* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
* How do I check the authenticity of the OpenSSL distribution?
+* How does the versioning scheme work?
[LEGAL] Legal questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0 was released on Mar 29th, 2010.
+OpenSSL 1.0.1c was released on May 10, 2012.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
<URL: http://www.openssl.org/docs/>. Note that the online documents refer
to the very latest development versions of OpenSSL and may include features
not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using.
+that came with the version of OpenSSL you are using. The pod format
+documentation is included in each OpenSSL distribution under the docs
+directory.
For information on parts of libcrypto that are not yet documented, you
might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
* Where can I get a compiled version of OpenSSL?
You can finder pointers to binary distributions in
-http://www.openssl.org/related/binaries.html .
+<URL: http://www.openssl.org/related/binaries.html> .
Some applications that use OpenSSL are distributed in binary form.
When using such an application, you don't need to install OpenSSL
pgp TARBALL.asc
+* How does the versioning scheme work?
+
+After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
+releases (e.g. 1.0.1a) can only contain bug and security fixes and no
+new features. Minor releases change the last number (e.g. 1.0.2) and
+can contain new features that retain binary compatibility. Changes to
+the middle number are considered major releases and neither source nor
+binary compatibility is guaranteed.
+
+Therefore the answer to the common question "when will feature X be
+backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
+in the next minor release.
+
[LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL?
Check out the CA.pl(1) manual page. This provides a simple wrapper round
the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
out the manual pages for the individual utilities and the certificate
-extensions documentation (currently in doc/openssl.txt).
+extensions documentation (in ca(1), req(1), x509v3_config(5) )
* Why can't I create certificate requests?
Other projects do have other policies so you can for example extract the CA
bundle used by Mozilla and/or modssl as described in this article:
- http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+ <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>
[BUILD] =======================================================================
"bc: 1 not implemented".
The best way to deal with this is to find another implementation of bc
-and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
for download instructions) can be safely used, for example.
test suite (using "make test"). The message returned is "bc: stack empty".
The best way to deal with this is to find another implementation of bc
-and compile/install it. GNU bc (see http://www.gnu.org/software/software.html
+and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
for download instructions) can be safely used, for example.
unsure whether it is a bug or not submit a query to the openssl-users mailing
list.
+
* I'm SURE I've found a bug, how do I report it?
Bug reports with no security implications should be sent to the request
-tracker. This can be done my mailing the report to rt@openssl.org (or its alias
-openssl-bugs@openssl.org), please note that messages sent to the request
-tracker also appear in the public openssl-dev mailing list.
+tracker. This can be done by mailing the report to <rt@openssl.org> (or its
+alias <openssl-bugs@openssl.org>), please note that messages sent to the
+request tracker also appear in the public openssl-dev mailing list.
The report should be in plain text. Any patches should be sent as
plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patch apply
+If your issue affects multiple versions of OpenSSL check any patches apply
cleanly and, if possible include patches to each affected version.
The report should be given a meaningful subject line briefly summarising the
By sending reports to the request tracker the bug can then be given a priority
and assigned to the appropriate maintainer. The history of discussions can be
accessed and if the issue has been addressed or a reason why not. If patches
-are sent to openssl-dev instead only they can be lost if a team member has to
+are only sent to openssl-dev they can be mislaid if a team member has to
wade through months of old messages to review the discussion.
-See also http://www.openssl.org/support/rt.html
+See also <URL: http://www.openssl.org/support/rt.html>
+
* I've found a security issue, how do I report it?
If you think your bug has security implications then please send it to
openssl-security@openssl.org if you don't get a prompt reply at least
acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. steve@openssl.org).
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
+more active team members (e.g. Steve).
[PROG] ========================================================================
Multi-threaded applications must provide two callback functions to
OpenSSL by calling CRYPTO_set_locking_callback() and
CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback()
+including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
and friends. This is described in the threads(3) manpage.