
Xerithane's Journal: SSL is the biggest clusterfuck.

Seriously, not one of you motherfuckers can implement it to standard and correctly. I have not encountered any of the same results amongst 3 different browsers, and get different outputs on 2 different Linux distros and Solaris. What the fuck happened to this?

Is TLS going to be this way, too? Where it takes a fucking mind-reader to understand how to use the libraries that suck anyway. Their error reporting is next to non-existent, and it isn't even threadsafe? Seriously, what the fuck were you guys doing? They woke up out of their catatonia and decided they were going to write a fucked up OpenSSL library that only works if you are apparently one of their fucking developers. I bought the O'Reilly OpenSSL book, and it got me jack and shit. Jack still is in town and he's kicking me in the nuts.

It's a fucking communication protocol, why is that so fucking hard? It even has an RFC! Gee, Bob, I don't think we should follow the RFC because it will make our fucking web browser more cool! The sheer amount of bullshit that goes into coding an SSL application is astounding. Isn't this two-thousand-fucking-three? We've been dealing with this whole "internet" thing for a long enough time we shouldn't be dealing with monkey fucking like this. Has it really taken so damned long to get a fucking standard into usable code? SSL v3 was standardized in 1996! You've had almost 10 years to make it not suck! What the fuck is wrong with all of you people?

  • ... ah ... sucky things that are ... bad to ... suck. yeah. I've never gotten SSL to work the right way and we just dropped the idea at work 'cuz we didn't really need the stinkin' thing anyhow.
  • Now I have to bring out a bugfix release of MirBSD.
  • I know a guy who worked on implementing SSL for Microsoft when he was there.

    He claims the 2 problems were Netscape couldn't follow their own fucking standard and that the standard left a little too much up to implementation detail. Hence the mess you are trying to deal with.
    • He claims the 2 problems were Netscape couldn't follow their own fucking standard and that the standard left a little too much up to implementation detail. Hence the mess you are trying to deal with.

      IE 5.5 and 6 are broken worse than Netscape 4.x. Netscape 4.x has a serious flaw with SSL v2. SSL v3 doesn't work very smoothly in Netscape 4. IE 6 has some seriously strange issues.

      Netscape fucked it in the beginning. SSL 3 should have fixed all the things wrong, but it didn't. TLS probably will be fuck
  • I had to install the server end of some single sign on SSL shit using Oracle Wallets about six months ago...

    I still wake up screaming in the night :(
  • It still bothers me that standards can offer such flexible interpretation. Everything from protocols to CSS have optional, deprecated, and interpretable segments. Maybe I'm a control freak, but wouldn't it be so much easier if everything on a standard was a requirement? That way, either you implement the standard and get a little "Compliant" logo, or you don't, and you don't.

    But then, I'm more of a theory person. Am I over-simplifying things?
  • Last year I had to implement a version of SSL for embedded devices, as OpenSSL is seriously bloated.

    This meant I had to interoperate with many browsers going back to very early SSL enabled browsers (damn those customers!), and OpenSSL, which I used as my basic test suite during development.

    Seriously, not one of you motherfuckers can implement it to standard and correctly

    I think I did ;) Although many, many problems and workarounds were required to make it work with all the browsers properly.

    OpenSSL is
    • OpenSSL is the only other one that works properly, in my experience. That's not to say it's easy to use though

      The API is dumb, though. Even so, OpenSSL does not work properly -- play with stunnel to figure that one out.

      Anyway, I'm guessing it's not really his fault, and he's more interested in the low-level stuff and always has been, and doesn't seem to care about people like you or me who just want to use the thing :) ... so the ball is in the court of the OpenSSL people there.

      I'm irritated at the
      • The API is dumb, though.

        I flipped through Rescorla last night - another reason the API is like this is because programming at both the sockets and the SSL levels at the same time, like we have now, is the only way to support upgrading an existing socket to a secure socket.

        Once again, this is making it hard for the common case to support the exceptional case.

        This should all be seamless. You should just replace "read" with "SSL_read", "accept" with "SSL_accept" and so on. Sadly, it's just not designed tha
        • One of these days I'll write a usable API for SSL. And make it (optionally) thread safe. It wouldn't be hard. OpenSSL++?

          Alright, if you ever do that I will definitely donate some money or hardware your way and help you out. The GnuTLS project seems really fragmented, which is a shame. Too reliant on other gnu libraries instead of trying to just write things the Best Way(tm) and forgetting about the other broken implementations.

          It turns out that my suspicion was correct ... it claims to be thread safe
          • Alright, if you ever do that I will definitely donate some money or hardware your way and help you out

            Just to clarify, I probably wouldn't do an SSL implementation from the ground up just yet, because 1) it's a lot of work, and very frustrating what with the broken-ness of the various browsers, and 2) I'm still encumbered with my contract from my previous employer, having just written one for them :(

            It would simply be C++ (or maybe C) wrappers that would make the OpenSSL API sane for the common case. But
            • Yes, you're right, it's the usual "almost, but not quite" definition employed throughout OpenSSL.

              They are big Douglas Adams fans, I suppose.

              Okay. I'll do my own little threaded example. Then I'll try to make yours break when you get the code out, and if I can't make it work I'll reproduce it in a small example and flick it over to the OpenSSL team.

              It may be a bit awkward if you've never worked with Qt. I coded it in Qt because the callbacks and threading are handled transparently, and it gives me job se
