update from main branch
This commit is contained in:
parent
fb9520c12d
commit
fde9626cff
56
FAQ
56
FAQ
@ -122,7 +122,6 @@ A number of Linux and *BSD distributions include OpenSSL.
|
||||
autoconf will probably be used in future OpenSSL versions. If it was
|
||||
less Unix-centric, it might have been used much earlier.
|
||||
|
||||
|
||||
* What is an 'engine' version?
|
||||
|
||||
With version 0.9.6 OpenSSL was extended to interface to external crypto
|
||||
@ -130,7 +129,6 @@ hardware. This was realized in a special release '0.9.6-engine'. With
|
||||
version 0.9.7 (not yet released) the changes were merged into the main
|
||||
development line, so that the special release is no longer necessary.
|
||||
|
||||
|
||||
[LEGAL] =======================================================================
|
||||
|
||||
* Do I need patent licenses to use OpenSSL?
|
||||
@ -155,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
|
||||
their software on operating systems that don't normally include OpenSSL.
|
||||
|
||||
If you develop open source software that uses OpenSSL, you may find it
|
||||
useful to choose an other license than the GPL, or state explicitely that
|
||||
useful to choose an other license than the GPL, or state explicitly that
|
||||
"This program is released under the GPL with the additional exemption that
|
||||
compiling, linking, and/or using OpenSSL is allowed." If you are using
|
||||
GPL software developed by others, you may want to ask the copyright holder
|
||||
@ -195,7 +193,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd.
|
||||
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
|
||||
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
|
||||
default seeding file at all. OpenSSL 0.9.6b and later will behave
|
||||
similarly to 0.9.6a, but will use a default of "C:" for HOME on
|
||||
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
|
||||
Windows systems if the environment variable has not been set.
|
||||
|
||||
If the default seeding file does not exist or is too short, the "PRNG
|
||||
@ -306,7 +304,7 @@ there is little point presenting a certificate which the server will
|
||||
reject.
|
||||
|
||||
The solution is to add the relevant CA certificate to your servers "trusted
|
||||
CA list". How you do this depends on the server sofware in uses. You can
|
||||
CA list". How you do this depends on the server software in uses. You can
|
||||
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
|
||||
|
||||
openssl s_client -connect www.some.host:443 -prexit
|
||||
@ -532,44 +530,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information.
|
||||
|
||||
* Why can't the OpenSSH configure script detect OpenSSL?
|
||||
|
||||
There is a problem with OpenSSH 1.2.2p1, in that the configure script
|
||||
can't find the installed OpenSSL libraries. The problem is actually
|
||||
a small glitch that is easily solved with the following patch to be
|
||||
applied to the OpenSSH distribution:
|
||||
|
||||
----- snip:start -----
|
||||
--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
|
||||
+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
|
||||
@@ -152,10 +152,10 @@
|
||||
AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
|
||||
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
|
||||
if test ! -z "$ssldir" ; then
|
||||
- LIBS="$saved_LIBS -L$ssldir"
|
||||
+ LIBS="$saved_LIBS -L$ssldir/lib"
|
||||
CFLAGS="$CFLAGS -I$ssldir/include"
|
||||
if test "x$need_dash_r" = "x1" ; then
|
||||
- LIBS="$LIBS -R$ssldir"
|
||||
+ LIBS="$LIBS -R$ssldir/lib"
|
||||
fi
|
||||
fi
|
||||
LIBS="$LIBS -lcrypto"
|
||||
--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
|
||||
+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
|
||||
@@ -1890,10 +1890,10 @@
|
||||
echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
|
||||
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
|
||||
if test ! -z "$ssldir" ; then
|
||||
- LIBS="$saved_LIBS -L$ssldir"
|
||||
+ LIBS="$saved_LIBS -L$ssldir/lib"
|
||||
CFLAGS="$CFLAGS -I$ssldir/include"
|
||||
if test "x$need_dash_r" = "x1" ; then
|
||||
- LIBS="$LIBS -R$ssldir"
|
||||
+ LIBS="$LIBS -R$ssldir/lib"
|
||||
fi
|
||||
fi
|
||||
LIBS="$LIBS -lcrypto"
|
||||
----- snip:end -----
|
||||
Several reasons for problems with the automatic detection exist.
|
||||
OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
|
||||
Sometimes the distribution has installed an older version in the system
|
||||
locations that is detected instead of a new one installed. The OpenSSL
|
||||
library might have been compiled for another CPU or another mode (32/64 bits).
|
||||
Permissions might be wrong.
|
||||
|
||||
The general answer is to check the config.log file generated when running
|
||||
the OpenSSH configure script. It should contain the detailed information
|
||||
on why the OpenSSL library was not detected or considered incompatible.
|
||||
|
||||
* Can I use OpenSSL's SSL library with non-blocking I/O?
|
||||
|
||||
@ -588,7 +558,7 @@ SSL_write() will try to continue any pending handshake.
|
||||
* Why doesn't my server application receive a client certificate?
