path: root/lib/libssl/README.OPENBSD
blob: 063259deb74f8cb442b7a97e4e64376b81c754ed (plain)

	This is based on OpenSSL 0.9.4.

	It has the following modifications made to it.

NOTES:

	Many tests will fail, since most of them start with SSLv2,
	which requires RSA, and the RSA routines in this build are
	stubs that simply fail. The IDEA tests will also fail. This
	is to be expected. Run "make -k test" if you want to see the
	output and draw your own conclusions.

	Many parts of the utility programs may not work, although things
	like the client and server will, provided you start them in a
	mode that does not require RSA to operate (i.e. TLSv1 with DSS
	certificates rather than RSA ones).

	Unlike an SSL library built with the offending routines removed
	(which also removes things like the SSL23 init functions that
	many packages such as web servers use), this library contains
	stubs for everything. The patented routines will simply fail.
	The idea is that this may be used as-is for limited functionality,
	or where possible replaced with a full-function library. When
	porting an app it is important to remember to try the TLSv1
	version of things first where possible. I.e. if you're going to
	SSL-ize OpenBSD telnet, for example, call the TLSv1 init
	functions, *NOT* the SSLv2 or SSLv23 init functions (SSLv23
	negotiation starts with an SSLv2 hello, which needs RSA), or
	you'll be dependent on RSA and have a version that will only
	work with a full-function library. Use the TLS versions and
	you'll work with both - a good thing.

	"crypto" and "ssl" are OpenBSD-style build dirs for the
	libraries of the same name. "ssleay" is the build dir for the
	"ssleay" executable, used to control everything vaguely SSLeay-
	like, from testing to generating certificates to playing
	simple client/server games. The libraries expect to install
	headers in /usr/include/ssl, libraries in /usr/lib, and ssleay
	in /usr/sbin.

TODO:
	SSLeay contains almost no library docs; it's all "use the
	force, read the source". This should be fixed sometime.

	DSS certificate generation is a black art. This needs to be
	properly documented and a comprehensive procedure written up,
	at least for how to generate a cert for a host to be used by
	multiple servers. beck@ has talked to Mark Shuttleworth of
	Thawte, who has agreed that if we can get DSS host certs up
	and running, Thawte will consider providing the service (for
	the usual fee, of course) of for-real signing of OpenBSD host
	certs for those who want a real CA for things like telnet and
	ftp and the like.

	Apps beyond ssleay need testing - apps that exclusively use the
	old-style SSLv2 or SSLv2/3 init functions need to be converted
	or modified where possible to try the TLSv1 functions, so that
	we can handle doing things without RSA.