"Leland V. Lammert" wrote:
>
> At 04:56 PM 12/22/99 , you wrote:
> >"Leland V. Lammert" wrote:
> >
> >i don't want to sound ungrateful, but that document is useless for someone
> >who wants to learn how to operate the thing. if the openssl people want to get
> >people to start using it, they've *got* to get some decent introductory
> >documentation going.
>
> Mike,
>
> I don't think you have placed OpenSSL in the proper perspective. OpenSSL is a
> *toolkit* used primarily with OTHER applications.
> For example, Apache has at least three different ways to integrate OpenSSL, and the
> docs for that are contained within the various Apache modules/options.
i have a tcl based httpd that has openssl socket extensions in it
but your pointer to "go look at the apache stuff" makes sense.
> OpenSSL is a VERY useful toolkit, .. to use it you only need (basically) three things:
> 1) How to download it;
easy enough.
> 2) Compile it;
reasonably easy. considering its size..
> 3) Generate a certificate.
what docs cover 3) ?? are there suggestions somewhere on how you should make
certificates and a couple options on how i might want to manage them?
(note: looks like your pointer to openca below might be where i need to look)
>
> As a toolkit, OpenSSL can only be used *directly* by a programmer that knows C/C++,
> and in that case documentation is not required, as the programmer has the experience
> to use the toolkit directly.
>
this is not entirely accurate. there are TCL and (i would assume) perl,python,java
etc.. bindings out there for openssl.
I for one am using a tcl binding. In my case, I don't have much use for the
C library directly. I'm just compiling it so i can use the tcl bindings.
so your reasoning is partially faulty in my case.
the problem for people like me is mostly one of configuration. i have an operational
openssl tcl client that i can do something simple like this with..
---------------------------------------
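package require http
package require tls
# route https:// URLs through tls::socket; -require 1 demands a valid peer
# certificate, checked against the CA certificate(s) in the -cafile file
http::register https 443 [list ::tls::socket -require 1 -cafile ./server.pem]
set tok [http::geturl https://developer.netscape.com/]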
----------------------------------------
(the server.pem file one was in an example file in the tcl bindings tar ball.)
and it allows me to get a https based url. which is great.. but how do i apply that
operationally to my own project's client and server apps?
do i just make a certificate for my clients
that they put in a "server.pem" file that they use and
that's all i really have to do? ... or what ??
it's not obvious to the uninitiated.
>
> Would you complain that gcc does not have documentation?
>
i would complain if there was no documentation on how to use ld / ar / ranlib,
what LD_LIBRARY_PATH does, etc..
to make a finished program in conjunction with gcc. the analogy is not perfect
but hopefully you get my point.
> >i'd like to give openssl a go in some of the projects i'm doing
> >i can compile it up etc.. but trying to figure out how one
> >might actually employ it is not obvious (to put it mildly).
>
> What sort of project? If it's a web project, see the Apache docs for the integration
> method you choose (i.e. mod_ssl or apachessl). If you are building a CA, you will
> need some of the docs at openca (which was offline yesterday, but should be back
> shortly). If it's some other sort of project, your programmer should be fairly
> capable of glancing at the existing docs to figure out the integration.
the apache docs? or some other docs? i'll check out openca right away.
maybe that's where i should really be looking for the info i need and the obvious
has escaped me..
(of note) i did not see openca referred to in the
openssl "related" links page. seems like that should be in there no??
>
> Since you're in the US, you need also to realize that openssl is NOT a US product,
> and the folks have to be pretty cautious about infringing on
> the RSA patents (at least for the next year).
i was under the impression i could use the stuff without RSA, since i have control
over both the client and the server i am using. so.. believe i have
patent free options.
-mike
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
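
Added example, not part of the original message or of the Tcl bindings: one common layout for the case asked about above, where the same party controls both client and server. It assumes an `openssl` binary providing `req`, `x509` and `verify`; the names "Demo Root CA" and "localhost" and all file names are constructed. A private CA signs the server's certificate, and the file a client passes to `-cafile` holds only the CA certificate, never a private key.

```shell
#!/bin/sh
# Throwaway demo PKI (constructed names, 30-day lifetime). Source this file,
# then call the functions below on an empty directory.
make_demo_pki() {   # $1 = empty working directory
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
EOF
  # 1. CA key + self-signed CA certificate. ca-key.pem stays with the issuer.
  openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" -days 30 2>/dev/null || return 1
  # 2. Server key + signing request. server-key.pem stays on the server.
  openssl req -new -config "$dir/pki.cnf" -subj "/CN=localhost" \
    -newkey rsa:2048 -nodes -keyout "$dir/server-key.pem" \
    -out "$dir/server.csr" 2>/dev/null || return 1
  # 3. The CA signs the request, producing the certificate the server presents.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -extfile "$dir/pki.cnf" \
    -extensions v3_srv -out "$dir/server-cert.pem" -days 30 2>/dev/null || return 1
  chmod 600 "$dir/ca-key.pem" "$dir/server-key.pem"
}

# Chain check a client performs when it is given only a CA file:
# succeeds only if $2 was signed by a CA certificate found in $1.
client_trusts() {   # $1 = CA file, $2 = server certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-distribution check: does the file about to be handed to clients
# contain private key material? It must not.
contains_private_key() {   # $1 = PEM file
  grep -q 'BEGIN .*PRIVATE KEY' "$1"
}
```

Clients receive `ca.pem` only; the server is configured with `server-cert.pem` and `server-key.pem`.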