diff options
Diffstat (limited to 'crypto/openssl/FAQ')
-rw-r--r-- | crypto/openssl/FAQ | 70 |
1 files changed, 38 insertions, 32 deletions
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index 9d1b0bb..389d786 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.7 was released on December 31, 2002. +OpenSSL 0.9.7a was released on February 19, 2003. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -189,18 +189,30 @@ for permission to use their software with OpenSSL. Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness -device" that serves this purpose. On other systems, applications have -to call the RAND_add() or RAND_seed() function with appropriate data -before generating keys or performing public key encryption. -(These functions initialize the pseudo-random number generator, PRNG.) - -Some broken applications do not do this. As of version 0.9.5, the -OpenSSL functions that need randomness report an error if the random -number generator has not been seeded with at least 128 bits of -randomness. If this error occurs, please contact the author of the -application you are using. It is likely that it never worked -correctly. OpenSSL 0.9.5 and later make the error visible by refusing -to perform potentially insecure encryption. +device" (/dev/urandom or /dev/random) that serves this purpose. +All OpenSSL versions try to use /dev/urandom by default; starting with +version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not +available. + +On other systems, applications have to call the RAND_add() or +RAND_seed() function with appropriate data before generating keys or +performing public key encryption. (These functions initialize the +pseudo-random number generator, PRNG.) Some broken applications do +not do this. As of version 0.9.5, the OpenSSL functions that need +randomness report an error if the random number generator has not been +seeded with at least 128 bits of randomness. If this error occurs and +is not discussed in the documentation of the application you are +using, please contact the author of that application; it is likely +that it never worked correctly. OpenSSL 0.9.5 and later make the +error visible by refusing to perform potentially insecure encryption. + +If you are using Solaris 8, you can add /dev/urandom and /dev/random +devices by installing patch 112438 (Sparc) or 112439 (x86), which are +available via the Patchfinder at <URL: http://sunsolve.sun.com> +(Solaris 9 includes these devices by default). For /dev/random support +for earlier Solaris versions, see Sun's statement at +<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski> +(the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for @@ -233,18 +245,6 @@ OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested -installing the SUNski package from Sun patch 105710-01 (Sparc) which -adds a /dev/random device and make sure it gets used, usually through -$RANDFILE. There are probably similar patches for the other Solaris -versions. An official statement from Sun with respect to /dev/random -support can be found at - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski -However, be warned that /dev/random is usually a blocking device, which -may have some effects on OpenSSL. -A third party /dev/random solution for Solaris is available at - http://www.cosy.sbg.ac.at/~andi/ - * Why do I get an "unable to write 'random state'" error message? @@ -490,10 +490,13 @@ and then redo the compilation. What you should really do is make sure Sometimes, you may get reports from VC++ command line (cl) that it can't find standard include files like stdio.h and other weirdnesses. One possible cause is that the environment isn't correctly set up. -To solve that problem, one should run VCVARS32.BAT which is found in -the 'bin' subdirectory of the VC++ installation directory (somewhere -under 'Program Files'). This needs to be done prior to running NMAKE, -and the changes are only valid for the current DOS session. +To solve that problem for VC++ versions up to 6, one should run +VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++ +installation directory (somewhere under 'Program Files'). For VC++ +version 7 (and up?), which is also called VS.NET, the file is called +VSVARS32.BAT instead. +This needs to be done prior to running NMAKE, and the changes are only +valid for the current DOS session. * What is special about OpenSSL on Redhat? @@ -577,10 +580,13 @@ As of 0.9.7 assembler routines were overhauled for position independence of the machine code, which is essential for shared library support. For some reason OpenBSD is equipped with an out-of-date GNU assembler which finds the new code offensive. To work around the problem, configure with -no-asm (and sacrifice a great deal of performance) or upgrade /usr/bin/as. +no-asm (and sacrifice a great deal of performance) or patch your assembler +according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>. For your convenience a pre-compiled replacement binary is provided at -http://www.openssl.org/~appro/i386-openbsd3-as, which is compiled from -binutils-2.8 released in 1997. +<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>. +Reportedly elder *BSD a.out platforms also suffer from this problem and +remedy should be same. Provided binary is statically linked and should be +working across wider range of *BSD branches, not just OpenBSD. [PROG] ======================================================================== |