Added Cyg-Win
This commit is contained in:
parent
82cbc206eb
commit
413c315806
10586 changed files with 3806249 additions and 0 deletions
7
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/MS
Normal file
7
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/MS
Normal file
|
|
@ -0,0 +1,7 @@
|
|||
If you use the function that does an fopen inside the DLL, it's malloc
|
||||
will be used and when the function is then written inside, more
|
||||
hassles
|
||||
....
|
||||
|
||||
|
||||
think about it.
|
||||
49
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/SSLv3
Normal file
49
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/SSLv3
Normal file
|
|
@ -0,0 +1,49 @@
|
|||
So far...
|
||||
|
||||
ssl3.netscape.com:443 does not support client side dynamic
|
||||
session-renegotiation.
|
||||
|
||||
ssl3.netscape.com:444 (asks for client cert) sends out all the CA RDN
|
||||
in an invalid format (the outer sequence is removed).
|
||||
|
||||
Netscape-Commerce/1.12, when talking SSLv2, accepts a 32 byte
|
||||
challenge but then appears to only use 16 bytes when generating the
|
||||
encryption keys. Using 16 bytes is ok but it should be ok to use 32.
|
||||
According to the SSLv3 spec, one should use 32 bytes for the challenge
|
||||
when opperating in SSLv2/v3 compatablity mode, but as mentioned above,
|
||||
this breaks this server so 16 bytes is the way to go.
|
||||
|
||||
www.microsoft.com - when talking SSLv2, if session-id reuse is
|
||||
performed, the session-id passed back in the server-finished message
|
||||
is different from the one decided upon.
|
||||
|
||||
ssl3.netscape.com:443, first a connection is established with RC4-MD5.
|
||||
If it is then resumed, we end up using DES-CBC3-SHA. It should be
|
||||
RC4-MD5 according to 7.6.1.3, 'cipher_suite'.
|
||||
Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug.
|
||||
It only really shows up when connecting via SSLv2/v3 then reconnecting
|
||||
via SSLv3. The cipher list changes....
|
||||
NEW INFORMATION. Try connecting with a cipher list of just
|
||||
DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses
|
||||
RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when
|
||||
doing a re-connect, always takes the first cipher in the cipher list.
|
||||
|
||||
If we accept a netscape connection, demand a client cert, have a
|
||||
non-self-signed CA which does not have it's CA in netscape, and the
|
||||
browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
|
||||
|
||||
Netscape browsers do not really notice the server sending a
|
||||
close notify message. I was sending one, and then some invalid data.
|
||||
netscape complained of an invalid mac. (a fork()ed child doing a
|
||||
SSL_shutdown() and still sharing the socket with its parent).
|
||||
|
||||
Netscape, when using export ciphers, will accept a 1024 bit temporary
|
||||
RSA key. It is supposed to only accept 512.
|
||||
|
||||
If Netscape connects to a server which requests a client certificate
|
||||
it will frequently hang after the user has selected one and never
|
||||
complete the connection. Hitting "Stop" and reload fixes this and
|
||||
all subsequent connections work fine. This appears to be because
|
||||
Netscape wont read any new records in when it is awaiting a server
|
||||
done message at this point. The fix is to send the certificate request
|
||||
and server done messages in one record.
|
||||
92
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/alpha.c
Normal file
92
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/alpha.c
Normal file
|
|
@ -0,0 +1,92 @@
|
|||
/* bugs/alpha.c */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* "This product includes cryptographic software written by
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
/*
|
||||
* while not exactly a bug (ASN1 C leaves this undefined) it is something to
|
||||
* watch out for. This was fine on linux/NT/Solaris but not Alpha
|
||||
*/
|
||||
|
||||
/*-
|
||||
* it is basically an example of
|
||||
* func(*(a++),*(a++))
|
||||
* which parameter is evaluated first? It is not defined in ASN1 C.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#define TYPE unsigned int
|
||||
|
||||
void func(a, b)
|
||||
TYPE *a;
|
||||
TYPE b;
|
||||
{
|
||||
printf("%ld -1 == %ld\n", a[0], b);
|
||||
}
|
||||
|
||||
main()
|
||||
{
|
||||
TYPE data[5] = { 1L, 2L, 3L, 4L, 5L };
|
||||
TYPE *p;
|
||||
int i;
|
||||
|
||||
p = data;
|
||||
|
||||
for (i = 0; i < 4; i++) {
|
||||
func(p, *(p++));
|
||||
}
|
||||
}
|
||||
45
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/dggccbug.c
Normal file
45
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/dggccbug.c
Normal file
|
|
@ -0,0 +1,45 @@
|
|||
/* NOCW */
|
||||
/* dggccbug.c */
|
||||
/* bug found by Eric Young (eay@cryptsoft.com) - May 1995 */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
/*
|
||||
* There is a bug in gcc version 2.5.8 (88open OCS/BCS, DG-2.5.8.3, Oct 14
|
||||
* 1994) as shipped with DGUX 5.4R3.10 that can be bypassed by defining
|
||||
* DG_GCC_BUG in my code. The bug manifests itself by the vaule of a pointer
|
||||
* that is used only by reference, not having it's value change when it is
|
||||
* used to check for exiting the loop. Probably caused by there being 2
|
||||
* copies of the valiable, one in a register and one being an address that is
|
||||
* passed.
|
||||
*/
|
||||
|
||||
/*-
|
||||
* compare the out put from
|
||||
* gcc dggccbug.c; ./a.out
|
||||
* and
|
||||
* gcc -O dggccbug.c; ./a.out
|
||||
* compile with -DFIXBUG to remove the bug when optimising.
|
||||
*/
|
||||
|
||||
void inc(a)
|
||||
int *a;
|
||||
{
|
||||
(*a)++;
|
||||
}
|
||||
|
||||
main()
|
||||
{
|
||||
int p = 0;
|
||||
#ifdef FIXBUG
|
||||
int dummy;
|
||||
#endif
|
||||
|
||||
while (p < 3) {
|
||||
fprintf(stderr, "%08X\n", p);
|
||||
inc(&p);
|
||||
#ifdef FIXBUG
|
||||
dummy += p;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
60
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/sgiccbug.c
Normal file
60
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/sgiccbug.c
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
/* NOCW */
|
||||
/* sgibug.c */
|
||||
/* bug found by Eric Young (eay@mincom.oz.au) May 95 */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
/*
|
||||
* This compiler bug it present on IRIX 5.3, 5.1 and 4.0.5 (these are the
|
||||
* only versions of IRIX I have access to. defining FIXBUG removes the bug.
|
||||
* (bug is still present in IRIX 6.3 according to Gage
|
||||
* <agage@forgetmenot.Mines.EDU>
|
||||
*/
|
||||
|
||||
/*-
|
||||
* Compare the output from
|
||||
* cc sgiccbug.c; ./a.out
|
||||
* and
|
||||
* cc -O sgiccbug.c; ./a.out
|
||||
*/
|
||||
|
||||
static unsigned long a[4] =
|
||||
{ 0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210 };
|
||||
static unsigned long b[4] =
|
||||
{ 0x89ABCDEF, 0xFEDCBA98, 0x76543210, 0x01234567 };
|
||||
static unsigned long c[4] =
|
||||
{ 0x77777778, 0x8ACF1357, 0x88888888, 0x7530ECA9 };
|
||||
|
||||
main()
|
||||
{
|
||||
unsigned long r[4];
|
||||
sub(r, a, b);
|
||||
fprintf(stderr, "input a= %08X %08X %08X %08X\n", a[3], a[2], a[1], a[0]);
|
||||
fprintf(stderr, "input b= %08X %08X %08X %08X\n", b[3], b[2], b[1], b[0]);
|
||||
fprintf(stderr, "output = %08X %08X %08X %08X\n", r[3], r[2], r[1], r[0]);
|
||||
fprintf(stderr, "correct= %08X %08X %08X %08X\n", c[3], c[2], c[1], c[0]);
|
||||
}
|
||||
|
||||
int sub(r, a, b)
|
||||
unsigned long *r, *a, *b;
|
||||
{
|
||||
register unsigned long t1, t2, *ap, *bp, *rp;
|
||||
int i, carry;
|
||||
#ifdef FIXBUG
|
||||
unsigned long dummy;
|
||||
#endif
|
||||
|
||||
ap = a;
|
||||
bp = b;
|
||||
rp = r;
|
||||
carry = 0;
|
||||
for (i = 0; i < 4; i++) {
|
||||
t1 = *(ap++);
|
||||
t2 = *(bp++);
|
||||
t1 = (t1 - t2);
|
||||
#ifdef FIXBUG
|
||||
dummy = t1;
|
||||
#endif
|
||||
*(rp++) = t1 & 0xffffffff;
|
||||
}
|
||||
}
|
||||
26
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/sslref.dif
Normal file
26
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/sslref.dif
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
The February 9th, 1995 version of the SSL document differs from
|
||||
https://www.netscape.com in the following ways.
|
||||
=====
|
||||
The key material for generating a SSL_CK_DES_64_CBC_WITH_MD5 key is
|
||||
KEY-MATERIAL-0 = MD5[MASTER-KEY,"0",CHALLENGE,CONNECTION-ID]
|
||||
not
|
||||
KEY-MATERIAL-0 = MD5[MASTER-KEY,CHALLENGE,CONNECTION-ID]
|
||||
as specified in the documentation.
|
||||
=====
|
||||
From the section 2.6 Server Only Protocol Messages
|
||||
|
||||
If the SESSION-ID-HIT flag is non-zero then the CERTIFICATE-TYPE,
|
||||
CERTIFICATE-LENGTH and CIPHER-SPECS-LENGTH fields will be zero.
|
||||
|
||||
This is not true for https://www.netscape.com. The CERTIFICATE-TYPE
|
||||
is returned as 1.
|
||||
=====
|
||||
I have not tested the following but it is reported by holtzman@mit.edu.
|
||||
|
||||
SSLref clients wait to recieve a server-verify before they send a
|
||||
client-finished. Besides this not being evident from the examples in
|
||||
2.2.1, it makes more sense to always send all packets you can before
|
||||
reading. SSLeay was waiting in the server to recieve a client-finish
|
||||
before sending the server-verify :-). I have changed SSLeay to send a
|
||||
server-verify before trying to read the client-finished.
|
||||
|
||||
132
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/stream.c
Normal file
132
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/stream.c
Normal file
|
|
@ -0,0 +1,132 @@
|
|||
/* bugs/stream.c */
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* "This product includes cryptographic software written by
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <openssl/rc4.h>
|
||||
#ifdef OPENSSL_NO_DES
|
||||
# include <des.h>
|
||||
#else
|
||||
# include <openssl/des.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* show how stream ciphers are not very good. The mac has no affect on RC4
|
||||
* while it does for cfb DES
|
||||
*/
|
||||
|
||||
main()
|
||||
{
|
||||
fprintf(stderr, "rc4\n");
|
||||
rc4();
|
||||
fprintf(stderr, "cfb des\n");
|
||||
des();
|
||||
}
|
||||
|
||||
int des()
|
||||
{
|
||||
des_key_schedule ks;
|
||||
des_cblock iv, key;
|
||||
int num;
|
||||
static char *keystr = "01234567";
|
||||
static char *in1 = "0123456789ABCEDFdata 12345";
|
||||
static char *in2 = "9876543210abcdefdata 12345";
|
||||
unsigned char out[100];
|
||||
int i;
|
||||
|
||||
des_set_key((des_cblock *)keystr, ks);
|
||||
|
||||
num = 0;
|
||||
memset(iv, 0, 8);
|
||||
des_cfb64_encrypt(in1, out, 26, ks, (des_cblock *)iv, &num, 1);
|
||||
for (i = 0; i < 26; i++)
|
||||
fprintf(stderr, "%02X ", out[i]);
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
num = 0;
|
||||
memset(iv, 0, 8);
|
||||
des_cfb64_encrypt(in2, out, 26, ks, (des_cblock *)iv, &num, 1);
|
||||
for (i = 0; i < 26; i++)
|
||||
fprintf(stderr, "%02X ", out[i]);
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
|
||||
int rc4()
|
||||
{
|
||||
static char *keystr = "0123456789abcdef";
|
||||
RC4_KEY key;
|
||||
unsigned char in[100], out[100];
|
||||
int i;
|
||||
|
||||
RC4_set_key(&key, 16, keystr);
|
||||
in[0] = '\0';
|
||||
strcpy(in, "0123456789ABCEDFdata 12345");
|
||||
RC4(key, 26, in, out);
|
||||
|
||||
for (i = 0; i < 26; i++)
|
||||
fprintf(stderr, "%02X ", out[i]);
|
||||
fprintf(stderr, "\n");
|
||||
|
||||
RC4_set_key(&key, 16, keystr);
|
||||
in[0] = '\0';
|
||||
strcpy(in, "9876543210abcdefdata 12345");
|
||||
RC4(key, 26, in, out);
|
||||
|
||||
for (i = 0; i < 26; i++)
|
||||
fprintf(stderr, "%02X ", out[i]);
|
||||
fprintf(stderr, "\n");
|
||||
}
|
||||
44
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/ultrixcc.c
Normal file
44
Agent-Windows/OGP64/usr/share/doc/openssl10/BUGS/ultrixcc.c
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
#include <stdio.h>
|
||||
|
||||
/*-
|
||||
* This is a cc optimiser bug for ultrix 4.3, mips CPU.
|
||||
* What happens is that the compiler, due to the (a)&7,
|
||||
* does
|
||||
* i=a&7;
|
||||
* i--;
|
||||
* i*=4;
|
||||
* Then uses i as the offset into a jump table.
|
||||
* The problem is that a value of 0 generates an offset of
|
||||
* 0xfffffffc.
|
||||
*/
|
||||
|
||||
main()
|
||||
{
|
||||
f(5);
|
||||
f(0);
|
||||
}
|
||||
|
||||
int f(a)
|
||||
int a;
|
||||
{
|
||||
switch (a & 7) {
|
||||
case 7:
|
||||
printf("7\n");
|
||||
case 6:
|
||||
printf("6\n");
|
||||
case 5:
|
||||
printf("5\n");
|
||||
case 4:
|
||||
printf("4\n");
|
||||
case 3:
|
||||
printf("3\n");
|
||||
case 2:
|
||||
printf("2\n");
|
||||
case 1:
|
||||
printf("1\n");
|
||||
#ifdef FIX_BUG
|
||||
case 0:
|
||||
;
|
||||
#endif
|
||||
}
|
||||
}
|
||||
11739
Agent-Windows/OGP64/usr/share/doc/openssl10/CHANGES
Normal file
11739
Agent-Windows/OGP64/usr/share/doc/openssl10/CHANGES
Normal file
File diff suppressed because it is too large
Load diff
968
Agent-Windows/OGP64/usr/share/doc/openssl10/CHANGES.SSLeay
Normal file
968
Agent-Windows/OGP64/usr/share/doc/openssl10/CHANGES.SSLeay
Normal file
|
|
@ -0,0 +1,968 @@
|
|||
This file contains the changes for the SSLeay library up to version
|
||||
0.9.0b. For later changes, see the file "CHANGES".
