[thirdparty/openssl.git] / STATUS


  OpenSSL STATUS                           Last modified at
  ______________                           $Date: 2001/07/17 14:39:26 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.7:  Under development...
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
    o  OpenSSL 0.9.6:  Released on September 24th, 2000
    o  OpenSSL 0.9.5a: Released on April      1st, 2000
    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998

  RELEASE SHOWSTOPPERS

  AVAILABLE PATCHES

    o IA-64 (a.k.a. Intel Itanium) public-key operation performance 
      patch for Linux is available for download at
      http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
      suggests the patch is relative to OpenSSL 0.9.6b.

  IN PROGRESS

    o Steve is currently working on (in no particular order):
        ASN1 code redesign, butchery, replacement.
        OCSP
        EVP cipher enhancement.
        Enhanced certificate chain verification.
	Private key, certificate and CRL API and implementation.
	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
    o Geoff and Richard are currently working on:
	ENGINE (the new code that gives hardware support among others).
    o Richard is currently working on:
	UI (User Interface)
	UTIL (a new set of library functions to support some higher level
	      functionality that is currently missing).
	Shared library support for VMS.
	Kerberos 5 authentication
	Constification
	OCSP

  NEEDS PATCH

    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file

    o  OpenSSL_0_9_6-stable:
       #include <openssl/e_os.h> in exported header files is illegal since
       e_os.h is suitable only for library-internal use.

    o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
       or an error is reported

  OPEN ISSUES

    o  crypto/ex_data.c is not really thread-safe and so must be used
       with care (e.g., extra locking where necessary, or don't call
       CRYPTO_get_ex_new_index once multiple threads exist).
       The current API is not suitable for everything that it pretends
       to offer.

    o  The Makefile hierarchy and build mechanism is still not a round thing:

       1. The config vs. Configure scripts
          It's the same nasty situation as for Apache with APACI vs.
          src/Configure. It confuses.
          Suggestion: Merge Configure and config into a single configure
                      script with a Autoconf style interface ;-) and remove
                      Configure and config. Or even let us use GNU Autoconf
                      itself. Then we can avoid a lot of those platform checks
                      which are currently in Configure.

    o  Support for Shared Libraries has to be added at least
       for the major Unix platforms. The details we can rip from the stuff
       Ralf has done for the Apache src/Configure script. Ben wants the
       solution to be really simple.

       Status: Ralf will look how we can easily incorporate the
               compiler PIC and linker DSO flags from Apache
               into the OpenSSL Configure script.

               Ulf: +1 for using GNU autoconf and libtool (but not automake,
                    which apparently is not flexible enough to generate
                    libcrypto)


    o  The perl/ stuff needs a major overhaul. Currently it's
       totally obsolete. Either we clean it up and enhance it to be up-to-date
       with the C code or we also could replace it with the really nice
       Net::SSLeay package we can find under
       http://www.neuronio.pt/SSLeay.pm.html.  Ralf uses this package for a
       longer time and it works fine and is a nice Perl module. Best would be
       to convince the author to work for the OpenSSL project and create a
       Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
       us.

       Status: Ralf thinks we should both contact the author of Net::SSLeay
               and look how much effort it is to bring Eric's perl/ stuff up
               to date.
               Paul +1

  WISHES

    o  SRP in TLS.
       [wished by:
        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
        Tom Holroyd <tomh@po.crl.go.jp>]

       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
       as well as http://www-cs-students.stanford.edu/~tjw/srp/.

