X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=584cb9fef97ec9656cb4d379a8ae61c140ee99fb;hp=a0288343a3cea883f859da30ec9534120aab8a87;hb=451038b40c47d5ed76ac6622dd2bd7c3c7372a57;hpb=930875ef77f07e6881a46f79c91c9254b453f5f5 diff --git a/FAQ b/FAQ index a0288343a3..584cb9fef9 100644 --- a/FAQ +++ b/FAQ @@ -33,6 +33,7 @@ OpenSSL - Frequently Asked Questions * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? * Why does OpenSSL set the authority key identifier extension incorrectly? +* How can I set up a bundle of commercial root CA certificates? [BUILD] Questions about building and testing OpenSSL @@ -69,6 +70,7 @@ OpenSSL - Frequently Asked Questions * I think I've detected a memory leak, is this a bug? * Why does Valgrind complain about the use of uninitialized data? * Why doesn't a memory BIO work when a file does? +* Where are the declarations and implementations of d2i_X509() etc? =============================================================================== @@ -77,7 +79,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8g was released on October 19th, 2007. +OpenSSL 0.9.8k was released on Mar 25th, 2009. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . +. Note that the online documents refer +to the very latest development versions of OpenSSL and may include features +not present in released versions. If in doubt refer to the documentation +that came with the version of OpenSSL you are using. For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's @@ -447,6 +452,20 @@ did this would be redundant information because it would duplicate the issuer name of C. +* How can I set up a bundle of commercial root CA certificates? + +The OpenSSL software is shipped without any root CA certificate as the +OpenSSL project does not have any policy on including or excluding +any specific CA and does not intend to set up such a policy. Deciding +about which CAs to support is up to application developers or +administrators. + +Other projects do have other policies so you can for example extract the CA +bundle used by Mozilla and/or modssl as described in this article: + + http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? @@ -702,10 +721,10 @@ file. Multi-threaded applications must provide two callback functions to OpenSSL by calling CRYPTO_set_locking_callback() and -CRYPTO_set_id_callback(). (For OpenSSL 0.9.9 or later, the new -function CRYPTO_set_idptr_callback() may be used in place of -CRYPTO_set_id_callback().) This is described in the threads(3) -manpage. +CRYPTO_set_id_callback(), for all versions of OpenSSL up to and +including 0.9.8[abc...]. As of version 0.9.9, CRYPTO_set_id_callback() +and associated APIs are deprecated by CRYPTO_THREADID_set_callback() +and friends. This is described in the threads(3) manpage. * I've compiled a program under Windows and it crashes: why? @@ -949,5 +968,15 @@ is needed. This must be done by calling: See the manual pages for more details. -=============================================================================== +* Where are the declarations and implementations of d2i_X509() etc? +These are defined and implemented by macros of the form: + + + DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509) + +The implementation passes an ASN1 "template" defining the structure into an +ASN1 interpreter using generalised functions such as ASN1_item_d2i(). + + +===============================================================================