]>
Commit | Line | Data |
---|---|---|
f9a7c34f UM |
1 | OpenSSL - Frequently Asked Questions |
2 | -------------------------------------- | |
3 | ||
49976df5 | 4 | * Which is the current version of OpenSSL? |
f9a7c34f UM |
5 | * Where is the documentation? |
6 | * How can I contact the OpenSSL developers? | |
c1ce32f1 | 7 | * Do I need patent licenses to use OpenSSL? |
f9a7c34f UM |
8 | * Is OpenSSL thread-safe? |
9 | * Why do I get a "PRNG not seeded" error message? | |
49976df5 | 10 | * Why does the linker complain about undefined symbols? |
2b670ea2 | 11 | * Where can I get a compiled version of OpenSSL? |
e8dbc159 | 12 | * Why can't the OpenSSH configure script detect OpenSSL? |
f9a7c34f UM |
13 | |
14 | ||
49976df5 UM |
15 | * Which is the current version of OpenSSL? |
16 | ||
17 | The current version is available from <URL: http://www.openssl.org>. | |
74cdf6f7 | 18 | OpenSSL 0.9.5 was released on February 28th, 2000. |
49976df5 UM |
19 | |
20 | In addition to the current stable release, you can also access daily | |
21 | snapshots of the OpenSSL development version at <URL: | |
22 | ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. | |
23 | ||
24 | ||
f9a7c34f UM |
25 | * Where is the documentation? |
26 | ||
27 | OpenSSL is a library that provides cryptographic functionality to | |
28 | applications such as secure web servers. Be sure to read the | |
29 | documentation of the application you want to use. The INSTALL file | |
30 | explains how to install this library. | |
31 | ||
32 | OpenSSL includes a command line utility that can be used to perform a | |
33 | variety of cryptographic functions. It is described in the openssl(1) | |
34 | manpage. Documentation for developers is currently being written. A | |
35 | few manual pages already are available; overviews over libcrypto and | |
36 | libssl are given in the crypto(3) and ssl(3) manpages. | |
37 | ||
38 | The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a | |
39 | different directory if you specified one as described in INSTALL). | |
40 | In addition, you can read the most current versions at | |
41 | <URL: http://www.openssl.org/docs/>. | |
42 | ||
43 | For information on parts of libcrypto that are not yet documented, you | |
44 | might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's | |
45 | predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>. Much | |
46 | of this still applies to OpenSSL. | |
47 | ||
fbb41ae0 DSH |
48 | There is some documentation about certificate extensions and PKCS#12 |
49 | in doc/openssl.txt | |
50 | ||
f9a7c34f | 51 | The original SSLeay documentation is included in OpenSSL as |
cacbb51e | 52 | doc/ssleay.txt. It may be useful when none of the other resources |
f9a7c34f UM |
53 | help, but please note that it reflects the obsolete version SSLeay |
54 | 0.6.6. | |
55 | ||
56 | ||
57 | * How can I contact the OpenSSL developers? | |
58 | ||
59 | The README file describes how to submit bug reports and patches to | |
60 | OpenSSL. Information on the OpenSSL mailing lists is available from | |
61 | <URL: http://www.openssl.org>. | |
62 | ||
63 | ||
c1ce32f1 | 64 | * Do I need patent licenses to use OpenSSL? |
f9a7c34f UM |
65 | |
66 | The patents section of the README file lists patents that may apply to | |
67 | you if you want to use OpenSSL. For information on intellectual | |
68 | property rights, please consult a lawyer. The OpenSSL team does not | |
69 | offer legal advice. | |
70 | ||
71 | You can configure OpenSSL so as not to use RC5 and IDEA by using | |
72 | ./config no-rc5 no-idea | |
73 | ||
74 | Until the RSA patent expires, U.S. users may want to use | |
75 | ./config no-rc5 no-idea no-rsa | |
76 | ||
77 | Please note that you will *not* be able to communicate with most of | |
78 | the popular web browsers without RSA support. | |
79 | ||
80 | ||
81 | * Is OpenSSL thread-safe? | |
82 | ||
97853bd5 BM |
83 | Yes (with limitations: an SSL connection may not concurrently be used |
84 | by multiple threads). On Windows and many Unix systems, OpenSSL | |
85 | automatically uses the multi-threaded versions of the standard | |
86 | libraries. If your platform is not one of these, consult the INSTALL | |
87 | file. | |
f9a7c34f UM |
88 | |
89 | Multi-threaded applications must provide two callback functions to | |
be7ae175 | 90 | OpenSSL. This is described in the threads(3) manpage. |
f9a7c34f UM |
91 | |
92 | ||
93 | * Why do I get a "PRNG not seeded" error message? | |
94 | ||
95 | Cryptographic software needs a source of unpredictable data to work | |
96 | correctly. Many open source operating systems provide a "randomness | |
97 | device" that serves this purpose. On other systems, applications have | |
98 | to call the RAND_add() or RAND_seed() function with appropriate data | |
99 | before generating keys or performing public key encryption. | |
100 | ||
