diff --git a/NEWS b/NEWS index 65dd4a7d9f..674703e80c 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,10 @@ o New 'rsautl' application, low level RSA utility. o MD4 now included. o Bugfix for SSL rollback padding check. + o Support for external crypto device[1]. + + [1] The support for external crypto devices is currently a separate + distribution. See the file README.ENGINE. Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: diff --git a/README.ENGINE b/README.ENGINE new file mode 100644 index 0000000000..b30206c0ed --- /dev/null +++ b/README.ENGINE 
@@ -0,0 +1,54 @@ + + ENGINE + ====== + + With OpenSSL 0.9.6, a new component has been added to support external + crypto devices, for example accelerator cards. The component is called + ENGINE, and has still a pretty experimental status and almost no + documentation. It's designed to be faily easily extensible by the + calling programs. + + There's currently built-in support for the following crypto devices: + + o CryptoSwift + o Compaq Atalla + o nCipher CHIL + + A number of things are still needed and are being worked on: + + o An openssl utility command to handle or at least check available + engines. + o A better way of handling the methods that are handled by the + engines. + o Documentation! + + What already exists is fairly stable as far as it has been tested, but + the test base has been a bit small most of the time. + + Because of this experimental status and what's lacking, the ENGINE + component is not yet part of the default OpenSSL distribution. However, + we have made a separate kit for those who want to try this out, to be + found in the same places as the default OpenSSL distribution, but with + "-engine-" being part of the kit file name. For example, version 0.9.6 + is distributed in the following two files: + + openssl-0.9.6.tar.gz + openssl-engine-0.9.6.tar.gz + + NOTES + ===== + + openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do + not need to download both. + + openssl-engine-0.9.6.tar.gz is usable even if you don't have an external + crypto device. The internal OpenSSL functions are contained in the + engine "openssl", and will be used by default. + + No external crypto device is chosen unless you say so. You have actively + tell the openssl utility commands to use it through a new command line + switch called "-engine". 
And if you want to use the ENGINE library to + do something similar, you must also explicitely choose an external crypto + device, or the built-in crypto routines will be used, just as in the + default OpenSSL distribution. +
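Review bot: In the NEWS hunk, the new entry reads "Support for external crypto device[1]." in the singular, while its own footnote and README.ENGINE both say "devices"; suggest "Support for external crypto devices[1]." The footnote also only says the support is "currently a separate distribution" and points to README.ENGINE. Adding the "-engine-" kit naming that README.ENGINE describes would let someone reading NEWS alone know that the default tarball does not contain it.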
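Review bot: In the README.ENGINE hunk, the NOTES section tells users to select a device through the new "-engine" switch but never says what value to pass. The only engine name given is "openssl" for the built-in routines, and the three listed devices (CryptoSwift, Compaq Atalla, nCipher CHIL) have no identifiers. Since the text states that the built-in routines are used unless a device is chosen explicitly, a user who cannot find the right name has no documented way to select the hardware, so please list the accepted names next to each device. Wording fixes in the same hunk: "faily" should be "fairly", "explicitely" should be "explicitly", "You have actively tell" is missing "to", "has still a pretty experimental status" reads better as "still has", and "does not depend on openssl-0.9.6.tar" drops the ".gz" used everywhere else in the file.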