This commit was manufactured by cvs2svn to create branch 'OpenSSL-fips-

* Why does my browser give a warning about a mismatched hostname?

* How do I install a CA certificate into a browser?

* Why is OpenSSL x509 DN output not conformant to RFC2253?

* What is a "128 bit certificate"? Can I create one with OpenSSL?

[BUILD] Questions about building and testing OpenSSL

* Why does the OpenSSL test suite fail on MacOS X?

* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?

* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?

* Why does the OpenSSL test suite fail in sha512t on x86 CPU?

* Why does compiler fail to compile sha512.c?

* Test suite still fails, what to do?

[PROG] Questions about programming with OpenSSL

* Which is the current version of OpenSSL?

The current version is available from <URL: http://www.openssl.org>.

OpenSSL 0.9.7g was released on April 11, 2005.

OpenSSL 0.9.8e was released on February 23rd, 2007.

In addition to the current stable release, you can also access daily

snapshots of the OpenSSL development version at <URL:

With version 0.9.6 OpenSSL was extended to interface to external crypto

hardware. This was realized in a special release '0.9.6-engine'. With

version 0.9.7 (not yet released) the changes were merged into the main

development line, so that the special release is no longer necessary.

version 0.9.7 the changes were merged into the main development line,

so that the special release is no longer necessary.

* How do I check the authenticity of the OpenSSL distribution?

page of the "openssl x509" commandline tool for details. The old behaviour

has however been left as default for the sake of compatibility.

* What is a "128 bit certificate"? Can I create one with OpenSSL?

The term "128 bit certificate" is a highly misleading marketing term. It does

*not* refer to the size of the public key in the certificate! A certificate

containing a 128 bit RSA key would have negligible security.

There were various other names such as "magic certificates", "SGC

certificates", "step up certificates" etc.

You can't generally create such a certificate using OpenSSL but there is no

need to any more. Nowadays web browsers using unrestricted strong encryption

are generally available.

When there were tight export restrictions on the export of strong encryption

software from the US only weak encryption algorithms could be freely exported

(initially 40 bit and then 56 bit). It was widely recognised that this was

inadequate. A relaxation the rules allowed the use of strong encryption but

only to an authorised server.

Two slighly different techniques were developed to support this, one used by

Netscape was called "step up", the other used by MSIE was called "Server Gated

Cryptography" (SGC). When a browser initially connected to a server it would

check to see if the certificate contained certain extensions and was issued by

an authorised authority. If these test succeeded it would reconnect using

strong encryption.

Only certain (initially one) certificate authorities could issue the

certificates and they generally cost more than ordinary certificates.

Although OpenSSL can create certificates containing the appropriate extensions

the certificate would not come from a permitted authority and so would not

be recognized.

The export laws were later changed to allow almost unrestricted use of strong

encryption so these certificates are now obsolete.

[BUILD] =======================================================================

* Why does the linker complain about undefined symbols?

remedy should be same. Provided binary is statically linked and should be

working across wider range of *BSD branches, not just OpenBSD.

* Why does the OpenSSL test suite fail in sha512t on x86 CPU?

If the test program in question fails withs SIGILL, Illegal Instruction

exception, then you more than likely to run SSE2-capable CPU, such as

Intel P4, under control of kernel which does not support SSE2

instruction extentions. See accompanying INSTALL file and

OPENSSL_ia32cap(3) documentation page for further information.

* Why does compiler fail to compile sha512.c?

OpenSSL SHA-512 implementation depends on compiler support for 64-bit

integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a

couple] lack support for this and therefore are incapable of compiling

the module in question. The recommendation is to disable SHA-512 by

adding no-sha512 to ./config [or ./Configure] command line. Another

possible alternative might be to switch to GCC.

* Test suite still fails, what to do?

Another common reason for failure to complete some particular test is

simply bad code generated by a buggy component in toolchain or deficiency

in run-time environment. There are few cases documented in PROBLEMS file,

consult it for possible workaround before you beat the drum. Even if you

don't find solution or even mention there, do reserve for possibility of

a compiler bug. Compiler bugs might appear in rather bizarre ways, they

never make sense, and tend to emerge when you least expect them. In order

to identify one, drop optimization level, e.g. by editing CFLAG line in

top-level Makefile, recompile and re-run the test.

[PROG] ========================================================================

* Is OpenSSL thread-safe?

file.

Multi-threaded applications must provide two callback functions to

OpenSSL.  This is described in the threads(3) manpage.

OpenSSL by calling CRYPTO_set_locking_callback() and

CRYPTO_set_id_callback().  This is described in the threads(3)

manpage.

* I've compiled a program under Windows and it crashes: why?

Note that debug and release libraries are NOT interchangeable.  If you

built OpenSSL with /MD your application must use /MD and cannot use /MDd.

As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL

.DLLs compiled with some specific run-time option [we insist on the

default /MD] can be deployed with application compiled with different

option or even different compiler. But there is a catch! Instead of

re-compiling OpenSSL toolkit, as you would have to with prior versions,

you have to compile small C snippet with compiler and/or options of

your choice. The snippet gets installed as

<install-root>/include/openssl/applink.c and should be either added to

your application project or simply #include-d in one [and only one]

of your application source files. Failure to link this shim module

into your application manifests itself as fatal "no OPENSSL_Applink"

run-time error. An explicit reminder is due that in this situation

[mixing compiler options] it is as important to add CRYPTO_malloc_init

prior first call to OpenSSL.