|
||||
|
||||
SSLeay CHANGES
|
||||
______________
|
||||
|
||||
Changes between 0.8.x and 0.9.0b
|
||||
|
||||
10-Apr-1998
|
||||
|
||||
I said the next version would go out at easter, and so it shall.
|
||||
I expect a 0.9.1 will follow with portability fixes in the next few weeks.
|
||||
|
||||
This is a quick, meet the deadline. Look to ssl-users for comments on what
|
||||
is new etc.
|
||||
|
||||
eric (about to go bushwalking for the 4 day easter break :-)
|
||||
|
||||
16-Mar-98
|
||||
- Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
|
||||
- Lots and lots of changes
|
||||
|
||||
29-Jan-98
|
||||
- ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
|
||||
Goetz Babin-Ebell <babinebell@trustcenter.de>.
|
||||
- SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
|
||||
TLS1_VERSION.
|
||||
|
||||
7-Jan-98
|
||||
- Finally reworked the cipher string to ciphers again, so it
|
||||
works correctly
|
||||
- All the app_data stuff is now ex_data with funcion calls to access.
|
||||
The index is supplied by a function and 'methods' can be setup
|
||||
for the types that are called on XXX_new/XXX_free. This lets
|
||||
applications get notified on creation and destruction. Some of
|
||||
the RSA methods could be implemented this way and I may do so.
|
||||
- Oh yes, SSL under perl5 is working at the basic level.
|
||||
|
||||
15-Dec-97
|
||||
- Warning - the gethostbyname cache is not fully thread safe,
|
||||
but it should work well enough.
|
||||
- Major internal reworking of the app_data stuff. More functions
|
||||
but if you were accessing ->app_data directly, things will
|
||||
stop working.
|
||||
- The perlv5 stuff is working. Currently on message digests,
|
||||
ciphers and the bignum library.
|
||||
|
||||
9-Dec-97
|
||||
- Modified re-negotiation so that server initated re-neg
|
||||
will cause a SSL_read() to return -1 should retry.
|
||||
The danger otherwise was that the server and the
|
||||
client could end up both trying to read when using non-blocking
|
||||
sockets.
|
||||
|
||||
4-Dec-97
|
||||
- Lots of small changes
|
||||
- Fix for binaray mode in Windows for the FILE BIO, thanks to
|
||||
Bob Denny <rdenny@dc3.com>
|
||||
|
||||
17-Nov-97
|
||||
- Quite a few internal cleanups, (removal of errno, and using macros
|
||||
defined in e_os.h).
|
||||
- A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
|
||||
the automactic naming out output files was being stuffed up.
|
||||
|
||||
29-Oct-97
|
||||
- The Cast5 cipher has been added. MD5 and SHA-1 are now in assember
|
||||
for x86.
|
||||
|
||||
21-Oct-97
|
||||
- Fixed a bug in the BIO_gethostbyname() cache.
|
||||
|
||||
15-Oct-97
|
||||
- cbc mode for blowfish/des/3des is now in assember. Blowfish asm
|
||||
has also been improved. At this point in time, on the pentium,
|
||||
md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
|
||||
des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
|
||||
is %62 faster.
|
||||
|
||||
12-Oct-97
|
||||
- MEM_BUF_grow() has been fixed so that it always sets the buf->length
|
||||
to the value we are 'growing' to. Think of MEM_BUF_grow() as the
|
||||
way to set the length value correctly.
|
||||
|
||||
10-Oct-97
|
||||
- I now hash for certificate lookup on the raw DER encoded RDN (md5).
|
||||
This breaks things again :-(. This is efficent since I cache
|
||||
the DER encoding of the RDN.
|
||||
- The text DN now puts in the numeric OID instead of UNKNOWN.
|
||||
- req can now process arbitary OIDs in the config file.
|
||||
- I've been implementing md5 in x86 asm, much faster :-).
|
||||
- Started sha1 in x86 asm, needs more work.
|
||||
- Quite a few speedups in the BN stuff. RSA public operation
|
||||
has been made faster by caching the BN_MONT_CTX structure.
|
||||
The calulating of the Ai where A*Ai === 1 mod m was rather
|
||||
expensive. Basically a 40-50% speedup on public operations.
|
||||
The RSA speedup is now 15% on pentiums and %20 on pentium
|
||||
pro.
|
||||
|
||||
30-Sep-97
|
||||
- After doing some profiling, I added x86 adm for bn_add_words(),
|
||||
which just adds 2 arrays of longs together. A %10 speedup
|
||||
for 512 and 1024 bit RSA on the pentium pro.
|
||||
|
||||
29-Sep-97
|
||||
- Converted the x86 bignum assembler to us the perl scripts
|
||||
for generation.
|
||||
|
||||
23-Sep-97
|
||||
- If SSL_set_session() is passed a NULL session, it now clears the
|
||||
current session-id.
|
||||
|
||||
22-Sep-97
|
||||
- Added a '-ss_cert file' to apps/ca.c. This will sign selfsigned
|
||||
certificates.
|
||||
- Bug in crypto/evp/encode.c where by decoding of 65 base64
|
||||
encoded lines, one line at a time (via a memory BIO) would report
|
||||
EOF after the first line was decoded.
|
||||
- Fix in X509_find_by_issuer_and_serial() from
|
||||
Dr Stephen Henson <shenson@bigfoot.com>
|
||||
|
||||
19-Sep-97
|
||||
- NO_FP_API and NO_STDIO added.
|
||||
- Put in sh config command. It auto runs Configure with the correct
|
||||
parameters.
|
||||
|
||||
18-Sep-97
|
||||
- Fix x509.c so if a DSA cert has different parameters to its parent,
|
||||
they are left in place. Not tested yet.
|
||||
|
||||
16-Sep-97
|
||||
- ssl_create_cipher_list() had some bugs, fixes from
|
||||
Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
|
||||
- Fixed a bug in the Base64 BIO, where it would return 1 instead
|
||||
of -1 when end of input was encountered but should retry.
|
||||
Basically a Base64/Memory BIO interaction problem.
|
||||
- Added a HMAC set of functions in preporarion for TLS work.
|
||||
|
||||
15-Sep-97
|
||||
- Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
|
||||
- Prime generation spead up %25 (512 bit prime, pentium pro linux)
|
||||
by using montgomery multiplication in the prime number test.
|
||||
|
||||
11-Sep-97
|
||||
- Ugly bug in ssl3_write_bytes(). Basically if application land
|
||||
does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
|
||||
did not check the size and tried to copy the entire buffer.
|
||||
This would tend to cause memory overwrites since SSLv3 has
|
||||
a maximum packet size of 16k. If your program uses
|
||||
buffers <= 16k, you would probably never see this problem.
|
||||
- Fixed a few errors that were cause by malloc() not returning
|
||||
0 initialised memory..
|
||||
- SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
|
||||
SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
|
||||
since this flags stops SSLeay being able to handle client
|
||||
cert requests correctly.
|
||||
|
||||
08-Sep-97
|
||||
- SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added. When switched
|
||||
on, the SSL server routines will not use a SSL_SESSION that is
|
||||
held in it's cache. This in intended to be used with the session-id
|
||||
callbacks so that while the session-ids are still stored in the
|
||||
cache, the decision to use them and how to look them up can be
|
||||
done by the callbacks. The are the 'new', 'get' and 'remove'
|
||||
callbacks. This can be used to determine the session-id
|
||||
to use depending on information like which port/host the connection
|
||||
is coming from. Since the are also SSL_SESSION_set_app_data() and
|
||||
SSL_SESSION_get_app_data() functions, the application can hold
|
||||
information against the session-id as well.
|
||||
|
||||
03-Sep-97
|
||||
- Added lookup of CRLs to the by_dir method,
|
||||
X509_load_crl_file() also added. Basically it means you can
|
||||
lookup CRLs via the same system used to lookup certificates.
|
||||
- Changed things so that the X509_NAME structure can contain
|
||||
ASN.1 BIT_STRINGS which is required for the unique
|
||||
identifier OID.
|
||||
- Fixed some problems with the auto flushing of the session-id
|
||||
cache. It was not occuring on the server side.
|
||||
|
||||
02-Sep-97
|
||||
- Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
|
||||
which is the maximum number of entries allowed in the
|
||||
session-id cache. This is enforced with a simple FIFO list.
|
||||
The default size is 20*1024 entries which is rather large :-).
|
||||
The Timeout code is still always operating.
|
||||
|
||||
01-Sep-97
|
||||
- Added an argument to all the 'generate private key/prime`
|
||||
callbacks. It is the last parameter so this should not
|
||||
break existing code but it is needed for C++.
|
||||
- Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
|
||||
BIO. This lets the BIO read and write base64 encoded data
|
||||
without inserting or looking for '\n' characters. The '-A'
|
||||
flag turns this on when using apps/enc.c.
|
||||
- RSA_NO_PADDING added to help BSAFE functionality. This is a
|
||||
very dangerous thing to use, since RSA private key
|
||||
operations without random padding bytes (as PKCS#1 adds) can
|
||||
be attacked such that the private key can be revealed.
|
||||
- ASN.1 bug and rc2-40-cbc and rc4-40 added by
|
||||
Dr Stephen Henson <shenson@bigfoot.com>
|
||||
|
||||
31-Aug-97 (stuff added while I was away)
|
||||
- Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
|
||||
- RSA_flags() added allowing bypass of pub/priv match check
|
||||
in ssl/ssl_rsa.c - Tim Hudson.
|
||||
- A few minor bugs.
|
||||
|
||||
SSLeay 0.8.1 released.
|
||||
|
||||
19-Jul-97
|
||||
- Server side initated dynamic renegotiation is broken. I will fix
|
||||
it when I get back from holidays.
|
||||
|
||||
15-Jul-97
|
||||
- Quite a few small changes.
|
||||
- INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
|
||||
|
||||
09-Jul-97
|
||||
- Added 2 new values to the SSL info callback.
|
||||
SSL_CB_START which is passed when the SSL protocol is started
|
||||
and SSL_CB_DONE when it has finished sucsessfully.
|
||||
|
||||
08-Jul-97
|
||||
- Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
|
||||
that related to DSA public/private keys.
|
||||
- Added all the relevent PEM and normal IO functions to support
|
||||
reading and writing RSAPublic keys.
|
||||
- Changed makefiles to use ${AR} instead of 'ar r'
|
||||
|
||||
07-Jul-97
|
||||
- Error in ERR_remove_state() that would leave a dangling reference
|
||||
to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
|
||||
- s_client now prints the X509_NAMEs passed from the server
|
||||
when requesting a client cert.
|
||||
- Added a ssl->type, which is one of SSL_ST_CONNECT or
|
||||
SSL_ST_ACCEPT. I had to add it so I could tell if I was
|
||||
a connect or an accept after the handshake had finished.
|
||||
- SSL_get_client_CA_list(SSL *s) now returns the CA names
|
||||
passed by the server if called by a client side SSL.
|
||||
|
||||
05-Jul-97
|
||||
- Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
|
||||
0, not -1 :-( Fix from Tim Hudson (tjh@cryptsoft.com).
|
||||
|
||||
04-Jul-97
|
||||
- Fixed some things in X509_NAME_add_entry(), thanks to
|
||||
Matthew Donald <matthew@world.net>.
|
||||
- I had a look at the cipher section and though that it was a
|
||||
bit confused, so I've changed it.
|
||||
- I was not setting up the RC4-64-MD5 cipher correctly. It is
|
||||
a MS special that appears in exported MS Money.
|
||||
- Error in all my DH ciphers. Section 7.6.7.3 of the SSLv3
|
||||
spec. I was missing the two byte length header for the
|
||||
ClientDiffieHellmanPublic value. This is a packet sent from
|
||||
the client to the server. The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
|
||||
option will enable SSLeay server side SSLv3 accept either
|
||||
the correct or my 080 packet format.
|
||||
- Fixed a few typos in crypto/pem.org.
|
||||
|
||||
02-Jul-97
|
||||
- Alias mapping for EVP_get_(digest|cipher)byname is now
|
||||
performed before a lookup for actual cipher. This means
|
||||
that an alias can be used to 're-direct' a cipher or a
|
||||
digest.
|
||||
- ASN1_read_bio() had a bug that only showed up when using a
|
||||
memory BIO. When EOF is reached in the memory BIO, it is
|
||||
reported as a -1 with BIO_should_retry() set to true.
|
||||
|
||||
01-Jul-97
|
||||
- Fixed an error in X509_verify_cert() caused by my
|
||||
miss-understanding how 'do { contine } while(0);' works.
|
||||
Thanks to Emil Sit <sit@mit.edu> for educating me :-)
|
||||
|
||||
30-Jun-97
|
||||
- Base64 decoding error. If the last data line did not end with
|
||||
a '=', sometimes extra data would be returned.
|
||||
- Another 'cut and paste' bug in x509.c related to setting up the
|
||||
STDout BIO.
|
||||
|
||||
27-Jun-97
|
||||
- apps/ciphers.c was not printing due to an editing error.
|
||||
- Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
|
||||
a library build error in util/mk1mf.pl
|
||||
|
||||
26-Jun-97
|
||||
- Still did not have the auto 'experimental' code removal
|
||||
script correct.
|
||||
- A few header tweaks for Watcom 11.0 under Win32 from
|
||||
Rolf Lindemann <Lindemann@maz-hh.de>
|
||||
- 0 length OCTET_STRING bug in asn1_parse
|
||||
- A minor fix with an non-existent function in the MS .def files.
|
||||
- A few changes to the PKCS7 stuff.
|
||||
|
||||
25-Jun-97
|
||||
SSLeay 0.8.0 finally it gets released.
|
||||
|
||||
24-Jun-97
|
||||
Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
|
||||
use a temporary RSA key. This is experimental and needs some more work.
|
||||
Fixed a few Win16 build problems.
|
||||
|
||||
23-Jun-97
|
||||
SSLv3 bug. I was not doing the 'lookup' of the CERT structure
|
||||
correctly. I was taking the SSL->ctx->default_cert when I should
|
||||
have been using SSL->cert. The bug was in ssl/s3_srvr.c
|
||||
|
||||
20-Jun-97
|
||||
X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
|
||||
rest of the library. Even though I had the code required to do
|
||||
it correctly, apps/req.c was doing the wrong thing. I have fixed
|
||||
and tested everything.
