And the hackernews discussion led me to "OpenSSL is written by monkeys":
> http://www.peereboom.us/assl/assl/html/openssl.html
> So, given what is in the stanford report and then reading this rant about
> openssl, I am wondering just how bad openssl is ?  I've never had to
> implement it or code with it, so I really have no idea.
> How long has it been "understood" that it's a mess (if it is indeed a mess)
> ?  How dangerous is it ?

OpenSSL *is* a mess. It's hard to correctly use the library, the
learning curve is steep, mistakes are easy to achieve, and the code is
hard to read. The lot of #ifdef ... is needed so you can compile the
library with your own subset of functionalities.

I use OpenSSL since a little more than a decade, and I consider it as
a swiss knife. It's not a "become an SSL server/client"-type library,
you've got functions to do crypto, big numbers, ASN.1, X.520, X.509,
PKCS#xx, TLS, etc. Add to it abstractions like the BIO layer, ENGINE
layer, EVP layer, and you have something horrible but powerful. Each
of these subjects is horrible to code from scratch, anyway.
Writing code to be a CA and publish certificates in an LDAP without
knowing the API, in less than a week is a challenge in itself.

I wouldn't be surprised if he wrote the same thing about libNSS or BouncyCastle.


More information about the cryptography mailing list