[ipfire-3.x.git] / openssl / patches / openssl-1.0.0-beta5-readme-warning.patch

diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
--- openssl-1.0.0-beta5/README.warning	2010-01-20 16:00:47.000000000 +0100
+++ openssl-1.0.0-beta5/README	2010-01-21 09:06:11.000000000 +0100
@@ -5,6 +5,35 @@
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 
+ WARNING
+ -------
+
+ This version of OpenSSL is built in a way that supports operation in
+ the so called FIPS mode. Note though that the library as we build it
+ is not FIPS validated and the FIPS mode is present for testing purposes
+ only.
+ 
+ This version also contains a few differences from the upstream code
+ some of which are:
+   * There are added changes forward ported from the upstream OpenSSL
+     0.9.8 FIPS branch however the FIPS integrity verification check
+     is implemented differently from the upstream FIPS validated OpenSSL
+     module. It verifies HMAC-SHA256 checksum of the whole shared
+     libraries. For this reason the changes are ported to files in the
+     crypto directory and not in a separate fips subdirectory. Also
+     note that the FIPS integrity verification check requires unmodified
+     libcrypto and libssl shared library files which means that it will
+     fail if these files are modified for example by prelink.
+   * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
+     tries to initialize the FIPS mode if it is set to 1 aborting if the
+     FIPS mode could not be initialized. It is also possible to force the
+     OpenSSL library to FIPS mode especially for debugging purposes by
+     setting the environment variable OPENSSL_FORCE_FIPS_MODE.
+   * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
+     will not automatically load the built in compression method ZLIB
+     when initialized. Applications can still explicitely ask for ZLIB
+     compression method.
+
  DESCRIPTION
  -----------
Commit	Line	Data
0595faf5 MT	1	diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
	2	--- openssl-1.0.0-beta5/README.warning 2010-01-20 16:00:47.000000000 +0100
	3	+++ openssl-1.0.0-beta5/README 2010-01-21 09:06:11.000000000 +0100
	4	@@ -5,6 +5,35 @@
	5	Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
	6	All rights reserved.
	7
	8	+ WARNING
	9	+ -------
	10	+
	11	+ This version of OpenSSL is built in a way that supports operation in
	12	+ the so called FIPS mode. Note though that the library as we build it
	13	+ is not FIPS validated and the FIPS mode is present for testing purposes
	14	+ only.
	15	+
	16	+ This version also contains a few differences from the upstream code
	17	+ some of which are:
	18	+ * There are added changes forward ported from the upstream OpenSSL
	19	+ 0.9.8 FIPS branch however the FIPS integrity verification check
	20	+ is implemented differently from the upstream FIPS validated OpenSSL
	21	+ module. It verifies HMAC-SHA256 checksum of the whole shared
	22	+ libraries. For this reason the changes are ported to files in the
	23	+ crypto directory and not in a separate fips subdirectory. Also
	24	+ note that the FIPS integrity verification check requires unmodified
	25	+ libcrypto and libssl shared library files which means that it will
	26	+ fail if these files are modified for example by prelink.
	27	+ * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
	28	+ tries to initialize the FIPS mode if it is set to 1 aborting if the
	29	+ FIPS mode could not be initialized. It is also possible to force the
	30	+ OpenSSL library to FIPS mode especially for debugging purposes by
	31	+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
	32	+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
	33	+ will not automatically load the built in compression method ZLIB
	34	+ when initialized. Applications can still explicitely ask for ZLIB
	35	+ compression method.
	36	+
	37	DESCRIPTION
	38	-----------
	39