autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.
-
* What is an 'engine' version?
With version 0.9.6 OpenSSL was extended to interface to external crypto
version 0.9.7 (not yet released) the changes were merged into the main
development line, so that the special release is no longer necessary.
-
[LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL?
their software on operating systems that don't normally include OpenSSL.
If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitely that
+useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all. OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:" for HOME on
+similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set.
If the default seeding file does not exist or is too short, the "PRNG
reject.
The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server sofware in uses. You can
+CA list". How you do this depends on the server software in uses. You can
print out the servers list of acceptable CAs using the OpenSSL s_client tool:
openssl s_client -connect www.some.host:443 -prexit
* Why can't the OpenSSH configure script detect OpenSSL?
-There is a problem with OpenSSH 1.2.2p1, in that the configure script
-can't find the installed OpenSSL libraries. The problem is actually
-a small glitch that is easily solved with the following patch to be
-applied to the OpenSSH distribution:
-
------ snip:start -----
---- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000
-+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000
-@@ -152,10 +152,10 @@
- AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
- for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
- if test ! -z "$ssldir" ; then
-- LIBS="$saved_LIBS -L$ssldir"
-+ LIBS="$saved_LIBS -L$ssldir/lib"
- CFLAGS="$CFLAGS -I$ssldir/include"
- if test "x$need_dash_r" = "x1" ; then
-- LIBS="$LIBS -R$ssldir"
-+ LIBS="$LIBS -R$ssldir/lib"
- fi
- fi
- LIBS="$LIBS -lcrypto"
---- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000
-+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000
-@@ -1890,10 +1890,10 @@
- echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5
- for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
- if test ! -z "$ssldir" ; then
-- LIBS="$saved_LIBS -L$ssldir"
-+ LIBS="$saved_LIBS -L$ssldir/lib"
- CFLAGS="$CFLAGS -I$ssldir/include"
- if test "x$need_dash_r" = "x1" ; then
-- LIBS="$LIBS -R$ssldir"
-+ LIBS="$LIBS -R$ssldir/lib"
- fi
- fi
- LIBS="$LIBS -lcrypto"
------ snip:end -----
+Several reasons for problems with the automatic detection exist.
+OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
+Sometimes the distribution has installed an older version in the system
+locations that is detected instead of a new one installed. The OpenSSL
+library might have been compiled for another CPU or another mode (32/64 bits).
+Permissions might be wrong.
+The general answer is to check the config.log file generated when running
+the OpenSSH configure script. It should contain the detailed information
+on why the OpenSSL library was not detected or considered incompatible.
* Can I use OpenSSL's SSL library with non-blocking I/O?
* Why doesn't my server application receive a client certificate?
Due to the TLS protocol definition, a client will only send a certificate,
-if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the
+if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates.
X.509v3 certificates
X509 encoding/decoding into/from binary ASN1 and a PEM
- based ascii-binary encoding which supports encryption with a
+ based ASCII-binary encoding which supports encryption with a
private key. Program to generate RSA and DSA certificate
requests and to generate RSA and DSA certificates.
locations around the world. _YOU_ are responsible for ensuring that your use
of any algorithms is legal by checking if there are any patents in your
country. The file contains some of the patents that we know about or are
- rumoured to exist. This is not a definitive list.
+ rumored to exist. This is not a definitive list.
RSA Security holds software patents on the RC5 algorithm. If you
intend to use this cipher, you must contact RSA Security for
only be used with RSA Security's permission.
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
- Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
- be contacted if that algorithm is to be used, their web page is
+ Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
+ should be contacted if that algorithm is to be used; their web page is
http://www.ascom.ch/.
INSTALLATION
INSTALL.VMS.
Read the documentation in the doc/ directory. It is quite rough, but it
- lists the functions, you will probably have to look at the code to work out
- how to used them. Look at the example programs.
+ lists the functions; you will probably have to look at the code to work out
+ how to use them. Look at the example programs.
SUPPORT
-------
OpenSSL STATUS Last modified at
- ______________ $Date: 2001/04/05 17:42:00 $
+ ______________ $Date: 2001/09/11 12:26:35 $
DEVELOPMENT STATE
+ o OpenSSL 0.9.7: Under development...
+ o OpenSSL 0.9.6b: Released on July 9th, 2001
o OpenSSL 0.9.6a: Released on April 5th, 2001
o OpenSSL 0.9.6: Released on September 24th, 2000
o OpenSSL 0.9.5a: Released on April 1st, 2000
AVAILABLE PATCHES
+ o IA-64 (a.k.a. Intel Itanium) public-key operation performance
+ patch for Linux is available for download at
+ http://www.openssl.org/~appro/096b.linux-ia64.diff. As URL
+ suggests the patch is relative to OpenSSL 0.9.6b.
+
IN PROGRESS
o Steve is currently working on (in no particular order):
o Geoff and Richard are currently working on:
ENGINE (the new code that gives hardware support among others).
o Richard is currently working on:
+ UI (User Interface)
UTIL (a new set of library functions to support some higher level
functionality that is currently missing).
Shared library support for VMS.
- OCSP
Kerberos 5 authentication
Constification
+ OCSP
NEEDS PATCH
o Whenever strncpy is used, make sure the resulting string is NULL-terminated
or an error is reported
- OPEN ISSUES
+ o "OpenSSL STATUS" is never up-to-date.
- o crypto/ex_data.c is not really thread-safe and so must be used
- with care (e.g., extra locking where necessary, or don't call
- CRYPTO_get_ex_new_index once multiple threads exist).
- The current API is not suitable for everything that it pretends
- to offer.
+ OPEN ISSUES
o The Makefile hierarchy and build mechanism is still not a round thing:
WISHES
- o
+ o SRP in TLS.
+ [wished by:
+ Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
+ Tom Holroyd <tomh@po.crl.go.jp>]
+
+ See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
+ as well as http://www-cs-students.stanford.edu/~tjw/srp/.
+
+ Tom Holroyd tells us there is a SRP patch for OpenSSH at
+ http://members.tripod.com/professor_tom/archives/, that could
+ be useful.