       Tom Holroyd tells us there is a SRP patch for OpenSSH at
       http://members.tripod.com/professor_tom/archives/, that could
       be useful.
Commit	Line	Data
75b8dfc0 RE	1
75b8dfc0 RE	2	OpenSSL STATUS Last modified at
6b46ca13	3	______________ $Date: 2001/07/17 14:39:26 $
75b8dfc0 RE	4
	5	DEVELOPMENT STATE
	6
c5e8580e	7	o OpenSSL 0.9.7: Under development...
6b46ca13	8	o OpenSSL 0.9.6b: Released on July 9th, 2001
4d231b43	9	o OpenSSL 0.9.6a: Released on April 5th, 2001
16221173 RL	10	o OpenSSL 0.9.6: Released on September 24th, 2000
	11	o OpenSSL 0.9.5a: Released on April 1st, 2000
	12	o OpenSSL 0.9.5: Released on February 28th, 2000
	13	o OpenSSL 0.9.4: Released on August 09th, 1999
	14	o OpenSSL 0.9.3a: Released on May 29th, 1999
	15	o OpenSSL 0.9.3: Released on May 25th, 1999
	16	o OpenSSL 0.9.2b: Released on March 22th, 1999
	17	o OpenSSL 0.9.1c: Released on December 23th, 1998
75b8dfc0 RE	18
	19	RELEASE SHOWSTOPPERS
	20
	21	AVAILABLE PATCHES
	22
6b46ca13 AP	23	o IA-64 (a.k.a. Intel Itanium) public-key operation performance
	24	patch for Linux is available for download at
	25	http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
	26	suggests the patch is relative to OpenSSL 0.9.6b.
	27
75b8dfc0 RE	28	IN PROGRESS
75b8dfc0 RE	29
67d5ac03	30	o Steve is currently working on (in no particular order):
75c4f7e0	31	ASN1 code redesign, butchery, replacement.
36f554d4	32	OCSP
7f060601	33	EVP cipher enhancement.
36f554d4	34	Enhanced certificate chain verification.
1d48dd00	35	Private key, certificate and CRL API and implementation.
5a9a4b29	36	Developing and bugfixing PKCS#7 (S/MIME code).
87c49f62	37	Various X509 issues: character sets, certificate request extensions.
1e552869 RL	38	o Geoff and Richard are currently working on:
	39	ENGINE (the new code that gives hardware support among others).
	40	o Richard is currently working on:
b8ffcf49	41	UI (User Interface)
1e552869 RL	42	UTIL (a new set of library functions to support some higher level
1e552869 RL	43	functionality that is currently missing).
79d2eb64	44	Shared library support for VMS.
257341b5 RL	45	Kerberos 5 authentication
257341b5 RL	46	Constification
b8ffcf49	47	OCSP
679ab7c3	48
75b8dfc0 RE	49	NEEDS PATCH
75b8dfc0 RE	50
91b842c9	51	o apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
acafc0b4	52
bbd1c84e BM	53	o OpenSSL_0_9_6-stable:
bbd1c84e BM	54	#include <openssl/e_os.h> in exported header files is illegal since
d0a8af61 BM	55	e_os.h is suitable only for library-internal use.
d0a8af61 BM	56
f2c46006 BM	57	o Whenever strncpy is used, make sure the resulting string is NULL-terminated
	58	or an error is reported
	59
40753f76 BM	60	OPEN ISSUES
40753f76 BM	61
a14280d4 BM	62	o crypto/ex_data.c is not really thread-safe and so must be used
	63	with care (e.g., extra locking where necessary, or don't call
	64	CRYPTO_get_ex_new_index once multiple threads exist).
	65	The current API is not suitable for everything that it pretends
	66	to offer.
	67
2ec077d8 RE	68	o The Makefile hierarchy and build mechanism is still not a round thing:
	69
	70	1. The config vs. Configure scripts
	71	It's the same nasty situation as for Apache with APACI vs.
	72	src/Configure. It confuses.
	73	Suggestion: Merge Configure and config into a single configure
	74	script with a Autoconf style interface ;-) and remove
	75	Configure and config. Or even let us use GNU Autoconf
	76	itself. Then we can avoid a lot of those platform checks
	77	which are currently in Configure.
	78
a6f20a1e RE	79	o Support for Shared Libraries has to be added at least
	80	for the major Unix platforms. The details we can rip from the stuff
	81	Ralf has done for the Apache src/Configure script. Ben wants the
	82	solution to be really simple.
	83
	84	Status: Ralf will look how we can easily incorporate the
	85	compiler PIC and linker DSO flags from Apache
	86	into the OpenSSL Configure script.
	87
eb025998 UM	88	Ulf: +1 for using GNU autoconf and libtool (but not automake,
	89	which apparently is not flexible enough to generate
	90	libcrypto)
	91
	92
a6f20a1e RE	93	o The perl/ stuff needs a major overhaul. Currently it's
	94	totally obsolete. Either we clean it up and enhance it to be up-to-date
	95	with the C code or we also could replace it with the really nice
	96	Net::SSLeay package we can find under
	97	http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a
	98	longer time and it works fine and is a nice Perl module. Best would be
	99	to convince the author to work for the OpenSSL project and create a
	100	Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for
	101	us.
	102
	103	Status: Ralf thinks we should both contact the author of Net::SSLeay
	104	and look how much effort it is to bring Eric's perl/ stuff up
	105	to date.
68a8a41b	106	Paul +1
a6f20a1e	107
69d1dfba RE	108	WISHES
69d1dfba RE	109
27bfba29	110	o SRP in TLS.
528f6b81 RL	111	[wished by:
	112	Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
	113	Tom Holroyd <tomh@po.crl.go.jp>]
	114
27bfba29 RL	115	See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
27bfba29 RL	116	as well as http://www-cs-students.stanford.edu/~tjw/srp/.
528f6b81 RL	117
	118	Tom Holroyd tells us there is a SRP patch for OpenSSH at
	119	http://members.tripod.com/professor_tom/archives/, that could
	120	be useful.