X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=0b9d60c32abd37be6117650a0ec08940303adda5;hp=f96759b18e2bfc80e9da635d76874a483d5bae7f;hb=ddd13d677b0fc62c34d246b3d060c9cb5de04d82;hpb=11e46bd7ae27c982b53b175055fa28d2d1712276 diff --git a/FAQ b/FAQ index f96759b18e..0b9d60c32a 100644 --- a/FAQ +++ b/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? * How do I check the authenticity of the OpenSSL distribution? +* How does the versioning scheme work? [LEGAL] Legal questions @@ -33,6 +34,7 @@ OpenSSL - Frequently Asked Questions * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? * Why does OpenSSL set the authority key identifier extension incorrectly? +* How can I set up a bundle of commercial root CA certificates? [BUILD] Questions about building and testing OpenSSL @@ -51,6 +53,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -67,6 +72,9 @@ OpenSSL - Frequently Asked Questions * Why doesn't my server application receive a client certificate? * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier? * I think I've detected a memory leak, is this a bug? +* Why does Valgrind complain about the use of uninitialized data? +* Why doesn't a memory BIO work when a file does? +* Where are the declarations and implementations of d2i_X509() etc? =============================================================================== @@ -75,7 +83,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8b was released on May 4th, 2006. +OpenSSL 1.0.1c was released on May 10, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . +. Note that the online documents refer +to the very latest development versions of OpenSSL and may include features +not present in released versions. If in doubt refer to the documentation +that came with the version of OpenSSL you are using. The pod format +documentation is included in each OpenSSL distribution under the docs +directory. For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's @@ -124,7 +137,7 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? You can finder pointers to binary distributions in -http://www.openssl.org/related/binaries.html . + . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL @@ -163,6 +176,19 @@ just do: pgp TARBALL.asc +* How does the versioning scheme work? + +After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter +releases (e.g. 1.0.1a) can only contain bug and security fixes and no +new features. Minor releases change the last number (e.g. 1.0.2) and +can contain new features that retain binary compatibility. Changes to +the middle number are considered major releases and neither source nor +binary compatibility is guaranteed. + +Therefore the answer to the common question "when will feature X be +backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear +in the next minor release. + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? @@ -274,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.) Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). +extensions documentation (in ca(1), req(1), x509v3_config(5) ) * Why can't I create certificate requests? @@ -445,6 +471,20 @@ did this would be redundant information because it would duplicate the issuer name of C. +* How can I set up a bundle of commercial root CA certificates? + +The OpenSSL software is shipped without any root CA certificate as the +OpenSSL project does not have any policy on including or excluding +any specific CA and does not intend to set up such a policy. Deciding +about which CAs to support is up to application developers or +administrators. + +Other projects do have other policies so you can for example extract the CA +bundle used by Mozilla and/or modssl as described in this article: + + + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? @@ -484,7 +524,7 @@ when you run the test suite (using "make test"). The message returned is "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -495,7 +535,7 @@ that the OpenSSL bntest throws at it. This gets triggered when you run the test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -688,6 +728,46 @@ never make sense, and tend to emerge when you least expect them. In order to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). + [PROG] ======================================================================== * Is OpenSSL thread-safe? @@ -699,8 +779,11 @@ libraries. If your platform is not one of these, consult the INSTALL file. Multi-threaded applications must provide two callback functions to -OpenSSL. This is described in the threads(3) manpage. - +OpenSSL by calling CRYPTO_set_locking_callback() and +CRYPTO_set_id_callback(), for all versions of OpenSSL up to and +including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback() +and associated APIs are deprecated by CRYPTO_THREADID_set_callback() +and friends. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? @@ -841,11 +924,11 @@ code itself (the hex digits after the second colon). * Why do I get errors about unknown algorithms? -This can happen under several circumstances such as reading in an -encrypted private key or attempting to decrypt a PKCS#12 file. The cause -is forgetting to load OpenSSL's table of algorithms with -OpenSSL_add_all_algorithms(). See the manual page for more information. - +The cause is forgetting to load OpenSSL's table of algorithms with +OpenSSL_add_all_algorithms(). See the manual page for more information. This +can cause several problems such as being unable to read in an encrypted +PEM file, unable to decrypt a PKCS#12 file or signature failure when +verifying certificates. * Why can't the OpenSSH configure script detect OpenSSL? @@ -913,5 +996,46 @@ thread-safe): ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data(). -=============================================================================== +* Why does Valgrind complain about the use of uninitialized data? + +When OpenSSL's PRNG routines are called to generate random numbers the supplied +buffer contents are mixed into the entropy pool: so it technically does not +matter whether the buffer is initialized at this point or not. Valgrind (and +other test tools) will complain about this. When using Valgrind, make sure the +OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY) +to get rid of these warnings. + + +* Why doesn't a memory BIO work when a file does? + +This can occur in several cases for example reading an S/MIME email message. +The reason is that a memory BIO can do one of two things when all the data +has been read from it. + +The default behaviour is to indicate that no more data is available and that +the call should be retried, this is to allow the application to fill up the BIO +again if necessary. + +Alternatively it can indicate that no more data is available and that EOF has +been reached. + +If a memory BIO is to behave in the same way as a file this second behaviour +is needed. This must be done by calling: + BIO_set_mem_eof_return(bio, 0); + +See the manual pages for more details. + + +* Where are the declarations and implementations of d2i_X509() etc? + +These are defined and implemented by macros of the form: + + + DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509) + +The implementation passes an ASN1 "template" defining the structure into an +ASN1 interpreter using generalised functions such as ASN1_item_d2i(). + + +===============================================================================