X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=0ff792bbc39ca37735ab864c78c72bea89f750a2;hp=550a998e6fba9e4c66cc3471aed727b695a0e1fb;hb=b3a231db49f864a40f999bf5b3843bebec5e3730;hpb=e796666d34c24b96943ae653dc93371bcae19021 diff --git a/FAQ b/FAQ index 550a998e6f..0ff792bbc3 100644 --- a/FAQ +++ b/FAQ @@ -85,7 +85,6 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.1e was released on Feb 11, 2013. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . Much -of this still applies to OpenSSL. - There is some documentation about certificate extensions and PKCS#12 in doc/openssl.txt @@ -139,7 +133,7 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? You can finder pointers to binary distributions in - . + . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL @@ -418,7 +412,7 @@ whatever name they choose. The ways to print out the oneline format of the DN (Distinguished Name) have been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex() interface, the "-nameopt" option could be introduded. See the manual -page of the "openssl x509" commandline tool for details. The old behaviour +page of the "openssl x509" command line tool for details. The old behaviour has however been left as default for the sake of compatibility. * What is a "128 bit certificate"? Can I create one with OpenSSL? @@ -440,7 +434,7 @@ software from the US only weak encryption algorithms could be freely exported inadequate. A relaxation of the rules allowed the use of strong encryption but only to an authorised server. -Two slighly different techniques were developed to support this, one used by +Two slightly different techniques were developed to support this, one used by Netscape was called "step up", the other used by MSIE was called "Server Gated Cryptography" (SGC). When a browser initially connected to a server it would check to see if the certificate contained certain extensions and was issued by @@ -729,16 +723,15 @@ possible alternative might be to switch to GCC. * Test suite still fails, what to do? -Another common reason for failure to complete some particular test is -simply bad code generated by a buggy component in toolchain or deficiency -in run-time environment. There are few cases documented in PROBLEMS file, -consult it for possible workaround before you beat the drum. Even if you -don't find solution or even mention there, do reserve for possibility of -a compiler bug. Compiler bugs might appear in rather bizarre ways, they -never make sense, and tend to emerge when you least expect them. In order -to identify one, drop optimization level, e.g. by editing CFLAG line in -top-level Makefile, recompile and re-run the test. - +Another common reason for test failures is bugs in the toolchain +or run-time environment. Known cases of this are documented in the +PROBLEMS file, please review it before you beat the drum. Even if you +don't find anything in that file, please do consider the possibility +of a compiler bug. Compiler bugs often appear in rather bizarre ways, +they never make sense, and tend to emerge when you least expect +them. One thing to try is to reduce the level of optimization (such +as by editing the CFLAG variable line in the top-level Makefile), +and then recompile and re-run the test. * I think I've found a bug, what should I do? @@ -755,6 +748,9 @@ LOT of false positives. * I'm SURE I've found a bug, how do I report it? +To avoid duplicated reports check the mailing lists and release notes for the +relevant version of OpenSSL to see if the problem has been reported already. + Bug reports with no security implications should be sent to the request tracker. This can be done by mailing the report to (or its alias ), please note that messages sent to the @@ -786,22 +782,22 @@ more active team members (e.g. Steve). If you wish to use PGP to send in a report please use one or more of the keys of the team members listed at +Note that bugs only present in the openssl utility are not in general +considered to be security issues. + [PROG] ======================================================================== * Is OpenSSL thread-safe? -Yes (with limitations: an SSL connection may not concurrently be used -by multiple threads). On Windows and many Unix systems, OpenSSL -automatically uses the multi-threaded versions of the standard -libraries. If your platform is not one of these, consult the INSTALL -file. +Provided an application sets up the thread callback functions, the +answer is yes. There are limitations; for example, an SSL connection +cannot be used concurrently by multiple threads. This is true for +most OpenSSL objects. -Multi-threaded applications must provide two callback functions to -OpenSSL by calling CRYPTO_set_locking_callback() and -CRYPTO_set_id_callback(), for all versions of OpenSSL up to and -including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback() -and associated APIs are deprecated by CRYPTO_THREADID_set_callback() -and friends. This is described in the threads(3) manpage. +To do this, your application must call CRYPTO_set_locking_callback() +and one of the CRYPTO_THREADID_set...() API's. See the OpenSSL threads +manpage for details and "note on multi-threading" in the INSTALL file in +the source distribution. * I've compiled a program under Windows and it crashes: why? @@ -865,22 +861,25 @@ with the i2d_*_bio() or d2i_*_bio() functions or you can use the i2d_*(), d2i_*() functions directly. Since these are often the cause of grief here are some code fragments using PKCS7 as an example: +----- snip:start ----- unsigned char *buf, *p; - int len; + int len = i2d_PKCS7(p7, NULL); - len = i2d_PKCS7(p7, NULL); - buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ + buf = OPENSSL_malloc(len); /* error checking omitted */ p = buf; i2d_PKCS7(p7, &p); +----- snip:end ----- At this point buf contains the len bytes of the DER encoding of p7. The opposite assumes we already have len bytes in buf: - unsigned char *p; - p = buf; +----- snip:start ----- + unsigned char *p = buf; + p7 = d2i_PKCS7(NULL, &p, len); +----- snip:end ----- At this point p7 contains a valid PKCS7 structure or NULL if an error occurred. If an error occurred ERR_print_errors(bio) should give more @@ -897,14 +896,17 @@ because it no longer points to the same address. Memory allocation and encoding can also be combined in a single operation by the ASN1 routines: - unsigned char *buf = NULL; /* mandatory */ - int len; - len = i2d_PKCS7(p7, &buf); - if (len < 0) - /* Error */ +----- snip:start ----- + unsigned char *buf = NULL; + int len = i2d_PKCS7(p7, &buf); + + if (len < 0) { + /* Error */ + } /* Do some things with 'buf' */ /* Finished with buf: free it */ OPENSSL_free(buf); +----- snip:end ----- In this special case the "buf" parameter is *not* incremented, it points to the start of the encoding.