why build shared openssl


cross
I don't know what is the purpose of building openssl shared.  I am building apache with ssl statically built in.  What does building a shared openssl give me?  

Thanks

Re: why build shared openssl

Julian-35
Never ship a Shared OpenSSL library. Anyone can rebuild it to output  
the socket buffer to disk prior to encryption and replace yours.

:-)

On Oct 23, 2008, at 9:32 AM, csross wrote:

>
> I don't know what is the purpose of building openssl shared.  I am building
> apache with ssl statically built in.  What does building a shared openssl
> give me?
>
> Thanks
> --
> View this message in context: http://www.nabble.com/why-build-shared-openssl-tp20134687p20134687.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]


Re: why build shared openssl

Victor Duchovni
On Thu, Oct 23, 2008 at 02:12:45PM -0700, Julian wrote:

> Never ship a Shared OpenSSL library. Anyone can rebuild it to output  
> the socket buffer to disk prior to encryption and replace yours.

This risk model is not often realistic. If the administrator of the
machine is your adversary, you're toast whether the library is shared
or not. Shared libraries are fine, and make patching easier when the
library and application are maintained separately.

--
        Viktor.

Re: why build shared openssl

Graham Leggett
In reply to this post by cross
csross wrote:

> I don't know what is the purpose of building openssl shared.  I am building
> apache with ssl statically built in.  What does building a shared openssl
> give me?  

The ability to upgrade openssl without having to recompile anything else.

Regards,
Graham
--


Re: why build shared openssl

Graham Leggett
In reply to this post by Julian-35
Julian wrote:

> Never ship a Shared OpenSSL library. Anyone can rebuild it to output the
> socket buffer to disk prior to encryption and replace yours.

If someone can do that, you've been owned already, compiling it static
won't make any practical difference.

Regards,
Graham
--


RE: why build shared openssl

JoelKatz
In reply to this post by Julian-35

> Never ship a Shared OpenSSL library. Anyone can rebuild it to output
> the socket buffer to disk prior to encryption and replace yours.
>
> :-)

A party to an encrypted conversation can put its contents in a full-page ad
in the New York Times if they want to. There's no need to keep a
conversation secret from its own parties. The two ends of the OpenSSL
encryption engine are controlled by the same party.

DS

