X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=ab74287977db95eca1b416ff2d317e2de0255206;hp=b6fd981ce0c0e33903cc9e1001c6bda73b908b16;hb=934397ec661daeb63ea9d9f1e464ca50de8072cf;hpb=0ae485dc07398a8fcd3cbbc293e9e5472e7e61c4 diff --git a/FAQ b/FAQ index b6fd981ce0..ab74287977 100644 --- a/FAQ +++ b/FAQ @@ -12,6 +12,7 @@ OpenSSL - Frequently Asked Questions [LEGAL] Legal questions * Do I need patent licenses to use OpenSSL? +* Can I use OpenSSL with GPL software? [USER] Questions on using the OpenSSL applications @@ -23,6 +24,8 @@ OpenSSL - Frequently Asked Questions * How can I create DSA certificates? * Why can't I make an SSL connection using a DSA certificate? * How can I remove the passphrase on a private key? +* Why can't I use OpenSSL certificates with SSL client authentication? +* Why does my browser give a warning about a mismatched hostname? [BUILD] Questions about building and testing OpenSSL 
@@ -139,6 +142,24 @@ You can configure OpenSSL so as not to use RC5 and IDEA by using ./config no-rc5 no-idea +* Can I use OpenSSL with GPL software? + +On many systems including the major Linux and BSD distributions, yes (the +GPL does not place restrictions on using libraries that are part of the +normal operating system distribution). + +On other systems, the situation is less clear. Some GPL software copyright +holders claim that you infringe on their rights if you use OpenSSL with +their software on operating systems that don't normally include OpenSSL. + +If you develop open source software that uses OpenSSL, you may find it +useful to choose an other license than the GPL, or state explicitely that +"This program is released under the GPL with the additional exemption that +compiling, linking, and/or using OpenSSL is allowed." If you are using +GPL software developed by others, you may want to ask the copyright holder +for permission to use their software with OpenSSL. + + [USER] ======================================================================== * Why do I get a "PRNG not seeded" error message? 
@@ -240,6 +261,37 @@ you do have to do this check the EXAMPLES sections of the rsa(1) and dsa(1) manual pages. +* Why can't I use OpenSSL certificates with SSL client authentication? + +What will typically happen is that when a server requests authentication +it will either not include your certificate or tell you that you have +no client certificates (Netscape) or present you with an empty list box +(MSIE). The reason for this is that when a server requests a client +certificate it includes a list of CAs names which it will accept. Browsers +will only let you select certificates from the list on the grounds that +there is little point presenting a certificate which the server will +reject. + +The solution is to add the relevant CA certificate to your servers "trusted +CA list". How you do this depends on the server sofware in uses. You can +print out the servers list of acceptable CAs using the OpenSSL s_client tool: + +openssl s_client -connect www.some.host:443 -prexit + +If your server only requests certificates on certain URLs then you may need +to manually issue an HTTP GET command to get the list when s_client connects: + +GET /some/page/needing/a/certificate.html + +If your CA does not appear in the list then this confirms the problem. + + +* Why does my browser give a warning about a mismatched hostname? + +Browsers expect the server's hostname to match the value in the commonName +(CN) field of the certificate. If it does not then you get a warning. + + [BUILD] ======================================================================= * Why does the linker complain about undefined symbols? 
@@ -274,12 +326,13 @@ tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. * Why does the OpenSSL test fail with "bc: 1 no implemented"? -On some SCO installations or versions, bc has a bug that gets triggered when -you run the test suite (using "make test"). The message returned is "bc: -1 not implemented". The best way to deal with this is to find another -implementation of bc and compile/install it. For example, GNU bc (see -http://www.gnu.org/software/software.html for download instructions) can -be safely used. +On some SCO installations or versions, bc has a bug that gets triggered +when you run the test suite (using "make test"). The message returned is +"bc: 1 not implemented". + +The best way to deal with this is to find another implementation of bc +and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +for download instructions) can be safely used, for example. * Why does the OpenSSL compilation fail on Alpha True64 Unix?
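Review bot: Two spelling errors in the third paragraph of the new "Can I use OpenSSL with GPL software?" entry: "an other license" should be "another license", and "explicitely" should be "explicitly". The quoted exemption sentence is likely to be copied verbatim by readers, so the text around it should be clean before this lands.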
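Review bot: In the first paragraph of the new client authentication entry, the subject of "it will either not include your certificate or tell you that you have no client certificates" reads as the server, but the Netscape and MSIE parentheticals show that the browser is meant; say "the browser will ..." instead. In the second paragraph, "your servers" and "the servers list" need an apostrophe ("server's"), "CAs names" should be "CA names", and "sofware in uses" should be "software in use". The s_client step would also be easier to follow if it said which part of the output holds the list of acceptable CAs, since the entry ends by asking the reader to check whether their CA appears in it.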
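Review bot: The heading above this hunk still reads "bc: 1 no implemented" while the rewritten body quotes the message as "bc: 1 not implemented"; since the paragraph is being reflowed anyway, fix the heading in the same change so the question matches the error text a user would search for. The trailing "for example" in "can be safely used, for example" reads better moved to the front of the sentence.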