|
||||
|
||||
Due to the TLS protocol definition, a client will only send a certificate,
|
||||
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
|
||||
if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
|
||||
SSL_CTX_set_verify() function to enable the use of client certificates.
|
||||
|
||||
|
||||
|
12
README
12
README
@ -62,7 +62,7 @@
|
||||
|
||||
X.509v3 certificates
|
||||
X509 encoding/decoding into/from binary ASN1 and a PEM
|
||||
based ascii-binary encoding which supports encryption with a
|
||||
based ASCII-binary encoding which supports encryption with a
|
||||
private key. Program to generate RSA and DSA certificate
|
||||
requests and to generate RSA and DSA certificates.
|
||||
|
||||
@ -97,7 +97,7 @@
|
||||
locations around the world. _YOU_ are responsible for ensuring that your use
|
||||
of any algorithms is legal by checking if there are any patents in your
|
||||
country. The file contains some of the patents that we know about or are
|
||||
rumoured to exist. This is not a definitive list.
|
||||
rumored to exist. This is not a definitive list.
|
||||
|
||||
RSA Security holds software patents on the RC5 algorithm. If you
|
||||
intend to use this cipher, you must contact RSA Security for
|
||||
@ -107,8 +107,8 @@
|
||||
only be used with RSA Security's permission.
|
||||
|
||||
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
|
||||
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
|
||||
be contacted if that algorithm is to be used, their web page is
|
||||
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
|
||||
should be contacted if that algorithm is to be used; their web page is
|
||||
http://www.ascom.ch/.
|
||||
|
||||
INSTALLATION
|
||||
@ -119,8 +119,8 @@
|
||||
INSTALL.VMS.
|
||||
|
||||
Read the documentation in the doc/ directory. It is quite rough, but it
|
||||
lists the functions, you will probably have to look at the code to work out
|
||||
how to used them. Look at the example programs.
|
||||
lists the functions; you will probably have to look at the code to work out
|
||||
how to use them. Look at the example programs.
|
||||
|
||||
SUPPORT
|
||||
-------
|
||||
|
32
STATUS
32
STATUS
@ -1,9 +1,11 @@
|
||||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2001/04/05 17:42:00 $
|
||||
______________ $Date: 2001/09/11 12:26:35 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
o OpenSSL 0.9.7: Under development...
|
||||
o OpenSSL 0.9.6b: Released on July 9th, 2001
|
||||
o OpenSSL 0.9.6a: Released on April 5th, 2001
|
||||
o OpenSSL 0.9.6: Released on September 24th, 2000
|
||||
o OpenSSL 0.9.5a: Released on April 1st, 2000
|
||||
@ -18,6 +20,11 @@
|
||||
|
||||
AVAILABLE PATCHES
|
||||
|
||||
o IA-64 (a.k.a. Intel Itanium) public-key operation performance
|
||||
patch for Linux is available for download at
|
||||
http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
|
||||
suggests the patch is relative to OpenSSL 0.9.6b.
|
||||
|
||||
IN PROGRESS
|
||||
|
||||
o Steve is currently working on (in no particular order):
|
||||
@ -31,12 +38,13 @@
|
||||
o Geoff and Richard are currently working on:
|
||||
ENGINE (the new code that gives hardware support among others).
|
||||
o Richard is currently working on:
|
||||
UI (User Interface)
|
||||
UTIL (a new set of library functions to support some higher level
|
||||
functionality that is currently missing).
|
||||
Shared library support for VMS.
|
||||
OCSP
|
||||
Kerberos 5 authentication
|
||||
Constification
|
||||
OCSP
|
||||
|
||||
NEEDS PATCH
|
||||
|
||||
@ -49,13 +57,9 @@
|
||||
o Whenever strncpy is used, make sure the resulting string is NULL-terminated
|
||||
or an error is reported
|
||||
|
||||
OPEN ISSUES
|
||||
o "OpenSSL STATUS" is never up-to-date.
|
||||
|
||||
o crypto/ex_data.c is not really thread-safe and so must be used
|
||||
with care (e.g., extra locking where necessary, or don't call
|
||||
CRYPTO_get_ex_new_index once multiple threads exist).
|
||||
The current API is not suitable for everything that it pretends
|
||||
to offer.
|
||||
OPEN ISSUES
|
||||
|
||||
o The Makefile hierarchy and build mechanism is still not a round thing:
|
||||
|
||||
@ -99,4 +103,14 @@
|
||||
|
||||
WISHES
|
||||
|
||||
o
|
||||
o SRP in TLS.
|
||||
[wished by:
|
||||
Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
|
||||
Tom Holroyd <tomh@po.crl.go.jp>]
|
||||
|
||||
See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
|
||||
as well as http://www-cs-students.stanford.edu/~tjw/srp/.
|
||||
|
||||
Tom Holroyd tells us there is a SRP patch for OpenSSH at
|
||||
http://members.tripod.com/professor_tom/archives/, that could
|
||||
be useful.
|
||||
|
Loading…
x
Reference in New Issue
Block a user