Loading FAQ +38 −0 Original line number Original line Diff line number Diff line Loading @@ -31,6 +31,7 @@ OpenSSL - Frequently Asked Questions * Why does my browser give a warning about a mismatched hostname? * Why does my browser give a warning about a mismatched hostname? * How do I install a CA certificate into a browser? * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? [BUILD] Questions about building and testing OpenSSL [BUILD] Questions about building and testing OpenSSL Loading Loading 
@@ -386,6 +387,43 @@ interface, the "-nameopt" option could be introduded. See the manual page of the "openssl x509" commandline tool for details. The old behaviour page of the "openssl x509" commandline tool for details. The old behaviour has however been left as default for the sake of compatibility. has however been left as default for the sake of compatibility. * What is a "128 bit certificate"? Can I create one with OpenSSL? The term "128 bit certificate" is a highly misleading marketing term. It does *not* refer to the size of the public key in the certificate! A certificate containing a 128 bit RSA key would have negligible security. There were various other names such as "magic certificates", "SGC certificates", "step up certificates" etc. You can't generally create such a certificate using OpenSSL but there is no need to any more. Nowadays web browsers using unrestricted strong encryption are generally available. When there were tight export restrictions on the export of strong encryption software from the US only weak encryption algorithms could be freely exported (initially 40 bit and then 56 bit). It was widely recognised that this was inadequate. A relaxation the rules allowed the use of strong encryption but only to an authorised server. Two slighly different techniques were developed to support this, one used by Netscape was called "step up", the other used by MSIE was called "Server Gated Cryptography" (SGC). When a browser initially connected to a server it would check to see if the certificate contained certain extensions and was issued by an authorised authority. If these test succeeded it would reconnect using strong encryption. Only certain (initially one) certificate authorities could issue the certificates and they generally cost more than ordinary certificates. Although OpenSSL can create certificates containing the appropriate extensions the certificate would not come from a permitted authority and so would not be recognized. 
The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. [BUILD] ======================================================================= [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? * Why does the linker complain about undefined symbols? Loading apps/s_client.c +4 −0 Original line number Original line Diff line number Diff line Loading @@ -1096,7 +1096,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) SSL_CIPHER *c; SSL_CIPHER *c; X509_NAME *xn; X509_NAME *xn; int j,i; int j,i; #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; const COMP_METHOD *comp, *expansion; #endif if (full) if (full) { { Loading Loading @@ -1199,12 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp); } } #ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); expansion=SSL_get_current_expansion(s); BIO_printf(bio,"Compression: %s\n", BIO_printf(bio,"Compression: %s\n", comp ? SSL_COMP_get_name(comp) : "NONE"); comp ? SSL_COMP_get_name(comp) : "NONE"); BIO_printf(bio,"Expansion: %s\n", BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); expansion ? SSL_COMP_get_name(expansion) : "NONE"); #endif SSL_SESSION_print(bio,SSL_get_session(s)); SSL_SESSION_print(bio,SSL_get_session(s)); BIO_printf(bio,"---\n"); BIO_printf(bio,"---\n"); if (peer != NULL) if (peer != NULL) Loading crypto/asn1/x_crl.c +17 −0 Original line number Original line Diff line number Diff line Loading 
@@ -102,6 +102,23 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *a = (X509_CRL_INFO *)*pval; #ifndef OPENSSL_NO_SHA switch(operation) { /* Hash CRL here for rapid comparison in X509_digest_cmp() */ case ASN1_OP_D2I_POST: X509_CRL_digest(crl->digest, crl); break; } #endif return 1; } ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), Loading ssl/d1_clnt.c +4 −0 Original line number Original line Diff line number Diff line Loading @@ -371,11 +371,15 @@ int dtls1_connect(SSL *s) s->init_num=0; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; s->session->cipher=s->s3->tmp.new_cipher; #ifdef OPENSSL_NO_COMP s->session->compress_meth=0; #else if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; s->session->compress_meth=0; else else s->session->compress_meth= s->session->compress_meth= s->s3->tmp.new_compression->id; s->s3->tmp.new_compression->id; #endif if (!s->method->ssl3_enc->setup_key_block(s)) if (!s->method->ssl3_enc->setup_key_block(s)) { { ret= -1; ret= -1; Loading ssl/d1_srvr.c +4 −0 Original line number Original line Diff line number Diff line Loading 
@@ -706,10 +706,14 @@ int dtls1_send_server_hello(SSL *s) p+=i; p+=i; /* put the compression method */ /* put the compression method */ #ifdef OPENSSL_NO_COMP *(p++)=0; #else if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL) *(p++)=0; *(p++)=0; else else *(p++)=s->s3->tmp.new_compression->id; *(p++)=s->s3->tmp.new_compression->id; #endif /* do the header */ /* do the header */ l=(p-d); l=(p-d); Loading Loading
FAQ +38 −0 Original line number Original line Diff line number Diff line Loading @@ -31,6 +31,7 @@ OpenSSL - Frequently Asked Questions * Why does my browser give a warning about a mismatched hostname? * Why does my browser give a warning about a mismatched hostname? * How do I install a CA certificate into a browser? * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? [BUILD] Questions about building and testing OpenSSL [BUILD] Questions about building and testing OpenSSL Loading Loading 
@@ -386,6 +387,43 @@ interface, the "-nameopt" option could be introduded. See the manual page of the "openssl x509" commandline tool for details. The old behaviour page of the "openssl x509" commandline tool for details. The old behaviour has however been left as default for the sake of compatibility. has however been left as default for the sake of compatibility. * What is a "128 bit certificate"? Can I create one with OpenSSL? The term "128 bit certificate" is a highly misleading marketing term. It does *not* refer to the size of the public key in the certificate! A certificate containing a 128 bit RSA key would have negligible security. There were various other names such as "magic certificates", "SGC certificates", "step up certificates" etc. You can't generally create such a certificate using OpenSSL but there is no need to any more. Nowadays web browsers using unrestricted strong encryption are generally available. When there were tight export restrictions on the export of strong encryption software from the US only weak encryption algorithms could be freely exported (initially 40 bit and then 56 bit). It was widely recognised that this was inadequate. A relaxation the rules allowed the use of strong encryption but only to an authorised server. Two slighly different techniques were developed to support this, one used by Netscape was called "step up", the other used by MSIE was called "Server Gated Cryptography" (SGC). When a browser initially connected to a server it would check to see if the certificate contained certain extensions and was issued by an authorised authority. If these test succeeded it would reconnect using strong encryption. Only certain (initially one) certificate authorities could issue the certificates and they generally cost more than ordinary certificates. Although OpenSSL can create certificates containing the appropriate extensions the certificate would not come from a permitted authority and so would not be recognized. 
The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. [BUILD] ======================================================================= [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? * Why does the linker complain about undefined symbols? Loading
apps/s_client.c +4 −0 Original line number Original line Diff line number Diff line Loading @@ -1096,7 +1096,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) SSL_CIPHER *c; SSL_CIPHER *c; X509_NAME *xn; X509_NAME *xn; int j,i; int j,i; #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; const COMP_METHOD *comp, *expansion; #endif if (full) if (full) { { Loading Loading @@ -1199,12 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full) EVP_PKEY_bits(pktmp)); EVP_PKEY_bits(pktmp)); EVP_PKEY_free(pktmp); EVP_PKEY_free(pktmp); } } #ifndef OPENSSL_NO_COMP comp=SSL_get_current_compression(s); comp=SSL_get_current_compression(s); expansion=SSL_get_current_expansion(s); expansion=SSL_get_current_expansion(s); BIO_printf(bio,"Compression: %s\n", BIO_printf(bio,"Compression: %s\n", comp ? SSL_COMP_get_name(comp) : "NONE"); comp ? SSL_COMP_get_name(comp) : "NONE"); BIO_printf(bio,"Expansion: %s\n", BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); expansion ? SSL_COMP_get_name(expansion) : "NONE"); #endif SSL_SESSION_print(bio,SSL_get_session(s)); SSL_SESSION_print(bio,SSL_get_session(s)); BIO_printf(bio,"---\n"); BIO_printf(bio,"---\n"); if (peer != NULL) if (peer != NULL) Loading
crypto/asn1/x_crl.c +17 −0 Original line number Original line Diff line number Diff line Loading @@ -102,6 +102,23 @@ ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = { ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) } ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO) static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { X509_CRL *a = (X509_CRL_INFO *)*pval; #ifndef OPENSSL_NO_SHA switch(operation) { /* Hash CRL here for rapid comparison in X509_digest_cmp() */ case ASN1_OP_D2I_POST: X509_CRL_digest(crl->digest, crl); break; } #endif return 1; } ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = { ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), ASN1_SIMPLE(X509_CRL, sig_alg, X509_ALGOR), Loading
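Review bot: The new `crl_cb` cannot compile when OPENSSL_NO_SHA is not defined, because the local is declared as `X509_CRL *a` (through a mismatched `(X509_CRL_INFO *)` cast) while the switch body uses an undeclared `crl`; the declaration should read `X509_CRL *crl = (X509_CRL *)*pval;`. The two-argument call `X509_CRL_digest(crl->digest, crl)` also does not match the library's `X509_CRL_digest(data, type, md, len)` prototype, so the digest type and output buffer need to be passed explicitly and the return value checked. The context line `ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL)` still passes `0` as the callback, so as far as this hunk shows `crl_cb` is never registered and the hash is never computed. Any later comparison that relies on that digest would then read a buffer that was never filled. The X509_CRL template continues past the end of the hunk, so whether it is wired up elsewhere cannot be seen from here.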
ssl/d1_clnt.c +4 −0 Original line number Original line Diff line number Diff line Loading @@ -371,11 +371,15 @@ int dtls1_connect(SSL *s) s->init_num=0; s->init_num=0; s->session->cipher=s->s3->tmp.new_cipher; s->session->cipher=s->s3->tmp.new_cipher; #ifdef OPENSSL_NO_COMP s->session->compress_meth=0; #else if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL) s->session->compress_meth=0; s->session->compress_meth=0; else else s->session->compress_meth= s->session->compress_meth= s->s3->tmp.new_compression->id; s->s3->tmp.new_compression->id; #endif if (!s->method->ssl3_enc->setup_key_block(s)) if (!s->method->ssl3_enc->setup_key_block(s)) { { ret= -1; ret= -1; Loading
ssl/d1_srvr.c +4 −0 Original line number Original line Diff line number Diff line Loading @@ -706,10 +706,14 @@ int dtls1_send_server_hello(SSL *s) p+=i; p+=i; /* put the compression method */ /* put the compression method */ #ifdef OPENSSL_NO_COMP *(p++)=0; #else if (s->s3->tmp.new_compression == NULL) if (s->s3->tmp.new_compression == NULL) *(p++)=0; *(p++)=0; else else *(p++)=s->s3->tmp.new_compression->id; *(p++)=s->s3->tmp.new_compression->id; #endif /* do the header */ /* do the header */ l=(p-d); l=(p-d); Loading