101 | Some broken applications do not do this. As of version 0.9.5, the | |
102 | OpenSSL functions that need randomness report an error if the random | |
103 | number generator has not been seeded with at least 128 bits of | |
104 | randomness. If this error occurs, please contact the author of the | |
105 | application you are using. It is likely that it never worked | |
106 | correctly. OpenSSL 0.9.5 makes the error visible by refusing to | |
107 | perform potentially insecure encryption. | |
2b670ea2 | 108 | |
d7960418 BM |
109 | Most components of the openssl command line tool try to use the |
110 | file $HOME/.rnd (or $RANDFILE, if this environment variable is set) | |
111 | for seeding the PRNG. If this file does not exist or is too short, | |
112 | the "PRNG not seeded" error message may occur. | |
299e7c91 BM |
113 | Note that the command "openssl rsa" in OpenSSL 0.9.5 does not do this |
114 | and will fail on systems without /dev/urandom when trying to | |
115 | password-encrypt an RSA key! This is a bug in the library; | |
116 | try a later snaphost instead. | |
d7960418 | 117 | |
2b670ea2 | 118 | |
49976df5 UM |
119 | * Why does the linker complain about undefined symbols? |
120 | ||
cacbb51e | 121 | Maybe the compilation was interrupted, and make doesn't notice that |
49976df5 UM |
122 | something is missing. Run "make clean; make". |
123 | ||
124 | If you used ./Configure instead of ./config, make sure that you | |
125 | selected the right target. File formats may differ slightly between | |
126 | OS versions (for example sparcv8/sparcv9, or a.out/elf). | |
127 | ||
0816bc22 UM |
128 | In case you get errors about the following symbols, use the config |
129 | option "no-asm", as described in INSTALL: | |
130 | ||
131 | BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt, | |
132 | CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt, | |
133 | RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words, | |
134 | bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4, | |
135 | bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, | |
136 | des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, | |
137 | des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order | |
138 | ||
569be071 | 139 | If none of these helps, you may want to try using the current snapshot. |
49976df5 UM |
140 | If the problem persists, please submit a bug report. |
141 | ||
142 | ||
2b670ea2 UM |
143 | * Where can I get a compiled version of OpenSSL? |
144 | ||
145 | Some applications that use OpenSSL are distributed in binary form. | |
146 | When using such an application, you don't need to install OpenSSL | |
147 | yourself; the application will include the required parts (e.g. DLLs). | |
148 | ||
149 | If you want to install OpenSSL on a Windows system and you don't have | |
150 | a C compiler, read the "Mingw32" section of INSTALL.W32 for information | |
151 | on how to obtain and install the free GNU C compiler. | |
152 | ||
153 | A number of Linux and *BSD distributions include OpenSSL. | |
e8dbc159 RL |
154 | |
155 | ||
156 | * Why can't the OpenSSH configure script detect OpenSSL? | |
157 | ||
158 | There is a problem with OpenSSH 1.2.2p1, in that the configure script | |
159 | can't find the installed OpenSSL libraries. The problem is actually | |
160 | a small glitch that is easily solved with the following patch to be | |
161 | applied to the OpenSSH distribution: | |
162 | ||
1d6750b7 | 163 | ----- snip:start ----- |
e8dbc159 RL |
164 | --- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000 |
165 | +++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000 | |
166 | @@ -152,10 +152,10 @@ | |
167 | AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) | |
168 | for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do | |
169 | if test ! -z "$ssldir" ; then | |
170 | - LIBS="$saved_LIBS -L$ssldir" | |
171 | + LIBS="$saved_LIBS -L$ssldir/lib" | |
172 | CFLAGS="$CFLAGS -I$ssldir/include" | |
173 | if test "x$need_dash_r" = "x1" ; then | |
174 | - LIBS="$LIBS -R$ssldir" | |
175 | + LIBS="$LIBS -R$ssldir/lib" | |
176 | fi | |
177 | fi | |
178 | LIBS="$LIBS -lcrypto" | |
179 | --- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000 | |
180 | +++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000 | |
181 | @@ -1890,10 +1890,10 @@ | |
182 | echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 | |
183 | for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do | |
184 | if test ! -z "$ssldir" ; then | |
185 | - LIBS="$saved_LIBS -L$ssldir" | |
186 | + LIBS="$saved_LIBS -L$ssldir/lib" | |
187 | CFLAGS="$CFLAGS -I$ssldir/include" | |
188 | if test "x$need_dash_r" = "x1" ; then | |
189 | - LIBS="$LIBS -R$ssldir" | |
190 | + LIBS="$LIBS -R$ssldir/lib" | |
191 | fi | |
192 | fi | |
193 | LIBS="$LIBS -lcrypto" | |
1d6750b7 | 194 | ----- snip:end ----- |
e8dbc159 | 195 |