* Why does the linker complain about undefined symbols?
* Where can I get a compiled version of OpenSSL?
* I've compiled a program under Windows and it crashes: why?
+* I've called <some function> and it fails, why?
+* I just get a load of numbers for the error output, what do they mean?
* Why do I get errors about unknown algorithms?
* How do I create certificates or certificate requests?
* Why can't I create certificate requests?
* Why does <SSL program> fail with a certificate verify error?
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
* How can I create DSA certificates?
* Why can't I make an SSL connection using a DSA certificate?
+* How can I remove the passphrase on a private key?
* Why can't the OpenSSH configure script detect OpenSSL?
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.5 was released on February 28th, 2000.
+OpenSSL 0.9.5a was released on April 1st, 2000.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
number generator has not been seeded with at least 128 bits of
randomness. If this error occurs, please contact the author of the
application you are using. It is likely that it never worked
-correctly. OpenSSL 0.9.5 makes the error visible by refusing to
-perform potentially insecure encryption.
+correctly. OpenSSL 0.9.5 and later make the error visible by refusing
+to perform potentially insecure encryption.
+
+On systems without /dev/urandom, it is a good idea to use the Entropy
+Gathering Demon; see the RAND_egd() manpage for details.
Most components of the openssl command line tool try to use the
file $HOME/.rnd (or $RANDFILE, if this environment variable is set)
for seeding the PRNG. If this file does not exist or is too short,
the "PRNG not seeded" error message may occur.
-Note that the command "openssl rsa" in OpenSSL 0.9.5 does not do this
-and will fail on systems without /dev/urandom when trying to
-password-encrypt an RSA key! This is a bug in the library;
-try a later snaphost instead.
+
+[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version
+0.9.5 does not do this and will fail on systems without /dev/urandom
+when trying to password-encrypt an RSA key! This is a bug in the
+library; try a later version instead.]
* Why does the linker complain about undefined symbols?
first BIO related read or write operation.
+* I've called <some function> and it fails, why?
+
+Before submitting a report or asking in one of the mailing lists, you
+should try to determine the cause. In particular, you should call
+ERR_print_errors() or ERR_print_errors_fp() after the failed call
+and see if the message helps. Note that the problem may occur earlier
+than you think -- you should check for errors after every call where
+it is possible, otherwise the actual problem may be hidden because
+some OpenSSL functions clear the error state.
+
+
+* I just get a load of numbers for the error output, what do they mean?
+
+The actual format is described in the ERR_print_errors() manual page.
+You should call the function ERR_load_crypto_strings() before hand and
+the message will be output in text form. If you can't do this (for example
+it is a pre-compiled binary) you can use the errstr utility on the error
+code itself (the hex digits after the second colon).
+
+
* Why do I get errors about unknown algorithms?
This can happen under several circumstances such as reading in an
the verify(1) program manual page for more information.
+* Why can I only use weak ciphers when I connect to a server using OpenSSL?
+
+This is almost certainly because you are using an old "export grade" browser
+which only supports weak encryption. Upgrade your browser to support 128 bit
+ciphers.
+
+
* How can I create DSA certificates?
Check the CA.pl(1) manual page for a DSA certificate example.
Typically you'll see a message saying there are no shared ciphers when
the same setup works fine with an RSA certificate. There are two possible
causes. The client may not support connections to DSA servers most web
-browsers only support connections to servers supporting RSA cipher suites.
-The other cause is that a set of DH parameters has not been supplied to
-the server. DH parameters can be created with the dhparam(1) command and
-loaded using the SSL_CTX_set_tmp_dh() for example: check the source to
-s_server in apps/s_server.c for an example.
+browsers (including Netscape and MSIE) only support connections to servers
+supporting RSA cipher suites. The other cause is that a set of DH parameters
+has not been supplied to the server. DH parameters can be created with the
+dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
+check the source to s_server in apps/s_server.c for an example.
+
+
+* How can I remove the passphrase on a private key?
+
+Firstly you should be really *really* sure you want to do this. Leaving
+a private key unencrypted is a major security risk. If you decide that
+you do have to do this check the EXAMPLES sections of the rsa(1) and
+dsa(1) manual pages.
* Why can't the OpenSSH configure script detect OpenSSL?
projects / openssl.git / blobdiff