summaryrefslogtreecommitdiff
path: root/lib/libssl/README.OPENBSD
blob: 7cc3d0d424a13880b1c89578be031a9107df128c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

	This is an SSLeay-0.9.0b (the b means the PKCS#1 bug is fixed) tree.
	
	It has the following modifcations made to it.

	0) util/perlpath.pl has been run to change perlpath to /usr/bin
	   util/ssldir.pl has been run to change the ssl dir to /usr/ssl
	   Null check added to crypto/err/err.c (mailed to Eric Young)
	   to avoid problems in error handling.  Includes install into
           /usr/include/ssl, certs and configs are expected to be in
           /etc/ssl.

	1) Changes for openbsd compilation to have been made to
	   config and Configure (these have been sent to Eric Young)

NOTES:

	Many tests will fail miserably, since most of them start
	with SSL v2, which requires RSA, and of course, they barf.
	idea tests will also fail. This is to be expected. Do
	"make -k test" if you want to see the output and draw
	your own conclusions.

	Many parts of the utility programs may not work, although things
	like client and server will provided you start them in a mode
	that does not require RSA to operate.

	Unlike an ssl library built to remove the offending routines
	(which removes many of the things like SSL23init which many
	packages like web servers use) this library does contain
	stubs for everything. The patent bits will simply fail. The
	idea is that this may be used as is for limited functionality,
	or where possible replaced with a full function library. When
	porting an app it is important to remember to try to use the
	tls1 version of stuff first where possible. I.E. if you're
	going to SSL-ize OpenBSD telnet, for example, call the tls1 init
	functions *NOT* sslv2init or sslv23init, or you'll be dependent
	on RSA and have a version that will only work with a full
	function library. Use the tls versions and you'll work with
	both - a good thing.

	"crypto" and "ssl" are OpenBSD style build dirs for the
	libraries of the same name. "ssleay" is the build dir for the
	"ssleay" executable, used to control everything vagely ssleay
	like, from testing to generating certificates, to playing
	simple client server games. libraries expect to install headers
	in "/usr/include/ssl", libraries in /usr/lib, ssleay in /usr/sbin

TODO:
	SSLeay contains just no library docs, it's all use the
	force, read the source. This should be fixed sometime.

	DSS certificate generation is a black art. This
	needs to be properly documented and a comprehensive procedure
	written up, at least for how to generate a cert for 
	a host to be used by multiple servers. beck@ has talked
	to Mark Shuttleworth of Thawte, and he has agreed that
	if we can get DSS hosts certs up and running Thawte will
	consider providing the service (for the usual fee of course)
	of for-real signing of OpenBSD host certs for those who
	want a real CA for things like telnet and ftp and the like.
	
	Apps beyond ssleay need testing - apps that use exclusively old style
	sslv2 or sslv2/3 need to be converted/modified where possible to
	try the tls1 stuff, so that we can handle doing things without
	RSA.