update from main branch

This commit is contained in:
Bodo Möller 2001-09-11 12:26:35 +00:00
parent fb9520c12d
commit fde9626cff
3 changed files with 42 additions and 58 deletions

56
FAQ
View File

@ -122,7 +122,6 @@ A number of Linux and *BSD distributions include OpenSSL.
autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.
* What is an 'engine' version?
With version 0.9.6 OpenSSL was extended to interface to external crypto
@ -130,7 +129,6 @@ hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 (not yet released) the changes were merged into the main
development line, so that the special release is no longer necessary.
[LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL?
@ -155,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitely that
useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder
@ -195,7 +193,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd.
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all. OpenSSL 0.9.6b and later will behave
similarly to 0.9.6a, but will use a default of "C:" for HOME on
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set.
If the default seeding file does not exist or is too short, the "PRNG
@ -306,7 +304,7 @@ there is little point presenting a certificate which the server will
reject.
The solution is to add the relevant CA certificate to your servers "trusted
CA list". How you do this depends on the server sofware in uses. You can
CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit
@ -532,44 +530,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information.
* Why can't the OpenSSH configure script detect OpenSSL?
There is a problem with OpenSSH 1.2.2p1, in that the configure script
can't find the installed OpenSSL libraries. The problem is actually
a small glitch that is easily solved with the following patch to be
applied to the OpenSSH distribution:
----- snip:start -----
--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
@@ -152,10 +152,10 @@
AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
@@ -1890,10 +1890,10 @@
echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
----- snip:end -----
Several reasons for problems with the automatic detection exist.
OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
Sometimes the distribution has installed an older version in the system
locations that is detected instead of a new one installed. The OpenSSL
library might have been compiled for another CPU or another mode (32/64 bits).
Permissions might be wrong.
The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.
* Can I use OpenSSL's SSL library with non-blocking I/O?
@ -588,7 +558,7 @@ SSL_write() will try to continue any pending handshake.
* Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate,
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates.

12
README
View File

@ -62,7 +62,7 @@
X.509v3 certificates
X509 encoding/decoding into/from binary ASN1 and a PEM
based ascii-binary encoding which supports encryption with a
based ASCII-binary encoding which supports encryption with a
private key. Program to generate RSA and DSA certificate
requests and to generate RSA and DSA certificates.
@ -97,7 +97,7 @@
locations around the world. _YOU_ are responsible for ensuring that your use
of any algorithms is legal by checking if there are any patents in your
country. The file contains some of the patents that we know about or are
rumoured to exist. This is not a definitive list.
rumored to exist. This is not a definitive list.
RSA Security holds software patents on the RC5 algorithm. If you
intend to use this cipher, you must contact RSA Security for
@ -107,8 +107,8 @@
only be used with RSA Security's permission.
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
be contacted if that algorithm is to be used, their web page is
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
should be contacted if that algorithm is to be used; their web page is
http://www.ascom.ch/.
INSTALLATION
@ -119,8 +119,8 @@
INSTALL.VMS.
Read the documentation in the doc/ directory. It is quite rough, but it
lists the functions, you will probably have to look at the code to work out
how to used them. Look at the example programs.
lists the functions; you will probably have to look at the code to work out
how to use them. Look at the example programs.
SUPPORT
-------

32
STATUS
View File

@ -1,9 +1,11 @@
OpenSSL STATUS Last modified at
______________ $Date: 2001/04/05 17:42:00 $
______________ $Date: 2001/09/11 12:26:35 $
DEVELOPMENT STATE
o OpenSSL 0.9.7: Under development...
o OpenSSL 0.9.6b: Released on July 9th, 2001
o OpenSSL 0.9.6a: Released on April 5th, 2001
o OpenSSL 0.9.6: Released on September 24th, 2000
o OpenSSL 0.9.5a: Released on April 1st, 2000
@ -18,6 +20,11 @@
AVAILABLE PATCHES
o IA-64 (a.k.a. Intel Itanium) public-key operation performance
patch for Linux is available for download at
http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
suggests the patch is relative to OpenSSL 0.9.6b.
IN PROGRESS
o Steve is currently working on (in no particular order):
@ -31,12 +38,13 @@
o Geoff and Richard are currently working on:
ENGINE (the new code that gives hardware support among others).
o Richard is currently working on:
UI (User Interface)
UTIL (a new set of library functions to support some higher level
functionality that is currently missing).
Shared library support for VMS.
OCSP
Kerberos 5 authentication
Constification
OCSP
NEEDS PATCH
@ -49,13 +57,9 @@
o Whenever strncpy is used, make sure the resulting string is NULL-terminated
or an error is reported
OPEN ISSUES
o "OpenSSL STATUS" is never up-to-date.
o crypto/ex_data.c is not really thread-safe and so must be used
with care (e.g., extra locking where necessary, or don't call
CRYPTO_get_ex_new_index once multiple threads exist).
The current API is not suitable for everything that it pretends
to offer.
OPEN ISSUES
o The Makefile hierarchy and build mechanism is still not a round thing:
@ -99,4 +103,14 @@
WISHES
o
o SRP in TLS.
[wished by:
Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
Tom Holroyd <tomh@po.crl.go.jp>]
See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
as well as http://www-cs-students.stanford.edu/~tjw/srp/.
Tom Holroyd tells us there is a SRP patch for OpenSSH at
http://members.tripod.com/professor_tom/archives/, that could
be useful.