Book Reviews

The following book reviews are the copyright of their respective authors and no part should be reproduced without the express permission of the author. Publishers and Authors of the books reviewed may reproduce the whole or extracts of a review for their book. To request copyright permission please email webmaster@birmingham.pm.org.

All the reviews herein are the opinions of the reviewer and are not necessarily the views of Birmingham Perl Mongers and its members. If you feel a review or comment has been made in error, please contact webmaster@birmingham.pm.org to rectify the situation.

Other Books

Static Link: http://birmingham.pm.org/reviews/51

 
Network Security with OpenSSL
Title:Network Security with OpenSSL
Author(s):John Vega, Matt Messier & Pravir Chandra
ISBN:0-596-00270-X
Publisher:O'Reilly Media
Reviewer:Mark Songhurst

One of my job roles recently involved adding Transport Layer Security (TLS) support to the qmail SMTP application, in the guise of the Extended SMTP command STARTTLS, using the open source OpenSSL library to provide the backend crypto graphical support. Coming from a background of encryption software development, I was confident with crypto terminology, but I had no hands-on experience of TLS (or SSL) itself. Development time, as is always, was limited and I needed to learn OpenSSL fast. Where to turn?

Whilst the OpenSSL has a reasonably documented website (www.openssl.org) the documentation is mainly man page, API based - there is little in the way of examples, and a fair number of holes in the documentation. An active and reliable mailing list (http://groups.google.com/groups?group=mailing.openssl.users) is available, but I wanted to learn OpenSSL myself, not rely on others! Enter Network Security with OpenSSL

The book was released in June 2002 and at the time of writing there have since been 13 releases of OpenSSL. However, as these releases have generally been security updates, the book still stands accurate.

In a well designed first chapter the reader is introduced (or refreshed) on the foundations and terminology of cryptography and if required, guided through the downloading and building of OpenSSL.

The second chapter covers the command line interface of OpenSSL, when the library is used in an interactive context. Although you are more likely to be using OpenSSL as an API, learning the OpenSSL CLI is essential for OpenSSL development, particularly in the generation of X.509 certificates, or the use of the s_client and s_server tools for debugging your development. This chapter is backed up by the books appendix, which is an easy reading reference guide to the CLI.

The following seven chapters of this book are dedicated towards using OpenSSL as an API for your own development. The authors have based the content of these chapters on the key applications of OpenSSL, including Public Key Infrastructure, SSL/TLS Programming and Symmetric Cryptography.

I have found the chapter on SSL/TLS Programming to be almost essential in order to get my development complete. The chapter guides you through creating a fully functional SSL client and server using C, and is complete with well explained source code listings, which are also available for download from a supplemental website. O'Reilly Sidebars are used to good effect to explain slightly off-topic areas, whilst allowing the reader to remain focused on the topic at hand.

OpenSSL is primarily a C language based library. However chapter nine is likely to interest readers of this review. "OpenSSL in Other Languages" discusses using OpenSSL in Perl (Net::SSLeay), Python and PHP. Whilst my development with OpenSSL has been only in C, This chapter presents itself as being a good lightweight reference to using OpenSSL with Perl, although I would suggest the use of other on-line resources to supplement the chapter.

I would recommend Network Security with OpenSSL without hesitation to any developers who are considering or are already using OpenSSL. It is both authoritative and readable.

- Mark Songhurst, © 4th May 2004