]>
Commit | Line | Data |
---|---|---|
75b8dfc0 RE |
1 | |
2 | OpenSSL STATUS Last modified at | |
f5d7a031 | 3 | ______________ $Date: 1999/04/27 01:13:19 $ |
75b8dfc0 RE |
4 | |
5 | DEVELOPMENT STATE | |
6 | ||
540e6c17 | 7 | o OpenSSL 1.0: Under development... |
52a48254 RE |
8 | Proposed freeze date: Mon May 8th, 1999 |
9 | Proposed release date: Mon May 17th, 1999 | |
85b283ff | 10 | o OpenSSL 0.9.2b: Released on March 22th, 1999 |
9cb0969f | 11 | o OpenSSL 0.9.1c: Released on December 23th, 1998 |
75b8dfc0 | 12 | |
540e6c17 UM |
13 | [ Proposed new numbering scheme: <major>.<minor>[<patchlevel>] |
14 | 0.9.1c is 0913 | |
15 | 1.0 is 010000 | |
16 | 1.0 a is 100001 | |
17 | 1.8 z is 01081a ] | |
18 | ||
75b8dfc0 RE |
19 | RELEASE SHOWSTOPPERS |
20 | ||
38ef9a0c | 21 | o Compilation warnings: ctype-related int vs. char |
acafc0b4 | 22 | o BSD/OS: assembler functions must not have leading underscores |
540e6c17 | 23 | o exptest and rsa_oaep_test fail with irix64-* |
acafc0b4 UM |
24 | (Don Badrak <dbadrak@geo.census.gov>: "Re: Problems to compile openssl |
25 | on IRIX 6.2", openssl-users) | |
26 | o BN_add test fails on Caldera OpenLinux 1.3 | |
27 | (Marc Christensen <Marc.Christensen@m.cc.utah.edu> | |
28 | "Compiles but fails big number test?", openssl-users) | |
29 | ||
75b8dfc0 RE |
30 | AVAILABLE PATCHES |
31 | ||
f4371a65 | 32 | o OCSP (titchenert@certco.com) |
acafc0b4 | 33 | o Install prefix for packagers (dharris@drh.net) |
189b6a60 | 34 | o getenv in ca.c and x509_def.c (jaltman@watsun.cc.columbia.edu) |
189b6a60 RE |
35 | o linux dynamic libs (colin@field.medicine.adelaide.edu.au) |
36 | o MingW support (niklas@canit.se) | |
189b6a60 | 37 | |
75b8dfc0 RE |
38 | IN PROGRESS |
39 | ||
67d5ac03 | 40 | o Steve is currently working on (in no particular order): |
67d5ac03 DSH |
41 | Proper (or at least usable) certificate chain verification. |
42 | Documentation on X509 V3 extension code. | |
ee0508d4 | 43 | PKCS#12 code cleanup and enhancement. |
1d48dd00 DSH |
44 | PKCS #8 and PKCS#5 v2.0 support. |
45 | Private key, certificate and CRL API and implementation. | |
679ab7c3 | 46 | |
6ccec439 MC |
47 | o Mark is currently working on: |
48 | Folding in any changes that are in the C2Net code base that were | |
49 | not in the original SSLeay-0.9.1.b release. Plus other minor | |
50 | tidying. | |
51 | ||
d5083e01 RE |
52 | o Ralf is currently working on: |
53 | 1. Support for SSL_set_default_verify_paths(), | |
54 | SSL_load_verify_locations(), SSL_get_cert_store() and | |
55 | SSL_set_cert_store() functions which work like their existing | |
56 | SSL_CTX_xxx() variants but on a per connection basis. That's needed | |
57 | to let us provide full-featured per-URL client verification in | |
58 | mod_ssl or Apache-SSL. | |
a5e035b5 RE |
59 | => It still dumps core, so I suspend this and investigate |
60 | again for OpenSSL 0.9.3. | |
d5083e01 | 61 | 2. The perl/ stuff to make it really work the first time ;-) |
a5e035b5 | 62 | => I'll investigate a few more hours for OpenSSL 0.9.2 |
6b503540 | 63 | 3. The new documentation set in POD format under doc/ |
a5e035b5 | 64 | => I'll investigate a few more hours for OpenSSL 0.9.2 |
d5083e01 RE |
65 | 4. More cleanups to get rid of obsolete/old/ugly files in the |
66 | source tree which are not really needed. | |
a5e035b5 | 67 | => Done all which were possible with my personal knowledge |
d5083e01 | 68 | |
189b6a60 | 69 | o Ben is currently working on: |
726bae3f BL |
70 | 1. Function Prototype Thought Police issues. |
71 | 2. Integrated documentation. | |
72 | 3. New TLS Ciphersuites. | |
73 | 4. Anything else that takes his fancy. | |
189b6a60 | 74 | |
75b8dfc0 RE |
75 | NEEDS PATCH |
76 | ||
acafc0b4 UM |
77 | o broken demos |
78 | o salzr@certco.com (Rich Salz): Bug in X509_name_print | |
79 | <29E0A6D39ABED111A36000A0C99609CA2C2BA4@macertco-srv1.ma.certco.com> | |
acafc0b4 UM |
80 | o Jean-Hugues ROYER <jhroyer@joher.com>: rsa_oaep.c with Watcom C |
81 | o $(PERL) in */Makefile.ssl | |
82 | o "Sign the certificate?" - "n" creates empty certificate file | |
acafc0b4 UM |
83 | o dubious declaration of crypt() in des.h |
84 | ||
75b8dfc0 RE |
85 | OPEN ISSUES |
86 | ||
2ec077d8 RE |
87 | o The Makefile hierarchy and build mechanism is still not a round thing: |
88 | ||
89 | 1. The config vs. Configure scripts | |
90 | It's the same nasty situation as for Apache with APACI vs. | |
