OpenSSL - Frequently Asked Questions
------------------------------------

[MISC] Miscellaneous questions

* Which is the current version of OpenSSL?
* Where is the documentation?
* How can I contact the OpenSSL developers?
* Where can I get a compiled version of OpenSSL?
* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
* How do I check the authenticity of the OpenSSL distribution?
* How does the versioning scheme work?

[LEGAL] Legal questions

* Do I need patent licenses to use OpenSSL?
* Can I use OpenSSL with GPL software?

[USER] Questions on using the OpenSSL applications

* Why do I get a "PRNG not seeded" error message?
* Why do I get an "unable to write 'random state'" error message?
* How do I create certificates or certificate requests?
* Why can't I create certificate requests?
* Why does <SSL program> fail with a certificate verify error?
* Why can I only use weak ciphers when I connect to a server using OpenSSL?
* How can I create DSA certificates?
* Why can't I make an SSL connection using a DSA certificate?
* How can I remove the passphrase on a private key?
* Why can't I use OpenSSL certificates with SSL client authentication?
* Why does my browser give a warning about a mismatched hostname?
* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?
* What is a "128 bit certificate"? Can I create one with OpenSSL?
* Why does OpenSSL set the authority key identifier extension incorrectly?
* How can I set up a bundle of commercial root CA certificates?

[BUILD] Questions about building and testing OpenSSL

* Why does the linker complain about undefined symbols?
* Why does the OpenSSL test fail with "bc: command not found"?
* Why does the OpenSSL test fail with "bc: 1 not implemented"?
* Why does the OpenSSL test fail with "bc: stack empty"?
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
* Why does the OpenSSL compilation fail with "ar: command not found"?
* Why does the OpenSSL compilation fail on Win32 with VC++?
* What is special about OpenSSL on Redhat?
* Why does the OpenSSL compilation fail on MacOS X?
* Why does the OpenSSL test suite fail on MacOS X?
* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
* Why does compiler fail to compile sha512.c?
* Test suite still fails, what to do?
* I think I've found a bug, what should I do?
* I'm SURE I've found a bug, how do I report it?
* I've found a security issue, how do I report it?

[PROG] Questions about programming with OpenSSL

* Is OpenSSL thread-safe?
* I've compiled a program under Windows and it crashes: why?
* How do I read or write a DER encoded buffer using the ASN1 functions?
* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
* I've called <some function> and it fails, why?
* I just get a load of numbers for the error output, what do they mean?
* Why do I get errors about unknown algorithms?
* Why can't the OpenSSH configure script detect OpenSSL?
* Can I use OpenSSL's SSL library with non-blocking I/O?
* Why doesn't my server application receive a client certificate?
* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
* I think I've detected a memory leak, is this a bug?
* Why does Valgrind complain about the use of uninitialized data?
* Why doesn't a memory BIO work when a file does?
* Where are the declarations and implementations of d2i_X509() etc?

===============================================================================

[MISC] ========================================================================

* Which is the current version of OpenSSL?

The current version is available from <URL: http://www.openssl.org>.
OpenSSL 1.0.1e was released on Feb 11th, 2013.

In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.


* Where is the documentation?

OpenSSL is a library that provides cryptographic functionality to
applications such as secure web servers. Be sure to read the
documentation of the application you want to use. The INSTALL file
explains how to install this library.

OpenSSL includes a command line utility that can be used to perform a
variety of cryptographic functions. It is described in the openssl(1)
manpage. Documentation for developers is currently being written. Many
manual pages are available; overviews over libcrypto and
libssl are given in the crypto(3) and ssl(3) manpages.

The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
different directory if you specified one as described in INSTALL).
In addition, you can read the most current versions at
<URL: http://www.openssl.org/docs/>. Note that the online documents refer
to the very latest development versions of OpenSSL and may include features
not present in released versions.
If in doubt refer to the documentation
that came with the version of OpenSSL you are using. The pod format
documentation is included in each OpenSSL distribution under the docs
directory.

There is some documentation about certificate extensions and PKCS#12
in doc/openssl.txt.

The original SSLeay documentation is included in OpenSSL as
doc/ssleay.txt. It may be useful when none of the other resources
help, but please note that it reflects the obsolete version SSLeay
0.6.6.


* How can I contact the OpenSSL developers?

The README file describes how to submit bug reports and patches to
OpenSSL. Information on the OpenSSL mailing lists is available from
<URL: http://www.openssl.org>.


* Where can I get a compiled version of OpenSSL?

You can find pointers to binary distributions in
<URL: http://www.openssl.org/related/binaries.html>.

Some applications that use OpenSSL are distributed in binary form.
When using such an application, you don't need to install OpenSSL
yourself; the application will include the required parts (e.g. DLLs).

If you want to build OpenSSL on a Windows system and you don't have
a C compiler, read the "Mingw32" section of INSTALL.W32 for information
on how to obtain and install the free GNU C compiler.

A number of Linux and *BSD distributions include OpenSSL.


* Why aren't tools like 'autoconf' and 'libtool' used?

autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.

* What is an 'engine' version?

With version 0.9.6 OpenSSL was extended to interface to external crypto
hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 the changes were merged into the main development line,
so that the special release is no longer necessary.

* How do I check the authenticity of the OpenSSL distribution?

We provide MD5 digests and ASC signatures of each tarball.
Use MD5 to check that a tarball from a mirror site is identical:

    md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5

You can check authenticity using pgp or gpg. You need the OpenSSL team
member public key used to sign it (download it from a key server, see a
list of keys at <URL: http://www.openssl.org/about/>).
Then just do:

    pgp TARBALL.asc

* How does the versioning scheme work?

After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
releases (e.g. 1.0.1a) can only contain bug and security fixes and no
new features. Minor releases change the last number (e.g. 1.0.2) and
can contain new features that retain binary compatibility. Changes to
the middle number are considered major releases and neither source nor
binary compatibility is guaranteed.

Therefore the answer to the common question "when will feature X be
backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
in the next minor release.

[LEGAL] =======================================================================

* Do I need patent licenses to use OpenSSL?

The patents section of the README file lists patents that may apply to
you if you want to use OpenSSL. For information on intellectual
property rights, please consult a lawyer. The OpenSSL team does not
offer legal advice.

You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
    ./config no-idea no-mdc2 no-rc5


* Can I use OpenSSL with GPL software?

On many systems including the major Linux and BSD distributions, yes (the
GPL does not place restrictions on using libraries that are part of the
normal operating system distribution).

On other systems, the situation is less clear. Some GPL software copyright
holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL.

If you develop open source software that uses OpenSSL, you may find it
useful to choose another license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed." If you are using
GPL software developed by others, you may want to ask the copyright holder
for permission to use their software with OpenSSL.


[USER] ========================================================================

* Why do I get a "PRNG not seeded" error message?

Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness
device" (/dev/urandom or /dev/random) that serves this purpose.
All OpenSSL versions try to use /dev/urandom by default; starting with
version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
available.

On other systems, applications have to call the RAND_add() or
RAND_seed() function with appropriate data before generating keys or
performing public key encryption. (These functions initialize the
pseudo-random number generator, PRNG.) Some broken applications do
not do this. As of version 0.9.5, the OpenSSL functions that need
randomness report an error if the random number generator has not been
seeded with at least 128 bits of randomness. If this error occurs and
is not discussed in the documentation of the application you are
using, please contact the author of that application; it is likely
that it never worked correctly. OpenSSL 0.9.5 and later make the
error visible by refusing to perform potentially insecure encryption.

If you are using Solaris 8, you can add /dev/urandom and /dev/random
devices by installing patch 112438 (Sparc) or 112439 (x86), which are
available via the Patchfinder at <URL: http://sunsolve.sun.com>
(Solaris 9 includes these devices by default). For /dev/random support
for earlier Solaris versions, see Sun's statement at
<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
(the SUNWski package is available in patch 105710).

On systems without /dev/urandom and /dev/random, it is a good idea to
use the Entropy Gathering Daemon (EGD); see the RAND_egd() manpage for
details.
Starting with version 0.9.7, OpenSSL will automatically look
for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
/etc/entropy.

Most components of the openssl command line utility automatically try
to seed the random number generator from a file. The name of the
default seeding file is determined as follows: If environment variable
RANDFILE is set, then it names the seeding file. Otherwise if
environment variable HOME is set, then the seeding file is $HOME/.rnd.
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all. OpenSSL 0.9.6b and later will behave
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set.

If the default seeding file does not exist or is too short, the "PRNG
not seeded" error message may occur.

The openssl command line utility will write back a new state to the
default seeding file (and create this file if necessary) unless
there was insufficient seeding.

Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
Use the "-rand" option of the OpenSSL command line tools instead.
The $RANDFILE environment variable and $HOME/.rnd are only used by the
OpenSSL command line tools.
Applications using the OpenSSL library
provide their own configuration options to specify the entropy source;
please check the documentation that comes with the application.


* Why do I get an "unable to write 'random state'" error message?


Sometimes the openssl command line utility does not abort with
a "PRNG not seeded" error message, but complains that it is
"unable to write 'random state'". This message refers to the
default seeding file (see previous answer). A possible reason
is that no default filename is known because neither RANDFILE
nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the
current directory in this case, but this has changed with 0.9.6a.)


* How do I create certificates or certificate requests?

Check out the CA.pl(1) manual page. This provides a simple wrapper round
the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
out the manual pages for the individual utilities and the certificate
extensions documentation (in ca(1), req(1), x509v3_config(5)).


* Why can't I create certificate requests?

You typically get the error:

    unable to find 'distinguished_name' in config
    problems making Certificate Request

This is because it can't find the configuration file. Check out the
DIAGNOSTICS section of req(1) for more information.


* Why does <SSL program> fail with a certificate verify error?

This problem is usually indicated by log messages saying something like
"unable to get local issuer certificate" or "self signed certificate".
When a certificate is verified its root CA must be "trusted" by OpenSSL;
this typically means that the CA certificate must be placed in a directory
or file and the relevant program configured to read it. The OpenSSL program
'verify' behaves in a similar way and issues similar error messages: check
the verify(1) program manual page for more information.


* Why can I only use weak ciphers when I connect to a server using OpenSSL?

This is almost certainly because you are using an old "export grade" browser
which only supports weak encryption. Upgrade your browser to support 128 bit
ciphers.


* How can I create DSA certificates?

Check the CA.pl(1) manual page for a DSA certificate example.
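
The answers above on certificate requests and certificate verify errors, shown as an added example that is not part of the original FAQ: a shell script that builds a throwaway CA and leaf certificate with the openssl command line tool and runs 'verify' with and without the CA as a trust anchor. All subjects and file names are constructed, and make_demo_pki, verify_status and run_demo are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the OpenSSL FAQ. Subjects and file names are
# constructed; make_demo_pki, verify_status and run_demo are hypothetical.

# Create a throwaway CA and a leaf certificate signed by it in directory $1.
make_demo_pki() {
    dir=$1
    # 'req' needs a config whose [req] section names a distinguished_name
    # section; when it cannot find one it stops with
    # "unable to find 'distinguished_name' in config".
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA, valid for one day. -nodes leaves the throwaway
    # key unencrypted; the whole directory is deleted after the demo.
    openssl req -config "$dir/req.cnf" -x509 -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Leaf key and certificate request.
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    # The CA signs the request.
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Run 'openssl verify' with the given arguments and print "OK" or the first
# "error N" it reports. The output is parsed rather than the exit status,
# so the result does not depend on how a given release sets its exit code.
verify_status() {
    out=$(openssl verify "$@" 2>&1) || true
    case $out in
        *"error "[0-9]*)
            printf '%s\n' "$out" |
                sed -n 's/^error \([0-9][0-9]*\) at .*/error \1/p' | sed -n 1p ;;
        *": OK"*) echo OK ;;
        *) echo unknown ;;
    esac
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    # Leaf, issuing CA not trusted: error 20,
    # "unable to get local issuer certificate".
    echo "leaf, CA not trusted: $(verify_status "$tmp/leaf.pem")"
    # The self-signed CA certificate itself, not trusted: error 18,
    # "self signed certificate".
    echo "CA cert, not trusted: $(verify_status "$tmp/ca.pem")"
    # Same leaf once the CA certificate is supplied as a trusted file.
    echo "leaf, -CAfile ca.pem: $(verify_status -CAfile "$tmp/ca.pem" "$tmp/leaf.pem")"
    rm -rf "$tmp"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl command not found" >&2
fi
```

The leaf and its key are identical in the first and third runs; only the set of trusted CA certificates changes, which is what the two error messages point at.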


* Why can't I make an SSL connection to a server using a DSA certificate?

Typically you'll see a message saying there are no shared ciphers when
the same setup works fine with an RSA certificate. There are two possible
causes. The client may not support connections to DSA servers: most web
browsers (including Netscape and MSIE) only support connections to servers
supporting RSA cipher suites. The other cause is that a set of DH parameters
has not been supplied to the server. DH parameters can be created with the
dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() function:
check the source to s_server in apps/s_server.c for an example.


* How can I remove the passphrase on a private key?

Firstly you should be really *really* sure you want to do this. Leaving
a private key unencrypted is a major security risk. If you decide that
you do have to do this, check the EXAMPLES sections of the rsa(1) and
dsa(1) manual pages.


* Why can't I use OpenSSL certificates with SSL client authentication?

What will typically happen is that when a server requests authentication
it will either not include your certificate or tell you that you have
no client certificates (Netscape) or present you with an empty list box
(MSIE).
The reason for this is that when a server requests a client
certificate it includes a list of CA names which it will accept. Browsers
will only let you select certificates from the list on the grounds that
there is little point presenting a certificate which the server will
reject.

The solution is to add the relevant CA certificate to your server's "trusted
CA list". How you do this depends on the server software in use. You can
print out the server's list of acceptable CAs using the OpenSSL s_client tool:

openssl s_client -connect www.some.host:443 -prexit

If your server only requests certificates on certain URLs then you may need
to manually issue an HTTP GET command to get the list when s_client connects:

GET /some/page/needing/a/certificate.html

If your CA does not appear in the list then this confirms the problem.


* Why does my browser give a warning about a mismatched hostname?

Browsers expect the server's hostname to match the value in the commonName
(CN) field of the certificate. If it does not then you get a warning.


* How do I install a CA certificate into a browser?

The usual way is to send the DER encoded certificate to the browser as
MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
link. On MSIE certain extensions such as .der or .cacert may also work, or you
can import the certificate using the certificate import wizard.

You can convert a certificate to DER form using the command:

openssl x509 -in ca.pem -outform DER -out ca.der

Occasionally someone suggests using a command such as:

openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem

DO NOT DO THIS! This command will give away your CA's private key and
reduces its security to zero: allowing anyone to forge certificates in
whatever name they choose.

* Why is OpenSSL x509 DN output not conformant to RFC2253?

The ways to print out the oneline format of the DN (Distinguished Name) have
been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
interface, the "-nameopt" option could be introduced. See the manual
page of the "openssl x509" commandline tool for details. The old behaviour
has however been left as default for the sake of compatibility.

* What is a "128 bit certificate"? Can I create one with OpenSSL?

The term "128 bit certificate" is a highly misleading marketing term.
It does *not* refer to the size of the public key in the certificate!
A certificate containing a 128 bit RSA key would have negligible security.

There were various other names such as "magic certificates", "SGC
certificates", "step up certificates" etc.

You can't generally create such a certificate using OpenSSL but there is no
need to any more. Nowadays web browsers using unrestricted strong encryption
are generally available.

When there were tight restrictions on the export of strong encryption
software from the US only weak encryption algorithms could be freely exported
(initially 40 bit and then 56 bit). It was widely recognised that this was
inadequate. A relaxation of the rules allowed the use of strong encryption but
only to an authorised server.

Two slightly different techniques were developed to support this, one used by
Netscape was called "step up", the other used by MSIE was called "Server Gated
Cryptography" (SGC). When a browser initially connected to a server it would
check to see if the certificate contained certain extensions and was issued by
an authorised authority. If these tests succeeded it would reconnect using
strong encryption.

Only certain (initially one) certificate authorities could issue the
certificates and they generally cost more than ordinary certificates.

Although OpenSSL can create certificates containing the appropriate extensions
the certificate would not come from a permitted authority and so would not
be recognized.

The export laws were later changed to allow almost unrestricted use of strong
encryption so these certificates are now obsolete.


* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?

It doesn't: this extension is often the cause of confusion.

Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
certificate C contains AKID.

The purpose of this extension is to identify the authority certificate B. This
can be done either by including the subject key identifier of B or its issuer
name and serial number.

In this latter case because it is identifying certificate B it must contain the
issuer name and serial number of B.

It is often wrongly assumed that it should contain the subject name of B. If it
did this would be redundant information because it would duplicate the issuer
name of C.


* How can I set up a bundle of commercial root CA certificates?

The OpenSSL software is shipped without any root CA certificate as the
OpenSSL project does not have any policy on including or excluding
any specific CA and does not intend to set up such a policy. Deciding
about which CAs to support is up to application developers or
administrators.

Other projects do have other policies so you can for example extract the CA
bundle used by Mozilla and/or modssl as described in this article:

  <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>


[BUILD] =======================================================================

* Why does the linker complain about undefined symbols?

Maybe the compilation was interrupted, and make doesn't notice that
something is missing. Run "make clean; make".

If you used ./Configure instead of ./config, make sure that you
selected the right target. File formats may differ slightly between
OS versions (for example sparcv8/sparcv9, or a.out/elf).

In case you get errors about the following symbols, use the config
option "no-asm", as described in INSTALL:

  BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
  CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
  RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
  bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
  bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
  des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
  des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order

If none of these helps, you may want to try using the current snapshot.
If the problem persists, please submit a bug report.


* Why does the OpenSSL test fail with "bc: command not found"?

You didn't install "bc", the Unix calculator. If you want to run the
tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.


* Why does the OpenSSL test fail with "bc: 1 not implemented"?

On some SCO installations or versions, bc has a bug that gets triggered
when you run the test suite (using "make test"). The message returned is
"bc: 1 not implemented".

The best way to deal with this is to find another implementation of bc
and compile/install it.
GNU bc (see <URL: http://www.gnu.org/software/software.html>
for download instructions) can be safely used, for example.


* Why does the OpenSSL test fail with "bc: stack empty"?

On some DG/ux versions, bc seems to have a too small stack for calculations
that the OpenSSL bntest throws at it. This gets triggered when you run the
test suite (using "make test"). The message returned is "bc: stack empty".

The best way to deal with this is to find another implementation of bc
and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
for download instructions) can be safely used, for example.


* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?

On some Alpha installations running Tru64 Unix and Compaq C, the compilation
of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual
memory to continue compilation.' As far as the tests have shown, this may be
a compiler bug. What happens is that it eats up a lot of resident memory
to build something, probably a table. The problem is clearly in the
optimization code, because if one eliminates optimization completely (-O0),
the compilation goes through (and the compiler consumes about 2MB of resident
memory instead of 240MB or whatever one's limit is currently).

There are three options to solve this problem:

1. Set your current data segment size soft limit higher. Experience shows
that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do
this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
kbytes to set the limit to.

2. If you have a hard limit that is lower than what you need and you can't
get it changed, you can compile all of OpenSSL with -O0 as optimization
level. This is however not a very nice thing to do for those who expect to
get the best result from OpenSSL. A slightly more complicated solution is the
following:

----- snip:start -----
  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
       sed -e 's/ -O[0-9] / -O0 /'`"
  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
  make
----- snip:end -----

This will only compile sha_dgst.c with -O0, the rest with the optimization
level chosen by the configuration process. When the above is done, do the
test and installation and you're set.

3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
should not be used and is not used in SSL/TLS nor any other recognized
protocol in either case.


* Why does the OpenSSL compilation fail with "ar: command not found"?

Getting this message is quite usual on Solaris 2, because Sun has hidden
away 'ar' and other development commands in directories that aren't in
$PATH by default. One of those directories is '/usr/ccs/bin'. The
quickest way to fix this is to do the following (it assumes you use sh
or any sh-compatible shell):

----- snip:start -----
  PATH=${PATH}:/usr/ccs/bin; export PATH
----- snip:end -----

and then redo the compilation. What you should really do is make sure
'/usr/ccs/bin' is permanently in your $PATH, for example through your
'.profile' (again, assuming you use a sh-compatible shell).


* Why does the OpenSSL compilation fail on Win32 with VC++?

Sometimes, you may get reports from VC++ command line (cl) that it
can't find standard include files like stdio.h and other weirdnesses.
One possible cause is that the environment isn't correctly set up.
To solve that problem for VC++ versions up to 6, one should run
VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
installation directory (somewhere under 'Program Files'). For VC++
version 7 (and up?), which is also called VS.NET, the file is called
VSVARS32.BAT instead.
This needs to be done prior to running NMAKE, and the changes are only
valid for the current DOS session.


* What is special about OpenSSL on Redhat?

Red Hat Linux (release 7.0 and later) includes a preinstalled limited
version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
is disabled in this version. The same may apply to other Linux distributions.
Users may therefore wish to install more or all of the features left out.

To do this you MUST ensure that you do not overwrite the openssl that is in
/usr/bin on your Red Hat machine. Several packages depend on this file,
including sendmail and ssh. /usr/local/bin is a good alternative choice. The
libraries that come with Red Hat 7.0 onwards have different names and so are
not affected. (e.g. for Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
/lib/libcrypto.so.2 respectively).

Please note that we have been advised by Red Hat that attempting to recompile
the openssl rpm with all the cryptography enabled will not work. All other
packages depend on the original Red Hat supplied openssl package. It is also
worth noting that due to the way Red Hat supplies its packages, updates to
openssl on each distribution never change the package version, only the
build number.
For example, on Red Hat 7.1, the latest openssl package has
version number 0.9.6 and build number 9 even though it contains all the
relevant updates in packages up to and including 0.9.6b.

A possible way around this is to persuade Red Hat to produce a non-US
version of Red Hat Linux.

FYI: Patent numbers and expiry dates of US patents:
MDC-2: 4,908,861 13/03/2007
IDEA:  5,214,703 25/05/2010
RC5:   5,724,428 03/03/2015


* Why does the OpenSSL compilation fail on MacOS X?

If the failure happens when trying to build the "openssl" binary, with
a large number of undefined symbols, it's very probable that you have
OpenSSL 0.9.6b delivered with the operating system (you can find out by
running '/usr/bin/openssl version') and that you were trying to build
OpenSSL 0.9.7 or newer. The problem is that the loader ('ld') in
MacOS X has a misfeature that's quite difficult to work around.
Look in the file PROBLEMS for a more detailed explanation and for possible
solutions.


* Why does the OpenSSL test suite fail on MacOS X?

If the failure happens when running 'make test' and the RC4 test fails,
it's very probable that you have OpenSSL 0.9.6b delivered with the
operating system (you can find out by running '/usr/bin/openssl version')
and that you were trying to build OpenSSL 0.9.6d. The problem is that
the loader ('ld') in MacOS X has a misfeature that's quite difficult to
work around and has linked the programs "openssl" and the test programs
with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
libraries you just built.
Look in the file PROBLEMS for a more detailed explanation and for possible
solutions.

* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?

Failure in BN_sqr test is most likely caused by a failure to configure the
toolkit for the current platform or lack of support for the platform in
question. Run './config -t' and './apps/openssl version -p'. Do these platform
identifiers match? If they don't, then you most likely failed to run
./config and you're hereby advised to do so before filing a bug report.
If ./config itself fails to run, then it's most likely a problem with your
local environment and you should turn to your system administrator (or
similar). If identifiers match (and/or no alternative identifier is
suggested by ./config script), then the platform is unsupported. There might
or might not be a workaround.
Most notably on SPARC64 platforms with GNU
C compiler you should be able to produce a working build by running
'./config -m32'. I understand that -m32 might not be what you want/need,
but the build should be operational. For further details turn to
<openssl-dev@openssl.org>.

* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?

As of 0.9.7 assembler routines were overhauled for position independence
of the machine code, which is essential for shared library support. For
some reason OpenBSD is equipped with an out-of-date GNU assembler which
finds the new code offensive. To work around the problem, configure with
no-asm (and sacrifice a great deal of performance) or patch your assembler
according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
For your convenience a pre-compiled replacement binary is provided at
<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
Reportedly older *BSD a.out platforms also suffer from this problem and
the remedy should be the same. The provided binary is statically linked and
should work across a wider range of *BSD branches, not just OpenBSD.

* Why does the OpenSSL test suite fail in sha512t on x86 CPU?

If the test program in question fails with SIGILL, Illegal Instruction
exception, then you are more than likely running an SSE2-capable CPU, such as
Intel P4, under control of a kernel which does not support SSE2
instruction extensions. See accompanying INSTALL file and
OPENSSL_ia32cap(3) documentation page for further information.

* Why does compiler fail to compile sha512.c?

OpenSSL SHA-512 implementation depends on compiler support for 64-bit
integer type. A few older compilers [ULTRIX cc, SCO compiler to mention a
couple] lack support for this and therefore are incapable of compiling
the module in question. The recommendation is to disable SHA-512 by
adding no-sha512 to ./config [or ./Configure] command line. Another
possible alternative might be to switch to GCC.

* Test suite still fails, what to do?

Another common reason for failure to complete some particular test is
simply bad code generated by a buggy component in the toolchain or a
deficiency in the run-time environment. There are a few cases documented in
the PROBLEMS file, consult it for a possible workaround before you beat the
drum. Even if you don't find a solution or even a mention there, do allow for
the possibility of a compiler bug. Compiler bugs might appear in rather
bizarre ways, they never make sense, and tend to emerge when you least expect
them.
In order
to identify one, drop the optimization level, e.g. by editing the CFLAG line
in the top-level Makefile, recompile and re-run the test.

* I think I've found a bug, what should I do?

If you are a new user then it is quite likely you haven't found a bug and
something is happening you aren't familiar with. Check this FAQ, the associated
documentation and the mailing lists for similar queries. If you are still
unsure whether it is a bug or not submit a query to the openssl-users mailing
list.


* I'm SURE I've found a bug, how do I report it?

Bug reports with no security implications should be sent to the request
tracker. This can be done by mailing the report to <rt@openssl.org> (or its
alias <openssl-bugs@openssl.org>). Please note that messages sent to the
request tracker also appear in the public openssl-dev mailing list.

The report should be in plain text. Any patches should be sent as
plain text attachments because some mailers corrupt patches sent inline.
If your issue affects multiple versions of OpenSSL check any patches apply
cleanly and, if possible, include patches to each affected version.

The report should be given a meaningful subject line briefly summarising the
issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.

By sending reports to the request tracker the bug can then be given a priority
and assigned to the appropriate maintainer. The history of discussions can be
accessed, as can whether the issue has been addressed or the reason why not.
If patches are only sent to openssl-dev they can be mislaid if a team member
has to wade through months of old messages to review the discussion.

See also <URL: http://www.openssl.org/support/rt.html>


* I've found a security issue, how do I report it?

If you think your bug has security implications then please send it to
openssl-security@openssl.org. If you don't get a prompt reply at least
acknowledging receipt then resend or mail it directly to one of the
more active team members (e.g. Steve).

Note that bugs only present in the openssl utility are not in general
considered to be security issues.

[PROG] ========================================================================

* Is OpenSSL thread-safe?

Yes (with limitations: an SSL connection may not concurrently be used
by multiple threads). On Windows and many Unix systems, OpenSSL
automatically uses the multi-threaded versions of the standard
libraries. If your platform is not one of these, consult the INSTALL
file.

Multi-threaded applications must provide two callback functions to
OpenSSL by calling CRYPTO_set_locking_callback() and
CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
and friends. This is described in the threads(3) manpage.

* I've compiled a program under Windows and it crashes: why?

This is usually because you've missed the comment in INSTALL.W32.
Your application must link against the same version of the Win32
C-Runtime against which your openssl libraries were linked. The
default version for OpenSSL is /MD - "Multithreaded DLL".

If you are using Microsoft Visual C++'s IDE (Visual Studio), in
many cases, your new project most likely defaulted to "Debug
Singlethreaded" - /ML. This is NOT interchangeable with /MD and your
program will crash, typically on the first BIO related read or write
operation.

For each of the six possible link stage configurations within Win32,
your application must link against the same one with which OpenSSL was
built. If you are using MS Visual C++ (Studio) this can be changed
by:

 1. Select Settings... from the Project Menu.
 2. Select the C/C++ Tab.
 3. Select "Code Generation" from the "Category" drop down list box
 4. Select the Appropriate library (see table below) from the "Use
    run-time library" drop down list box. Perform this step for both
    your debug and release versions of your application (look at the
    top left of the settings panel to change between the two)

    Single Threaded           /ML    -  MS VC++ often defaults to
                                        this for the release
                                        version of a new project.
    Debug Single Threaded     /MLd   -  MS VC++ often defaults to
                                        this for the debug version
                                        of a new project.
    Multithreaded             /MT
    Debug Multithreaded       /MTd
    Multithreaded DLL         /MD    -  OpenSSL defaults to this.
    Debug Multithreaded DLL   /MDd

Note that debug and release libraries are NOT interchangeable. If you
built OpenSSL with /MD your application must use /MD and cannot use /MDd.

As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
.DLLs compiled with some specific run-time option [we insist on the
default /MD] can be deployed with an application compiled with a different
option or even a different compiler. But there is a catch! Instead of
re-compiling the OpenSSL toolkit, as you would have to with prior versions,
you have to compile a small C snippet with the compiler and/or options of
your choice.
The snippet gets installed as
<install-root>/include/openssl/applink.c and should be either added to
your application project or simply #include-d in one [and only one]
of your application source files. Failure to link this shim module
into your application manifests itself as a fatal "no OPENSSL_Applink"
run-time error. An explicit reminder is due that in this situation
[mixing compiler options] it is as important to add CRYPTO_malloc_init
prior to the first call to OpenSSL.

* How do I read or write a DER encoded buffer using the ASN1 functions?

You have two options. You can either use a memory BIO in conjunction
with the i2d_*_bio() or d2i_*_bio() functions or you can use the
i2d_*(), d2i_*() functions directly. Since these are often the
cause of grief here are some code fragments using PKCS7 as an example:

 unsigned char *buf, *p;
 int len;

 len = i2d_PKCS7(p7, NULL);  /* first call only returns the encoded length */
 buf = OPENSSL_malloc(len);  /* or Malloc, error checking omitted */
 p = buf;                    /* temporary: i2d_PKCS7() advances p, not buf */
 i2d_PKCS7(p7, &p);

At this point buf contains the len bytes of the DER encoding of
p7.

The opposite assumes we already have len bytes in buf:

 unsigned char *p;
 p = buf;                    /* temporary: d2i_PKCS7() advances p, not buf */
 p7 = d2i_PKCS7(NULL, &p, len);

At this point p7 contains a valid PKCS7 structure or NULL if an error
occurred. If an error occurred ERR_print_errors(bio) should give more
information.

The reason for the temporary variable 'p' is that the ASN1 functions
increment the passed pointer so it is ready to read or write the next
structure. This is often a cause of problems: without the temporary
variable the buffer pointer is changed to point just after the data
that has been read or written. This may well be uninitialized data
and attempts to free the buffer will have unpredictable results
because it no longer points to the same address.


* OpenSSL uses DER but I need BER format: does OpenSSL support BER?

The short answer is yes, because DER is a special case of BER and OpenSSL
ASN1 decoders can process BER.

The longer answer is that ASN1 structures can be encoded in a number of
different ways. One set of ways is the Basic Encoding Rules (BER) with various
permissible encodings. A restriction of BER is the Distinguished Encoding
Rules (DER): these uniquely specify how a given structure is encoded.
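
Added example (not part of the original FAQ and not OpenSSL code): a minimal
reader that follows the same pointer-advancing convention as the d2i_*()
functions, showing why a buffer is walked with a temporary pointer and how a
length encoding that BER permits but DER forbids is still accepted. The names
tlv_t, tlv_read, walk and first_advance and both sample byte strings are
constructed for this illustration; only single-octet tags and definite
lengths are handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded element (hypothetical type for this example, not an OpenSSL one). */
typedef struct {
    unsigned char tag;           /* identifier octet */
    size_t len;                  /* number of content octets */
    const unsigned char *value;  /* points into the caller's buffer */
    int is_der;                  /* 1 if the length is in the one form DER allows */
} tlv_t;

/* Read one definite-length element from *pp (at most avail octets).
 * Same convention as d2i_*(): on success *pp is advanced past the element.
 * Returns 0 on success, -1 on truncated or unsupported input (*pp untouched). */
int tlv_read(const unsigned char **pp, size_t avail, tlv_t *out)
{
    const unsigned char *p = *pp;
    size_t len = 0, n, i;

    if (avail < 2 || (p[0] & 0x1f) == 0x1f)  /* no multi-octet tags here */
        return -1;
    out->tag = p[0];
    out->is_der = 1;
    if (p[1] < 0x80) {                       /* short form */
        len = p[1];
        p += 2;
        avail -= 2;
    } else {                                 /* long form: n length octets follow */
        n = p[1] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || avail - 2 < n)
            return -1;                       /* n == 0 (indefinite length) not handled */
        for (i = 0; i < n; i++)
            len = (len << 8) | p[2 + i];
        if (len < 0x80 || p[2] == 0x00)      /* fine for BER, DER wants the shortest form */
            out->is_der = 0;
        p += 2 + n;
        avail -= 2 + n;
    }
    if (len > avail)
        return -1;
    out->len = len;
    out->value = p;
    *pp = p + len;
    return 0;
}

/* Constructed sample: two OCTET STRINGs, first with a long-form length (BER only), second DER. */
static const unsigned char SAMPLE[] = {
    0x04, 0x81, 0x03, 'a', 'b', 'c',
    0x04, 0x03, 'x', 'y', 'z'
};
/* Constructed sample: header claims 5 content octets, only 1 is present. */
static const unsigned char TRUNCATED[] = { 0x04, 0x05, 'a' };

/* Walk a heap copy of data the way the FAQ recommends: buf keeps the address
 * malloc() returned, the temporary p is what moves. Returns the number of
 * elements (only the DER ones if der_only), or -1 on a parse error. */
int walk(const unsigned char *data, size_t n, int der_only)
{
    unsigned char *buf = malloc(n);
    const unsigned char *p, *end;
    tlv_t t;
    int count = 0;

    if (buf == NULL)
        return -1;
    memcpy(buf, data, n);
    p = buf;
    end = buf + n;
    while (p < end) {
        if (tlv_read(&p, (size_t)(end - p), &t) != 0) {
            count = -1;
            break;
        }
        if (!der_only || t.is_der)
            count++;
    }
    free(buf);  /* safe: only p was passed by address, buf never moved */
    return count;
}

/* Offset by which one call moves the pointer it is handed. */
size_t first_advance(const unsigned char *data, size_t n)
{
    const unsigned char *p = data;
    tlv_t t;
    return tlv_read(&p, n, &t) == 0 ? (size_t)(p - data) : 0;
}

int main(void)
{
    printf("elements=%d der=%d advance=%lu truncated=%d\n",
           walk(SAMPLE, sizeof(SAMPLE), 0), walk(SAMPLE, sizeof(SAMPLE), 1),
           (unsigned long)first_advance(SAMPLE, sizeof(SAMPLE)),
           walk(TRUNCATED, sizeof(TRUNCATED), 0));
    return 0;
}
```

Had walk() passed &buf instead of &p, buf would sit first_advance() octets
past the start of the allocation after one call and free(buf) would be
handed an address malloc() never returned.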

Therefore, because DER is a special case of BER, DER is an acceptable encoding
for BER.


* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?

This usually happens when you try compiling something using the PKCS#12
macros with a C++ compiler. There is hardly ever any need to use the
PKCS#12 macros in a program, it is much easier to parse and create
PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
documented in doc/openssl.txt and with examples in demos/pkcs12. The
'pkcs12' application has to use the macros because it prints out
debugging information.


* I've called <some function> and it fails, why?

Before submitting a report or asking in one of the mailing lists, you
should try to determine the cause. In particular, you should call
ERR_print_errors() or ERR_print_errors_fp() after the failed call
and see if the message helps. Note that the problem may occur earlier
than you think -- you should check for errors after every call where
it is possible, otherwise the actual problem may be hidden because
some OpenSSL functions clear the error state.


* I just get a load of numbers for the error output, what do they mean?

The actual format is described in the ERR_print_errors() manual page.
You should call the function ERR_load_crypto_strings() beforehand and
the message will be output in text form. If you can't do this (for example
it is a pre-compiled binary) you can use the errstr utility on the error
code itself (the hex digits after the second colon).


* Why do I get errors about unknown algorithms?

The cause is forgetting to load OpenSSL's table of algorithms with
OpenSSL_add_all_algorithms(). See the manual page for more information. This
can cause several problems such as being unable to read in an encrypted
PEM file, unable to decrypt a PKCS#12 file or signature failure when
verifying certificates.

* Why can't the OpenSSH configure script detect OpenSSL?

Several reasons for problems with the automatic detection exist.
OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
Sometimes the distribution has installed an older version in the system
locations that is detected instead of a new one installed. The OpenSSL
library might have been compiled for another CPU or another mode (32/64 bits).
Permissions might be wrong.

The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.


* Can I use OpenSSL's SSL library with non-blocking I/O?

Yes; make sure to read the SSL_get_error(3) manual page!

A pitfall to avoid: Don't assume that SSL_read() will just read from
the underlying transport or that SSL_write() will just write to it --
it is also possible that SSL_write() cannot do any useful work until
there is data to read, or that SSL_read() cannot do anything until it
is possible to send data. One reason for this is that the peer may
request a new TLS/SSL handshake at any time during the protocol,
requiring a bi-directional message exchange; both SSL_read() and
SSL_write() will try to continue any pending handshake.


* Why doesn't my server application receive a client certificate?

Due to the TLS protocol definition, a client will only send a certificate
if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
SSL_CTX_set_verify() function to enable the use of client certificates.


* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?

For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
versions, uniqueIdentifier was incorrectly used for X.509 certificates.
The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
Change your code to use the new name when compiling against OpenSSL 0.9.7.


* I think I've detected a memory leak, is this a bug?

In most cases the cause of an apparent memory leak is an OpenSSL internal table
that is allocated when an application starts up. Since such tables do not grow
in size over time they are harmless.

These internal tables can be freed up when an application closes using various
functions. Currently these include the following:

Thread-local cleanup functions:

  ERR_remove_state()

Application-global cleanup functions that are aware of usage (and therefore
thread-safe):

  ENGINE_cleanup() and CONF_modules_unload()

"Brutal" (thread-unsafe) Application-global cleanup functions:

  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().


* Why does Valgrind complain about the use of uninitialized data?

When OpenSSL's PRNG routines are called to generate random numbers the supplied
buffer contents are mixed into the entropy pool: so it technically does not
matter whether the buffer is initialized at this point or not. Valgrind (and
other test tools) will complain about this.
When using Valgrind, make sure the
OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
to get rid of these warnings.


* Why doesn't a memory BIO work when a file does?

This can occur in several cases, for example when reading an S/MIME email
message. The reason is that a memory BIO can do one of two things when all the
data has been read from it.

The default behaviour is to indicate that no more data is available and that
the call should be retried; this is to allow the application to fill up the BIO
again if necessary.

Alternatively it can indicate that no more data is available and that EOF has
been reached.

If a memory BIO is to behave in the same way as a file this second behaviour
is needed. This must be done by calling:

   BIO_set_mem_eof_return(bio, 0);

See the manual pages for more details.


* Where are the declarations and implementations of d2i_X509() etc?

These are defined and implemented by macros of the form:

 DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)

The implementation passes an ASN1 "template" defining the structure into an
ASN1 interpreter using generalised functions such as ASN1_item_d2i().


===============================================================================