1998-12-21 18:52:47 +08:00
|
|
|
|
1999-08-08 19:45:56 +08:00
|
|
|
OpenSSL 0.9.4 09 Aug 1999
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
Copyright (c) 1998-1999 The OpenSSL Project
|
1999-01-31 19:15:44 +08:00
|
|
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
1998-12-22 23:04:48 +08:00
|
|
|
All rights reserved.
|
|
|
|
|
1999-03-06 22:04:40 +08:00
|
|
|
DESCRIPTION
|
|
|
|
-----------
|
|
|
|
|
1998-12-23 15:38:54 +08:00
|
|
|
The OpenSSL Project is a collaborative effort to develop a robust,
|
1998-12-22 23:04:48 +08:00
|
|
|
commercial-grade, fully featured, and Open Source toolkit implementing the
|
1999-03-06 21:35:14 +08:00
|
|
|
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
|
1998-12-22 23:04:48 +08:00
|
|
|
protocols with full-strength cryptography world-wide. The project is managed
|
|
|
|
by a worldwide community of volunteers that use the Internet to communicate,
|
1999-05-20 03:20:49 +08:00
|
|
|
plan, and develop the OpenSSL toolkit and its related documentation.
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1998-12-23 15:38:54 +08:00
|
|
|
OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
|
1999-03-06 21:35:14 +08:00
|
|
|
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
|
|
|
|
OpenSSL license plus the SSLeay license) situation, which basically means
|
|
|
|
that you are free to get and use it for commercial and non-commercial
|
1999-05-20 03:20:49 +08:00
|
|
|
purposes as long as you fulfill the conditions of both licenses.
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1999-03-06 22:04:40 +08:00
|
|
|
OVERVIEW
|
|
|
|
--------
|
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
The OpenSSL toolkit includes:
|
1998-12-22 23:04:48 +08:00
|
|
|
|
|
|
|
libssl.a:
|
|
|
|
Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
|
1999-03-06 21:35:14 +08:00
|
|
|
both SSLv2, SSLv3 and TLSv1 in the one server and client.
|
1998-12-22 23:04:48 +08:00
|
|
|
|
|
|
|
libcrypto.a:
|
1999-03-06 21:35:14 +08:00
|
|
|
General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
|
|
|
|
actually logically part of it. It includes routines for the following:
|
1998-12-22 23:04:48 +08:00
|
|
|
|
|
|
|
Ciphers
|
|
|
|
libdes - EAY's libdes DES encryption package which has been floating
|
|
|
|
around the net for a few years. It includes 15
|
|
|
|
'modes/variations' of DES (1, 2 and 3 key versions of ecb,
|
|
|
|
cbc, cfb and ofb; pcbc and a more general form of cfb and
|
|
|
|
ofb) including desx in cbc mode, a fast crypt(3), and
|
|
|
|
routines to read passwords from the keyboard.
|
|
|
|
RC4 encryption,
|
|
|
|
RC2 encryption - 4 different modes, ecb, cbc, cfb and ofb.
|
|
|
|
Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
|
|
|
|
IDEA encryption - 4 different modes, ecb, cbc, cfb and ofb.
|
|
|
|
|
|
|
|
Digests
|
|
|
|
MD5 and MD2 message digest algorithms, fast implementations,
|
|
|
|
SHA (SHA-0) and SHA-1 message digest algorithms,
|
1999-05-20 03:20:49 +08:00
|
|
|
MDC2 message digest. A DES based hash that is popular on smart cards.
|
1998-12-22 23:04:48 +08:00
|
|
|
|
|
|
|
Public Key
|
|
|
|
RSA encryption/decryption/generation.
|
|
|
|
There is no limit on the number of bits.
|
|
|
|
DSA encryption/decryption/generation.
|
|
|
|
There is no limit on the number of bits.
|
|
|
|
Diffie-Hellman key-exchange/key generation.
|
|
|
|
There is no limit on the number of bits.
|
|
|
|
|
|
|
|
X.509v3 certificates
|
|
|
|
X509 encoding/decoding into/from binary ASN1 and a PEM
|
|
|
|
based ascii-binary encoding which supports encryption with a
|
|
|
|
private key. Program to generate RSA and DSA certificate
|
|
|
|
requests and to generate RSA and DSA certificates.
