TLS/SSL and crypto library
Revision | 5a9c441c6e739ef0e3585e7aaa544fdf074a1ad4 (tree) |
---|---|
Time | 2001-04-06 02:48:04 |
Author | Richard Levitte <levitte@open...> |
Committer | Richard Levitte |
Release OpenSSL 0.9.6a [engine]
The tag will be OpenSSL-engine-0_9_6a
@@ -2,7 +2,7 @@ | ||
2 | 2 | OpenSSL CHANGES |
3 | 3 | _______________ |
4 | 4 | |
5 | - Changes between 0.9.6 and 0.9.6a [xx XXX 2001] | |
5 | + Changes between 0.9.6 and 0.9.6a [5 Apr 2001] | |
6 | 6 | |
7 | 7 | *) Fix a couple of memory leaks in PKCS7_dataDecode() |
8 | 8 | [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>] |
@@ -1,20 +1,22 @@ | ||
1 | 1 | OpenSSL - Frequently Asked Questions |
2 | 2 | -------------------------------------- |
3 | 3 | |
4 | +[MISC] Miscellaneous questions | |
5 | + | |
4 | 6 | * Which is the current version of OpenSSL? |
5 | 7 | * Where is the documentation? |
6 | 8 | * How can I contact the OpenSSL developers? |
9 | +* Where can I get a compiled version of OpenSSL? | |
10 | +* Why aren't tools like 'autoconf' and 'libtool' used? | |
11 | + | |
12 | +[LEGAL] Legal questions | |
13 | + | |
7 | 14 | * Do I need patent licenses to use OpenSSL? |
8 | -* Is OpenSSL thread-safe? | |
15 | +* Can I use OpenSSL with GPL software? | |
16 | + | |
17 | +[USER] Questions on using the OpenSSL applications | |
18 | + | |
9 | 19 | * Why do I get a "PRNG not seeded" error message? |
10 | -* Why does the linker complain about undefined symbols? | |
11 | -* Where can I get a compiled version of OpenSSL? | |
12 | -* I've compiled a program under Windows and it crashes: why? | |
13 | -* How do I read or write a DER encoded buffer using the ASN1 functions? | |
14 | -* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? | |
15 | -* I've called <some function> and it fails, why? | |
16 | -* I just get a load of numbers for the error output, what do they mean? | |
17 | -* Why do I get errors about unknown algorithms? | |
18 | 20 | * How do I create certificates or certificate requests? |
19 | 21 | * Why can't I create certificate requests? |
20 | 22 | * Why does <SSL program> fail with a certificate verify error? |
@@ -22,17 +24,38 @@ OpenSSL - Frequently Asked Questions | ||
22 | 24 | * How can I create DSA certificates? |
23 | 25 | * Why can't I make an SSL connection using a DSA certificate? |
24 | 26 | * How can I remove the passphrase on a private key? |
25 | -* Why can't the OpenSSH configure script detect OpenSSL? | |
27 | +* Why can't I use OpenSSL certificates with SSL client authentication? | |
28 | +* Why does my browser give a warning about a mismatched hostname? | |
29 | + | |
30 | +[BUILD] Questions about building and testing OpenSSL | |
31 | + | |
32 | +* Why does the linker complain about undefined symbols? | |
26 | 33 | * Why does the OpenSSL test fail with "bc: command not found"? |
27 | 34 | * Why does the OpenSSL test fail with "bc: 1 no implemented"? |
28 | 35 | * Why does the OpenSSL compilation fail on Alpha True64 Unix? |
29 | 36 | * Why does the OpenSSL compilation fail with "ar: command not found"? |
37 | +* Why does the OpenSSL compilation fail on Win32 with VC++? | |
38 | + | |
39 | +[PROG] Questions about programming with OpenSSL | |
40 | + | |
41 | +* Is OpenSSL thread-safe? | |
42 | +* I've compiled a program under Windows and it crashes: why? | |
43 | +* How do I read or write a DER encoded buffer using the ASN1 functions? | |
44 | +* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? | |
45 | +* I've called <some function> and it fails, why? | |
46 | +* I just get a load of numbers for the error output, what do they mean? | |
47 | +* Why do I get errors about unknown algorithms? | |
48 | +* Why can't the OpenSSH configure script detect OpenSSL? | |
49 | +* Can I use OpenSSL's SSL library with non-blocking I/O? | |
50 | + | |
51 | +=============================================================================== | |
30 | 52 | |
53 | +[MISC] ======================================================================== | |
31 | 54 | |
32 | 55 | * Which is the current version of OpenSSL? |
33 | 56 | |
34 | 57 | The current version is available from <URL: http://www.openssl.org>. |
35 | -OpenSSL 0.9.6 was released on September 24th, 2000. | |
58 | +OpenSSL 0.9.6a was released on April 5th, 2001. | |
36 | 59 | |
37 | 60 | In addition to the current stable release, you can also access daily |
38 | 61 | snapshots of the OpenSSL development version at <URL: |
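Review bot: The contents entry "Why can't I make an SSL connection using a DSA certificate?" in this hunk does not match the heading of the answer in the [USER] section, which reads "Why can't I make an SSL connection to a server using a DSA certificate?". Since the index is being regrouped here anyway, make the two strings identical so a text search from the index lands on the answer. The unchanged entry "bc: 1 no implemented" has the same kind of mismatch: its answer quotes the message as "bc: 1 not implemented".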
@@ -78,6 +101,27 @@ OpenSSL. Information on the OpenSSL mailing lists is available from | ||
78 | 101 | <URL: http://www.openssl.org>. |
79 | 102 | |
80 | 103 | |
104 | +* Where can I get a compiled version of OpenSSL? | |
105 | + | |
106 | +Some applications that use OpenSSL are distributed in binary form. | |
107 | +When using such an application, you don't need to install OpenSSL | |
108 | +yourself; the application will include the required parts (e.g. DLLs). | |
109 | + | |
110 | +If you want to install OpenSSL on a Windows system and you don't have | |
111 | +a C compiler, read the "Mingw32" section of INSTALL.W32 for information | |
112 | +on how to obtain and install the free GNU C compiler. | |
113 | + | |
114 | +A number of Linux and *BSD distributions include OpenSSL. | |
115 | + | |
116 | + | |
117 | +* Why aren't tools like 'autoconf' and 'libtool' used? | |
118 | + | |
119 | +autoconf will probably be used in future OpenSSL versions. If it was | |
120 | +less Unix-centric, it might have been used much earlier. | |
121 | + | |
122 | + | |
123 | +[LEGAL] ======================================================================= | |
124 | + | |
81 | 125 | * Do I need patent licenses to use OpenSSL? |
82 | 126 | |
83 | 127 | The patents section of the README file lists patents that may apply to |
@@ -89,18 +133,26 @@ You can configure OpenSSL so as not to use RC5 and IDEA by using | ||
89 | 133 | ./config no-rc5 no-idea |
90 | 134 | |
91 | 135 | |
92 | -* Is OpenSSL thread-safe? | |
136 | +* Can I use OpenSSL with GPL software? | |
93 | 137 | |
94 | -Yes (with limitations: an SSL connection may not concurrently be used | |
95 | -by multiple threads). On Windows and many Unix systems, OpenSSL | |
96 | -automatically uses the multi-threaded versions of the standard | |
97 | -libraries. If your platform is not one of these, consult the INSTALL | |
98 | -file. | |
138 | +On many systems including the major Linux and BSD distributions, yes (the | |
139 | +GPL does not place restrictions on using libraries that are part of the | |
140 | +normal operating system distribution). | |
99 | 141 | |
100 | -Multi-threaded applications must provide two callback functions to | |
101 | -OpenSSL. This is described in the threads(3) manpage. | |
142 | +On other systems, the situation is less clear. Some GPL software copyright | |
143 | +holders claim that you infringe on their rights if you use OpenSSL with | |
144 | +their software on operating systems that don't normally include OpenSSL. | |
145 | + | |
146 | +If you develop open source software that uses OpenSSL, you may find it | |
147 | +useful to choose an other license than the GPL, or state explicitely that | |
148 | +"This program is released under the GPL with the additional exemption that | |
149 | +compiling, linking, and/or using OpenSSL is allowed." If you are using | |
150 | +GPL software developed by others, you may want to ask the copyright holder | |
151 | +for permission to use their software with OpenSSL. | |
102 | 152 | |
103 | 153 | |
154 | +[USER] ======================================================================== | |
155 | + | |
104 | 156 | * Why do I get a "PRNG not seeded" error message? |
105 | 157 | |
106 | 158 | Cryptographic software needs a source of unpredictable data to work |
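Review bot: The added GPL answer has two spelling errors in the line "useful to choose an other license than the GPL, or state explicitely that": "an other" should be "another" and "explicitely" should be "explicitly". The sentence introduces exemption wording that is given in quotation marks for reuse, so this paragraph is worth proofreading before the release is tagged.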
@@ -138,6 +190,101 @@ versions. However, be warned that /dev/random is usually a blocking | ||
138 | 190 | device, which may have some effects on OpenSSL. |
139 | 191 | |
140 | 192 | |
193 | +* How do I create certificates or certificate requests? | |
194 | + | |
195 | +Check out the CA.pl(1) manual page. This provides a simple wrapper round | |
196 | +the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check | |
197 | +out the manual pages for the individual utilities and the certificate | |
198 | +extensions documentation (currently in doc/openssl.txt). | |
199 | + | |
200 | + | |
201 | +* Why can't I create certificate requests? | |
202 | + | |
203 | +You typically get the error: | |
204 | + | |
205 | + unable to find 'distinguished_name' in config | |
206 | + problems making Certificate Request | |
207 | + | |
208 | +This is because it can't find the configuration file. Check out the | |
209 | +DIAGNOSTICS section of req(1) for more information. | |
210 | + | |
211 | + | |
212 | +* Why does <SSL program> fail with a certificate verify error? | |
213 | + | |
214 | +This problem is usually indicated by log messages saying something like | |
215 | +"unable to get local issuer certificate" or "self signed certificate". | |
216 | +When a certificate is verified its root CA must be "trusted" by OpenSSL | |
217 | +this typically means that the CA certificate must be placed in a directory | |
218 | +or file and the relevant program configured to read it. The OpenSSL program | |
219 | +'verify' behaves in a similar way and issues similar error messages: check | |
220 | +the verify(1) program manual page for more information. | |
221 | + | |
222 | + | |
223 | +* Why can I only use weak ciphers when I connect to a server using OpenSSL? | |
224 | + | |
225 | +This is almost certainly because you are using an old "export grade" browser | |
226 | +which only supports weak encryption. Upgrade your browser to support 128 bit | |
227 | +ciphers. | |
228 | + | |
229 | + | |
230 | +* How can I create DSA certificates? | |
231 | + | |
232 | +Check the CA.pl(1) manual page for a DSA certificate example. | |
233 | + | |
234 | + | |
235 | +* Why can't I make an SSL connection to a server using a DSA certificate? | |
236 | + | |
237 | +Typically you'll see a message saying there are no shared ciphers when | |
238 | +the same setup works fine with an RSA certificate. There are two possible | |
239 | +causes. The client may not support connections to DSA servers most web | |
240 | +browsers (including Netscape and MSIE) only support connections to servers | |
241 | +supporting RSA cipher suites. The other cause is that a set of DH parameters | |
242 | +has not been supplied to the server. DH parameters can be created with the | |
243 | +dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: | |
244 | +check the source to s_server in apps/s_server.c for an example. | |
245 | + | |
246 | + | |
247 | +* How can I remove the passphrase on a private key? | |
248 | + | |
249 | +Firstly you should be really *really* sure you want to do this. Leaving | |
250 | +a private key unencrypted is a major security risk. If you decide that | |
251 | +you do have to do this check the EXAMPLES sections of the rsa(1) and | |
252 | +dsa(1) manual pages. | |
253 | + | |
254 | + | |
255 | +* Why can't I use OpenSSL certificates with SSL client authentication? | |
256 | + | |
257 | +What will typically happen is that when a server requests authentication | |
258 | +it will either not include your certificate or tell you that you have | |
259 | +no client certificates (Netscape) or present you with an empty list box | |
260 | +(MSIE). The reason for this is that when a server requests a client | |
261 | +certificate it includes a list of CAs names which it will accept. Browsers | |
262 | +will only let you select certificates from the list on the grounds that | |
263 | +there is little point presenting a certificate which the server will | |
264 | +reject. | |
265 | + | |
266 | +The solution is to add the relevant CA certificate to your servers "trusted | |
267 | +CA list". How you do this depends on the server sofware in uses. You can | |
268 | +print out the servers list of acceptable CAs using the OpenSSL s_client tool: | |
269 | + | |
270 | +openssl s_client -connect www.some.host:443 -prexit | |
271 | + | |
272 | +If your server only requests certificates on certain URLs then you may need | |
273 | +to manually issue an HTTP GET command to get the list when s_client connects: | |
274 | + | |
275 | +GET /some/page/needing/a/certificate.html | |
276 | + | |
277 | +If your CA does not appear in the list then this confirms the problem. | |
278 | + | |
279 | + | |
280 | +* Why does my browser give a warning about a mismatched hostname? | |
281 | + | |
282 | +Browsers expect the server's hostname to match the value in the commonName | |
283 | +(CN) field of the certificate. If it does not then you get a warning. | |
284 | + | |
285 | + | |
286 | +[BUILD] ======================================================================= | |
287 | + | |
141 | 288 | * Why does the linker complain about undefined symbols? |
142 | 289 | |
143 | 290 | Maybe the compilation was interrupted, and make doesn't notice that |
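Review bot: The added client-authentication answer has typos in "How you do this depends on the server sofware in uses": it should read "server software in use", and "your servers" and "the servers list" need the possessive "server's". The answers moved into this section also carry over two run-on sentences that could be fixed in the same pass: "must be "trusted" by OpenSSL this typically means" and "connections to DSA servers most web browsers" each need a colon or a full stop at the join.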
@@ -162,17 +309,99 @@ If none of these helps, you may want to try using the current snapshot. | ||
162 | 309 | If the problem persists, please submit a bug report. |
163 | 310 | |
164 | 311 | |
165 | -* Where can I get a compiled version of OpenSSL? | |
312 | +* Why does the OpenSSL test fail with "bc: command not found"? | |
166 | 313 | |
167 | -Some applications that use OpenSSL are distributed in binary form. | |
168 | -When using such an application, you don't need to install OpenSSL | |
169 | -yourself; the application will include the required parts (e.g. DLLs). | |
314 | +You didn't install "bc", the Unix calculator. If you want to run the | |
315 | +tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. | |
170 | 316 | |
171 | -If you want to install OpenSSL on a Windows system and you don't have | |
172 | -a C compiler, read the "Mingw32" section of INSTALL.W32 for information | |
173 | -on how to obtain and install the free GNU C compiler. | |
174 | 317 | |
175 | -A number of Linux and *BSD distributions include OpenSSL. | |
318 | +* Why does the OpenSSL test fail with "bc: 1 no implemented"? | |
319 | + | |
320 | +On some SCO installations or versions, bc has a bug that gets triggered | |
321 | +when you run the test suite (using "make test"). The message returned is | |
322 | +"bc: 1 not implemented". | |
323 | + | |
324 | +The best way to deal with this is to find another implementation of bc | |
325 | +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html | |
326 | +for download instructions) can be safely used, for example. | |
327 | + | |
328 | + | |
329 | +* Why does the OpenSSL compilation fail on Alpha True64 Unix? | |
330 | + | |
331 | +On some Alpha installations running True64 Unix and Compaq C, the compilation | |
332 | +of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual | |
333 | +memory to continue compilation.' As far as the tests have shown, this may be | |
334 | +a compiler bug. What happens is that it eats up a lot of resident memory | |
335 | +to build something, probably a table. The problem is clearly in the | |
336 | +optimization code, because if one eliminates optimization completely (-O0), | |
337 | +the compilation goes through (and the compiler consumes about 2MB of resident | |
338 | +memory instead of 240MB or whatever one's limit is currently). | |
339 | + | |
340 | +There are three options to solve this problem: | |
341 | + | |
342 | +1. set your current data segment size soft limit higher. Experience shows | |
343 | +that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do | |
344 | +this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of | |
345 | +kbytes to set the limit to. | |
346 | + | |
347 | +2. If you have a hard limit that is lower than what you need and you can't | |
348 | +get it changed, you can compile all of OpenSSL with -O0 as optimization | |
349 | +level. This is however not a very nice thing to do for those who expect to | |
350 | +get the best result from OpenSSL. A bit more complicated solution is the | |
351 | +following: | |
352 | + | |
353 | +----- snip:start ----- | |
354 | + make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ | |
355 | + sed -e 's/ -O[0-9] / -O0 /'`" | |
356 | + rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` | |
357 | + make | |
358 | +----- snip:end ----- | |
359 | + | |
360 | +This will only compile sha_dgst.c with -O0, the rest with the optimization | |
361 | +level chosen by the configuration process. When the above is done, do the | |
362 | +test and installation and you're set. | |
363 | + | |
364 | + | |
365 | +* Why does the OpenSSL compilation fail with "ar: command not found"? | |
366 | + | |
367 | +Getting this message is quite usual on Solaris 2, because Sun has hidden | |
368 | +away 'ar' and other development commands in directories that aren't in | |
369 | +$PATH by default. One of those directories is '/usr/ccs/bin'. The | |
370 | +quickest way to fix this is to do the following (it assumes you use sh | |
371 | +or any sh-compatible shell): | |
372 | + | |
373 | +----- snip:start ----- | |
374 | + PATH=${PATH}:/usr/ccs/bin; export PATH | |
375 | +----- snip:end ----- | |
376 | + | |
377 | +and then redo the compilation. What you should really do is make sure | |
378 | +'/usr/ccs/bin' is permanently in your $PATH, for example through your | |
379 | +'.profile' (again, assuming you use a sh-compatible shell). | |
380 | + | |
381 | + | |
382 | +* Why does the OpenSSL compilation fail on Win32 with VC++? | |
383 | + | |
384 | +Sometimes, you may get reports from VC++ command line (cl) that it | |
385 | +can't find standard include files like stdio.h and other weirdnesses. | |
386 | +One possible cause is that the environment isn't correctly set up. | |
387 | +To solve that problem, one should run VCVARS32.BAT which is found in | |
388 | +the 'bin' subdirectory of the VC++ installation directory (somewhere | |
389 | +under 'Program Files'). This needs to be done prior to running NMAKE, | |
390 | +and the changes are only valid for the current DOS session. | |
391 | + | |
392 | + | |
393 | +[PROG] ======================================================================== | |
394 | + | |
395 | +* Is OpenSSL thread-safe? | |
396 | + | |
397 | +Yes (with limitations: an SSL connection may not concurrently be used | |
398 | +by multiple threads). On Windows and many Unix systems, OpenSSL | |
399 | +automatically uses the multi-threaded versions of the standard | |
400 | +libraries. If your platform is not one of these, consult the INSTALL | |
401 | +file. | |
402 | + | |
403 | +Multi-threaded applications must provide two callback functions to | |
404 | +OpenSSL. This is described in the threads(3) manpage. | |
176 | 405 | |
177 | 406 | |
178 | 407 | * I've compiled a program under Windows and it crashes: why? |
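Review bot: The relocated Alpha True64 answer says "There are three options to solve this problem:" but lists only items 1 and 2. Either add the missing third option or change the sentence to say two. In the same hunk the heading "bc: 1 no implemented" disagrees with the message quoted in its own answer, "bc: 1 not implemented", and item 1 starts with a lower-case "set" while item 2 is capitalized.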
@@ -259,68 +488,6 @@ is forgetting to load OpenSSL's table of algorithms with | ||
259 | 488 | OpenSSL_add_all_algorithms(). See the manual page for more information. |
260 | 489 | |
261 | 490 | |
262 | -* How do I create certificates or certificate requests? | |
263 | - | |
264 | -Check out the CA.pl(1) manual page. This provides a simple wrapper round | |
265 | -the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check | |
266 | -out the manual pages for the individual utilities and the certificate | |
267 | -extensions documentation (currently in doc/openssl.txt). | |
268 | - | |
269 | - | |
270 | -* Why can't I create certificate requests? | |
271 | - | |
272 | -You typically get the error: | |
273 | - | |
274 | - unable to find 'distinguished_name' in config | |
275 | - problems making Certificate Request | |
276 | - | |
277 | -This is because it can't find the configuration file. Check out the | |
278 | -DIAGNOSTICS section of req(1) for more information. | |
279 | - | |
280 | - | |
281 | -* Why does <SSL program> fail with a certificate verify error? | |
282 | - | |
283 | -This problem is usually indicated by log messages saying something like | |
284 | -"unable to get local issuer certificate" or "self signed certificate". | |
285 | -When a certificate is verified its root CA must be "trusted" by OpenSSL | |
286 | -this typically means that the CA certificate must be placed in a directory | |
287 | -or file and the relevant program configured to read it. The OpenSSL program | |
288 | -'verify' behaves in a similar way and issues similar error messages: check | |
289 | -the verify(1) program manual page for more information. | |
290 | - | |
291 | - | |
292 | -* Why can I only use weak ciphers when I connect to a server using OpenSSL? | |
293 | - | |
294 | -This is almost certainly because you are using an old "export grade" browser | |
295 | -which only supports weak encryption. Upgrade your browser to support 128 bit | |
296 | -ciphers. | |
297 | - | |
298 | - | |
299 | -* How can I create DSA certificates? | |
300 | - | |
301 | -Check the CA.pl(1) manual page for a DSA certificate example. | |
302 | - | |
303 | - | |
304 | -* Why can't I make an SSL connection to a server using a DSA certificate? | |
305 | - | |
306 | -Typically you'll see a message saying there are no shared ciphers when | |
307 | -the same setup works fine with an RSA certificate. There are two possible | |
308 | -causes. The client may not support connections to DSA servers most web | |
309 | -browsers (including Netscape and MSIE) only support connections to servers | |
310 | -supporting RSA cipher suites. The other cause is that a set of DH parameters | |
311 | -has not been supplied to the server. DH parameters can be created with the | |
312 | -dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: | |
313 | -check the source to s_server in apps/s_server.c for an example. | |
314 | - | |
315 | - | |
316 | -* How can I remove the passphrase on a private key? | |
317 | - | |
318 | -Firstly you should be really *really* sure you want to do this. Leaving | |
319 | -a private key unencrypted is a major security risk. If you decide that | |
320 | -you do have to do this check the EXAMPLES sections of the rsa(1) and | |
321 | -dsa(1) manual pages. | |
322 | - | |
323 | - | |
324 | 491 | * Why can't the OpenSSH configure script detect OpenSSL? |
325 | 492 | |
326 | 493 | There is a problem with OpenSSH 1.2.2p1, in that the configure script |
@@ -362,71 +529,19 @@ applied to the OpenSSH distribution: | ||
362 | 529 | ----- snip:end ----- |
363 | 530 | |
364 | 531 | |
365 | -* Why does the OpenSSL test fail with "bc: command not found"? | |
532 | +* Can I use OpenSSL's SSL library with non-blocking I/O? | |
366 | 533 | |
367 | -You didn't install "bc", the Unix calculator. If you want to run the | |
368 | -tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. | |
369 | - | |
370 | - | |
371 | -* Why does the OpenSSL test fail with "bc: 1 no implemented"? | |
534 | +Yes; make sure to read the SSL_get_error(3) manual page! | |
372 | 535 | |
373 | -On some SCO installations or versions, bc has a bug that gets triggered when | |
374 | -you run the test suite (using "make test"). The message returned is "bc: | |
375 | -1 not implemented". The best way to deal with this is to find another | |
376 | -implementation of bc and compile/install it. For example, GNU bc (see | |
377 | -http://www.gnu.org/software/software.html for download instructions) can | |
378 | -be safely used. | |
536 | +A pitfall to avoid: Don't assume that SSL_read() will just read from | |
537 | +the underlying transport or that SSL_write() will just write to it -- | |
538 | +it is also possible that SSL_write() cannot do any useful work until | |
539 | +there is data to read, or that SSL_read() cannot do anything until it | |
540 | +is possible to send data. One reason for this is that the peer may | |
541 | +request a new TLS/SSL handshake at any time during the protocol, | |
542 | +requiring a bi-directional message exchange; both SSL_read() and | |
543 | +SSL_write() will try to continue any pending handshake. | |
379 | 544 | |
380 | 545 | |
381 | -* Why does the OpenSSL compilation fail on Alpha True64 Unix? | |
382 | - | |
383 | -On some Alpha installations running True64 Unix and Compaq C, the compilation | |
384 | -of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual | |
385 | -memory to continue compilation.' As far as the tests have shown, this may be | |
386 | -a compiler bug. What happens is that it eats up a lot of resident memory | |
387 | -to build something, probably a table. The problem is clearly in the | |
388 | -optimization code, because if one eliminates optimization completely (-O0), | |
389 | -the compilation goes through (and the compiler consumes about 2MB of resident | |
390 | -memory instead of 240MB or whatever one's limit is currently). | |
391 | - | |
392 | -There are three options to solve this problem: | |
393 | - | |
394 | -1. set your current data segment size soft limit higher. Experience shows | |
395 | -that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do | |
396 | -this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of | |
397 | -kbytes to set the limit to. | |
398 | - | |
399 | -2. If you have a hard limit that is lower than what you need and you can't | |
400 | -get it changed, you can compile all of OpenSSL with -O0 as optimization | |
401 | -level. This is however not a very nice thing to do for those who expect to | |
402 | -get the best result from OpenSSL. A bit more complicated solution is the | |
403 | -following: | |
404 | - | |
405 | ------ snip:start ----- | |
406 | - make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ | |
407 | - sed -e 's/ -O[0-9] / -O0 /'`" | |
408 | - rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` | |
409 | - make | |
410 | ------ snip:end ----- | |
411 | - | |
412 | -This will only compile sha_dgst.c with -O0, the rest with the optimization | |
413 | -level chosen by the configuration process. When the above is done, do the | |
414 | -test and installation and you're set. | |
415 | - | |
416 | - | |
417 | -* Why does the OpenSSL compilation fail with "ar: command not found"? | |
418 | - | |
419 | -Getting this message is quite usual on Solaris 2, because Sun has hidden | |
420 | -away 'ar' and other development commands in directories that aren't in | |
421 | -$PATH by default. One of those directories is '/usr/ccs/bin'. The | |
422 | -quickest way to fix this is to do the following (it assumes you use sh | |
423 | -or any sh-compatible shell): | |
424 | - | |
425 | ------ snip:start ----- | |
426 | - PATH=${PATH}:/usr/ccs/bin; export PATH | |
427 | ------ snip:end ----- | |
428 | - | |
429 | -and then redo the compilation. What you should really do is make sure | |
430 | -'/usr/ccs/bin' is permanently in your $PATH, for example through your | |
431 | -'.profile' (again, assuming you use a sh-compatible shell). | |
546 | +=============================================================================== | |
432 | 547 |
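Review bot: The new non-blocking I/O answer describes the pitfall but does not say what the caller should do about it; it only points at SSL_get_error(3). Consider adding one sentence stating that when SSL_read() or SSL_write() does not complete, the application should call SSL_get_error() and, on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, wait until the socket is readable or writable respectively and then repeat the same call. That states directly that a write can be waiting on readability and a read on writability, which is the case the paragraph is warning about.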
@@ -1,5 +1,5 @@ | ||
1 | 1 | |
2 | - OpenSSL 0.9.6a-beta4-dev [engine] XX xxx XXXX | |
2 | + OpenSSL 0.9.6a [engine] 5 Apr 2001 | |
3 | 3 | |
4 | 4 | Copyright (c) 1998-2000 The OpenSSL Project |
5 | 5 | Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson |
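Review bot: The unchanged context line "Copyright (c) 1998-2000 The OpenSSL Project" still ends at 2000, while the version line above it is now dated 5 Apr 2001. If the release contains work done in 2001, extend the year range in this commit so the README is consistent with the release date.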
@@ -1,46 +1,10 @@ | ||
1 | 1 | |
2 | 2 | OpenSSL STATUS Last modified at |
3 | - ______________ $Date: 2001/03/26 17:09:12 $ | |
3 | + ______________ $Date: 2001/04/05 17:48:02 $ | |
4 | 4 | |
5 | 5 | DEVELOPMENT STATE |
6 | 6 | |
7 | - o OpenSSL 0.9.6a: Bugfix release -- under development... | |
8 | - Beta 1 released on March 13th, 2001 | |
9 | - HP-UX 10.20 (hpux-parisc-cc) - PASSED [normal+engine] | |
10 | - HP-UX 10.20 (hpux-parisc-gcc) - PASSED [normal+engine] | |
11 | - HP-UX 11.00 32bit (hpux-parisc-gcc) - FAILED [engine] | |
12 | - "openssl speed rsa1024 -engine cswift" fails unless | |
13 | - libswift.sl is renamed to libswift.so. | |
14 | - [CORRECTED] | |
15 | - HP MPE/iX - PASSED [presumed normal] | |
16 | - Linux 2.2.17 SMP (linux-elf) - PASSED [normal+engine] | |
17 | - Windows (VC-WIN32) - FAILED [presumed normal] | |
18 | - Missing line in ms/32all.bat: | |
19 | - perl util\mkfiles.pl >MINFO | |
20 | - [CORRECTED] | |
21 | - In randfile.c, line 214, signed and unsigned int are mixed. | |
22 | - [CORRECTED] | |
23 | - In s_client.c and s_server.c, RAND_status() needs to get | |
24 | - declared (#include <openssl/rand.h>) | |
25 | - [CORRECTED] | |
26 | - OpenVMS (any version) - FAILED [normal+engine] | |
27 | - Missing instructions in building script. | |
28 | - [CORRECTED] | |
29 | - AIX 4.3 - FAILED [engine] | |
30 | - Needs -DDSO_DLFCN and -DHAVE_DLFCN_H to work. | |
31 | - [CORRECTED] (but will not be automagically configured) | |
32 | - Irix 6.5.11 - FAILED [presumed normal] | |
33 | - BN_sqr test fails. | |
34 | - solaris64-sparcv9-cc (SunOS 5.8) - PASSED [normal+engine] | |
35 | - BSDI 4.0.1 (bsdi-elf-gcc) - FAILED [engine] | |
36 | - Needs -DDSO_DLFCN, -DHAVE_DLFCN_H and -ldl to work. | |
37 | - [CORRECTED] | |
38 | - mingw32 w/ gcc 2.95.2 - PASSED [presumed normal] | |
39 | - | |
40 | - Beta 2 released on March 21st, 2001 | |
41 | - OpenVMS (tested on VMS 7.2-1 for Alpha) - PASSED [presumed normal] | |
42 | - solaris64-sparcv9-cc (SunOS 5.8) - PASSED [normal] | |
43 | - | |
7 | + o OpenSSL 0.9.6a: Released on April 5th, 2001 | |
44 | 8 | o OpenSSL 0.9.6: Released on September 24th, 2000 |
45 | 9 | o OpenSSL 0.9.5a: Released on April 1st, 2000 |
46 | 10 | o OpenSSL 0.9.5: Released on February 28th, 2000 |
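Review bot: The removed beta test log contains one failure with no [CORRECTED] marker, "Irix 6.5.11 - FAILED [presumed normal]" with "BN_sqr test fails." Replacing the whole block with "Released on April 5th, 2001" drops that record, so either confirm the Irix failure was resolved before tagging or keep a known-issue line for it under the 0.9.6a entry.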
@@ -1172,8 +1172,8 @@ $cflags = -O3 -fomit-frame-pointer | ||
1172 | 1172 | $unistd = |
1173 | 1173 | $thread_cflag = (unknown) |
1174 | 1174 | $lflags = -lnsl -lsocket |
1175 | -$bn_ops = RC4_INDEX | |
1176 | -$bn_obj = RC4_INDEX DES_UNROLL | |
1175 | +$bn_ops = RC4_INDEX DES_UNROLL | |
1176 | +$bn_obj = | |
1177 | 1177 | $des_obj = |
1178 | 1178 | $bf_obj = |
1179 | 1179 | $md5_obj = |
@@ -2205,9 +2205,9 @@ $cc = gcc | ||
2205 | 2205 | $cflags = -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H |
2206 | 2206 | $unistd = |
2207 | 2207 | $thread_cflag = (unknown) |
2208 | -$lflags = | |
2209 | -$bn_ops = -lsocket | |
2210 | -$bn_obj = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT | |
2208 | +$lflags = -lsocket | |
2209 | +$bn_ops = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT | |
2210 | +$bn_obj = | |
2211 | 2211 | $des_obj = |
2212 | 2212 | $bf_obj = |
2213 | 2213 | $md5_obj = |
@@ -2599,10 +2599,10 @@ $ranlib = | ||
2599 | 2599 | *** unixware-2.0-pentium |
2600 | 2600 | $cc = cc |
2601 | 2601 | $cflags = -DFILIO_H -Kpentium |
2602 | -$unistd = -Kthread | |
2603 | -$thread_cflag = -lsocket -lnsl -lx | |
2604 | -$lflags = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2605 | -$bn_ops = | |
2602 | +$unistd = | |
2603 | +$thread_cflag = -Kthread | |
2604 | +$lflags = -lsocket -lnsl -lx | |
2605 | +$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2606 | 2606 | $bn_obj = |
2607 | 2607 | $des_obj = |
2608 | 2608 | $bf_obj = |
@@ -2690,7 +2690,51 @@ $cflags = -O -DFILIO_H -Kalloca | ||
2690 | 2690 | $unistd = |
2691 | 2691 | $thread_cflag = -Kthread |
2692 | 2692 | $lflags = -lsocket -lnsl |
2693 | -$bn_ops = MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2693 | +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2694 | +$bn_obj = | |
2695 | +$des_obj = | |
2696 | +$bf_obj = | |
2697 | +$md5_obj = | |
2698 | +$sha1_obj = | |
2699 | +$cast_obj = | |
2700 | +$rc4_obj = | |
2701 | +$rmd160_obj = | |
2702 | +$rc5_obj = | |
2703 | +$dso_scheme = | |
2704 | +$shared_target= | |
2705 | +$shared_cflag = | |
2706 | +$shared_extension = | |
2707 | +$ranlib = | |
2708 | + | |
2709 | +*** unixware-7-pentium | |
2710 | +$cc = cc | |
2711 | +$cflags = -O -DFILIO_H -Kalloca -Kpentium | |
2712 | +$unistd = | |
2713 | +$thread_cflag = -Kthread | |
2714 | +$lflags = -lsocket -lnsl | |
2715 | +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2716 | +$bn_obj = | |
2717 | +$des_obj = | |
2718 | +$bf_obj = | |
2719 | +$md5_obj = | |
2720 | +$sha1_obj = | |
2721 | +$cast_obj = | |
2722 | +$rc4_obj = | |
2723 | +$rmd160_obj = | |
2724 | +$rc5_obj = | |
2725 | +$dso_scheme = | |
2726 | +$shared_target= | |
2727 | +$shared_cflag = | |
2728 | +$shared_extension = | |
2729 | +$ranlib = | |
2730 | + | |
2731 | +*** unixware-7-pentium_pro | |
2732 | +$cc = cc | |
2733 | +$cflags = -O -DFILIO_H -Kalloca -Kpentium_pro | |
2734 | +$unistd = | |
2735 | +$thread_cflag = -Kthread | |
2736 | +$lflags = -lsocket -lnsl | |
2737 | +$bn_ops = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL | |
2694 | 2738 | $bn_obj = |
2695 | 2739 | $des_obj = |
2696 | 2740 | $bf_obj = |
@@ -25,8 +25,8 @@ | ||
25 | 25 | * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for |
26 | 26 | * major minor fix final patch/beta) |
27 | 27 | */ |
28 | -#define OPENSSL_VERSION_NUMBER 0x00906014L | |
29 | -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a-beta4-dev [engine] XX xxx XXXX" | |
28 | +#define OPENSSL_VERSION_NUMBER 0x0090601fL | |
29 | +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001" | |
30 | 30 | #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT |
31 | 31 | |
32 | 32 |