diff options
author | Simon L. B. Nielsen <simon@FreeBSD.org> | 2008-09-21 14:56:30 +0000 |
---|---|---|
committer | Simon L. B. Nielsen <simon@FreeBSD.org> | 2008-09-21 14:56:30 +0000 |
commit | bb1499d2aac1d25a95b8573ff425751f06f159e1 (patch) | |
tree | a136b5b2317abe8eb83b021afe5e088230fd67e2 /FAQ | |
parent | ee266f1253f9cc49430572463d26f72910dfb49e (diff) | |
download | src-test2-bb1499d2aac1d25a95b8573ff425751f06f159e1.tar.gz src-test2-bb1499d2aac1d25a95b8573ff425751f06f159e1.zip |
Notes
Diffstat (limited to 'FAQ')
-rw-r--r-- | FAQ | 85 |
1 files changed, 76 insertions, 9 deletions
@@ -32,6 +32,8 @@ OpenSSL - Frequently Asked Questions * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? +* Why does OpenSSL set the authority key identifier extension incorrectly? +* How can I set up a bundle of commercial root CA certificates? [BUILD] Questions about building and testing OpenSSL @@ -66,6 +68,8 @@ OpenSSL - Frequently Asked Questions * Why doesn't my server application receive a client certificate? * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier? * I think I've detected a memory leak, is this a bug? +* Why does Valgrind complain about the use of uninitialized data? +* Why doesn't a memory BIO work when a file does? =============================================================================== @@ -74,7 +78,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.8e was released on February 23rd, 2007. +OpenSSL 0.9.8i was released on Sep 15th, 2008. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -401,10 +405,10 @@ You can't generally create such a certificate using OpenSSL but there is no need to any more. Nowadays web browsers using unrestricted strong encryption are generally available. -When there were tight export restrictions on the export of strong encryption +When there were tight restrictions on the export of strong encryption software from the US only weak encryption algorithms could be freely exported (initially 40 bit and then 56 bit). It was widely recognised that this was -inadequate. A relaxation the rules allowed the use of strong encryption but +inadequate. A relaxation of the rules allowed the use of strong encryption but only to an authorised server. Two slighly different techniques were developed to support this, one used by @@ -425,6 +429,39 @@ The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. +* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly? + +It doesn't: this extension is often the cause of confusion. + +Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose +certificate C contains AKID. + +The purpose of this extension is to identify the authority certificate B. This +can be done either by including the subject key identifier of B or its issuer +name and serial number. + +In this latter case because it is identifying certifcate B it must contain the +issuer name and serial number of B. + +It is often wrongly assumed that it should contain the subject name of B. If it +did this would be redundant information because it would duplicate the issuer +name of C. + + +* How can I set up a bundle of commercial root CA certificates? + +The OpenSSL software is shipped without any root CA certificate as the +OpenSSL project does not have any policy on including or excluding +any specific CA and does not intend to set up such a policy. Deciding +about which CAs to support is up to application developers or +administrators. + +Other projects do have other policies so you can for example extract the CA +bundle used by Mozilla and/or modssl as described in this article: + + http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? @@ -822,11 +859,11 @@ code itself (the hex digits after the second colon). * Why do I get errors about unknown algorithms? -This can happen under several circumstances such as reading in an -encrypted private key or attempting to decrypt a PKCS#12 file. The cause -is forgetting to load OpenSSL's table of algorithms with -OpenSSL_add_all_algorithms(). See the manual page for more information. - +The cause is forgetting to load OpenSSL's table of algorithms with +OpenSSL_add_all_algorithms(). See the manual page for more information. This +can cause several problems such as being unable to read in an encrypted +PEM file, unable to decrypt a PKCS#12 file or signature failure when +verifying certificates. * Why can't the OpenSSH configure script detect OpenSSL? @@ -894,5 +931,35 @@ thread-safe): ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data(). -=============================================================================== +* Why does Valgrind complain about the use of uninitialized data? + +When OpenSSL's PRNG routines are called to generate random numbers the supplied +buffer contents are mixed into the entropy pool: so it technically does not +matter whether the buffer is initialized at this point or not. Valgrind (and +other test tools) will complain about this. When using Valgrind, make sure the +OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY) +to get rid of these warnings. + + +* Why doesn't a memory BIO work when a file does? + +This can occur in several cases for example reading an S/MIME email message. +The reason is that a memory BIO can do one of two things when all the data +has been read from it. + +The default behaviour is to indicate that no more data is available and that +the call should be retried, this is to allow the application to fill up the BIO +again if necessary. +Alternatively it can indicate that no more data is available and that EOF has +been reached. + +If a memory BIO is to behave in the same way as a file this second behaviour +is needed. This must be done by calling: + + BIO_set_mem_eof_return(bio, 0); + +See the manual pages for more details. + + +=============================================================================== |