|
||||
|
||||
Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
|
||||
|
||||
19-Jun-97
|
||||
Fixed a bug in the SSLv2 server side first packet handling. When
|
||||
using the non-blocking test BIO, the ssl->s2->first_packet flag
|
||||
was being reset when a would-block failure occurred when reading
|
||||
the first 5 bytes of the first packet. This caused the checking
|
||||
logic to run at the wrong time and cause an error.
|
||||
|
||||
Fixed a problem with specifying cipher. If RC4-MD5 were used,
|
||||
only the SSLv3 version would be picked up. Now this will pick
|
||||
up both SSLv2 and SSLv3 versions. This required changing the
|
||||
SSL_CIPHER->mask values so that they only mask the ciphers,
|
||||
digests, authentication, export type and key-exchange algorithms.
|
||||
|
||||
I found that when a SSLv23 session is established, a reused
|
||||
session, of type SSLv3 was attempting to write the SSLv2
|
||||
ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char
|
||||
method has been modified so it will only write out cipher which
|
||||
that method knows about.
|
||||
|
||||
|
||||
Changes between 0.8.0 and 0.8.1
|
||||
|
||||
*) Mostly bug fixes.
|
||||
There is an Ephemeral DH cipher problem which is fixed.
|
||||
|
||||
SSLeay 0.8.0
|
||||
|
||||
This version of SSLeay has quite a lot of things different from the
|
||||
previous version.
|
||||
|
||||
Basically check all callback parameters, I will be producing documentation
|
||||
about how to use things in th future. Currently I'm just getting 080 out
|
||||
the door. Please not that there are several ways to do everything, and
|
||||
most of the applications in the apps directory are hybrids, some using old
|
||||
methods and some using new methods.
|
||||
|
||||
Have a look in demos/bio for some very simple programs and
|
||||
apps/s_client.c and apps/s_server.c for some more advanced versions.
|
||||
Notes are definitly needed but they are a week or so away.
|
||||
|
||||
Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
|
||||
---
|
||||
Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
|
||||
get those people that want to move to using the new code base off to
|
||||
a quick start.
|
||||
|
||||
Note that Eric has tidied up a lot of the areas of the API that were
|
||||
less than desirable and renamed quite a few things (as he had to break
|
||||
the API in lots of places anyrate). There are a whole pile of additional
|
||||
functions for making dealing with (and creating) certificates a lot
|
||||
cleaner.
|
||||
|
||||
01-Jul-97
|
||||
Tim Hudson
|
||||
tjh@cryptsoft.com
|
||||
|
||||
---8<---
|
||||
|
||||
To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
|
||||
use something like the following (assuming you #include "crypto.h" which
|
||||
is something that you really should be doing).
|
||||
|
||||
#if SSLEAY_VERSION_NUMBER >= 0x0800
|
||||
#define SSLEAY8
|
||||
#endif
|
||||
|
||||
buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
|
||||
too if you are working with BIO internal stuff (as distinct
|
||||
from simply using the interface in an opaque manner)
|
||||
|
||||
#include "bio.h" - required along with "buffer.h" if you write
|
||||
your own BIO routines as the buffer and bio
|
||||
stuff that was intermixed has been separated
|
||||
out
|
||||
|
||||
envelope.h -> evp.h (which should have been done ages ago)
|
||||
|
||||
Initialisation ... don't forget these or you end up with code that
|
||||
is missing the bits required to do useful things (like ciphers):
|
||||
|
||||
SSLeay_add_ssl_algorithms()
|
||||
(probably also want SSL_load_error_strings() too but you should have
|
||||
already had that call in place)
|
||||
|
||||
SSL_CTX_new() - requires an extra method parameter
|
||||
SSL_CTX_new(SSLv23_method())
|
||||
SSL_CTX_new(SSLv2_method())
|
||||
SSL_CTX_new(SSLv3_method())
|
||||
|
||||
OR to only have the server or the client code
|
||||
SSL_CTX_new(SSLv23_server_method())
|
||||
SSL_CTX_new(SSLv2_server_method())
|
||||
SSL_CTX_new(SSLv3_server_method())
|
||||
or
|
||||
SSL_CTX_new(SSLv23_client_method())
|
||||
SSL_CTX_new(SSLv2_client_method())
|
||||
SSL_CTX_new(SSLv3_client_method())
|
||||
|
||||
SSL_set_default_verify_paths() ... renamed to the more appropriate
|
||||
SSL_CTX_set_default_verify_paths()
|
||||
|
||||
If you want to use client certificates then you have to add in a bit
|
||||
of extra stuff in that a SSLv3 server sends a list of those CAs that
|
||||
it will accept certificates from ... so you have to provide a list to
|
||||
SSLeay otherwise certain browsers will not send client certs.
|
||||
|
||||
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
|
||||
|
||||
|
||||
X509_NAME_oneline(X) -> X509_NAME_oneline(X,NULL,0)
|
||||
or provide a buffer and size to copy the
|
||||
result into
|
||||
|
||||
X509_add_cert -> X509_STORE_add_cert (and you might want to read the
|
||||
notes on X509_NAME structure changes too)
|
||||
|
||||
|
||||
VERIFICATION CODE
|
||||
=================
|
||||
|
||||
The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
|
||||
more accurately reflect things.
|
||||
|
||||
The verification callback args are now packaged differently so that
|
||||
extra fields for verification can be added easily in future without
|
||||
having to break things by adding extra parameters each release :-)
|
||||
|
||||
X509_cert_verify_error_string -> X509_verify_cert_error_string
|
||||
|
||||
|
||||
BIO INTERNALS
|
||||
=============
|
||||
|
||||
Eric has fixed things so that extra flags can be introduced in
|
||||
the BIO layer in future without having to play with all the BIO
|
||||
modules by adding in some macros.
|
||||
|
||||
The ugly stuff using
|
||||
b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
|
||||
becomes
|
||||
BIO_clear_retry_flags(b)
|
||||
|
||||
b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
|
||||
becomes
|
||||
BIO_set_retry_read(b)
|
||||
|
||||
Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
|
||||
|
||||
|
||||
|
||||
OTHER THINGS
|
||||
============
|
||||
|
||||
X509_NAME has been altered so that it isn't just a STACK ... the STACK
|
||||
is now in the "entries" field ... and there are a pile of nice functions
|
||||
for getting at the details in a much cleaner manner.
|
||||
|
||||
SSL_CTX has been altered ... "cert" is no longer a direct member of this
|
||||
structure ... things are now down under "cert_store" (see x509_vfy.h) and
|
||||
things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
|
||||
If your code "knows" about this level of detail then it will need some
|
||||
surgery.
|
||||
|
||||
If you depending on the incorrect spelling of a number of the error codes
|
||||
then you will have to change your code as these have been fixed.
|
||||
|
||||
ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
|
||||
has been all along so this makes things clearer.
|
||||
ify_cert_error_string(ctx->error));
|
||||
|
||||
SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
|
||||
and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
|
||||
|
||||
|
||||
|
||||
Changes between 0.7.x and 0.8.0
|
||||
|
||||
*) There have been lots of changes, mostly the addition of SSLv3.
|
||||
There have been many additions from people and amongst
|
||||
others, C2Net has assisted greatly.
|
||||
|
||||
Changes between 0.7.x and 0.7.x
|
||||
|
||||
*) Internal development version only
|
||||
|
||||
SSLeay 0.6.6 13-Jan-1997
|
||||
|
||||
The main additions are
|
||||
|
||||
- assember for x86 DES improvments.
|
||||
From 191,000 per second on a pentium 100, I now get 281,000. The inner
|
||||
loop and the IP/FP modifications are from
|
||||
Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>. Many thanks for his
|
||||
contribution.
|
||||
- The 'DES macros' introduced in 0.6.5 now have 3 types.
|
||||
DES_PTR1, DES_PTR2 and 'normal'. As per before, des_opts reports which
|
||||
is best and there is a summery of mine in crypto/des/options.txt
|
||||
- A few bug fixes.
|
||||
- Added blowfish. It is not used by SSL but all the other stuff that
|
||||
deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
|
||||
There are 3 options for optimising Blowfish. BF_PTR, BF_PTR2 and 'normal'.
|
||||
BF_PTR2 is pentium/x86 specific. The correct option is setup in
|
||||
the 'Configure' script.
|
||||
- There is now a 'get client certificate' callback which can be
|
||||
'non-blocking'. If more details are required, let me know. It will
|
||||
documented more in SSLv3 when I finish it.
|
||||
- Bug fixes from 0.6.5 including the infamous 'ca' bug. The 'make test'
|
||||
now tests the ca program.
|
||||
- Lots of little things modified and tweaked.
|
||||
|
||||
SSLeay 0.6.5
|
||||
|
||||
After quite some time (3 months), the new release. I have been very busy
|
||||
for the last few months and so this is mostly bug fixes and improvments.
|
||||
|
||||
The main additions are
|
||||
|
||||
- assember for x86 DES. For all those gcc based systems, this is a big
|
||||
improvement. From 117,000 DES operation a second on a pentium 100,
|
||||
I now get 191,000. I have also reworked the C version so it
|
||||
now gives 148,000 DESs per second.
|
||||
- As mentioned above, the inner DES macros now have some more variant that
|
||||
sometimes help, sometimes hinder performance. There are now 3 options
|
||||
DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
|
||||
and DES_RISC (a more register intensive version of the inner macro).
|
||||
The crypto/des/des_opts.c program, when compiled and run, will give
|
||||
an indication of the correct options to use.
|
||||
- The BIO stuff has been improved. Read doc/bio.doc. There are now
|
||||
modules for encryption and base64 encoding and a BIO_printf() function.
|
||||
- The CA program will accept simple one line X509v3 extensions in the
|
||||
ssleay.cnf file. Have a look at the example. Currently this just
|
||||
puts the text into the certificate as an OCTET_STRING so currently
|
||||
the more advanced X509v3 data types are not handled but this is enough
|
||||
for the netscape extensions.
|
||||
- There is the start of a nicer higher level interface to the X509
|
||||
strucutre.
|
||||
- Quite a lot of bug fixes.
|
||||
- CRYPTO_malloc_init() (or CRYPTO_set_mem_functions()) can be used
|
||||
to define the malloc(), free() and realloc() routines to use
|
||||
(look in crypto/crypto.h). This is mostly needed for Windows NT/95 when
|
||||
using DLLs and mixing CRT libraries.
|
||||
|
||||
In general, read the 'VERSION' file for changes and be aware that some of
|
||||
the new stuff may not have been tested quite enough yet, so don't just plonk
|
||||
in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
|
||||
|
||||
SSLeay 0.6.4 30/08/96 eay
|
||||
|
||||
I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
|
||||
Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
|
||||
|
||||
The main changes in this release
|
||||
|
||||
- Thread safe. have a read of doc/threads.doc and play in the mt directory.
|
||||
For anyone using 0.6.3 with threads, I found 2 major errors so consider
|
||||
moving to 0.6.4. I have a test program that builds under NT and
|
||||
solaris.
|
||||
- The get session-id callback has changed. Have a read of doc/callback.doc.
|
||||
- The X509_cert_verify callback (the SSL_verify callback) now
|
||||
has another argument. Have a read of doc/callback.doc
|
||||
- 'ca -preserve', sign without re-ordering the DN. Not tested much.
|
||||
- VMS support.
|
||||
- Compile time memory leak detection can now be built into SSLeay.
|
||||
Read doc/memory.doc
|
||||
- CONF routines now understand '\', '\n', '\r' etc. What this means is that
|
||||
the SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
|
||||
- 'ssleay ciphers' added, lists the default cipher list for SSLeay.
|
||||
- RC2 key setup is now compatable with Netscape.
|
||||
- Modifed server side of SSL implementation, big performance difference when
|
||||
using session-id reuse.
|
||||
|
||||
0.6.3
|
||||
|
||||
Bug fixes and the addition of some nice stuff to the 'ca' program.
|
||||
Have a read of doc/ns-ca.doc for how hit has been modified so
|
||||
it can be driven from a CGI script. The CGI script is not provided,
|
||||
but that is just being left as an excersize for the reader :-).
|
||||
|
||||
0.6.2
|
||||
|
||||
This is most bug fixes and functionality improvements.
|
||||
|
||||
Additions are
|
||||
- More thread debugging patches, the thread stuff is still being
|
||||
tested, but for those keep to play with stuff, have a look in
|
||||
crypto/cryptlib.c. The application needs to define 1 (or optionaly
|
||||
a second) callback that is used to implement locking. Compiling
|
||||
with LOCK_DEBUG spits out lots of locking crud :-).
|
||||
This is what I'm currently working on.
|
||||
- SSL_CTX_set_default_passwd_cb() can be used to define the callback
|
||||
function used in the SSL*_file() functions used to load keys. I was
|
||||
always of the opinion that people should call
|
||||
PEM_read_RSAPrivateKey() and pass the callback they want to use, but
|
||||
it appears they just want to use the SSL_*_file() function() :-(.
|
||||
- 'enc' now has a -kfile so a key can be read from a file. This is
|
||||
mostly used so that the passwd does not appear when using 'ps',
|
||||
which appears imposible to stop under solaris.
|
||||
- X509v3 certificates now work correctly. I even have more examples
|
||||
in my tests :-). There is now a X509_EXTENSION type that is used in
|
||||
X509v3 certificates and CRLv2.
|
||||
- Fixed that signature type error :-(
|
||||
- Fixed quite a few potential memory leaks and problems when reusing
|
||||
X509, CRL and REQ structures.
|
||||
- EVP_set_pw_prompt() now sets the library wide default password
|
||||
prompt.
|
||||
- The 'pkcs7' command will now, given the -print_certs flag, output in
|
||||
pem format, all certificates and CRL contained within. This is more
|
||||
of a pre-emtive thing for the new verisign distribution method. I
|
||||
should also note, that this also gives and example in code, of how
|
||||
to do this :-), or for that matter, what is involved in going the
|
||||
other way (list of certs and crl -> pkcs7).
|
||||
- Added RSA's DESX to the DES library. It is also available via the
|
||||
EVP_desx_cbc() method and via 'enc desx'.
|
||||
|
||||
SSLeay 0.6.1
|
||||
|
||||
The main functional changes since 0.6.0 are as follows
|
||||
- Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
|
||||
that from now on, I'll keep the .def numbers the same so they will be.
|
||||
- RSA private key operations are about 2 times faster that 0.6.0
|
||||
- The SSL_CTX now has more fields so default values can be put against
|
||||
it. When an SSL structure is created, these default values are used
|
||||
but can be overwritten. There are defaults for cipher, certificate,
|
||||
private key, verify mode and callback. This means SSL session
|
||||
creation can now be
|
||||
ssl=SSL_new()
|
||||
SSL_set_fd(ssl,sock);
|
||||
SSL_accept(ssl)
|
||||
....
