On Tue, 24 Jun 2008, Scoped Ptr wrote:

> As far as I know, OpenSSL doesnt has a stable set of APIs for SSL. They keep
> changing the APIs

What? The functions OpenSSL provides are mostly the same SSLeay provided 10
years ago. I don't know of any other functional SSL library that have provided
functions that long. I wouldn't call that "keep changing the APIs".

I'd say the main problem with OpenSSL from a user's stand-point is the lack of
docs, and that the APIs seem very ad-hoc constructed so there are often
inconsistences etc between functions that surprise you.

> and also the security updates are also released very frequently.

I'm not sure that's a sign of anything bad. OpenSSL is by far the most used
and thus the most tortured and abused SSL library.

> How does curl copes with it when it uses openssl for SSL ?

No problemos. curl built with SSLeay and probably still could with a little
effort. It builds fine with OpenSSL 0.9.6 and later.

Security-related fixes in third-party libs don't strict effect us, even if we
of course encourage (lib)curl users to always upgrade to versions that aren't
vulnerable.

> How frequently does curl has to do changes to cope with OpenSSL changes?

Once or twice I think during roughly ten years.

We haven't supported the other libs anywhere near as long so I can't make any
real comparisons in that regard.

-- 
  / daniel.haxx.se