1 |
|
2 |
OpenSSL 0.9.8zc 15 Oct 2014 |
3 |
|
4 |
Copyright (c) 1998-2011 The OpenSSL Project |
5 |
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson |
6 |
All rights reserved. |
7 |
|
8 |
DESCRIPTION |
9 |
----------- |
10 |
|
11 |
The OpenSSL Project is a collaborative effort to develop a robust, |
12 |
commercial-grade, fully featured, and Open Source toolkit implementing the |
13 |
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) |
14 |
protocols as well as a full-strength general purpose cryptography library. |
15 |
The project is managed by a worldwide community of volunteers that use the |
16 |
Internet to communicate, plan, and develop the OpenSSL toolkit and its |
17 |
related documentation. |
18 |
|
19 |
OpenSSL is based on the excellent SSLeay library developed from Eric A. Young |
20 |
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the |
21 |
OpenSSL license plus the SSLeay license) situation, which basically means |
22 |
that you are free to get and use it for commercial and non-commercial |
23 |
purposes as long as you fulfill the conditions of both licenses. |
24 |
|
25 |
OVERVIEW |
26 |
-------- |
27 |
|
28 |
The OpenSSL toolkit includes: |
29 |
|
30 |
libssl.a: |
31 |
Implementation of SSLv2, SSLv3, TLSv1 and the required code to support |
32 |
both SSLv2, SSLv3 and TLSv1 in the one server and client. |
33 |
|
34 |
libcrypto.a: |
35 |
General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not |
36 |
actually logically part of it. It includes routines for the following: |
37 |
|
38 |
Ciphers |
39 |
libdes - EAY's libdes DES encryption package which was floating |
40 |
around the net for a few years, and was then relicensed by |
41 |
him as part of SSLeay. It includes 15 'modes/variations' |
42 |
of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb; |
43 |
pcbc and a more general form of cfb and ofb) including desx |
44 |
in cbc mode, a fast crypt(3), and routines to read |
45 |
passwords from the keyboard. |
46 |
RC4 encryption, |
47 |
RC2 encryption - 4 different modes, ecb, cbc, cfb and ofb. |
48 |
Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb. |
49 |
IDEA encryption - 4 different modes, ecb, cbc, cfb and ofb. |
50 |
|
51 |
Digests |
52 |
MD5 and MD2 message digest algorithms, fast implementations, |
53 |
SHA (SHA-0) and SHA-1 message digest algorithms, |
54 |
MDC2 message digest. A DES based hash that is popular on smart cards. |
55 |
|
56 |
Public Key |
57 |
RSA encryption/decryption/generation. |
58 |
There is no limit on the number of bits. |
59 |
DSA encryption/decryption/generation. |
60 |
There is no limit on the number of bits. |
61 |
Diffie-Hellman key-exchange/key generation. |
62 |
There is no limit on the number of bits. |
63 |
|
64 |
X.509v3 certificates |
65 |
X509 encoding/decoding into/from binary ASN1 and a PEM |
66 |
based ASCII-binary encoding which supports encryption with a |
67 |
private key. Program to generate RSA and DSA certificate |
68 |
requests and to generate RSA and DSA certificates. |
69 |
|
70 |
Systems |
71 |
The normal digital envelope routines and base64 encoding. Higher |
72 |
level access to ciphers and digests by name. New ciphers can be |
73 |
loaded at run time. The BIO io system which is a simple non-blocking |
74 |
IO abstraction. Current methods supported are file descriptors, |
75 |
sockets, socket accept, socket connect, memory buffer, buffering, SSL |
76 |
client/server, file pointer, encryption, digest, non-blocking testing |
77 |
and null. |
78 |
|
79 |
Data structures |
80 |
A dynamically growing hashing system |
81 |
A simple stack. |
82 |
A Configuration loader that uses a format similar to MS .ini files. |
83 |
|
84 |
openssl: |
85 |
A command line tool that can be used for: |
86 |
Creation of RSA, DH and DSA key parameters |
87 |
Creation of X.509 certificates, CSRs and CRLs |
88 |
Calculation of Message Digests |
89 |
Encryption and Decryption with Ciphers |
90 |
SSL/TLS Client and Server Tests |
91 |
Handling of S/MIME signed or encrypted mail |
92 |
|
93 |
|
94 |
PATENTS |
95 |
------- |
96 |
|
97 |
Various companies hold various patents for various algorithms in various |
98 |
locations around the world. _YOU_ are responsible for ensuring that your use |
99 |
of any algorithms is legal by checking if there are any patents in your |
100 |
country. The file contains some of the patents that we know about or are |
101 |
rumored to exist. This is not a definitive list. |
102 |
|
103 |
RSA Security holds software patents on the RC5 algorithm. If you |
104 |
intend to use this cipher, you must contact RSA Security for |
105 |
licensing conditions. Their web page is http://www.rsasecurity.com/. |
106 |
|
107 |
RC4 is a trademark of RSA Security, so use of this label should perhaps |
108 |
only be used with RSA Security's permission. |
109 |
|
110 |
The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy, |
111 |
Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They |