|
||||
All the other uglyness with having to keep a global copy of the
|
||||
private key and certificate/verify mode in the server is now gone.
|
||||
- ssl/ssltest.c - one process talking SSL to its self for testing.
|
||||
- Storage of Session-id's can be controled via a session_cache_mode
|
||||
flag. There is also now an automatic default flushing of
|
||||
old session-id's.
|
||||
- The X509_cert_verify() function now has another parameter, this
|
||||
should not effect most people but it now means that the reason for
|
||||
the failure to verify is now available via SSL_get_verify_result(ssl).
|
||||
You don't have to use a global variable.
|
||||
- SSL_get_app_data() and SSL_set_app_data() can be used to keep some
|
||||
application data against the SSL structure. It is upto the application
|
||||
to free the data. I don't use it, but it is available.
|
||||
- SSL_CTX_set_cert_verify_callback() can be used to specify a
|
||||
verify callback function that completly replaces my certificate
|
||||
verification code. Xcert should be able to use this :-).
|
||||
The callback is of the form int app_verify_callback(arg,ssl,cert).
|
||||
This needs to be documented more.
|
||||
- I have started playing with shared library builds, have a look in
|
||||
the shlib directory. It is very simple. If you need a numbered
|
||||
list of functions, have a look at misc/crypto.num and misc/ssl.num.
|
||||
- There is some stuff to do locking to make the library thread safe.
|
||||
I have only started this stuff and have not finished. If anyone is
|
||||
keen to do so, please send me the patches when finished.
|
||||
|
||||
So I have finally made most of the additions to the SSL interface that
|
||||
I thought were needed.
|
||||
|
||||
There will probably be a pause before I make any non-bug/documentation
|
||||
related changes to SSLeay since I'm feeling like a bit of a break.
|
||||
|
||||
eric - 12 Jul 1996
|
||||
I saw recently a comment by some-one that we now seem to be entering
|
||||
the age of perpetual Beta software.
|
||||
Pioneered by packages like linux but refined to an art form by
|
||||
netscape.
|
||||
|
||||
I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
|
||||
|
||||
There are quite a large number of sections that are 'works in
|
||||
progress' in this package. I will also list the major changes and
|
||||
what files you should read.
|
||||
|
||||
BIO - this is the new IO structure being used everywhere in SSLeay. I
|
||||
started out developing this because of microsoft, I wanted a mechanism
|
||||
to callback to the application for all IO, so Windows 3.1 DLL
|
||||
perversion could be hidden from me and the 15 different ways to write
|
||||
to a file under NT would also not be dictated by me at library build
|
||||
time. What the 'package' is is an API for a data structure containing
|
||||
functions. IO interfaces can be written to conform to the
|
||||
specification. This in not intended to hide the underlying data type
|
||||
from the application, but to hide it from SSLeay :-).
|
||||
I have only really finished testing the FILE * and socket/fd modules.
|
||||
There are also 'filter' BIO's. Currently I have only implemented
|
||||
message digests, and it is in use in the dgst application. This
|
||||
functionality will allow base64/encrypto/buffering modules to be
|
||||
'push' into a BIO without it affecting the semantics. I'm also
|
||||
working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
|
||||
from an event loop which uses the interface.
|
||||
It is also possible to 'attach' callbacks to a BIO so they get called
|
||||
before and after each operation, alowing extensive debug output
|
||||
to be generated (try running dgst with -d).
|
||||
|
||||
Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
|
||||
functions that used to take FILE *, now take BIO *.
|
||||
The wrappers are easy to write
|
||||
|
||||
function_fp(fp,x)
|
||||
FILE *fp;
|
||||
{
|
||||
BIO *b;
|
||||
int ret;
|
||||
|
||||
if ((b=BIO_new(BIO_s_file())) == NULL) error.....
|
||||
BIO_set_fp(b,fp,BIO_NOCLOSE);
|
||||
ret=function_bio(b,x);
|
||||
BIO_free(b);
|
||||
return(ret);
|
||||
}
|
||||
Remember, there are no functions that take FILE * in SSLeay when
|
||||
compiled for Windows 3.1 DLL's.
|
||||
|
||||
--
|
||||
I have added a general EVP_PKEY type that can hold a public/private
|
||||
key. This is now what is used by the EVP_ functions and is passed
|
||||
around internally. I still have not done the PKCS#8 stuff, but
|
||||
X509_PKEY is defined and waiting :-)
|
||||
|
||||
--
|
||||
For a full function name listings, have a look at ms/crypt32.def and
|
||||
ms/ssl32.def. These are auto-generated but are complete.
|
||||
Things like ASN1_INTEGER_get() have been added and are in here if you
|
||||
look. I have renamed a few things, again, have a look through the
|
||||
function list and you will probably find what you are after. I intend
|
||||
to at least put a one line descrition for each one.....
|
||||
|
||||
--
|
||||
Microsoft - thats what this release is about, read the MICROSOFT file.
|
||||
|
||||
--
|
||||
Multi-threading support. I have started hunting through the code and
|
||||
flaging where things need to be done. In a state of work but high on
|
||||
the list.
|
||||
|
||||
--
|
||||
For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
|
||||
be be you random data device, otherwise 'RFILE' in e_os.h
|
||||
will be used, in your home directory. It will be updated
|
||||
periodically. The environment variable RANDFILE will override this
|
||||
choice and read/write to that file instead. DEVRANDOM is used in
|
||||
conjunction to the RFILE/RANDFILE. If you wish to 'seed' the random
|
||||
number generator, pick on one of these files.
|
||||
|
||||
--
|
||||
|
||||
The list of things to read and do
|
||||
|
||||
dgst -d
|
||||
s_client -state (this uses a callback placed in the SSL state loop and
|
||||
will be used else-where to help debug/monitor what
|
||||
is happening.)
|
||||
|
||||
doc/why.doc
|
||||
doc/bio.doc <- hmmm, needs lots of work.
|
||||
doc/bss_file.doc <- one that is working :-)
|
||||
doc/session.doc <- it has changed
|
||||
doc/speed.doc
|
||||
also play with ssleay version -a. I have now added a SSLeay()
|
||||
function that returns a version number, eg 0600 for this release
|
||||
which is primarily to be used to check DLL version against the
|
||||
application.
|
||||
util/* Quite a few will not interest people, but some may, like
|
||||
mk1mf.pl, mkdef.pl,
|
||||
util/do_ms.sh
|
||||
|
||||
try
|
||||
cc -Iinclude -Icrypto -c crypto/crypto.c
|
||||
cc -Iinclude -Issl -c ssl/ssl.c
|
||||
You have just built the SSLeay libraries as 2 object files :-)
|
||||
|
||||
Have a general rummage around in the bin stall directory and look at
|
||||
what is in there, like CA.sh and c_rehash
|
||||
|
||||
There are lots more things but it is 12:30am on a Friday night and I'm
|
||||
heading home :-).
|
||||
|
||||
eric 22-Jun-1996
|
||||
This version has quite a few major bug fixes and improvements. It DOES NOT
|
||||
do SSLv3 yet.
|
||||
|
||||
The main things changed
|
||||
- A Few days ago I added the s_mult application to ssleay which is
|
||||
a demo of an SSL server running in an event loop type thing.
|
||||
It supports non-blocking IO, I have finally gotten it right, SSL_accept()
|
||||
can operate in non-blocking IO mode, look at the code to see how :-).
|
||||
Have a read of doc/s_mult as well. This program leaks memory and
|
||||
file descriptors everywhere but I have not cleaned it up yet.
|
||||
This is a demo of how to do non-blocking IO.
|
||||
- The SSL session management has been 'worked over' and there is now
|
||||
quite an expansive set of functions to manipulate them. Have a read of
|
||||
doc/session.doc for some-things I quickly whipped up about how it now works.
|
||||
This assume you know the SSLv2 protocol :-)
|
||||
- I can now read/write the netscape certificate format, use the
|
||||
-inform/-outform 'net' options to the x509 command. I have not put support
|
||||
for this type in the other demo programs, but it would be easy to add.
|
||||
- asn1parse and 'enc' have been modified so that when reading base64
|
||||
encoded files (pem format), they do not require '-----BEGIN' header lines.
|
||||
The 'enc' program had a buffering bug fixed, it can be used as a general
|
||||
base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
|
||||
respecivly. Leaving out the '-a' flag in this case makes the 'enc' command
|
||||
into a form of 'cat'.
|
||||
- The 'x509' and 'req' programs have been fixed and modified a little so
|
||||
that they generate self-signed certificates correctly. The test
|
||||
script actually generates a 'CA' certificate and then 'signs' a
|
||||
'user' certificate. Have a look at this shell script (test/sstest)
|
||||
to see how things work, it tests most possible combinations of what can
|
||||
be done.
|
||||
- The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
|
||||
of SSL_set_cipher_list() is now the correct API (stops confusion :-).
|
||||
If this function is used in the client, only the specified ciphers can
|
||||
be used, with preference given to the order the ciphers were listed.
|
||||
For the server, if this is used, only the specified ciphers will be used
|
||||
to accept connections. If this 'option' is not used, a default set of
|
||||
ciphers will be used. The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
|
||||
list for all ciphers started against the SSL_CTX. So the order is
|
||||
SSL cipher_list, if not present, SSL_CTX cipher list, if not
|
||||
present, then the library default.
|
||||
What this means is that normally ciphers like
|
||||
NULL-MD5 will never be used. The only way this cipher can be used
|
||||
for both ends to specify to use it.
|
||||
To enable or disable ciphers in the library at build time, modify the
|
||||
first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
|
||||
This file also contains the 'pref_cipher' list which is the default
|
||||
cipher preference order.
|
||||
- I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
|
||||
options work. They should, and they enable loading and writing the
|
||||
netscape rsa private key format. I will be re-working this section of
|
||||
SSLeay for the next version. What is currently in place is a quick and
|
||||
dirty hack.
|
||||
- I've re-written parts of the bignum library. This gives speedups
|
||||
for all platforms. I now provide assembler for use under Windows NT.
|
||||
I have not tested the Windows 3.1 assembler but it is quite simple code.
|
||||
This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
|
||||
and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
|
||||
Basically the times available under linux/solaris x86 can be achieve under
|
||||
Windows NT. I still don't know how these times compare to RSA's BSAFE
|
||||
library but I have been emailing with people and with their help, I should
|
||||
be able to get my library's quite a bit faster still (more algorithm changes).
|
||||
The object file crypto/bn/asm/x86-32.obj should be used when linking
|
||||
under NT.
|
||||
- 'make makefile.one' in the top directory will generate a single makefile
|
||||
called 'makefile.one' This makefile contains no perl references and
|
||||
will build the SSLeay library into the 'tmp' and 'out' directories.
|
||||
util/mk1mf.pl >makefile.one is how this makefile is
|
||||
generated. The mk1mf.pl command take several option to generate the
|
||||
makefile for use with cc, gcc, Visual C++ and Borland C++. This is
|
||||
still under development. I have only build .lib's for NT and MSDOS
|
||||
I will be working on this more. I still need to play with the
|
||||
correct compiler setups for these compilers and add some more stuff but
|
||||
basically if you just want to compile the library
|
||||
on a 'non-unix' platform, this is a very very good file to start with :-).
|
||||
Have a look in the 'microsoft' directory for my current makefiles.
|
||||
I have not yet modified things to link with sockets under Windows NT.
|
||||
You guys should be able to do this since this is actually outside of the
|
||||
SSLeay scope :-). I will be doing it for myself soon.
|
||||
util/mk1mf.pl takes quite a few options including no-rc, rsaref and no-sock
|
||||
to build without RC2/RC4, to require RSAref for linking, and to
|
||||
build with no socket code.
|
||||
|
||||
- Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
|
||||
that was posted to sci.crypt has been added to the library and SSL.
|
||||
I take the view that if RC2 is going to be included in a standard,
|
||||
I'll include the cipher to make my package complete.
|
||||
There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
|
||||
at compile time. I have not tested this recently but it should all work
|
||||
and if you are in the USA and don't want RSA threatening to sue you,
|
||||
you could probably remove the RC4/RC2 code inside these sections.
|
||||
I may in the future include a perl script that does this code
|
||||
removal automatically for those in the USA :-).
|
||||
- I have removed all references to sed in the makefiles. So basically,
|
||||
the development environment requires perl and sh. The build environment
|
||||
does not (use the makefile.one makefile).
|
||||
The Configure script still requires perl, this will probably stay that way
|
||||
since I have perl for Windows NT :-).
|
||||
|
||||
eric (03-May-1996)
|
||||
|
||||
PS Have a look in the VERSION file for more details on the changes and
|
||||
bug fixes.
|
||||
I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
|
||||
things up. This version will be quite stable, mostly because I'm on
|
||||
holidays until 10-March-1996. For any problems in the interum, send email
|
||||
to Tim Hudson <tjh@mincom.oz.au>.
|
||||
|
||||
SSLeay 0.5.0
|
||||
|
||||
12-12-95
|
||||
This is going out before it should really be released.
|
||||
|
||||
I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
|
||||
this for 11 weeks or get things out. It is still going to change a
|
||||
lot in the next week so if you do grab this version, please test and
|
||||
give me feed back ASAP, inculuding questions on how to do things with
|
||||
the library. This will prompt me to write documentation so I don't
|
||||
have to answer the same question again :-).
|
||||
|
||||
This 'pre' release version is for people who are interested in the
|
||||
library. The applications will have to be changed to use
|
||||
the new version of the SSL interface. I intend to finish more
|
||||
documentation before I leave but until then, look at the programs in
|
||||
the apps directory. As far as code goes, it is much much nicer than
|
||||
the old version.
|
||||
|
||||
The current library works, has no memory leaks (as far as I can tell)
|
||||
and is far more bug free that 0.4.5d. There are no global variable of
|
||||
consequence (I believe) and I will produce some documentation that
|
||||
tell where to look for those people that do want to do multi-threaded
|
||||
stuff.
|
||||
|
||||
There should be more documentation. Have a look in the
|
||||
doc directory. I'll be adding more before I leave, it is a start
|
||||
by mostly documents the crypto library. Tim Hudson will update
|
||||
the web page ASAP. The spelling and grammar are crap but
|
||||
it is better than nothing :-)
|
||||
|
||||
Reasons to start playing with version 0.5.0
|
||||
- All the programs in the apps directory build into one ssleay binary.