91 | src/Configure. It confuses. | |
92 | Suggestion: Merge Configure and config into a single configure | |
93 | script with a Autoconf style interface ;-) and remove | |
94 | Configure and config. Or even let us use GNU Autoconf | |
95 | itself. Then we can avoid a lot of those platform checks | |
96 | which are currently in Configure. | |
97 | ||
a6f20a1e RE |
98 | o The installation under "make install" produces a very |
99 | installation layout: $prefix/certs and $prefix/private dirs. That's | |
100 | not nice. Ralf suggests to move the two certs and private dirs either | |
101 | to $prefix/etc/, $prefix/lib/ or $prefix/share. Alternatively | |
102 | we could also not install the certs at all. | |
103 | ||
104 | Status: Ralf +1 for both not installing the certs at all and | |
105 | moving it to $prefix/etc/. +0 for $prefix/lib/ | |
106 | and $prefix/share. | |
68a8a41b | 107 | Paul: why is it not nice? |
96e479e3 RE |
108 | Ralf: because it messes up the install dir when |
109 | $prefix is not a dedicated area like /usr/local/ssl. | |
110 | When we move them to a standard subdir like | |
111 | etc/ lib/ or share/ we don't mess up things | |
112 | when $prefix is /usr or /usr/local, etc. | |
113 | Additionally it makes package vendors life | |
114 | easier.... | |
a6f20a1e RE |
115 | |
116 | o Support for Shared Libraries has to be added at least | |
117 | for the major Unix platforms. The details we can rip from the stuff | |
118 | Ralf has done for the Apache src/Configure script. Ben wants the | |
119 | solution to be really simple. | |
120 | ||
121 | Status: Ralf will look how we can easily incorporate the | |
122 | compiler PIC and linker DSO flags from Apache | |
123 | into the OpenSSL Configure script. | |
124 | ||
125 | o The perl/ stuff needs a major overhaul. Currently it's | |
126 | totally obsolete. Either we clean it up and enhance it to be up-to-date | |
127 | with the C code or we also could replace it with the really nice | |
128 | Net::SSLeay package we can find under | |
129 | http://www.neuronio.pt/SSLeay.pm.html. Ralf uses this package for a | |
130 | longer time and it works fine and is a nice Perl module. Best would be | |
131 | to convince the author to work for the OpenSSL project and create a | |
132 | Net::OpenSSL or Crypt::OpenSSL package out of it and maintains it for | |
133 | us. | |
134 | ||
135 | Status: Ralf thinks we should both contact the author of Net::SSLeay | |
136 | and look how much effort it is to bring Eric's perl/ stuff up | |
137 | to date. | |
68a8a41b | 138 | Paul +1 |
a6f20a1e | 139 | |
679ab7c3 DSH |
140 | o The EVP and ASN1 stuff is a mess. Currently you have one EVP_CIPHER |
141 | structure for each cipher. This may make sense for things like DES but | |
142 | for variable length ciphers like RC2 and RC4 it is NBG. Need a way to | |
143 | use the EVP interface and set up the cipher parameters. The ASN1 stuff | |
144 | is also foo wrt ciphers whose AlgorithmIdentifier has more than just | |
145 | an IV in it (e.g. RC2, RC5). This also means that EVP_Seal and EVP_Open | |
146 | don't work unless the key length matches the fixed value (some vendors | |
147 | use a key length decided by the size of the RSA encrypted key and expect | |
148 | RC2 to adapt). | |
69d1dfba | 149 | |
189b6a60 RE |
150 | o Properly initialize the PRNG in the absence of /dev/random. |
151 | ||
3f90e679 BM |
152 | o ERR_error_string(..., buf) does not know how large buf is, |
153 | there should be ERR_error_string_n(..., buf, bufsize) | |
154 | or similar. | |
155 | ||
69d1dfba RE |
156 | WISHES |
157 | ||
158 | o Damien Miller: | |
159 | "How about making the each of the locations compile-time defined. I | |
160 | would like to (for example) put binaries in /usr/bin, configuration | |
161 | data, certs and keys in /etc/openssl/certs and /etc/openssl/keys, etc. | |
162 | This would also be a great boon to binary package makers. The | |
163 | SSLeay-0.9.1b RPM already includes some patches which do some of this. | |
164 | I can forward them if you wish." | |
165 | ||
090db4f4 RE |
166 | o Mats Nilsson <mats.nilsson@xware.se>: |
167 | "Add reference counting to all substructures of X509 etc. For instance, | |
168 | X509_NAME lacks a reference counter, while EVP_PKEY has one. I'm | |
169 | making COM-wrappers for selected parts of SSLeay for a project of ours, | |
170 | and has found this inconsistency in copy semantics annoying." | |
171 |