[openssl-users] FIPS certification for openssl

Jordan Brown openssl at jordan.maileater.net
Thu Nov 30 00:55:43 UTC 2017


On 11/29/2017 8:53 AM, Salz, Rich via openssl-users wrote:
> I am biased, but I believe the project is better, by almost any
> metric, than it used to be. If you have specific suggestions for how
> you think it could be improved, it would be great to see them. 


My number one complaint is that it seems like the defaults are generally
set up to do the wrong things, and the application has to either
explicitly set "yes, you should be secure" options or do stuff on its
own.  This seems to have been getting better - gaining hostname
validation, for instance - but really a client should be able to say
"give me a secure connection to host:port" and have sensible and secure
things happen with a single call.  Maybe two, one to create a handle and
the other to actually set up the connection (to allow for intervening
calls that customize the connection).

-- 
Jordan Brown, Oracle Solaris
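
An added example, not part of the original message or of OpenSSL itself: the opt-in pattern the message describes, shown through Python's `ssl` module (a wrapper over OpenSSL) so it runs without a C build, with the corresponding OpenSSL C calls named in comments. The helper names `bare_context`, `harden`, `audit` and `secure_connect` are hypothetical.

```python
import socket
import ssl
import warnings

def bare_context():
    """A context with nothing opted in (constructed to mirror a fresh SSL_CTX)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # PROTOCOL_TLS is legacy
        return ssl.SSLContext(ssl.PROTOCOL_TLS)

def harden(ctx):
    """Apply the explicit 'yes, be secure' settings the application must make."""
    ctx.verify_mode = ssl.CERT_REQUIRED           # C: SSL_CTX_set_verify(SSL_VERIFY_PEER)
    ctx.check_hostname = True                     # C: SSL_set1_host()
    ctx.load_default_certs()                      # C: SSL_CTX_set_default_verify_paths()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # C: SSL_CTX_set_min_proto_version()
    return ctx

def audit(ctx):
    """Return a list of findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    return findings

def secure_connect(host, port, timeout=10.0):
    """Hypothetical one-call helper: connect, verify chain and hostname, or fail."""
    ctx = harden(bare_context())
    problems = audit(ctx)
    if problems:
        raise ssl.SSLError("refusing to connect: " + "; ".join(problems))
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # server_hostname drives both SNI and the certificate name check
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise

if __name__ == "__main__":
    print("bare:    ", audit(bare_context()))
    print("hardened:", audit(harden(bare_context())))
```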