|
||||
- There is a new version of the 'req' program that generates certificate
|
||||
requests, there is even documentation for this one :-)
|
||||
- There is a demo certification authorithy program. Currently it will
|
||||
look at the simple database and update it. It will generate CRL from
|
||||
the data base. You need to edit the database by hand to revoke a
|
||||
certificate, it is my aim to use perl5/Tk but I don't have time to do
|
||||
this right now. It will generate the certificates but the management
|
||||
scripts still need to be written. This is not a hard task.
|
||||
- Things have been cleaned up alot.
|
||||
- Have a look at the enc and dgst programs in the apps directory.
|
||||
- It supports v3 of x509 certiticates.
|
||||
|
||||
|
||||
Major things missing.
|
||||
- I have been working on (and thinging about) the distributed x509
|
||||
hierachy problem. I have not had time to put my solution in place.
|
||||
It will have to wait until I come back.
|
||||
- I have not put in CRL checking in the certificate verification but
|
||||
it would not be hard to do. I was waiting until I could generate my
|
||||
own CRL (which has only been in the last week) and I don't have time
|
||||
to put it in correctly.
|
||||
- Montgomery multiplication need to be implemented. I know the
|
||||
algorithm, just ran out of time.
|
||||
- PKCS#7. I can load and write the DER version. I need to re-work
|
||||
things to support BER (if that means nothing, read the ASN1 spec :-).
|
||||
- Testing of the higher level digital envelope routines. I have not
|
||||
played with the *_seal() and *_open() type functions. They are
|
||||
written but need testing. The *_sign() and *_verify() functions are
|
||||
rock solid.
|
||||
- PEM. Doing this and PKCS#7 have been dependant on the distributed
|
||||
x509 heirachy problem. I started implementing my ideas, got
|
||||
distracted writing a CA program and then ran out of time. I provide
|
||||
the functionality of RSAref at least.
|
||||
- Re work the asm. code for the x86. I've changed by low level bignum
|
||||
interface again, so I really need to tweak the x86 stuff. gcc is
|
||||
good enough for the other boxes.
|
||||
|
||||
2
Agent-Windows/OGP64/usr/share/doc/openssl10/FAQ
Normal file
2
Agent-Windows/OGP64/usr/share/doc/openssl10/FAQ
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
The FAQ is now maintained on the web:
|
||||
https://www.openssl.org/docs/faq.html
|
||||
365
Agent-Windows/OGP64/usr/share/doc/openssl10/INSTALL
Normal file
365
Agent-Windows/OGP64/usr/share/doc/openssl10/INSTALL
Normal file
|
|
@ -0,0 +1,365 @@
|
|||
|
||||
INSTALLATION ON THE UNIX PLATFORM
|
||||
---------------------------------
|
||||
|
||||
[Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
|
||||
and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
|
||||
INSTALL.MacOS and INSTALL.NW.
|
||||
|
||||
This document describes installation on operating systems in the Unix
|
||||
family.]
|
||||
|
||||
To install OpenSSL, you will need:
|
||||
|
||||
* make
|
||||
* Perl 5
|
||||
* an ANSI C compiler
|
||||
* a development environment in form of development libraries and C
|
||||
header files
|
||||
* a supported Unix operating system
|
||||
|
||||
Quick Start
|
||||
-----------
|
||||
|
||||
If you want to just get on with it, do:
|
||||
|
||||
$ ./config
|
||||
$ make
|
||||
$ make test
|
||||
$ make install
|
||||
|
||||
[If any of these steps fails, see section Installation in Detail below.]
|
||||
|
||||
This will build and install OpenSSL in the default location, which is (for
|
||||
historical reasons) /usr/local/ssl. If you want to install it anywhere else,
|
||||
run config like this:
|
||||
|
||||
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl
|
||||
|
||||
|
||||
Configuration Options
|
||||
---------------------
|
||||
|
||||
There are several options to ./config (or ./Configure) to customize
|
||||
the build:
|
||||
|
||||
--prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl.
|
||||
Configuration files used by OpenSSL will be in DIR/ssl
|
||||
or the directory specified by --openssldir.
|
||||
|
||||
--openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
|
||||
the library files and binaries are also installed there.
|
||||
|
||||
no-threads Don't try to build with support for multi-threaded
|
||||
applications.
|
||||
|
||||
threads Build with support for multi-threaded applications.
|
||||
This will usually require additional system-dependent options!
|
||||
See "Note on multi-threading" below.
|
||||
|
||||
no-zlib Don't try to build with support for zlib compression and
|
||||
decompression.
|
||||
|
||||
zlib Build with support for zlib compression/decompression.
|
||||
|
||||
zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically
|
||||
when needed. This is only supported on systems where loading
|
||||
of shared libraries is supported. This is the default choice.
|
||||
|
||||
no-shared Don't try to create shared libraries.
|
||||
|
||||
shared In addition to the usual static libraries, create shared
|
||||
libraries on platforms where it's supported. See "Note on
|
||||
shared libraries" below.
|
||||
|
||||
no-asm Do not use assembler code.
|
||||
|
||||
386 In 32-bit x86 builds, when generating assembly modules,
|
||||
use the 80386 instruction set only (the default x86 code
|
||||
is more efficient, but requires at least a 486). Note:
|
||||
This doesn't affect code generated by compiler, you're
|
||||
likely to complement configuration command line with
|
||||
suitable compiler-specific option.
|
||||
|
||||
no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules.
|
||||
Normally SSE2 extension is detected at run-time, but the
|
||||
decision whether or not the machine code will be executed
|
||||
is taken solely on CPU capability vector. This means that
|
||||
if you happen to run OS kernel which does not support SSE2
|
||||
extension on Intel P4 processor, then your application
|
||||
might be exposed to "illegal instruction" exception.
|
||||
There might be a way to enable support in kernel, e.g.
|
||||
FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
|
||||
there is a way to disengage SSE2 code paths upon application
|
||||
start-up, but if you aim for wider "audience" running
|
||||
such kernel, consider no-sse2. Both the 386 and
|
||||
no-asm options imply no-sse2.
|
||||
|
||||
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
|
||||
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
|
||||
The crypto/<cipher> directory can be removed after running
|
||||
"make depend".
|
||||
|
||||
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
|
||||
be passed through to the compiler to allow you to
|
||||
define preprocessor symbols, specify additional libraries,
|
||||
library directories or other compiler options. It might be
|
||||
worth noting that some compilers generate code specifically
|
||||
for processor the compiler currently executes on. This is
|
||||
not necessarily what you might have in mind, since it might
|
||||
be unsuitable for execution on other, typically older,
|
||||
processor. Consult your compiler documentation.
|
||||
|
||||
-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
|
||||
BSD. Useful if you are running ocf-linux or something
|
||||
similar. Once enabled you can also enable the use of
|
||||
cryptodev digests, which is usually slower unless you have
|
||||
large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force
|
||||
it.
|
||||
|
||||
Installation in Detail
|
||||
----------------------
|
||||
|
||||
1a. Configure OpenSSL for your operation system automatically:
|
||||
|
||||
$ ./config [options]
|
||||
|
||||
This guesses at your operating system (and compiler, if necessary) and
|
||||
configures OpenSSL based on this guess. Run ./config -t to see
|
||||
if it guessed correctly. If you want to use a different compiler, you
|
||||
are cross-compiling for another platform, or the ./config guess was
|
||||
wrong for other reasons, go to step 1b. Otherwise go to step 2.
|
||||
|
||||
On some systems, you can include debugging information as follows:
|
||||
|
||||
$ ./config -d [options]
|
||||
|
||||
1b. Configure OpenSSL for your operating system manually
|
||||
|
||||
OpenSSL knows about a range of different operating system, hardware and
|
||||
compiler combinations. To see the ones it knows about, run
|
||||
|
||||
$ ./Configure
|
||||
|
||||
Pick a suitable name from the list that matches your system. For most
|
||||
operating systems there is a choice between using "cc" or "gcc". When
|
||||
you have identified your system (and if necessary compiler) use this name
|
||||
as the argument to ./Configure. For example, a "linux-elf" user would
|
||||
run:
|
||||
|
||||
$ ./Configure linux-elf [options]
|
||||
|
||||
If your system is not available, you will have to edit the Configure
|
||||
program and add the correct configuration for your system. The
|
||||
generic configurations "cc" or "gcc" should usually work on 32 bit
|
||||
systems.
|
||||
|
||||
Configure creates the file Makefile.ssl from Makefile.org and
|
||||
defines various macros in crypto/opensslconf.h (generated from
|
||||
crypto/opensslconf.h.in).
|
||||
|
||||
2. Build OpenSSL by running:
|
||||
|
||||
$ make
|
||||
|
||||
This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the
|
||||
OpenSSL binary ("openssl"). The libraries will be built in the top-level
|
||||
directory, and the binary will be in the "apps" directory.
|
||||
|
||||
If the build fails, look at the output. There may be reasons
|
||||
for the failure that aren't problems in OpenSSL itself (like
|
||||
missing standard headers). If you are having problems you can
|
||||
get help by sending an email to the openssl-users email list (see
|
||||
https://www.openssl.org/community/mailinglists.html for details). If
|
||||
it is a bug with OpenSSL itself, please open an issue on GitHub, at
|
||||
https://github.com/openssl/openssl/issues. Please review the existing
|
||||
ones first; maybe the bug was already reported or has already been
|
||||
fixed.
|
||||
|
||||
(If you encounter assembler error messages, try the "no-asm"
|
||||
configuration option as an immediate fix.)
|
||||
|
||||
Compiling parts of OpenSSL with gcc and others with the system
|
||||
compiler will result in unresolved symbols on some systems.
|
||||
|
||||
3. After a successful build, the libraries should be tested. Run:
|
||||
|
||||
$ make test
|
||||
|
||||
If a test fails, look at the output. There may be reasons for
|
||||
the failure that isn't a problem in OpenSSL itself (like a missing
|
||||
or malfunctioning bc). If it is a problem with OpenSSL itself,
|
||||
try removing any compiler optimization flags from the CFLAG line
|
||||
in Makefile.ssl and run "make clean; make". To report a bug please open an
|
||||
issue on GitHub, at https://github.com/openssl/openssl/issues.
|
||||
|
||||
4. If everything tests ok, install OpenSSL with
|
||||
|
||||
$ make install
|
||||
|
||||
This will create the installation directory (if it does not exist) and
|
||||
then the following subdirectories:
|
||||
|
||||
certs Initially empty, this is the default location
|
||||
for certificate files.
|
||||
man/man1 Manual pages for the 'openssl' command line tool
|
||||
man/man3 Manual pages for the libraries (very incomplete)
|
||||
misc Various scripts.
|
||||
private Initially empty, this is the default location
|
||||
for private key files.
|
||||
|
||||
If you didn't choose a different installation prefix, the
|
||||
following additional subdirectories will be created:
|
||||
|
||||
bin Contains the openssl binary and a few other
|
||||
utility programs.
|
||||
include/openssl Contains the header files needed if you want to
|
||||
compile programs with libcrypto or libssl.
|
||||
lib Contains the OpenSSL library files themselves.
|
||||
|
||||
Use "make install_sw" to install the software without documentation,
|
||||
and "install_docs_html" to install HTML renditions of the manual
|
||||
pages.
|
||||
|
||||
Package builders who want to configure the library for standard
|
||||
locations, but have the package installed somewhere else so that
|
||||
it can easily be packaged, can use
|
||||
|
||||
$ make INSTALL_PREFIX=/tmp/package-root install
|
||||
|
||||
(or specify "--install_prefix=/tmp/package-root" as a configure
|
||||
option). The specified prefix will be prepended to all
|
||||
installation target filenames.
|
||||
|
||||
|
||||
NOTE: The header files used to reside directly in the include
|
||||
directory, but have now been moved to include/openssl so that
|
||||
OpenSSL can co-exist with other libraries which use some of the
|
||||
same filenames. This means that applications that use OpenSSL
|
||||
should now use C preprocessor directives of the form
|
||||
|
||||
#include <openssl/ssl.h>
|
||||
|
||||
instead of "#include <ssl.h>", which was used with library versions
|
||||
up to OpenSSL 0.9.2b.
|
||||
|
||||
If you install a new version of OpenSSL over an old library version,
|
||||
you should delete the old header files in the include directory.
|
||||
|
||||
Compatibility issues:
|
||||
|
||||
* COMPILING existing applications
|
||||
|
||||
To compile an application that uses old filenames -- e.g.
|
||||
"#include <ssl.h>" --, it will usually be enough to find
|
||||
the CFLAGS definition in the application's Makefile and
|
||||
add a C option such as
|
||||
|
||||
-I/usr/local/ssl/include/openssl
|
||||
|
||||
to it.
|
||||
|
||||
But don't delete the existing -I option that points to
|
||||
the ..../include directory! Otherwise, OpenSSL header files
|
||||
could not #include each other.
|
||||
|
||||
* WRITING applications
|
||||
|
||||
To write an application that is able to handle both the new
|
||||
and the old directory layout, so that it can still be compiled
|
||||
with library versions up to OpenSSL 0.9.2b without bothering
|
||||
the user, you can proceed as follows:
|
||||
|
||||
- Always use the new filename of OpenSSL header files,
|
||||
e.g. #include <openssl/ssl.h>.
|
||||
|
||||
- Create a directory "incl" that contains only a symbolic
|
||||
link named "openssl", which points to the "include" directory
|
||||
of OpenSSL.
|
||||
For example, your application's Makefile might contain the
|
||||
following rule, if OPENSSLDIR is a pathname (absolute or
|
||||
relative) of the directory where OpenSSL resides:
|
||||
|
||||
incl/openssl:
|
||||
-mkdir incl
|
||||
cd $(OPENSSLDIR) # Check whether the directory really exists
|
||||
-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl
|
||||
|
||||
You will have to add "incl/openssl" to the dependencies
|
||||
of those C files that include some OpenSSL header file.
|
||||
|
||||
- Add "-Iincl" to your CFLAGS.
|
||||
|
||||
With these additions, the OpenSSL header files will be available
|
||||
under both name variants if an old library version is used:
|
||||
Your application can reach them under names like <openssl/foo.h>,
|
||||
while the header files still are able to #include each other
|
||||
with names of the form <foo.h>.
|
||||
|
||||
|
||||
Note on multi-threading
|
||||
-----------------------
|
||||
|
||||
For some systems, the OpenSSL Configure script knows what compiler options
|
||||
are needed to generate a library that is suitable for multi-threaded
|
||||
applications. On these systems, support for multi-threading is enabled
|
||||
by default; use the "no-threads" option to disable (this should never be
|
||||
necessary).
|
||||
|
||||
On other systems, to enable support for multi-threading, you will have
|
||||
to specify at least two options: "threads", and a system-dependent option.
|
||||
(The latter is "-D_REENTRANT" on various systems.) The default in this
|
||||
case, obviously, is not to include support for multi-threading (but
|
||||
you can still use "no-threads" to suppress an annoying warning message
|
||||
from the Configure script.)