|
|
|
|
|
|
|
|
Systems
|
|
|
|
The normal digital envelope routines and base64 encoding. Higher
|
|
|
|
level access to ciphers and digests by name. New ciphers can be
|
|
|
|
loaded at run time. The BIO io system which is a simple non-blocking
|
|
|
|
IO abstraction. Current methods supported are file descriptors,
|
|
|
|
sockets, socket accept, socket connect, memory buffer, buffering, SSL
|
|
|
|
client/server, file pointer, encryption, digest, non-blocking testing
|
|
|
|
and null.
|
|
|
|
|
|
|
|
Data structures
|
|
|
|
A dynamically growing hashing system
|
|
|
|
A simple stack.
|
|
|
|
A Configuration loader that uses a format similar to MS .ini files.
|
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
openssl:
|
|
|
|
A command line tool which provides the following functions:
|
1998-12-22 23:04:48 +08:00
|
|
|
|
|
|
|
enc - a general encryption program that can encrypt/decrypt using
|
|
|
|
one of 17 different cipher/mode combinations. The
|
|
|
|
input/output can also be converted to/from base64
|
|
|
|
ascii encoding.
|
|
|
|
dgst - a generate message digesting program that will generate
|
|
|
|
message digests for any of md2, md5, sha (sha-0 or sha-1)
|
|
|
|
or mdc2.
|
|
|
|
asn1parse - parse and display the structure of an asn1 encoded
|
|
|
|
binary file.
|
|
|
|
rsa - Manipulate RSA private keys.
|
|
|
|
dsa - Manipulate DSA private keys.
|
|
|
|
dh - Manipulate Diffie-Hellman parameter files.
|
|
|
|
dsaparam- Manipulate and generate DSA parameter files.
|
|
|
|
crl - Manipulate certificate revocation lists.
|
|
|
|
crt2pkcs7- Generate a pkcs7 object containing a crl and a certificate.
|
|
|
|
x509 - Manipulate x509 certificates, self-sign certificates.
|
|
|
|
req - Manipulate PKCS#10 certificate requests and also
|
|
|
|
generate certificate requests.
|
|
|
|
genrsa - Generates an arbitrary sized RSA private key.
|
1999-01-31 19:15:44 +08:00
|
|
|
gendsa - Generates DSA parameters.
|
1998-12-22 23:04:48 +08:00
|
|
|
gendh - Generates a set of Diffie-Hellman parameters, the prime
|
|
|
|
will be a strong prime.
|
|
|
|
ca - Create certificates from PKCS#10 certificate requests.
|
|
|
|
This program also maintains a database of certificates
|
|
|
|
issued.
|
|
|
|
verify - Check x509 certificate signatures.
|
1999-01-31 19:15:44 +08:00
|
|
|
speed - Benchmark OpenSSL's ciphers.
|
1998-12-22 23:04:48 +08:00
|
|
|
s_server- A test SSL server.
|
|
|
|
s_client- A test SSL client.
|
|
|
|
s_time - Benchmark SSL performance of SSL server programs.
|
1999-01-31 19:15:44 +08:00
|
|
|
errstr - Convert from OpenSSL hex error codes to a readable form.
|
|
|
|
nseq - Netscape certificate sequence utility
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1999-03-06 22:04:40 +08:00
|
|
|
PATENTS
|
|
|
|
-------
|
|
|
|
|
|
|
|
Various companies hold various patents for various algorithms in various
|
1999-03-22 23:38:59 +08:00
|
|
|
locations around the world. _YOU_ are responsible for ensuring that your use
|
1999-05-20 03:20:49 +08:00
|
|
|
of any algorithms is legal by checking if there are any patents in your
|
1999-03-22 23:38:59 +08:00
|
|
|
country. The file contains some of the patents that we know about or are
|
|
|
|
rumoured to exist. This is not a definitive list.
|
1999-03-06 22:04:40 +08:00
|
|
|
|
|
|
|
RSA Data Security holds software patents on the RSA and RC5 algorithms. If
|
|
|
|
their ciphers are used used inside the USA (and Japan?), you must contact RSA
|
1999-05-20 03:20:49 +08:00
|
|
|
Data Security for licensing conditions. Their web page is
|
1999-03-06 22:04:40 +08:00
|
|
|
http://www.rsa.com/.
