generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

update from main branch

Browse Source
This commit is contained in:
Bodo Möller 2001-09-11 12:26:35 +00:00
parent fb9520c12d
commit fde9626cff
3 changed files with 42 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
FAQ
View File

@ -122,7 +122,6 @@ A number of Linux and *BSD distributions include OpenSSL.
autoconf will probably be used in future OpenSSL versions. If it was autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier. less Unix-centric, it might have been used much earlier.
* What is an 'engine' version? * What is an 'engine' version?
With version 0.9.6 OpenSSL was extended to interface to external crypto With version 0.9.6 OpenSSL was extended to interface to external crypto
@ -130,7 +129,6 @@ hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 (not yet released) the changes were merged into the main version 0.9.7 (not yet released) the changes were merged into the main
development line, so that the special release is no longer necessary. development line, so that the special release is no longer necessary.
[LEGAL] ======================================================================= [LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL? * Do I need patent licenses to use OpenSSL?
@ -155,7 +153,7 @@ holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL. their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitely that useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that "This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder GPL software developed by others, you may want to ask the copyright holder
@ -195,7 +193,7 @@ environment variable HOME is set, then the seeding file is $HOME/.rnd.
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all. OpenSSL 0.9.6b and later will behave default seeding file at all. OpenSSL 0.9.6b and later will behave
similarly to 0.9.6a, but will use a default of "C:" for HOME on similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set. Windows systems if the environment variable has not been set.
If the default seeding file does not exist or is too short, the "PRNG If the default seeding file does not exist or is too short, the "PRNG
@ -306,7 +304,7 @@ there is little point presenting a certificate which the server will
reject. reject.
The solution is to add the relevant CA certificate to your servers "trusted The solution is to add the relevant CA certificate to your servers "trusted
CA list". How you do this depends on the server sofware in uses. You can CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool: print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit openssl s_client -connect www.some.host:443 -prexit
@ -532,44 +530,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information.
* Why can't the OpenSSH configure script detect OpenSSL? * Why can't the OpenSSH configure script detect OpenSSL?
There is a problem with OpenSSH 1.2.2p1, in that the configure script Several reasons for problems with the automatic detection exist.
can't find the installed OpenSSL libraries. The problem is actually OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
a small glitch that is easily solved with the following patch to be Sometimes the distribution has installed an older version in the system
applied to the OpenSSH distribution: locations that is detected instead of a new one installed. The OpenSSL
library might have been compiled for another CPU or another mode (32/64 bits).
----- snip:start ----- Permissions might be wrong.
--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
@@ -152,10 +152,10 @@
AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
@@ -1890,10 +1890,10 @@
echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
- LIBS="$saved_LIBS -L$ssldir"
+ LIBS="$saved_LIBS -L$ssldir/lib"
CFLAGS="$CFLAGS -I$ssldir/include"
if test "x$need_dash_r" = "x1" ; then
- LIBS="$LIBS -R$ssldir"
+ LIBS="$LIBS -R$ssldir/lib"
fi
fi
LIBS="$LIBS -lcrypto"
----- snip:end -----
The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.
* Can I use OpenSSL's SSL library with non-blocking I/O? * Can I use OpenSSL's SSL library with non-blocking I/O?
@ -588,7 +558,7 @@ SSL_write() will try to continue any pending handshake.
* Why doesn't my server application receive a client certificate? * Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate, Due to the TLS protocol definition, a client will only send a certificate,
if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates. SSL_CTX_set_verify() function to enable the use of client certificates.

