Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> "This is why OpenSSL looks like a hodgepodge of hacks upon hacks in order to accomplish narrow goals with limited impact testing."

Can you point out specific examples that you view as hacks upon hacks?

Maybe I've spent too many years in the code base, but I've also seen worse.

OpenSSL does a lot. Maybe smaller modules would be better and more testing certainly. Organizations using it should also be contributing back more.

Hacks upon hacks seems like a stretch to me.



As a side note, the NaCL library you mention does only a fraction of the things OpenSSL does. OpenSSL could certainly stand to be broken into smaller components, but trying to compare it with a very small library that does mostly primitive operations is...an improper comparison.

I like Dan's work and have used in in projects, I just think your comparison and analysis are quite off base.


You are entitled to your opinion and your preferences.

As I am to mine.

From the tweetnacl.cr.yp.to paper:

"OpenSSL is the space shuttle of crypto libraries. It will get you to space, provided you have a team of people to push the ten thousand buttons required to do so. NaCL is more like an elevator -- you just press a button and it takes you there. No frills or options.

I like elevators." - Matthew D. Green, 2012

Yes, it is improper to compare a space shuttle to an elevator.

It's also absurd to use a space shuttle when all you need is an elevator.

Use whatever you want. Not everyone's needs are the same.

I like small components that are independent. The OpenSSL binary is feature for feature one fo the most complex I have ever used.

I prefer simplicity. That's just me.

Not for everybody. But some might desire it.

You have my sincere apologies for daring to mention an OpenSSL alternative.

The fact that this NaCl is so small and limited is the whole point.

I guess that point was missed.


I think you should reread what I said -- I think it needs to be componentized, because OpenSSL does a lot. Plus has a bunch of utilities to do things.

Comparing it to a library that is mostly crypto primitives is not a fair comparison.

Also - I'm still curious of examples of "hacks upon hacks" for my own curiosity. I've been using OpenSSL in a number of projects for 15+ years, so maybe I am used to certain things.


It takes 500 extra lines of C to write a secure channel abstraction with a server and client on top of NaCl. This is the curvecp implementation.


And something capable of doing an SSL/TLS connection with cipher sweet negotiation and client certificate validation?

Maybe throw in hardware token/PKCS11 support?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: