* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?
* What is a "128 bit certificate"? Can I create one with OpenSSL?
+* How can I set up a bundle of commercial root CA certificates?
[BUILD] Questions about building and testing OpenSSL
* Why doesn't my server application receive a client certificate?
* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
* I think I've detected a memory leak, is this a bug?
+* Why does Valgrind complain about the use of uninitialized data?
===============================================================================
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8a was released on October 11th, 2005.
+OpenSSL 0.9.8h was released on May 28th, 2008.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
encryption so these certificates are now obsolete.
+* How can I set up a bundle of commercial root CA certificates?
+
+The OpenSSL software is shipped without any root CA certificate as the
+OpenSSL project does not have any policy on including or excluding
+any specific CA and does not intend to set up such a policy. Deciding
+about which CAs to support is up to application developers or
+administrators.
+
+Other projects do have other policies so you can for example extract the CA
+bundle used by Mozilla and/or modssl as described in this article:
+
+ http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
+
+
[BUILD] =======================================================================
* Why does the linker complain about undefined symbols?
file.
Multi-threaded applications must provide two callback functions to
-OpenSSL. This is described in the threads(3) manpage.
-
+OpenSSL by calling CRYPTO_set_locking_callback() and
+CRYPTO_set_id_callback(). This is described in the threads(3)
+manpage.
* I've compiled a program under Windows and it crashes: why?
* Why do I get errors about unknown algorithms?
-This can happen under several circumstances such as reading in an
-encrypted private key or attempting to decrypt a PKCS#12 file. The cause
-is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information.
-
+The cause is forgetting to load OpenSSL's table of algorithms with
+OpenSSL_add_all_algorithms(). See the manual page for more information. This
+can cause several problems such as being unable to read in an encrypted
+PEM file, unable to decrypt a PKCS#12 file or signature failure when
+verifying certificates.
* Why can't the OpenSSH configure script detect OpenSSL?
ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
+* Why does Valgrind complain about the use of uninitialized data?
+
+When OpenSSL's PRNG routines are called to generate random numbers the supplied
+buffer contents are mixed into the entropy pool: so it technically does not
+matter whether the buffer is initialized at this point or not. Valgrind (and
+other test tools) will complain about this. When using Valgrind, make sure the
+OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
+to get rid of these warnings.
+
+
===============================================================================