
It seems I have expressed myself poorly. My point was that, as far as I am aware, SSLeay has not been widely reviewed. A lot of people use it, sure, but that is not review. Since there are obvious defects in the code, from a security point of view, such as failure to scrub keys, it wouldn't get a clean bill of health from me. Of course, these kinds of defects require other defects in the user's security policy (such as running on an operating system which permits free access to memory) to exploit.

There may or may not be worse problems. I don't know. And I won't know until either it becomes important to me, someone pays me to find out, or someone else points them out. I'm not saying that I'm aware of defects which are not obvious but my experience in using it suggests that it may have them - it isn't that hard to crash, and where there are crashes lurk possible security holes. Tracking these down is where it stops being fun. At least for me.

Cheers,

Ben.

--
Ben Laurie                Phone: +44 (181) 994 6435  Email: ben@algroup.co.uk
Freelance Consultant and  Fax:   +44 (181) 994 6472
Technical Director        URL: http://www.algroup.co.uk/Apache-SSL
A.L. Digital Ltd,         Apache Group member (http://www.apache.org)
London, England.          Apache-SSL author