From 3fc228fb4c1a39aceaee3d7013365042a6077bd0 Mon Sep 17 00:00:00 2001 From: cvs2svn Date: Fri, 26 Mar 1999 18:24:03 +0000 Subject: This commit was manufactured by cvs2git to create branch 'OPENBSD_2_5'. --- src/lib/libssl/README.OPENBSD | 66 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 src/lib/libssl/README.OPENBSD (limited to 'src/lib/libssl/README.OPENBSD') diff --git a/src/lib/libssl/README.OPENBSD b/src/lib/libssl/README.OPENBSD new file mode 100644 index 0000000000..7cc3d0d424 --- /dev/null +++ b/src/lib/libssl/README.OPENBSD @@ -0,0 +1,66 @@ + + This is an SSLeay-0.9.0b (the b means the PKCS#1 bug is fixed) tree. + + It has the following modifcations made to it. + + 0) util/perlpath.pl has been run to change perlpath to /usr/bin + util/ssldir.pl has been run to change the ssl dir to /usr/ssl + Null check added to crypto/err/err.c (mailed to Eric Young) + to avoid problems in error handling. Includes install into + /usr/include/ssl, certs and configs are expected to be in + /etc/ssl. + + 1) Changes for openbsd compilation to have been made to + config and Configure (these have been sent to Eric Young) + +NOTES: + + Many tests will fail miserably, since most of them start + with SSL v2, which requires RSA, and of course, they barf. + idea tests will also fail. This is to be expected. Do + "make -k test" if you want to see the output and draw + your own conclusions. + + Many parts of the utility programs may not work, although things + like client and server will provided you start them in a mode + that does not require RSA to operate. + + Unlike an ssl library built to remove the offending routines + (which removes many of the things like SSL23init which many + packages like web servers use) this library does contain + stubs for everything. The patent bits will simply fail. The + idea is that this may be used as is for limited functionality, + or where possible replaced with a full function library. When + porting an app it is important to remember to try to use the + tls1 version of stuff first where possible. I.E. if you're + going to SSL-ize OpenBSD telnet, for example, call the tls1 init + functions *NOT* sslv2init or sslv23init, or you'll be dependent + on RSA and have a version that will only work with a full + function library. Use the tls versions and you'll work with + both - a good thing. + + "crypto" and "ssl" are OpenBSD style build dirs for the + libraries of the same name. "ssleay" is the build dir for the + "ssleay" executable, used to control everything vagely ssleay + like, from testing to generating certificates, to playing + simple client server games. libraries expect to install headers + in "/usr/include/ssl", libraries in /usr/lib, ssleay in /usr/sbin + +TODO: + SSLeay contains just no library docs, it's all use the + force, read the source. This should be fixed sometime. + + DSS certificate generation is a black art. This + needs to be properly documented and a comprehensive procedure + written up, at least for how to generate a cert for + a host to be used by multiple servers. beck@ has talked + to Mark Shuttleworth of Thawte, and he has agreed that + if we can get DSS hosts certs up and running Thawte will + consider providing the service (for the usual fee of course) + of for-real signing of OpenBSD host certs for those who + want a real CA for things like telnet and ftp and the like. + + Apps beyond ssleay need testing - apps that use exclusively old style + sslv2 or sslv2/3 need to be converted/modified where possible to + try the tls1 stuff, so that we can handle doing things without + RSA. -- cgit v1.2.3-55-g6feb