
Re: Public httpd servers that support encryption (fwd)



FYI...

Following is a response from the SSLeay author.


---------- Forwarded message ----------
Date: Mon, 13 Nov 1995 11:15:21 +1000 (EST)
From: Eric Young <eay@mincom.oz.au>
To: Kyle Amon <sfbzb1pu@scfn.thpl.lib.fl.us>
Cc: Jonathan George <jgeorge@cftnet.com>
Subject: Re: Public httpd servers that support encryption (fwd)


On Thu, 9 Nov 1995, Kyle Amon wrote:
> I posted the following message to www-security.  You are probably a 
> subscriber, however I thought I'd shoot you a copy just in case.

Yup, I'm not subscribed, as it is I feel I'm already on too many mailing 
lists :-).

> Also, I have a couple of questions, if you would be so kind.
> 1) Do you know of anyone currently using your libraries and patches
>    for the NCSA httpd in the US?
Ah, there are a few people but I can't point you at any specific sites, I 
could have a go at finding out though.  There are a few people starting 
to use a patched version of Apache though.

> 2) Which version (files) should I get to beta around with?
>    I'd be happy to help.
Well, the current version is ok, the next version which I will I hope 
have out soon has been reworked internally a lot and has a lot more general 
crypto stuff plus documentation.  SSLeay 0.5 will also have the API 
changed slightly, that is why I am not just putting it out quite yet.

> 3) When do you anticipate a non-beta version for initial release?
This is sort of hard to say.  The problem is that I'm currently just 
adding stuff all the time.  The next version will not support SSL v3 
(which is not really defined yet) and it will not support CRL or PKCS7.
This is simply because no-one else seems to have an implementation I can 
test against.  I'm also spending my time on just cleaning up the existing 
stuff.  What will happen is that these extra parts will be 'added'.  So 
what the 0.5 release will hopefully be is a base that will be extended.

>      Also, if I've misunderstood anything, please feel free to elucidate
>      or flame me.
:-) will do.

eric

> It is VERY new and quite ALPHA though the docs say it's beta.
> It is written by an individual, not a group.
> Combine these facts, and it is probably still quite buggy.

:-) In some ways I feel being written by an individual will make it less 
buggy :-).  Since it is a library it will not be too bad with the bugs 
since each component has a defined function.  The problem is tending to 
be interoperability problems with other implementations.  The reason I'm 
tending to call it Beta is that it works, you can use it but it is still 
being changed.  We have been using SSLtelnet internally for quite a while.

> It is actually a set of libraries and programs that support SSL...
> or rather a "raw" SSL implementation that can be used to develop
> actual SSL applications.  These are in the .../SSL/ subdirectory.

Yup, it is a low level library of cryptographic routines. SSL is now only 
a small part of it :-).

> In the .../SSLapps/ subdirectory is a set of example apps and/or patches 
> that utilize the above libraries.  Among these are patches for NCSA's
> httpd versions 1.2 and 1.4.

These are actually being done by other people (mostly Tim Hudson 
<tjh@mincom.oz.au>).  I'm restricting myself to just doing the library 
and example programs.

> I think it's great!  I hope it makes it through the coming storm.  The 
> package is eponymously named SSLeay for its author Eric Young.

Recent developments here in oz definitely mean that the law enforcement 
people know about it and how it will make packet monitoring very very hard.

eric
--
Eric Young                  | Signature removed since it was generating
AARNet: eay@mincom.oz.au    | more followups than the message contents :-)