On Tue, Jan 28, 2003 at 01:30:01PM +0100, Per Hedbor () @ Pike (-) developers forum wrote:
I cannot imagine that OpenSSL is all that much better.
It is. Just compare to SSLeay. Pike stuff is old enough, BTW :)
Your arguments boils down to two things: 1> Many people are using OpenSSL, and 2> Clearing memory should always be done when creating keys, and is not done in pike.
Not really.
#1: There is an implementation which is stable enough and provides API, ciphers and protocols for almost anything in this area.
#2: It takes care about stuff which leaves less freedom for (potential) attackers.
#3 and so on - to be prepared later on (detailed comparison) :)
I don't propose something only because "many people use it". Usually I use something which is good enough and most people don't use it (examples: Exim instead of sendmail/qmail; Pike instead of Perl :)
I assume you are running Windows only, and IE5.0
Of course not. But I've choice at least :) I use whatever I need to solve problems that I've; I am not sticky to one tool or one environment. So if I see that for particular task OpenSSL is better than Pike's SSL, I would like to have this functionality but I still want to Pike.
Also, generating new keys are not exactly a common problem. Most of the time you use a key you need to explicitly keep it in memory.
Yes, sure. But it should live not longer than needed. It should never be swapped (if possible). Any clues how to do this in Pike? :) Yes, it won't work _everywhere_ (memory locking), but it must work where it can, at least.
that it does not actually clear the generated keys before it exists. Not that it really matters, since they are saved to disk, but still.
If it is intended to be stored on the disk it makes no sense to clear the memory, obviously :)
Regards, /Al