112 |
should be contacted if that algorithm is to be used; their web page is |
113 |
http://www.ascom.ch/. |
114 |
|
115 |
NTT and Mitsubishi have patents and pending patents on the Camellia |
116 |
algorithm, but allow use at no charge without requiring an explicit |
117 |
licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html |
118 |
|
119 |
INSTALLATION |
120 |
------------ |
121 |
|
122 |
To install this package under a Unix derivative, read the INSTALL file. For |
123 |
a Win32 platform, read the INSTALL.W32 file. For OpenVMS systems, read |
124 |
INSTALL.VMS. |
125 |
|
126 |
Read the documentation in the doc/ directory. It is quite rough, but it |
127 |
lists the functions; you will probably have to look at the code to work out |
128 |
how to use them. Look at the example programs. |
129 |
|
130 |
PROBLEMS |
131 |
-------- |
132 |
|
133 |
For some platforms, there are some known problems that may affect the user |
134 |
or application author. We try to collect those in doc/PROBLEMS, with current |
135 |
thoughts on how they should be solved in a future of OpenSSL. |
136 |
|
137 |
SUPPORT |
138 |
------- |
139 |
|
140 |
See the OpenSSL website www.openssl.org for details of how to obtain |
141 |
commercial technical support. |
142 |
|
143 |
If you have any problems with OpenSSL then please take the following steps |
144 |
first: |
145 |
|
146 |
- Download the current snapshot from ftp://ftp.openssl.org/snapshot/ |
147 |
to see if the problem has already been addressed |
148 |
- Remove ASM versions of libraries |
149 |
- Remove compiler optimisation flags |
150 |
|
151 |
If you wish to report a bug then please include the following information in |
152 |
any bug report: |
153 |
|
154 |
- On Unix systems: |
155 |
Self-test report generated by 'make report' |
156 |
- On other systems: |
157 |
OpenSSL version: output of 'openssl version -a' |
158 |
OS Name, Version, Hardware platform |
159 |
Compiler Details (name, version) |
160 |
- Application Details (name, version) |
161 |
- Problem Description (steps that will reproduce the problem, if known) |
162 |
- Stack Traceback (if the application dumps core) |
163 |
|
164 |
Report the bug to the OpenSSL project via the Request Tracker |
165 |
(http://www.openssl.org/support/rt.html) by mail to: |
166 |
|
167 |
openssl-bugs@openssl.org |
168 |
|
169 |
Note that the request tracker should NOT be used for general assistance |
170 |
or support queries. Just because something doesn't work the way you expect |
171 |
does not mean it is necessarily a bug in OpenSSL. |
172 |
|
173 |
Note that mail to openssl-bugs@openssl.org is recorded in the publicly |
174 |
readable request tracker database and is forwarded to a public |
175 |
mailing list. Confidential mail may be sent to openssl-security@openssl.org |
176 |
(PGP key available from the key servers). |
177 |
|
178 |
HOW TO CONTRIBUTE TO OpenSSL |
179 |
---------------------------- |
180 |
|
181 |
Development is coordinated on the openssl-dev mailing list (see |
182 |
http://www.openssl.org for information on subscribing). If you |
183 |
would like to submit a patch, send it to openssl-bugs@openssl.org with |
184 |
the string "[PATCH]" in the subject. Please be sure to include a |
185 |
textual explanation of what your patch does. |
186 |
|
187 |
If you are unsure as to whether a feature will be useful for the general |
188 |
OpenSSL community please discuss it on the openssl-dev mailing list first. |
189 |
Someone may be already working on the same thing or there may be a good |
190 |
reason as to why that feature isn't implemented. |
191 |
|
192 |
Patches should be as up to date as possible, preferably relative to the |
193 |
current Git or the last snapshot. They should follow the coding style of |
194 |
OpenSSL and compile without warnings. Some of the core team developer targets |
195 |
can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL |
196 |
compiles on many varied platforms: try to ensure you only use portable |
197 |
features. |
198 |
|
199 |
Note: For legal reasons, contributions from the US can be accepted only |
200 |
if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov |
201 |
(formerly BXA) with a copy to the ENC Encryption Request Coordinator; |
202 |
please take some time to look at |
203 |
http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic] |
204 |
and |
205 |
http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)) |
206 |
for the details. If "your encryption source code is too large to serve as |
207 |
an email attachment", they are glad to receive it by fax instead; hope you |
208 |
have a cheap long-distance plan. |
209 |
|
210 |
Our preferred format for changes is "diff -u" output. You might |
211 |
generate it like this: |
212 |
|
213 |
# cd openssl-work |
214 |
# [your changes] |
215 |
# ./Configure dist; make clean |
216 |
# cd .. |
217 |
# diff -ur openssl-orig openssl-work > mydiffs.patch |
218 |
|