X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=a88765ef0fb85e8baf21d028518edc67c328561f;hp=889eb0ac43bc0322a198c86796c5225243376854;hb=f5cda4cbb17c908ceef33f4f52d94e8e04b7c1ab;hpb=2c730f6fc294357eb032e8ad85d51d40738f2290 diff --git a/FAQ b/FAQ index 889eb0ac43..a88765ef0f 100644 --- a/FAQ +++ b/FAQ @@ -32,6 +32,7 @@ OpenSSL - Frequently Asked Questions * How do I install a CA certificate into a browser? * Why is OpenSSL x509 DN output not conformant to RFC2253? * What is a "128 bit certificate"? Can I create one with OpenSSL? +* Why does OpenSSL set the authority key identifier extension incorrectly? [BUILD] Questions about building and testing OpenSSL @@ -49,6 +50,7 @@ OpenSSL - Frequently Asked Questions * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? +* Test suite still fails, what to do? [PROG] Questions about programming with OpenSSL @@ -400,10 +402,10 @@ You can't generally create such a certificate using OpenSSL but there is no need to any more. Nowadays web browsers using unrestricted strong encryption are generally available. -When there were tight export restrictions on the export of strong encryption +When there were tight restrictions on the export of strong encryption software from the US only weak encryption algorithms could be freely exported (initially 40 bit and then 56 bit). It was widely recognised that this was -inadequate. A relaxation the rules allowed the use of strong encryption but +inadequate. A relaxation of the rules allowed the use of strong encryption but only to an authorised server. Two slighly different techniques were developed to support this, one used by @@ -424,6 +426,25 @@ The export laws were later changed to allow almost unrestricted use of strong encryption so these certificates are now obsolete. +* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly? + +It doesn't: this extension is often the cause of confusion. + +Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose +certificate C contains AKID. + +The purpose of this extension is to identify the authority certificate B. This +can be done either by including the subject key identifier of B or its issuer +name and serial number. + +In this latter case because it is identifying certifcate B it must contain the +issuer name and serial number of B. + +It is often wrongly assumed that it should contain the subject name of B. If it +did this would be redundant information because it would duplicate the issuer +name of C. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? @@ -655,6 +676,18 @@ the module in question. The recommendation is to disable SHA-512 by adding no-sha512 to ./config [or ./Configure] command line. Another possible alternative might be to switch to GCC. +* Test suite still fails, what to do? + +Another common reason for failure to complete some particular test is +simply bad code generated by a buggy component in toolchain or deficiency +in run-time environment. There are few cases documented in PROBLEMS file, +consult it for possible workaround before you beat the drum. Even if you +don't find solution or even mention there, do reserve for possibility of +a compiler bug. Compiler bugs might appear in rather bizarre ways, they +never make sense, and tend to emerge when you least expect them. In order +to identify one, drop optimization level, e.g. by editing CFLAG line in +top-level Makefile, recompile and re-run the test. + [PROG] ======================================================================== * Is OpenSSL thread-safe? @@ -687,10 +720,10 @@ your application must link against the same by which OpenSSL was built. If you are using MS Visual C++ (Studio) this can be changed by: -1. Select Settings... from the Project Menu. -2. Select the C/C++ Tab. -3. Select "Code Generation from the "Category" drop down list box -4. Select the Appropriate library (see table below) from the "Use + 1. Select Settings... from the Project Menu. + 2. Select the C/C++ Tab. + 3. Select "Code Generation from the "Category" drop down list box + 4. Select the Appropriate library (see table below) from the "Use run-time library" drop down list box. Perform this step for both your debug and release versions of your application (look at the top left of the settings panel to change between the two)