by notacoward 4454 days ago
I've tried not to be too critical of the developers, but I do understand where some of the negativity comes from. Have you ever tried to use OpenSSL, as a developer? It's kind of a crufty mess.

* Initialization is even more complicated than the security needs dictate, and so is everything afterward.

* The internal abstractions are leaky, e.g. requiring a poll for read before you can write (and vice versa), because of the way handshakes are implemented.

* The normal error reporting is awful, so you must add extra code to get useful information.

* The documentation is terrible. It's hard to find what you need to know just to write your code, then hard to find information about the "idiosyncratic" command-line tools to test it. Want to know if your certificate code actually works? Have fun fighting theirs to find out.

A lot of people have felt forced to use OpenSSL because it was the de facto standard, or because NSS and GnuTLS were even worse (especially in terms of documentation). That leads to resentment, which has been just waiting for an outlet like this. I'm not saying it's right. I completely empathize with the plight of an under-resourced development team who could use some more help in some difficult areas. All I'm saying is that it's understandable.

3 comments

OpenSSL is less like a library, and more like a framework. You need to mesh your code to it pretty closely to get anything done. All you want is a SHA256? Too bad, here's a dozen things you need to do first.

A lot of what makes OpenSSL complicated is that it covers almost every crypto/algo/protocol permutation (there are lots) and it is heavily tuned to run fast on a variety of hardware.

I like PolarSSL as an alternative. It is just a collection of libraries. When I just need SHA256, I can just compile, link and use SHA256. No book-keeping, no boilerplate.

But it's not as wide-ranging or optimised.

PolarSSL's biggest problem seems to be GPL.

And all the people who favor BSD-style license instead.

We've seen it before, a license which appeals to those who would benefit from it but not required to provide something back to the community - such projects fare worse in the long term than GPL or GNU projects.

I think this mentality also explains why people hate on OpenSSL - they expect something for nothing.

It's 2014; we should know better than to trust corporations will do the right thing and require any modifications be released back to community. They won't and they don't.

OpenSSL is one of those codebases that isn't so much measured in WTFs per minute as minutes to CANNOT UNSEE.

However, for practical use everything else seems to be worse (with the possible exception of PolarSSL, which is sadly probably screwed politically by its licensing).

So, yeah, it's software, and therefore hateful. And I'm infinitely grateful to the developers anyway because, well, it exists, and damned if I have the time, motivation or competency to do any better.

The asshattery is, I agree, understandable. But it's still asshattery.

Isn't documentation something that can be fixed by people as they use OpenSSL?
Documentation is in some ways harder to fix than code; you can fix what the code does, but documenting the intent can only be done by the author or someone involved in the original design.