|
||||
|
||||
|
||||
Note on shared libraries
|
||||
------------------------
|
||||
|
||||
Shared libraries have certain caveats. Binary backward compatibility
|
||||
can't be guaranteed before OpenSSL version 1.0. The only reason to
|
||||
use them would be to conserve memory on systems where several programs
|
||||
are using OpenSSL.
|
||||
|
||||
For some systems, the OpenSSL Configure script knows what is needed to
|
||||
build shared libraries for libcrypto and libssl. On these systems,
|
||||
the shared libraries are currently not created by default, but giving
|
||||
the option "shared" will get them created. This method supports Makefile
|
||||
targets for shared library creation, like linux-shared. Those targets
|
||||
can currently be used on their own just as well, but this is expected
|
||||
to change in future versions of OpenSSL.
|
||||
|
||||
Note on random number generation
|
||||
--------------------------------
|
||||
|
||||
Availability of cryptographically secure random numbers is required for
|
||||
secret key generation. OpenSSL provides several options to seed the
|
||||
internal PRNG. If not properly seeded, the internal PRNG will refuse
|
||||
to deliver random bytes and a "PRNG not seeded error" will occur.
|
||||
On systems without /dev/urandom (or similar) device, it may be necessary
|
||||
to install additional support software to obtain random seed.
|
||||
Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
|
||||
and the FAQ for more information.
|
||||
|
||||
Note on support for multiple builds
|
||||
-----------------------------------
|
||||
|
||||
OpenSSL is usually built in its source tree. Unfortunately, this doesn't
|
||||
support building for multiple platforms from the same source tree very well.
|
||||
It is however possible to build in a separate tree through the use of lots
|
||||
of symbolic links, which should be prepared like this:
|
||||
|
||||
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
|
||||
cd objtree/"`uname -s`-`uname -r`-`uname -m`"
|
||||
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do
|
||||
mkdir -p `dirname $F`
|
||||
rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
|
||||
echo $F '->' $OPENSSL_SOURCE/$F
|
||||
done
|
||||
make -f Makefile.org clean
|
||||
|
||||
OPENSSL_SOURCE is an environment variable that contains the absolute (this
|
||||
is important!) path to the OpenSSL source tree.
|
||||
|
||||
Also, operations like 'make update' should still be made in the source tree.
|
||||
127
Agent-Windows/OGP64/usr/share/doc/openssl10/LICENSE
Normal file
127
Agent-Windows/OGP64/usr/share/doc/openssl10/LICENSE
Normal file
|
|
@ -0,0 +1,127 @@
|
|||
|
||||
LICENSE ISSUES
|
||||
==============
|
||||
|
||||
The OpenSSL toolkit stays under a double license, i.e. both the conditions of
|
||||
the OpenSSL License and the original SSLeay license apply to the toolkit.
|
||||
See below for the actual license texts. Actually both licenses are BSD-style
|
||||
Open Source licenses. In case of any license issues related to OpenSSL
|
||||
please contact openssl-core@openssl.org.
|
||||
|
||||
OpenSSL License
|
||||
---------------
|
||||
|
||||
/* ====================================================================
|
||||
* Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
*
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* 3. All advertising materials mentioning features or use of this
|
||||
* software must display the following acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
||||
*
|
||||
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
||||
* endorse or promote products derived from this software without
|
||||
* prior written permission. For written permission, please contact
|
||||
* openssl-core@openssl.org.
|
||||
*
|
||||
* 5. Products derived from this software may not be called "OpenSSL"
|
||||
* nor may "OpenSSL" appear in their names without prior written
|
||||
* permission of the OpenSSL Project.
|
||||
*
|
||||
* 6. Redistributions of any form whatsoever must retain the following
|
||||
* acknowledgment:
|
||||
* "This product includes software developed by the OpenSSL Project
|
||||
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
||||
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
||||
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
||||
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ====================================================================
|
||||
*
|
||||
* This product includes cryptographic software written by Eric Young
|
||||
* (eay@cryptsoft.com). This product includes software written by Tim
|
||||
* Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
*/
|
||||
|
||||
Original SSLeay License
|
||||
-----------------------
|
||||
|
||||
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
|
||||
* All rights reserved.
|
||||
*
|
||||
* This package is an SSL implementation written
|
||||
* by Eric Young (eay@cryptsoft.com).
|
||||
* The implementation was written so as to conform with Netscapes SSL.
|
||||
*
|
||||
* This library is free for commercial and non-commercial use as long as
|
||||
* the following conditions are aheared to. The following conditions
|
||||
* apply to all code found in this distribution, be it the RC4, RSA,
|
||||
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
|
||||
* included with this distribution is covered by the same copyright terms
|
||||
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
|
||||
*
|
||||
* Copyright remains Eric Young's, and as such any Copyright notices in
|
||||
* the code are not to be removed.
|
||||
* If this package is used in a product, Eric Young should be given attribution
|
||||
* as the author of the parts of the library used.
|
||||
* This can be in the form of a textual message at program startup or
|
||||
* in documentation (online or textual) provided with the package.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. All advertising materials mentioning features or use of this software
|
||||
* must display the following acknowledgement:
|
||||
* "This product includes cryptographic software written by
|
||||
* Eric Young (eay@cryptsoft.com)"
|
||||
* The word 'cryptographic' can be left out if the rouines from the library
|
||||
* being used are not cryptographic related :-).
|
||||
* 4. If you include any Windows specific code (or a derivative thereof) from
|
||||
* the apps directory (application code) you must include an acknowledgement:
|
||||
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*
|
||||
* The licence and distribution terms for any publically available version or
|
||||
* derivative of this code cannot be changed. i.e. this code cannot simply be
|
||||
* copied and put under another distribution licence
|
||||
* [including the GNU Public Licence.]
|
||||
*/
|
||||
|
||||
852
Agent-Windows/OGP64/usr/share/doc/openssl10/NEWS
Normal file
852
Agent-Windows/OGP64/usr/share/doc/openssl10/NEWS
Normal file
|
|
@ -0,0 +1,852 @@
|
|||
|
||||
NEWS
|
||||
====
|
||||
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.0.2t and OpenSSL 1.0.2u [20 Dec 2019]
|
||||
|
||||
o Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
|
||||
used in exponentiation with 512-bit moduli (CVE-2019-1551)
|
||||
|
||||
Major changes between OpenSSL 1.0.2s and OpenSSL 1.0.2t [10 Sep 2019]
|
||||
|
||||
o Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey
|
||||
(CVE-2019-1563)
|
||||
o For built-in EC curves, ensure an EC_GROUP built from the curve name is
|
||||
used even when parsing explicit parameters
|
||||
o Compute ECC cofactors if not provided during EC_GROUP construction
|
||||
(CVE-2019-1547)
|
||||
o Document issue with installation paths in diverse Windows builds
|
||||
(CVE-2019-1552)
|
||||
|
||||
Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [28 May 2019]
|
||||
|
||||
o None
|
||||
|
||||
Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
|
||||
|
||||
o 0-byte record padding oracle (CVE-2019-1559)
|
||||
|
||||
Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
|
||||
|
||||
o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
|
||||
o Timing vulnerability in DSA signature generation (CVE-2018-0734)
|
||||
|
||||
Major changes between OpenSSL 1.0.2o and OpenSSL 1.0.2p [14 Aug 2018]
|
||||
|
||||
o Client DoS due to large DH parameter (CVE-2018-0732)
|
||||
o Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
|
||||
|
||||
Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
|
||||
|
||||
o Constructed ASN.1 types with a recursive definition could exceed the
|
||||
stack (CVE-2018-0739)
|
||||
|
||||
Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
|
||||
|
||||
o Read/write after SSL object in error state (CVE-2017-3737)
|
||||
o rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
|
||||
|
||||
Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]
|
||||
|
||||
o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
|
||||
o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
|
||||
|
||||
Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]
|
||||
|
||||
o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
|
||||
|
||||
Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
|
||||
|
||||
o Truncated packet could crash via OOB read (CVE-2017-3731)
|
||||
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
|
||||
o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
|
||||
|
||||
Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
|
||||
|
||||
o Missing CRL sanity check (CVE-2016-7052)
|
||||
|
||||
Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
|
||||
|
||||
o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
|
||||
o SWEET32 Mitigation (CVE-2016-2183)
|
||||
o OOB write in MDC2_Update() (CVE-2016-6303)
|
||||
o Malformed SHA512 ticket DoS (CVE-2016-6302)
|
||||
o OOB write in BN_bn2dec() (CVE-2016-2182)
|
||||
o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
|
||||
o Pointer arithmetic undefined behaviour (CVE-2016-2177)
|
||||
o Constant time flag not preserved in DSA signing (CVE-2016-2178)
|
||||
o DTLS buffered message DoS (CVE-2016-2179)
|
||||
o DTLS replay protection DoS (CVE-2016-2181)
|
||||
o Certificate message OOB reads (CVE-2016-6306)
|
||||
|
||||
Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
|
||||
|
||||
o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
|
||||
o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
|
||||
o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
|
||||
o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
|
||||
o EBCDIC overread (CVE-2016-2176)
|
||||
o Modify behavior of ALPN to invoke callback after SNI/servername
|
||||
callback, such that updates to the SSL_CTX affect ALPN.
|
||||
o Remove LOW from the DEFAULT cipher list. This removes singles DES from
|
||||
the default.
|
||||
o Only remove the SSLv2 methods with the no-ssl2-method option.
|
||||
|
||||
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
|
||||
|
||||
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
|
||||
o Disable SSLv2 default build, default negotiation and weak ciphers
|
||||
(CVE-2016-0800)
|
||||
o Fix a double-free in DSA code (CVE-2016-0705)
|
||||
o Disable SRP fake user seed to address a server memory leak
|
||||
(CVE-2016-0798)
|
||||
o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
|
||||
(CVE-2016-0797)
|
||||
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
|
||||
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
|
||||
|
||||
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
|
||||
|
||||
o DH small subgroups (CVE-2016-0701)
|
||||
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
|
||||
|
||||
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
|
||||
|
||||
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
|
||||
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
|
||||
o X509_ATTRIBUTE memory leak (CVE-2015-3195)
|
||||
o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
|
||||
o In DSA_generate_parameters_ex, if the provided seed is too short,
|
||||
return an error
|
||||
|
||||
Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
|
||||
|
||||
o Alternate chains certificate forgery (CVE-2015-1793)
|
||||
o Race condition handling PSK identify hint (CVE-2015-3196)
|
||||
|
||||
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
|
||||
|
||||
o Fix HMAC ABI incompatibility
|
||||
|
||||
Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
|
||||
|
||||
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
|
||||
o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
|
||||
o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
|
||||
o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
|
||||
o Race condition handling NewSessionTicket (CVE-2015-1791)
|
||||
|
||||
Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
|
||||
|
||||
o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
|
||||
o Multiblock corrupted pointer fix (CVE-2015-0290)
|
||||
o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
|
||||
o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
|
||||
o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
|
||||
o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
|
||||
o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
|
||||
o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
|
||||
o Empty CKE with client auth and DHE fix (CVE-2015-1787)
|
||||
o Handshake with unseeded PRNG fix (CVE-2015-0285)
|
||||
o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
|
||||
o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
|
||||
o Removed the export ciphers from the DEFAULT ciphers
|
||||
|
||||
Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
|
||||
|
||||
o Suite B support for TLS 1.2 and DTLS 1.2
|
||||
o Support for DTLS 1.2
|
||||
o TLS automatic EC curve selection.
|
||||
o API to set TLS supported signature algorithms and curves
|
||||
o SSL_CONF configuration API.
|
||||
o TLS Brainpool support.
|
||||
o ALPN support.
|
||||
o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
|
||||
|
||||
Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
|
||||
|
||||
o Build fixes for the Windows and OpenVMS platforms
|
||||
|
||||
Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
|
||||
|
||||
o Fix for CVE-2014-3571
|
||||
o Fix for CVE-2015-0206
|
||||
o Fix for CVE-2014-3569
|
||||
o Fix for CVE-2014-3572
|
||||
o Fix for CVE-2015-0204
|
||||
o Fix for CVE-2015-0205
|
||||
o Fix for CVE-2014-8275
|
||||
o Fix for CVE-2014-3570
|
||||
|
||||
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
|
||||
|
||||
o Fix for CVE-2014-3513
|
||||
o Fix for CVE-2014-3567
|
||||
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
|
||||
o Fix for CVE-2014-3568
|
||||
|
||||
Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
|
||||
|
||||
o Fix for CVE-2014-3512
|
||||
o Fix for CVE-2014-3511
|
||||
o Fix for CVE-2014-3510
|
||||
o Fix for CVE-2014-3507
|
||||
o Fix for CVE-2014-3506
|
||||
o Fix for CVE-2014-3505
|
||||
o Fix for CVE-2014-3509
|
||||
o Fix for CVE-2014-5139
|
||||
o Fix for CVE-2014-3508
|
||||
|
||||
Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
|
||||
|
||||
o Fix for CVE-2014-0224
|
||||
o Fix for CVE-2014-0221
|
||||
o Fix for CVE-2014-0198
|
||||
o Fix for CVE-2014-0195
|
||||
o Fix for CVE-2014-3470
|
||||
o Fix for CVE-2010-5298
|
||||
|
||||
Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
|
||||
|
||||
o Fix for CVE-2014-0160
|
||||
o Add TLS padding extension workaround for broken servers.
|
||||
o Fix for CVE-2014-0076
|
||||
|
||||
Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
|
||||
|
||||
o Don't include gmt_unix_time in TLS server and client random values
|
||||
o Fix for TLS record tampering bug CVE-2013-4353
|
||||
o Fix for TLS version checking bug CVE-2013-6449
|
||||
o Fix for DTLS retransmission bug CVE-2013-6450
|
||||
|
||||
Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
|
||||
|
||||
o Corrected fix for CVE-2013-0169
|
||||
|
||||
Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
|
||||
|
||||
o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
|
||||
o Include the fips configuration module.
|
||||
o Fix OCSP bad key DoS attack CVE-2013-0166
|
||||
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
|
||||
o Fix for TLS AESNI record handling flaw CVE-2012-2686
|
||||
|
||||
Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
|
||||
|
||||
o Fix TLS/DTLS record length checking bug CVE-2012-2333
|
||||
o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
|
||||
|
||||
Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
|
||||
|
||||
o Fix compilation error on non-x86 platforms.
|
||||
o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
|
||||
o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
|
||||
|
||||
Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
|
||||
|
||||
o Fix for ASN1 overflow bug CVE-2012-2110
|
||||
o Workarounds for some servers that hang on long client hellos.
|
||||
o Fix SEGV in AES code.
