* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?
* What is a "128 bit certificate"? Can I create one with OpenSSL?
+* How can I set up a bundle of commercial root CA certificates?
[BUILD] Questions about building and testing OpenSSL
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8e was released on February 23rd, 2007.
+OpenSSL 0.9.8h was released on May 28th, 2008.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
encryption so these certificates are now obsolete.
+* How can I set up a bundle of commercial root CA certificates?
+
+The OpenSSL software is shipped without any root CA certificate as the
+OpenSSL project does not have any policy on including or excluding
+any specific CA and does not intend to set up such a policy. Deciding
+about which CAs to support is up to application developers or
+administrators.
+
+Other projects do have other policies so you can for example extract the CA
+bundle used by Mozilla and/or modssl as described in this article:
+
+ http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+
+
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
* Why do I get errors about unknown algorithms?
-This can happen under several circumstances such as reading in an
-encrypted private key or attempting to decrypt a PKCS#12 file. The cause
-is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information.
-
+The cause is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information. This
+can cause several problems such as being unable to read in an encrypted
+PEM file, unable to decrypt a PKCS#12 file or signature failure when
+verifying certificates.
* Why can't the OpenSSH configure script detect OpenSSL?
* Why does Valgrind complain about the use of uninitialized data?
-OpenSSL does internally call its own PRNG routines to retrieve random
-numbers. It so does with uninitialed buffer contents. The buffer
-contents is mixed into the entropy pool so that it technically does
-not matter whether the buffer is initialized at this point or not.
-Valgrind (and other test tools) will complain whatsoever. When
-using Valgrind, make sure to use an OpenSSL library that has been
-compiled with the PEDANTIC macro being defined (-DPEDANTIC) to
-get rid of these warnings. Compling with -DPURIFY will help as well.
-
-The PEDANTIC macro was added in OpenSSL 0.9.8f.
+When OpenSSL's PRNG routines are called to generate random numbers the supplied
+buffer contents are mixed into the entropy pool: so it technically does not
+matter whether the buffer is initialized at this point or not. Valgrind (and
+other test tools) will complain about this. When using Valgrind, make sure the
+OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
+to get rid of these warnings.
===============================================================================