Diffstat (limited to 'src/lib/libssl/README.OPENBSD')
| -rw-r--r-- | src/lib/libssl/README.OPENBSD | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/src/lib/libssl/README.OPENBSD b/src/lib/libssl/README.OPENBSD new file mode 100644 index 0000000000..7cc3d0d424 --- /dev/null +++ b/src/lib/libssl/README.OPENBSD | |||
| @@ -0,0 +1,66 @@ | |||
| 1 | |||
| 2 | This is an SSLeay-0.9.0b (the b means the PKCS#1 bug is fixed) tree. | ||
| 3 | |||
| 4 | It has the following modifcations made to it. | ||
| 5 | |||
| 6 | 0) util/perlpath.pl has been run to change perlpath to /usr/bin | ||
| 7 | util/ssldir.pl has been run to change the ssl dir to /usr/ssl | ||
| 8 | Null check added to crypto/err/err.c (mailed to Eric Young) | ||
| 9 | to avoid problems in error handling. Includes install into | ||
| 10 | /usr/include/ssl, certs and configs are expected to be in | ||
| 11 | /etc/ssl. | ||
| 12 | |||
| 13 | 1) Changes for openbsd compilation to have been made to | ||
| 14 | config and Configure (these have been sent to Eric Young) | ||
| 15 | |||
| 16 | NOTES: | ||
| 17 | |||
| 18 | Many tests will fail miserably, since most of them start | ||
| 19 | with SSL v2, which requires RSA, and of course, they barf. | ||
| 20 | idea tests will also fail. This is to be expected. Do | ||
| 21 | "make -k test" if you want to see the output and draw | ||
| 22 | your own conclusions. | ||
| 23 | |||
| 24 | Many parts of the utility programs may not work, although things | ||
| 25 | like client and server will provided you start them in a mode | ||
| 26 | that does not require RSA to operate. | ||
| 27 | |||
| 28 | Unlike an ssl library built to remove the offending routines | ||
| 29 | (which removes many of the things like SSL23init which many | ||
| 30 | packages like web servers use) this library does contain | ||
| 31 | stubs for everything. The patent bits will simply fail. The | ||
| 32 | idea is that this may be used as is for limited functionality, | ||
| 33 | or where possible replaced with a full function library. When | ||
| 34 | porting an app it is important to remember to try to use the | ||
| 35 | tls1 version of stuff first where possible. I.E. if you're | ||
| 36 | going to SSL-ize OpenBSD telnet, for example, call the tls1 init | ||
| 37 | functions *NOT* sslv2init or sslv23init, or you'll be dependent | ||
| 38 | on RSA and have a version that will only work with a full | ||
| 39 | function library. Use the tls versions and you'll work with | ||
| 40 | both - a good thing. | ||
| 41 | |||
| 42 | "crypto" and "ssl" are OpenBSD style build dirs for the | ||
| 43 | libraries of the same name. "ssleay" is the build dir for the | ||
| 44 | "ssleay" executable, used to control everything vagely ssleay | ||
| 45 | like, from testing to generating certificates, to playing | ||
| 46 | simple client server games. libraries expect to install headers | ||
| 47 | in "/usr/include/ssl", libraries in /usr/lib, ssleay in /usr/sbin | ||
| 48 | |||
| 49 | TODO: | ||
| 50 | SSLeay contains just no library docs, it's all use the | ||
| 51 | force, read the source. This should be fixed sometime. | ||
| 52 | |||
| 53 | DSS certificate generation is a black art. This | ||
| 54 | needs to be properly documented and a comprehensive procedure | ||
| 55 | written up, at least for how to generate a cert for | ||
| 56 | a host to be used by multiple servers. beck@ has talked | ||
| 57 | to Mark Shuttleworth of Thawte, and he has agreed that | ||
| 58 | if we can get DSS hosts certs up and running Thawte will | ||
| 59 | consider providing the service (for the usual fee of course) | ||
| 60 | of for-real signing of OpenBSD host certs for those who | ||
| 61 | want a real CA for things like telnet and ftp and the like. | ||
| 62 | |||
| 63 | Apps beyond ssleay need testing - apps that use exclusively old style | ||
| 64 | sslv2 or sslv2/3 need to be converted/modified where possible to | ||
| 65 | try the tls1 stuff, so that we can handle doing things without | ||
| 66 | RSA. | ||
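Review bot: The NOTES block (new lines 18-22) says many tests "will fail miserably" and that this "is to be expected", but it never lists which tests fail because of the RSA and IDEA stubs, so someone running "make -k test" cannot tell an expected failure from a real regression in a code path that is supposed to keep working. Suggest listing the tests expected to fail, or the ones expected to pass. Two smaller documentation points: item 0 says the ssl dir was changed to /usr/ssl (line 7) while lines 10-11 expect certs and configs in /etc/ssl, which should be reconciled or explained; and the porting advice on lines 34-40 refers to "SSL23init", "sslv2init", "sslv23init" and "the tls1 init functions" informally, where the exact exported names would save a porter from guessing which calls pull in the RSA dependency. Typos: "modifcations" (line 4), "vagely" (line 44).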