|
||||
|
||||
Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
|
||||
|
||||
o TLS/DTLS heartbeat support.
|
||||
o SCTP support.
|
||||
o RFC 5705 TLS key material exporter.
|
||||
o RFC 5764 DTLS-SRTP negotiation.
|
||||
o Next Protocol Negotiation.
|
||||
o PSS signatures in certificates, requests and CRLs.
|
||||
o Support for password based recipient info for CMS.
|
||||
o Support TLS v1.2 and TLS v1.1.
|
||||
o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
|
||||
o SRP support.
|
||||
|
||||
Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
|
||||
|
||||
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
|
||||
o Corrected fix for CVE-2011-4619
|
||||
o Various DTLS fixes.
|
||||
|
||||
Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
|
||||
|
||||
o Fix for DTLS DoS issue CVE-2012-0050
|
||||
|
||||
Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
|
||||
|
||||
o Fix for DTLS plaintext recovery attack CVE-2011-4108
|
||||
o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
|
||||
o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
|
||||
o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
|
||||
o Check for malformed RFC3779 data CVE-2011-4577
|
||||
|
||||
Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
|
||||
|
||||
o Fix for CRL vulnerability issue CVE-2011-3207
|
||||
o Fix for ECDH crashes CVE-2011-3210
|
||||
o Protection against EC timing attacks.
|
||||
o Support ECDH ciphersuites for certificates using SHA2 algorithms.
|
||||
o Various DTLS fixes.
|
||||
|
||||
Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
|
||||
|
||||
o Fix for security issue CVE-2011-0014
|
||||
|
||||
Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
|
||||
|
||||
o Fix for security issue CVE-2010-4180
|
||||
o Fix for CVE-2010-4252
|
||||
o Fix mishandling of absent EC point format extension.
|
||||
o Fix various platform compilation issues.
|
||||
o Corrected fix for security issue CVE-2010-3864.
|
||||
|
||||
Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
|
||||
|
||||
o Fix for security issue CVE-2010-3864.
|
||||
o Fix for CVE-2010-2939
|
||||
o Fix WIN32 build system for GOST ENGINE.
|
||||
|
||||
Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
|
||||
|
||||
o Fix for security issue CVE-2010-1633.
|
||||
o GOST MAC and CFB fixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
|
||||
|
||||
o RFC3280 path validation: sufficient to process PKITS tests.
|
||||
o Integrated support for PVK files and keyblobs.
|
||||
o Change default private key format to PKCS#8.
|
||||
o CMS support: able to process all examples in RFC4134
|
||||
o Streaming ASN1 encode support for PKCS#7 and CMS.
|
||||
o Multiple signer and signer add support for PKCS#7 and CMS.
|
||||
o ASN1 printing support.
|
||||
o Whirlpool hash algorithm added.
|
||||
o RFC3161 time stamp support.
|
||||
o New generalised public key API supporting ENGINE based algorithms.
|
||||
o New generalised public key API utilities.
|
||||
o New ENGINE supporting GOST algorithms.
|
||||
o SSL/TLS GOST ciphersuite support.
|
||||
o PKCS#7 and CMS GOST support.
|
||||
o RFC4279 PSK ciphersuite support.
|
||||
o Supported points format extension for ECC ciphersuites.
|
||||
o ecdsa-with-SHA224/256/384/512 signature types.
|
||||
o dsa-with-SHA224 and dsa-with-SHA256 signature types.
|
||||
o Opaque PRF Input TLS extension support.
|
||||
o Updated time routines to avoid OS limitations.
|
||||
|
||||
Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
|
||||
|
||||
o CFB cipher definition fixes.
|
||||
o Fix security issues CVE-2010-0740 and CVE-2010-0433.
|
||||
|
||||
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
|
||||
|
||||
o Cipher definition fixes.
|
||||
o Workaround for slow RAND_poll() on some WIN32 versions.
|
||||
o Remove MD2 from algorithm tables.
|
||||
o SPKAC handling fixes.
|
||||
o Support for RFC5746 TLS renegotiation extension.
|
||||
o Compression memory leak fixed.
|
||||
o Compression session resumption fixed.
|
||||
o Ticket and SNI coexistence fixes.
|
||||
o Many fixes to DTLS handling.
|
||||
|
||||
Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
|
||||
|
||||
o Temporary work around for CVE-2009-3555: disable renegotiation.
|
||||
|
||||
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
|
||||
|
||||
o Fix various build issues.
|
||||
o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
|
||||
|
||||
Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
|
||||
|
||||
o Fix security issue (CVE-2008-5077)
|
||||
o Merge FIPS 140-2 branch code.
|
||||
|
||||
Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
|
||||
|
||||
o CryptoAPI ENGINE support.
|
||||
o Various precautionary measures.
|
||||
o Fix for bugs affecting certificate request creation.
|
||||
o Support for local machine keyset attribute in PKCS#12 files.
|
||||
|
||||
Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
|
||||
|
||||
o Backport of CMS functionality to 0.9.8.
|
||||
o Fixes for bugs introduced with 0.9.8f.
|
||||
|
||||
Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
|
||||
|
||||
o Add gcc 4.2 support.
|
||||
o Add support for AES and SSE2 assembly lanugauge optimization
|
||||
for VC++ build.
|
||||
o Support for RFC4507bis and server name extensions if explicitly
|
||||
selected at compile time.
|
||||
o DTLS improvements.
|
||||
o RFC4507bis support.
|
||||
o TLS Extensions support.
|
||||
|
||||
Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
|
||||
|
||||
o Various ciphersuite selection fixes.
|
||||
o RFC3779 support.
|
||||
|
||||
Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
|
||||
|
||||
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
|
||||
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
|
||||
o Changes to ciphersuite selection algorithm
|
||||
|
||||
Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
|
||||
|
||||
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
|
||||
o New cipher Camellia
|
||||
|
||||
Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
|
||||
|
||||
o Cipher string fixes.
|
||||
o Fixes for VC++ 2005.
|
||||
o Updated ECC cipher suite support.
|
||||
o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
|
||||
o Zlib compression usage fixes.
|
||||
o Built in dynamic engine compilation support on Win32.
|
||||
o Fixes auto dynamic engine loading in Win32.
|
||||
|
||||
Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
|
||||
|
||||
o Fix potential SSL 2.0 rollback, CVE-2005-2969
|
||||
o Extended Windows CE support
|
||||
|
||||
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
|
||||
|
||||
o Major work on the BIGNUM library for higher efficiency and to
|
||||
make operations more streamlined and less contradictory. This
|
||||
is the result of a major audit of the BIGNUM library.
|
||||
o Addition of BIGNUM functions for fields GF(2^m) and NIST
|
||||
curves, to support the Elliptic Crypto functions.
|
||||
o Major work on Elliptic Crypto; ECDH and ECDSA added, including
|
||||
the use through EVP, X509 and ENGINE.
|
||||
o New ASN.1 mini-compiler that's usable through the OpenSSL
|
||||
configuration file.
|
||||
o Added support for ASN.1 indefinite length constructed encoding.
|
||||
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
|
||||
o Complete rework of shared library construction and linking
|
||||
programs with shared or static libraries, through a separate
|
||||
Makefile.shared.
|
||||
o Rework of the passing of parameters from one Makefile to another.
|
||||
o Changed ENGINE framework to load dynamic engine modules
|
||||
automatically from specifically given directories.
|
||||
o New structure and ASN.1 functions for CertificatePair.
|
||||
o Changed the ZLIB compression method to be stateful.
|
||||
o Changed the key-generation and primality testing "progress"
|
||||
mechanism to take a structure that contains the ticker
|
||||
function and an argument.
|
||||
o New engine module: GMP (performs private key exponentiation).
|
||||
o New engine module: VIA PadLOck ACE extension in VIA C3
|
||||
Nehemiah processors.
|
||||
o Added support for IPv6 addresses in certificate extensions.
|
||||
See RFC 1884, section 2.2.
|
||||
o Added support for certificate policy mappings, policy
|
||||
constraints and name constraints.
|
||||
o Added support for multi-valued AVAs in the OpenSSL
|
||||
configuration file.
|
||||
o Added support for multiple certificates with the same subject
|
||||
in the 'openssl ca' index file.
|
||||
o Make it possible to create self-signed certificates using
|
||||
'openssl ca -selfsign'.
|
||||
o Make it possible to generate a serial number file with
|
||||
'openssl ca -create_serial'.
|
||||
o New binary search functions with extended functionality.
|
||||
o New BUF functions.
|
||||
o New STORE structure and library to provide an interface to all
|
||||
sorts of data repositories. Supports storage of public and
|
||||
private keys, certificates, CRLs, numbers and arbitrary blobs.
|
||||
This library is unfortunately unfinished and unused withing
|
||||
OpenSSL.
|
||||
o New control functions for the error stack.
|
||||
o Changed the PKCS#7 library to support one-pass S/MIME
|
||||
processing.
|
||||
o Added the possibility to compile without old deprecated
|
||||
functionality with the OPENSSL_NO_DEPRECATED macro or the
|
||||
'no-deprecated' argument to the config and Configure scripts.
|
||||
o Constification of all ASN.1 conversion functions, and other
|
||||
affected functions.
|
||||
o Improved platform support for PowerPC.
|
||||
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
|
||||
o New X509_VERIFY_PARAM structure to support parametrisation
|
||||
of X.509 path validation.
|
||||
o Major overhaul of RC4 performance on Intel P4, IA-64 and
|
||||
AMD64.
|
||||
o Changed the Configure script to have some algorithms disabled
|
||||
by default. Those can be explicitely enabled with the new
|
||||
argument form 'enable-xxx'.
|
||||
o Change the default digest in 'openssl' commands from MD5 to
|
||||
SHA-1.
|
||||
o Added support for DTLS.
|
||||
o New BIGNUM blinding.
|
||||
o Added support for the RSA-PSS encryption scheme
|
||||
o Added support for the RSA X.931 padding.
|
||||
o Added support for BSD sockets on NetWare.
|
||||
o Added support for files larger than 2GB.
|
||||
o Added initial support for Win64.
|
||||
o Added alternate pkg-config files.
|
||||
|
||||
Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
|
||||
|
||||
o FIPS 1.1.1 module linking.
|
||||
o Various ciphersuite selection fixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
|
||||
|
||||
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
|
||||
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
|
||||
|
||||
Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
|
||||
|
||||
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
|
||||
|
||||
Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
|
||||
|
||||
o Visual C++ 2005 fixes.
|
||||
o Update Windows build system for FIPS.
|
||||
|
||||
Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
|
||||
|
||||
o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
|
||||
|
||||
Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
|
||||
|
||||
o Fix SSL 2.0 Rollback, CVE-2005-2969
|
||||
o Allow use of fixed-length exponent on DSA signing
|
||||
o Default fixed-window RSA, DSA, DH private-key operations
|
||||
|
||||
Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
|
||||
|
||||
o More compilation issues fixed.
|
||||
o Adaptation to more modern Kerberos API.
|
||||
o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin.
|
||||
o Enhanced x86_64 assembler BIGNUM module.
|
||||
o More constification.
|
||||
o Added processing of proxy certificates (RFC 3820).
|
||||
|
||||
Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
|
||||
|
||||
o Several compilation issues fixed.
|
||||
o Many memory allocation failure checks added.
|
||||
o Improved comparison of X509 Name type.
|
||||
o Mandatory basic checks on certificates.
|
||||
o Performance improvements.
|
||||
|
||||
Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
|
||||
|
||||
o Fix race condition in CRL checking code.
|
||||
o Fixes to PKCS#7 (S/MIME) code.
|
||||
|
||||
Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
|
||||
|
||||
o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
|
||||
o Security: Fix null-pointer assignment in do_change_cipher_spec()
|
||||
o Allow multiple active certificates with same subject in CA index
|
||||
o Multiple X509 verification fixes
|
||||
o Speed up HMAC and other operations
|
||||
|
||||
Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
|
||||
|
||||
o Security: fix various ASN1 parsing bugs.
|
||||
o New -ignore_err option to OCSP utility.
|
||||
o Various interop and bug fixes in S/MIME code.
|
||||
o SSL/TLS protocol fix for unrequested client certificates.
|
||||
|
||||
Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
|
||||
|
||||
o Security: counter the Klima-Pokorny-Rosa extension of
|
||||
Bleichbacher's attack
|
||||
o Security: make RSA blinding default.
|
||||
o Configuration: Irix fixes, AIX fixes, better mingw support.
|
||||
o Support for new platforms: linux-ia64-ecc.
|
||||
o Build: shared library support fixes.
|
||||
o ASN.1: treat domainComponent correctly.
|
||||
o Documentation: fixes and additions.
|
||||
|
||||
Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
|
||||
|
||||
o Security: Important security related bugfixes.
|
||||
o Enhanced compatibility with MIT Kerberos.
|
||||
o Can be built without the ENGINE framework.
|
||||
o IA32 assembler enhancements.
|
||||
o Support for new platforms: FreeBSD/IA64 and FreeBSD/Sparc64.
|
||||
o Configuration: the no-err option now works properly.
|
||||
o SSL/TLS: now handles manual certificate chain building.
|
||||
o SSL/TLS: certain session ID malfunctions corrected.
|
||||
|
||||
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
|
||||
|
||||
o New library section OCSP.
|
||||
o Complete rewrite of ASN1 code.
|
||||
o CRL checking in verify code and openssl utility.
|
||||
o Extension copying in 'ca' utility.
|
||||
o Flexible display options in 'ca' utility.
|
||||
o Provisional support for international characters with UTF8.
|
||||
o Support for external crypto devices ('engine') is no longer
|
||||
a separate distribution.
|
||||
o New elliptic curve library section.
|
||||
o New AES (Rijndael) library section.
|
||||
o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
|
||||
Linux x86_64, Linux 64-bit on Sparc v9
|
||||
o Extended support for some platforms: VxWorks
|
||||
o Enhanced support for shared libraries.
|
||||
o Now only builds PIC code when shared library support is requested.
|
||||
o Support for pkg-config.
|
||||
o Lots of new manuals.
|
||||
o Makes symbolic links to or copies of manuals to cover all described
|
||||
functions.
|
||||
o Change DES API to clean up the namespace (some applications link also
|
||||
against libdes providing similar functions having the same name).
|
||||
Provide macros for backward compatibility (will be removed in the
|
||||
future).
|
||||
o Unify handling of cryptographic algorithms (software and engine)
|
||||
to be available via EVP routines for asymmetric and symmetric ciphers.
|
||||
o NCONF: new configuration handling routines.
|
||||
o Change API to use more 'const' modifiers to improve error checking
|
||||
and help optimizers.
|
||||
o Finally remove references to RSAref.
|
||||
o Reworked parts of the BIGNUM code.
|
||||
o Support for new engines: Broadcom ubsec, Accelerated Encryption
|
||||
Processing, IBM 4758.