12
README
View File

@ -62,7 +62,7 @@
X.509v3 certificates X.509v3 certificates
X509 encoding/decoding into/from binary ASN1 and a PEM X509 encoding/decoding into/from binary ASN1 and a PEM
based ascii-binary encoding which supports encryption with a based ASCII-binary encoding which supports encryption with a
private key. Program to generate RSA and DSA certificate private key. Program to generate RSA and DSA certificate
requests and to generate RSA and DSA certificates. requests and to generate RSA and DSA certificates.
@ -97,7 +97,7 @@
locations around the world. _YOU_ are responsible for ensuring that your use locations around the world. _YOU_ are responsible for ensuring that your use
of any algorithms is legal by checking if there are any patents in your of any algorithms is legal by checking if there are any patents in your
country. The file contains some of the patents that we know about or are country. The file contains some of the patents that we know about or are
rumoured to exist. This is not a definitive list. rumored to exist. This is not a definitive list.
RSA Security holds software patents on the RC5 algorithm. If you RSA Security holds software patents on the RC5 algorithm. If you
intend to use this cipher, you must contact RSA Security for intend to use this cipher, you must contact RSA Security for
@ -107,8 +107,8 @@
only be used with RSA Security's permission. only be used with RSA Security's permission.
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy, The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
be contacted if that algorithm is to be used, their web page is should be contacted if that algorithm is to be used; their web page is
http://www.ascom.ch/. http://www.ascom.ch/.
INSTALLATION INSTALLATION
@ -119,8 +119,8 @@
INSTALL.VMS. INSTALL.VMS.
Read the documentation in the doc/ directory. It is quite rough, but it Read the documentation in the doc/ directory. It is quite rough, but it
lists the functions, you will probably have to look at the code to work out lists the functions; you will probably have to look at the code to work out
how to used them. Look at the example programs. how to use them. Look at the example programs.
SUPPORT SUPPORT
------- -------

32
STATUS
View File

@ -1,9 +1,11 @@
OpenSSL STATUS Last modified at OpenSSL STATUS Last modified at
______________ $Date: 2001/04/05 17:42:00 $ ______________ $Date: 2001/09/11 12:26:35 $
DEVELOPMENT STATE DEVELOPMENT STATE
o OpenSSL 0.9.7: Under development...
o OpenSSL 0.9.6b: Released on July 9th, 2001
o OpenSSL 0.9.6a: Released on April 5th, 2001 o OpenSSL 0.9.6a: Released on April 5th, 2001
o OpenSSL 0.9.6: Released on September 24th, 2000 o OpenSSL 0.9.6: Released on September 24th, 2000
o OpenSSL 0.9.5a: Released on April 1st, 2000 o OpenSSL 0.9.5a: Released on April 1st, 2000
@ -18,6 +20,11 @@
AVAILABLE PATCHES AVAILABLE PATCHES
o IA-64 (a.k.a. Intel Itanium) public-key operation performance
patch for Linux is available for download at
http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
suggests the patch is relative to OpenSSL 0.9.6b.
IN PROGRESS IN PROGRESS
o Steve is currently working on (in no particular order): o Steve is currently working on (in no particular order):
@ -31,12 +38,13 @@
o Geoff and Richard are currently working on: o Geoff and Richard are currently working on:
ENGINE (the new code that gives hardware support among others). ENGINE (the new code that gives hardware support among others).
o Richard is currently working on: o Richard is currently working on:
UI (User Interface)
UTIL (a new set of library functions to support some higher level UTIL (a new set of library functions to support some higher level
functionality that is currently missing). functionality that is currently missing).
Shared library support for VMS. Shared library support for VMS.
OCSP
Kerberos 5 authentication Kerberos 5 authentication
Constification Constification
OCSP
NEEDS PATCH NEEDS PATCH
@ -49,13 +57,9 @@
o Whenever strncpy is used, make sure the resulting string is NULL-terminated o Whenever strncpy is used, make sure the resulting string is NULL-terminated
or an error is reported or an error is reported
OPEN ISSUES o "OpenSSL STATUS" is never up-to-date.
o crypto/ex_data.c is not really thread-safe and so must be used OPEN ISSUES
with care (e.g., extra locking where necessary, or don't call
CRYPTO_get_ex_new_index once multiple threads exist).
The current API is not suitable for everything that it pretends
to offer.
o The Makefile hierarchy and build mechanism is still not a round thing: o The Makefile hierarchy and build mechanism is still not a round thing:
@ -99,4 +103,14 @@
WISHES WISHES
o o SRP in TLS.
[wished by:
Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
Tom Holroyd <tomh@po.crl.go.jp>]
See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
as well as http://www-cs-students.stanford.edu/~tjw/srp/.
Tom Holroyd tells us there is a SRP patch for OpenSSH at
http://members.tripod.com/professor_tom/archives/, that could
be useful.