X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=f8ea604273a53f8354f17a768d806fa1a3541aed;hp=139e17b4a92e4e262bf09adfa7d21f7a8984f040;hb=966fe81f9befbff62522a158006fb03050a868df;hpb=ab9c689ad387fcd209017fe45985b1938a0ee0df diff --git a/FAQ b/FAQ index 139e17b4a9..f8ea604273 100644 --- a/FAQ +++ b/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? * How do I check the authenticity of the OpenSSL distribution? +* How does the versioning scheme work? [LEGAL] Legal questions @@ -52,6 +53,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -70,6 +74,7 @@ OpenSSL - Frequently Asked Questions * I think I've detected a memory leak, is this a bug? * Why does Valgrind complain about the use of uninitialized data? * Why doesn't a memory BIO work when a file does? +* Where are the declarations and implementations of d2i_X509() etc? =============================================================================== @@ -78,11 +83,11 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8h was released on May 28th, 2008. +OpenSSL 1.0.1e was released on Feb 11th, 2013. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at , or get it by anonymous CVS access. +ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access. * Where is the documentation? @@ -94,19 +99,19 @@ explains how to install this library. OpenSSL includes a command line utility that can be used to perform a variety of cryptographic functions. It is described in the openssl(1) -manpage. Documentation for developers is currently being written. A -few manual pages already are available; overviews over libcrypto and +manpage. Documentation for developers is currently being written. Many +manual pages are available; overviews over libcrypto and libssl are given in the crypto(3) and ssl(3) manpages. The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a different directory if you specified one as described in INSTALL). In addition, you can read the most current versions at -. - -For information on parts of libcrypto that are not yet documented, you -might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's -predecessor, at . Much -of this still applies to OpenSSL. +. Note that the online documents refer +to the very latest development versions of OpenSSL and may include features +not present in released versions. If in doubt refer to the documentation +that came with the version of OpenSSL you are using. The pod format +documentation is included in each OpenSSL distribution under the docs +directory. There is some documentation about certificate extensions and PKCS#12 in doc/openssl.txt @@ -127,7 +132,7 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? You can finder pointers to binary distributions in -http://www.openssl.org/related/binaries.html . + . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL @@ -166,6 +171,19 @@ just do: pgp TARBALL.asc +* How does the versioning scheme work? + +After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter +releases (e.g. 1.0.1a) can only contain bug and security fixes and no +new features. Minor releases change the last number (e.g. 1.0.2) and +can contain new features that retain binary compatibility. Changes to +the middle number are considered major releases and neither source nor +binary compatibility is guaranteed. + +Therefore the answer to the common question "when will feature X be +backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear +in the next minor release. + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? @@ -277,7 +295,7 @@ current directory in this case, but this has changed with 0.9.6a.) Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). +extensions documentation (in ca(1), req(1), x509v3_config(5) ) * Why can't I create certificate requests? @@ -459,7 +477,7 @@ administrators. Other projects do have other policies so you can for example extract the CA bundle used by Mozilla and/or modssl as described in this article: - http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + [BUILD] ======================================================================= @@ -501,7 +519,7 @@ when you run the test suite (using "make test"). The message returned is "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -512,7 +530,7 @@ that the OpenSSL bntest throws at it. This gets triggered when you run the test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -705,6 +723,49 @@ never make sense, and tend to emerge when you least expect them. In order to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). + +Note that bugs only present in the openssl utility are not in general +considered to be security issues. + [PROG] ======================================================================== * Is OpenSSL thread-safe? @@ -718,7 +779,7 @@ file. Multi-threaded applications must provide two callback functions to OpenSSL by calling CRYPTO_set_locking_callback() and CRYPTO_set_id_callback(), for all versions of OpenSSL up to and -including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback() +including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback() and associated APIs are deprecated by CRYPTO_THREADID_set_callback() and friends. This is described in the threads(3) manpage. @@ -964,4 +1025,15 @@ is needed. This must be done by calling: See the manual pages for more details. +* Where are the declarations and implementations of d2i_X509() etc? + +These are defined and implemented by macros of the form: + + + DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509) + +The implementation passes an ASN1 "template" defining the structure into an +ASN1 interpreter using generalised functions such as ASN1_item_d2i(). + + ===============================================================================