Project direction

Angus Robertson - Magenta Systems Ltd angus at magsys.co.uk
Mon Nov 2 19:58:00 UTC 2020


> My claim is that much of the "applications" should be removed 
> from the core system, and should be re-implemented in a cleaner
> way using the APIs. 
> I.e. into a separate git repo with its own release schedule.
> 
> They should serve as exemplars for using the APIs, which they
> often are not.
> 
> In particular, the way that many things are only doable via 
> "configuration file" is a serious problem.

Agree, to create X509 SANs you need to understand the application, but
that gets very confusing since half of it is getting command line and
config file input, even harder when you don't understand C.  

You end up using obscure APIs like GENERAL_NAME_set0_value for which
there is no documentation, because there seems nothing better to use to
create the stack of extensions.  But it was satisfying when it all
worked and I had a CA component.  

OpenSSL is really aimed at two markets: developers using the API and
admins using the applications. It would be easier for both groups if
the help was separate.

Angus