|
|
|
|
|
|
|
|
RC4 is a trademark of RSA Data Security, so use of this label should perhaps
|
|
|
|
only be used with RSA Data Security's permission.
|
|
|
|
|
|
|
|
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
|
|
|
|
Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA. They should
|
|
|
|
be contacted if that algorithm is to be used, their web page is
|
|
|
|
http://www.ascom.ch/.
|
|
|
|
|
|
|
|
INSTALLATION
|
|
|
|
------------
|
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
To install this package under a Unix derivative, read the INSTALL file. For
|
1999-05-13 19:37:32 +08:00
|
|
|
a Win32 platform, read the INSTALL.W32 file. For OpenVMS systems, read
|
|
|
|
INSTALL.VMS.
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
For people in the USA, it is possible to compile OpenSSL to use RSA Inc.'s
|
1999-05-01 02:22:59 +08:00
|
|
|
public key library, RSAREF, by configuring OpenSSL with the option "rsaref".
|
1998-12-22 23:04:48 +08:00
|
|
|
|
1999-03-06 21:35:14 +08:00
|
|
|
Read the documentation in the doc/ directory. It is quite rough, but it
|
|
|
|
lists the functions, you will probably have to look at the code to work out
|
|
|
|
how to used them. Look at the example programs.
|
1998-12-21 18:52:47 +08:00
|
|
|
|
1999-03-06 22:04:40 +08:00
|
|
|
SUPPORT
|
|
|
|
-------
|
|
|
|
|
|
|
|
If you have any problems with OpenSSL then please take the following steps
|
|
|
|
first:
|
|
|
|
|
|
|
|
- Remove ASM versions of libraries
|
|
|
|
- Remove compiler optimisation flags
|
|
|
|
- Add compiler debug flags (if using gcc then remove -fomit-frame-pointer
|
|
|
|
before you try to debug things)
|
|
|
|
|
|
|
|
If you wish to report a bug then please include the following information in
|
|
|
|
any bug report:
|
|
|
|
|
|
|
|
OpenSSL Details
|
|
|
|
- Version, most of these details can be got from the
|
|
|
|
'openssl version -a' command.
|
|
|
|
Operating System Details
|
1999-05-06 19:50:03 +08:00
|
|
|
- On Unix systems: Output of './config -t'
|
1999-05-06 08:40:46 +08:00
|
|
|
- OS Name, Version
|
1999-03-06 22:04:40 +08:00
|
|
|
- Hardware platform
|
|
|
|
Compiler Details
|
|
|
|
- Name
|
|
|
|
- Version
|
|
|
|
Application Details
|
|
|
|
- Name
|
|
|
|
- Version
|
|
|
|
Problem Description
|
|
|
|
- include steps that will reproduce the problem (if known)
|
|
|
|
Stack Traceback (if the application dumps core)
|
|
|
|
|
|
|
|
Report the bug to the OpenSSL project at:
|
|
|
|
|
1999-05-06 08:40:46 +08:00
|
|
|
openssl-bugs@openssl.org
|
1999-03-06 22:04:40 +08:00
|
|
|
|
1999-05-06 08:40:46 +08:00
|
|
|
HOW TO CONTRIBUTE TO OpenSSL
|
|
|
|
----------------------------
|
|
|
|
|
|
|
|
Development is coordinated on the openssl-dev mailing list (see
|
|
|
|
http://www.openssl.org for information on subscribing). If you
|
|
|
|
would like to submit a patch, send it to openssl-dev@openssl.org.
|
|
|
|
Please be sure to include a textual explanation of what your patch
|
|
|
|
does.
|
|
|
|
|
|
|
|
The preferred format for changes is "diff -u" output. You might
|
|
|
|
generate it like this:
|
|
|
|
|
|
|
|
# cd openssl-work
|
|
|
|
# [your changes]
|
|
|
|
# ./Configure dist; make clean
|
|
|
|
# cd ..
|
|
|
|
# diff -urN openssl-orig openssl-work > mydiffs.patch
|