This is based on an OpenSSL-0.9.4 It has the following modifcations made to it. NOTES: Many tests will fail miserably, since most of them start with SSL v2, which requires RSA, and of course, they barf. idea tests will also fail. This is to be expected. Do "make -k test" if you want to see the output and draw your own conclusions. Many parts of the utility programs may not work, although things like client and server will provided you start them in a mode that does not require RSA to operate. Unlike an ssl library built to remove the offending routines (which removes many of the things like SSL23init which many packages like web servers use) this library does contain stubs for everything. The patent bits will simply fail. The idea is that this may be used as is for limited functionality, or where possible replaced with a full function library. When porting an app it is important to remember to try to use the tls1 version of stuff first where possible. I.E. if you're going to SSL-ize OpenBSD telnet, for example, call the tls1 init functions *NOT* sslv2init or sslv23init, or you'll be dependent on RSA and have a version that will only work with a full function library. Use the tls versions and you'll work with both - a good thing. "crypto" and "ssl" are OpenBSD style build dirs for the libraries of the same name. "ssleay" is the build dir for the "ssleay" executable, used to control everything vagely ssleay like, from testing to generating certificates, to playing simple client server games. libraries expect to install headers in "/usr/include/ssl", libraries in /usr/lib, ssleay in /usr/sbin TODO: SSLeay contains just no library docs, it's all use the force, read the source. This should be fixed sometime. DSS certificate generation is a black art. This needs to be properly documented and a comprehensive procedure written up, at least for how to generate a cert for a host to be used by multiple servers. beck@ has talked to Mark Shuttleworth of Thawte, and he has agreed that if we can get DSS hosts certs up and running Thawte will consider providing the service (for the usual fee of course) of for-real signing of OpenBSD host certs for those who want a real CA for things like telnet and ftp and the like. Apps beyond ssleay need testing - apps that use exclusively old style sslv2 or sslv2/3 need to be converted/modified where possible to try the tls1 stuff, so that we can handle doing things without RSA.