OpenBSD Journal

Book Review: Network Security with OpenSSL

Contributed by jose on from the crypto-and-privacy dept.

If you have been wanting to get to use some of the features in the OpenSSL library or toolkit, you may have found that the offerings for documentation have been slim to none. You can usually only get so far with example code or trial and error. However, there's a new book you may want to look at.

I just finished one of the more interesting recent offerings from O'Reilly. Viega et al. have put together a great resource in Network Security with OpenSSL. Read below for my full review.

Title: Network Security with OpenSSL
Authors: John Viega, Matt Messier, and Pravir Chandra
Publisher: O'Reilly and Associates
367 Pages, June 2002
Rating: 8/10
Reviewer: Jose Nazario

Network Security with OpenSSL is nothing if not thorough. While not an introduction to SSL itself, it describes the use of the OpenSSL library and toolkit. OpenSSL is both a C library and a command line tool which provides raw access to the cryptographic tools within the kit. It has been a poorly documented library, but with the introduction of this book that is changing.

The OpenSSL book is more or less a complete introduction to and reference for OpenSSL. This includes its C API (and PHP, Perl, and Python), but also its auxiliary functions and the toolkit itself. This is a book geared toward a C programmer of medium experience, or someone who needs to get into the dirty part of using the toolkit.

Strengths

The strength of this book lies largely in its treatment of the toolkit in its entirety. This includes the C library, which is how most people know it, and the openssl command itself. A variety of subjects are covered quite nicely, including X.509 certificates and certificate authorities, S/MIME, and PKCS#7.

The book doesn't simply cover the basics of SSL connections, it shows you how you can incorporate SSL connections into existing network applications. It also shows how to use the encryption and hashing functions of OpenSSL.

Weaknesses

There are a few corner topics I found to be lacking in the book overall. The first of these is a noticeable lack of substantive mention of the OpenSSL engine code, which provides an interface for OpenSSL to hardware accelerators. Only a handful of pages are concerned with this topic throughout the whole book. Similarly, no real mention is made of measuring and improving OpenSSL performance. Large scale sites which do a lot of SSL traffic (i.e. a commerce server) may need to take this into consideration.

The sections on OpenSSL in other languages are slim. They cover Perl, PHP, and Python (through Net::SSLeay in Perl and M2Crypto in Python). While you can get the gist of it from understanding the C APIs, you don't get to know the quirks of the implementations. The Perl and PHP discussions will get you off the ground, but the Python one is pretty lacking. A discussion of the high level classes and methods would have been ideal there; instead, only a handful of examples are shown.

In large measure these weaknesses in the book are minor and don't detract from the utility of the book.

Conclusions

If you're a developer or power user of OpenSSL, either in C or Perl or PHP or even through the command line openssl tool, then you should investigate this book. Nothing else comes close to it for completeness on the subject. However, if you're new to OpenSSL and just have to secure a web server using SSL, you're better off using something else.

One big thing to note is that the book was written late in the 0.9.6e stage when 0.9.7 was taking shape. As a result, some of the API calls may have changed and the book may become outdated. Make sure you look closely at it before you purchase it as the OpenSSL API does change. The overall content will still be useful, however.

Comments
  1. By dazdaz () on

    http://www.oreilly.com/catalog/openssl/

    URL for Sample chapter.
    http://www.oreilly.com/catalog/openssl/chapter/ch01.pdf
