OpenSSL STATUS Last modified at | |
______________ $Date: 2001/01/23 12:30:43 $ | |
DEVELOPMENT STATE | |
o OpenSSL 0.9.7: Under development... | |
o OpenSSL 0.9.6a: Bugfix release -- under development... | |
o OpenSSL 0.9.6: Released on September 24th, 2000 | |
o OpenSSL 0.9.5a: Released on April 1st, 2000 | |
o OpenSSL 0.9.5: Released on February 28th, 2000 | |
o OpenSSL 0.9.4: Released on August 09th, 1999 | |
o OpenSSL 0.9.3a: Released on May 29th, 1999 | |
o OpenSSL 0.9.3: Released on May 25th, 1999 | |
o OpenSSL 0.9.2b: Released on March 22th, 1999 | |
o OpenSSL 0.9.1c: Released on December 23th, 1998 | |
RELEASE SHOWSTOPPERS | |
o | |
AVAILABLE PATCHES | |
o | |
IN PROGRESS | |
o Steve is currently working on (in no particular order): | |
ASN1 code redesign, butchery, replacement. | |
OCSP | |
EVP cipher enhancement. | |
Enhanced certificate chain verification. | |
Private key, certificate and CRL API and implementation. | |
Developing and bugfixing PKCS#7 (S/MIME code). | |
Various X509 issues: character sets, certificate request extensions. | |
o Geoff and Richard are currently working on: | |
ENGINE (the new code that gives hardware support among others). | |
o Richard is currently working on: | |
UTIL (a new set of library functions to support some higher level | |
functionality that is currently missing). | |
Shared library support for VMS. | |
OCSP | |
Kerberos 5 authentication | |
Constification | |
NEEDS PATCH | |
o apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file | |
o #include <openssl/e_os.h> in exported header files is illegal since | |
e_os.h is suitable only for library-internal use. | |
(This applies to openssl-0.9.6-stable too; openssl/conf.h is the | |
offending header file. While it is rarely used itself by applications, | |
it is included by openssl/x509v3.h, which is more likely to be used.) | |
o Whenever strncpy is used, make sure the resulting string is NULL-terminated | |
or an error is reported | |
OPEN ISSUES | |
o crypto/ex_data.c is not really thread-safe and so must be used | |
with care (e.g., extra locking where necessary, or don't call | |
CRYPTO_get_ex_new_index once multiple threads exist). | |
The current API is not suitable for everything that it pretends | |
to offer. | |
o The Makefile hierarchy and build mechanism is still not a round thing: | |
1. The config vs. Configure scripts | |
It's the same nasty situation as for Apache with APACI vs. | |
src/Configure. It confuses. | |
Suggestion: Merge Configure and config into a single configure | |
script with a Autoconf style interface ;-) and remove | |
Configure and config. Or even let us use GNU Autoconf | |
itself. Then we can avoid a lot of those platform checks | |
which are currently in Configure. | |
o Support for Shared Libraries has to be added at least | |
for the major Unix platforms. The details we can rip from the stuff | |
Ralf has done for the Apache src/Configure script. Ben wants the | |
solution to be really simple. | |
Status: Ralf will look how we can easily incorporate the | |
compiler PIC and linker DSO flags from Apache | |
into the OpenSSL Configure script. | |
Ulf: +1 for using GNU autoconf and libtool (but not automake, | |
which apparently is not flexible enough to generate | |
libcrypto) | |
o The perl/ stuff needs a major overhaul. Currently it's | |
totally obsolete. Either we clean it up and enhance it to be up-to-date | |
with the C code or we also could replace it with the really nice | |
Net::SSLeay package we can find under | |
http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a | |
longer time and it works fine and is a nice Perl module. Best would be | |
to convince the author to work for the OpenSSL project and create a | |
Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for | |
us. | |
Status: Ralf thinks we should both contact the author of Net::SSLeay | |
and look how much effort it is to bring Eric's perl/ stuff up | |
to date. | |
Paul +1 | |
WISHES | |
o |