Hacker News
by keule 4450 days ago
So I only have a basic/intermediate understanding of SSL and X509, but I am curious about your opinion: Is the awful code design just a flaw in that particular implementation, or are the standards involved so hard to implement correctly?
4 comments

I think it's largely a problem with OpenSSL itself.

It's true that TLS and X.509 are quite complicated and I think it would be a challenge for anyone to implement them correctly, but that doesn't explain even half of OpenSSL's awfulness. Having consistent naming and error handling conventions should be possible regardless of how complicated the standards are. Plus, their crypto library is awful too, despite not having to deal with TLS or X.509.

While the core parts of the crypto algorithms are, to some extent, intrinsically messy, that doesn't have much to do with the specific complaints here: inconsistent error return codes, pseudorandom indentation, #ifdef and if(0) stuff which deeply obscures control flow, and so forth. All of that is just bad style.

OpenSSL is a mess on its own. Other libraries are better organized and better documented, so I doubt that it is the fault of TLS or X.509.

I understand that a lot of OpenSSL features were implemented by or because a company sponsored a specific feature, but was only interested in getting that specific feature done rather than any wholesale refactoring of the code. So it's had a bunch of different projects glommed onto it with no overall structure.