X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=0b9d60c32abd37be6117650a0ec08940303adda5;hp=d337d90ff09a3194d6ed8b7a3c38b0df3b22e59f;hb=dd2516596867cce7586b47406c010d63ba73f289;hpb=11d01d371f67a9cacfeccb1078669c595d65002f diff --git a/FAQ b/FAQ index d337d90ff0..0b9d60c32a 100644 --- a/FAQ +++ b/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? * How do I check the authenticity of the OpenSSL distribution? +* How does the versioning scheme work? [LEGAL] Legal questions @@ -33,6 +34,7 @@ OpenSSL - Frequently Asked Questions * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? * Why does OpenSSL set the authority key identifier extension incorrectly? +* How can I set up a bundle of commercial root CA certificates? [BUILD] Questions about building and testing OpenSSL @@ -51,6 +53,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -69,6 +74,7 @@ OpenSSL - Frequently Asked Questions * I think I've detected a memory leak, is this a bug? * Why does Valgrind complain about the use of uninitialized data? * Why doesn't a memory BIO work when a file does? +* Where are the declarations and implementations of d2i_X509() etc? =============================================================================== @@ -77,7 +83,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8g was released on October 19th, 2007. +OpenSSL 1.0.1c was released on May 10, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . +. Note that the online documents refer +to the very latest development versions of OpenSSL and may include features +not present in released versions. If in doubt refer to the documentation +that came with the version of OpenSSL you are using. The pod format +documentation is included in each OpenSSL distribution under the docs +directory. For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's @@ -126,7 +137,7 @@ OpenSSL. Information on the OpenSSL mailing lists is available from * Where can I get a compiled version of OpenSSL? You can finder pointers to binary distributions in -http://www.openssl.org/related/binaries.html . + . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL @@ -165,6 +176,19 @@ just do: pgp TARBALL.asc +* How does the versioning scheme work? + +After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter +releases (e.g. 1.0.1a) can only contain bug and security fixes and no +new features. Minor releases change the last number (e.g. 1.0.2) and +can contain new features that retain binary compatibility. Changes to +the middle number are considered major releases and neither source nor +binary compatibility is guaranteed. + +Therefore the answer to the common question "when will feature X be +backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear +in the next minor release. + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? @@ -276,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.) Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). +extensions documentation (in ca(1), req(1), x509v3_config(5) ) * Why can't I create certificate requests? @@ -447,6 +471,20 @@ did this would be redundant information because it would duplicate the issuer name of C. +* How can I set up a bundle of commercial root CA certificates? + +The OpenSSL software is shipped without any root CA certificate as the +OpenSSL project does not have any policy on including or excluding +any specific CA and does not intend to set up such a policy. Deciding +about which CAs to support is up to application developers or +administrators. + +Other projects do have other policies so you can for example extract the CA +bundle used by Mozilla and/or modssl as described in this article: + + + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? @@ -486,7 +524,7 @@ when you run the test suite (using "make test"). The message returned is "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -497,7 +535,7 @@ that the OpenSSL bntest throws at it. This gets triggered when you run the test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -690,6 +728,46 @@ never make sense, and tend to emerge when you least expect them. In order to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). + [PROG] ======================================================================== * Is OpenSSL thread-safe? @@ -702,10 +780,10 @@ file. Multi-threaded applications must provide two callback functions to OpenSSL by calling CRYPTO_set_locking_callback() and -CRYPTO_set_id_callback(). (For OpenSSL 0.9.9 or later, the new -function CRYPTO_set_idptr_callback() may be used in place of -CRYPTO_set_id_callback().) This is described in the threads(3) -manpage. +CRYPTO_set_id_callback(), for all versions of OpenSSL up to and +including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback() +and associated APIs are deprecated by CRYPTO_THREADID_set_callback() +and friends. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? @@ -846,11 +924,11 @@ code itself (the hex digits after the second colon). * Why do I get errors about unknown algorithms? -This can happen under several circumstances such as reading in an -encrypted private key or attempting to decrypt a PKCS#12 file. The cause -is forgetting to load OpenSSL's table of algorithms with -OpenSSL_add_all_algorithms(). See the manual page for more information. - +The cause is forgetting to load OpenSSL's table of algorithms with +OpenSSL_add_all_algorithms(). See the manual page for more information. This +can cause several problems such as being unable to read in an encrypted +PEM file, unable to decrypt a PKCS#12 file or signature failure when +verifying certificates. * Why can't the OpenSSH configure script detect OpenSSL? @@ -949,5 +1027,15 @@ is needed. This must be done by calling: See the manual pages for more details. -=============================================================================== +* Where are the declarations and implementations of d2i_X509() etc? + +These are defined and implemented by macros of the form: + + + DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509) +The implementation passes an ASN1 "template" defining the structure into an +ASN1 interpreter using generalised functions such as ASN1_item_d2i(). + + +===============================================================================