|
||||
o A few new engines added in the demos area.
|
||||
o Extended and corrected OID (object identifier) table.
|
||||
o PRNG: query at more locations for a random device, automatic query for
|
||||
EGD style random sources at several locations.
|
||||
o SSL/TLS: allow optional cipher choice according to server's preference.
|
||||
o SSL/TLS: allow server to explicitly set new session ids.
|
||||
o SSL/TLS: support Kerberos cipher suites (RFC2712).
|
||||
Only supports MIT Kerberos for now.
|
||||
o SSL/TLS: allow more precise control of renegotiations and sessions.
|
||||
o SSL/TLS: add callback to retrieve SSL/TLS messages.
|
||||
o SSL/TLS: support AES cipher suites (RFC3268).
|
||||
|
||||
Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
|
||||
|
||||
o Security: fix various ASN1 parsing bugs.
|
||||
o SSL/TLS protocol fix for unrequested client certificates.
|
||||
|
||||
Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
|
||||
|
||||
o Security: counter the Klima-Pokorny-Rosa extension of
|
||||
Bleichbacher's attack
|
||||
o Security: make RSA blinding default.
|
||||
o Build: shared library support fixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
|
||||
|
||||
o Important security related bugfixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
|
||||
|
||||
o New configuration targets for Tandem OSS and A/UX.
|
||||
o New OIDs for Microsoft attributes.
|
||||
o Better handling of SSL session caching.
|
||||
o Better comparison of distinguished names.
|
||||
o Better handling of shared libraries in a mixed GNU/non-GNU environment.
|
||||
o Support assembler code with Borland C.
|
||||
o Fixes for length problems.
|
||||
o Fixes for uninitialised variables.
|
||||
o Fixes for memory leaks, some unusual crashes and some race conditions.
|
||||
o Fixes for smaller building problems.
|
||||
o Updates of manuals, FAQ and other instructive documents.
|
||||
|
||||
Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
|
||||
|
||||
o Important building fixes on Unix.
|
||||
|
||||
Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
|
||||
|
||||
o Various important bugfixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
|
||||
|
||||
o Important security related bugfixes.
|
||||
o Various SSL/TLS library bugfixes.
|
||||
|
||||
Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
|
||||
|
||||
o Various SSL/TLS library bugfixes.
|
||||
o Fix DH parameter generation for 'non-standard' generators.
|
||||
|
||||
Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
|
||||
|
||||
o Various SSL/TLS library bugfixes.
|
||||
o BIGNUM library fixes.
|
||||
o RSA OAEP and random number generation fixes.
|
||||
o Object identifiers corrected and added.
|
||||
o Add assembler BN routines for IA64.
|
||||
o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
|
||||
MIPS Linux; shared library support for Irix, HP-UX.
|
||||
o Add crypto accelerator support for AEP, Baltimore SureWare,
|
||||
Broadcom and Cryptographic Appliance's keyserver
|
||||
[in 0.9.6c-engine release].
|
||||
|
||||
Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
|
||||
|
||||
o Security fix: PRNG improvements.
|
||||
o Security fix: RSA OAEP check.
|
||||
o Security fix: Reinsert and fix countermeasure to Bleichbacher's
|
||||
attack.
|
||||
o MIPS bug fix in BIGNUM.
|
||||
o Bug fix in "openssl enc".
|
||||
o Bug fix in X.509 printing routine.
|
||||
o Bug fix in DSA verification routine and DSA S/MIME verification.
|
||||
o Bug fix to make PRNG thread-safe.
|
||||
o Bug fix in RAND_file_name().
|
||||
o Bug fix in compatibility mode trust settings.
|
||||
o Bug fix in blowfish EVP.
|
||||
o Increase default size for BIO buffering filter.
|
||||
o Compatibility fixes in some scripts.
|
||||
|
||||
Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
|
||||
|
||||
o Security fix: change behavior of OpenSSL to avoid using
|
||||
environment variables when running as root.
|
||||
o Security fix: check the result of RSA-CRT to reduce the
|
||||
possibility of deducing the private key from an incorrectly
|
||||
calculated signature.
|
||||
o Security fix: prevent Bleichenbacher's DSA attack.
|
||||
o Security fix: Zero the premaster secret after deriving the
|
||||
master secret in DH ciphersuites.
|
||||
o Reimplement SSL_peek(), which had various problems.
|
||||
o Compatibility fix: the function des_encrypt() renamed to
|
||||
des_encrypt1() to avoid clashes with some Unixen libc.
|
||||
o Bug fixes for Win32, HP/UX and Irix.
|
||||
o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
|
||||
memory checking routines.
|
||||
o Bug fixes for RSA operations in threaded environments.
|
||||
o Bug fixes in misc. openssl applications.
|
||||
o Remove a few potential memory leaks.
|
||||
o Add tighter checks of BIGNUM routines.
|
||||
o Shared library support has been reworked for generality.
|
||||
o More documentation.
|
||||
o New function BN_rand_range().
|
||||
o Add "-rand" option to openssl s_client and s_server.
|
||||
|
||||
Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
|
||||
|
||||
o Some documentation for BIO and SSL libraries.
|
||||
o Enhanced chain verification using key identifiers.
|
||||
o New sign and verify options to 'dgst' application.
|
||||
o Support for DER and PEM encoded messages in 'smime' application.
|
||||
o New 'rsautl' application, low level RSA utility.
|
||||
o MD4 now included.
|
||||
o Bugfix for SSL rollback padding check.
|
||||
o Support for external crypto devices [1].
|
||||
o Enhanced EVP interface.
|
||||
|
||||
[1] The support for external crypto devices is currently a separate
|
||||
distribution. See the file README.ENGINE.
|
||||
|
||||
Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
|
||||
|
||||
o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8
|
||||
o Shared library support for HPUX and Solaris-gcc
|
||||
o Support of Linux/IA64
|
||||
o Assembler support for Mingw32
|
||||
o New 'rand' application
|
||||
o New way to check for existence of algorithms from scripts
|
||||
|
||||
Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
|
||||
|
||||
o S/MIME support in new 'smime' command
|
||||
o Documentation for the OpenSSL command line application
|
||||
o Automation of 'req' application
|
||||
o Fixes to make s_client, s_server work under Windows
|
||||
o Support for multiple fieldnames in SPKACs
|
||||
o New SPKAC command line utilty and associated library functions
|
||||
o Options to allow passwords to be obtained from various sources
|
||||
o New public key PEM format and options to handle it
|
||||
o Many other fixes and enhancements to command line utilities
|
||||
o Usable certificate chain verification
|
||||
o Certificate purpose checking
|
||||
o Certificate trust settings
|
||||
o Support of authority information access extension
|
||||
o Extensions in certificate requests
|
||||
o Simplified X509 name and attribute routines
|
||||
o Initial (incomplete) support for international character sets
|
||||
o New DH_METHOD, DSA_METHOD and enhanced RSA_METHOD
|
||||
o Read only memory BIOs and simplified creation function
|
||||
o TLS/SSL protocol bugfixes: Accept TLS 'client hello' in SSL 3.0
|
||||
record; allow fragmentation and interleaving of handshake and other
|
||||
data
|
||||
o TLS/SSL code now "tolerates" MS SGC
|
||||
o Work around for Netscape client certificate hang bug
|
||||
o RSA_NULL option that removes RSA patent code but keeps other
|
||||
RSA functionality
|
||||
o Memory leak detection now allows applications to add extra information
|
||||
via a per-thread stack
|
||||
o PRNG robustness improved
|
||||
o EGD support
|
||||
o BIGNUM library bug fixes
|
||||
o Faster DSA parameter generation
|
||||
o Enhanced support for Alpha Linux
|
||||
o Experimental MacOS support
|
||||
|
||||
Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
|
||||
|
||||
o Transparent support for PKCS#8 format private keys: these are used
|
||||
by several software packages and are more secure than the standard
|
||||
form
|
||||
o PKCS#5 v2.0 implementation
|
||||
o Password callbacks have a new void * argument for application data
|
||||
o Avoid various memory leaks
|
||||
o New pipe-like BIO that allows using the SSL library when actual I/O
|
||||
must be handled by the application (BIO pair)
|
||||
|
||||
Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
|
||||
o Lots of enhancements and cleanups to the Configuration mechanism
|
||||
o RSA OEAP related fixes
|
||||
o Added `openssl ca -revoke' option for revoking a certificate
|
||||
o Source cleanups: const correctness, type-safe stacks and ASN.1 SETs
|
||||
o Source tree cleanups: removed lots of obsolete files
|
||||
o Thawte SXNet, certificate policies and CRL distribution points
|
||||
extension support
|
||||
o Preliminary (experimental) S/MIME support
|
||||
o Support for ASN.1 UTF8String and VisibleString
|
||||
o Full integration of PKCS#12 code
|
||||
o Sparc assembler bignum implementation, optimized hash functions
|
||||
o Option to disable selected ciphers
|
||||
|
||||
Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
|
||||
o Fixed a security hole related to session resumption
|
||||
o Fixed RSA encryption routines for the p < q case
|
||||
o "ALL" in cipher lists now means "everything except NULL ciphers"
|
||||
o Support for Triple-DES CBCM cipher
|
||||
o Support of Optimal Asymmetric Encryption Padding (OAEP) for RSA
|
||||
o First support for new TLSv1 ciphers
|
||||
o Added a few new BIOs (syslog BIO, reliable BIO)
|
||||
o Extended support for DSA certificate/keys.
|
||||
o Extended support for Certificate Signing Requests (CSR)
|
||||
o Initial support for X.509v3 extensions
|
||||
o Extended support for compression inside the SSL record layer
|
||||
o Overhauled Win32 builds
|
||||
o Cleanups and fixes to the Big Number (BN) library
|
||||
o Support for ASN.1 GeneralizedTime
|
||||
o Splitted ASN.1 SETs from SEQUENCEs
|
||||
o ASN1 and PEM support for Netscape Certificate Sequences
|
||||
o Overhauled Perl interface
|
||||
o Lots of source tree cleanups.
|
||||
o Lots of memory leak fixes.
|
||||
o Lots of bug fixes.
|
||||
|
||||
Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
|
||||
o Integration of the popular NO_RSA/NO_DSA patches
|
||||
o Initial support for compression inside the SSL record layer
|
||||
o Added BIO proxy and filtering functionality
|
||||
o Extended Big Number (BN) library
|
||||
o Added RIPE MD160 message digest
|
||||
o Addeed support for RC2/64bit cipher
|
||||
o Extended ASN.1 parser routines
|
||||
o Adjustations of the source tree for CVS
|
||||
o Support for various new platforms
|
||||
|
||||
101
Agent-Windows/OGP64/usr/share/doc/openssl10/README
Normal file
101
Agent-Windows/OGP64/usr/share/doc/openssl10/README
Normal file
|
|
@ -0,0 +1,101 @@
|
|||
|
||||
OpenSSL 1.0.2u 20 Dec 2019
|
||||
|
||||
Copyright (c) 1998-2019 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
All rights reserved.
|
||||
|
||||
DESCRIPTION
|
||||
-----------
|
||||
|
||||
The OpenSSL Project is a collaborative effort to develop a robust,
|
||||
commercial-grade, fully featured, and Open Source toolkit implementing the
|
||||
Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
|
||||
well as a full-strength general purpose cryptograpic library. The project is
|
||||
managed by a worldwide community of volunteers that use the Internet to
|
||||
communicate, plan, and develop the OpenSSL toolkit and its related
|
||||
documentation.
|
||||
|
||||
OpenSSL is descended from the SSLeay library developed by Eric A. Young
|
||||
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
|
||||
OpenSSL license plus the SSLeay license), which means that you are free to
|
||||
get and use it for commercial and non-commercial purposes as long as you
|
||||
fulfill the conditions of both licenses.
|
||||
|
||||
OVERVIEW
|
||||
--------
|
||||
|
||||
The OpenSSL toolkit includes:
|
||||
|
||||
libssl.a:
|
||||
Provides the client and server-side implementations for SSLv3 and TLS.
|
||||
|
||||
libcrypto.a:
|
||||
Provides general cryptographic and X.509 support needed by SSL/TLS but
|
||||
not logically part of it.
|
||||
|
||||
openssl:
|
||||
A command line tool that can be used for:
|
||||
Creation of key parameters
|
||||
Creation of X.509 certificates, CSRs and CRLs
|
||||
Calculation of message digests
|
||||
Encryption and decryption
|
||||
SSL/TLS client and server tests
|
||||
Handling of S/MIME signed or encrypted mail
|
||||
And more...
|
||||
|
||||
INSTALLATION
|
||||
------------
|
||||
|
||||
See the appropriate file:
|
||||
INSTALL Linux, Unix, etc.
|
||||
INSTALL.DJGPP DOS platform with DJGPP
|
||||
INSTALL.NW Netware
|
||||
INSTALL.OS2 OS/2
|
||||
INSTALL.VMS VMS
|
||||
INSTALL.W32 Windows (32bit)
|
||||
INSTALL.W64 Windows (64bit)
|
||||
INSTALL.WCE Windows CE
|
||||
|
||||
SUPPORT
|
||||
-------
|
||||
|
||||
See the OpenSSL website www.openssl.org for details on how to obtain
|
||||
commercial technical support.
|
||||
|
||||
If you have any problems with OpenSSL then please take the following steps
|
||||
first:
|
||||
|
||||
- Download the latest version from the repository
|
||||
to see if the problem has already been addressed
|
||||
- Configure with no-asm
|
||||
- Remove compiler optimisation flags
|
||||
|
||||
If you wish to report a bug then please include the following information
|
||||
and create an issue on GitHub:
|
||||
|
||||
- On Unix systems:
|
||||
Self-test report generated by 'make report'
|
||||
- On other systems:
|
||||
OpenSSL version: output of 'openssl version -a'
|
||||
OS Name, Version, Hardware platform
|
||||
Compiler Details (name, version)
|
||||
- Application Details (name, version)
|
||||
- Problem Description (steps that will reproduce the problem, if known)
|
||||
- Stack Traceback (if the application dumps core)
|
||||
|
||||
Just because something doesn't work the way you expect does not mean it
|
||||
is necessarily a bug in OpenSSL.
|
||||
|
||||
HOW TO CONTRIBUTE TO OpenSSL
|
||||
----------------------------
|
||||
|
||||
See CONTRIBUTING
|
||||
|
||||
LEGALITIES
|
||||
----------
|
||||
|
||||
A number of nations restrict the use or export of cryptography. If you
|
||||
are potentially subject to such restrictions you should seek competent
|
||||
professional legal advice before attempting to develop or distribute
|
||||
cryptographic code.
|
||||
Loading…
Add table
Add a link
Reference in a new issue