* How do I read or write a DER encoded buffer using the ASN1 functions?

  no-asm        Do not use assembler code.

  386           Use the 80386 instruction set only (the default x86 code is

                more efficient, but requires at least a 486).

                more efficient, but requires at least a 486). Note: Use

                compiler flags for any other CPU specific configuration,

                e.g. "-m32" to build x86 code on an x64 system.

  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is

		detected at run-time, but the decision whether or not the

                The crypto/<cipher> directory can be removed after running

                "make depend".

  -Dxxx, -lxxx, -Lxxx, -fxxx, -Kxxx These system specific options will

  -Dxxx, -lxxx, -Lxxx, -fxxx, -mxxx, -Kxxx These system specific options will

                be passed through to the compiler to allow you to

                define preprocessor symbols, specify additional libraries,

                library directories or other compiler options.

 Note on shared libraries

 ------------------------

 Shared library is currently an experimental feature.  The only reason to

 have them would be to conserve memory on systems where several program

 are using OpenSSL.  Binary backward compatibility can't be guaranteed

 before OpenSSL version 1.0.

 Shared libraries have certain caveats.  Binary backward compatibility

 can't be guaranteed before OpenSSL version 1.0.  The only reason to

 use them would be to conserve memory on systems where several programs

 are using OpenSSL.

 For some systems, the OpenSSL Configure script knows what is needed to

 build shared libraries for libcrypto and libssl.  On these systems,

 Note on support for multiple builds

 -----------------------------------

 OpenSSL is usually built in it's source tree.  Unfortunately, this doesn't

 OpenSSL is usually built in its source tree.  Unfortunately, this doesn't

 support building for multiple platforms from the same source tree very well.

 It is however possible to build in a separate tree through the use of lots

 of symbolic links, which should be prepared like this:

NetWare 5.x versions will require updates in order to run the OpenSSL LibC

build.

As of June 2005, the LibC build can be configured to use BSD sockets instead

of WinSock sockets. Call Configure (usually through netware\build.bat) using

a target of "netware-libc-bsdsock" instead of "netware-libc".

REQUIRED TOOLS:

---------------

         Microsoft SDK.  Note: The winsock2.h support headers may change

         with various versions of winsock2.h.  Check the dependencies

         section on the NDK WinSock2 download page for the latest

         information on dependencies.

         information on dependencies. These components are unsupported by

         Novell. They are provided as a courtesy, but it is strongly

         suggested that all development be done using LIBC, not CLIB.

         As of June 2005, the WinSock2 components are available at:

         http://forgeftp.novell.com//ws2comp/

      NLM and NetWare libraries for C (including CLIB and XPlat):

         NOTE: The LibC SDK includes the necessary WinSock2 support.  It

         It is not necessary to download the WinSock2 Developer when building

         for LibC.

         for LibC. The LibC SDK also includes the appropriate BSD socket support

         if configuring to use BSD sockets.

BUILDING:

   netware\build [target] [debug opts] [assembly opts] [configure opts]

      target        - "netware-clib" - CLib NetWare build

                    - "netware-libc" - LibC NetWare build

      target        - "netware-clib" - CLib NetWare build (WinSock Sockets)

                    - "netware-libc" - LibC NetWare build (WinSock Sockets)

                    - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)

      debug opts    - "debug"  - build debug

      LibC build, non-debug, using NASM assembly:

         netware\build.bat netware-libc nw-nasm

      LibC build, BSD sockets, non-debug, without assembly:

         netware\build.bat netware-libc-bsdsock no-asm

Running build.bat generates a make file to be processed by your make 

tool (gmake or nmake):

   CLIB ex: gmake -f netware\nlm_clib.mak 

   CLIB ex: gmake -f netware\nlm_clib_dbg.mak 

   LibC ex: gmake -f netware\nlm_libc.mak 

   LibC ex: gmake -f netware\nlm_libc_bsdsock.mak 

You can also run the build scripts manually if you do not want to use the

build.bat file.  Run the following scripts in the "\openssl"

subdirectory (in the order listed below):

   perl configure no-asm [other config opts] [netware-clib|netware-libc]

   perl configure no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock]

      configures no assembly build for specified netware environment

      (CLIB or LibC).

   perl util\mkfiles.pl >MINFO

      generates a listing of source files (used by mk1mf)

   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc >netware\nlm.mak

   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock >netware\nlm.mak

      generates the makefile for NetWare

   gmake -f netware\nlm.mak

which should be reviewed for errors.  Any errors will be denoted by the word

"ERROR" in the log.

NOTE:  Currently (11/2002), the LibC test nlms report an error while loading

       when launched from the perl script (do_tests.pl).  The problems are 

       being addressed by the LibC development team and should be fixed in the

       next release.  Until the problems are corrected, the LibC test nlms 

       will have to be executed manually.  

DEVELOPING WITH THE OPENSSL SDK:

--------------------------------

Now that everything is built and tested, you are ready to use the OpenSSL