Date: Tue, 25 Jan 2000 00:49:04 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: current@freebsd.org
Cc: security@freebsd.org
Subject: OpenSSL docs for FAQ
Message-ID: <Pine.BSF.4.21.0001250046160.20991-100000@hub.freebsd.org>
Can people please review this for style and content, for inclusion in the FAQ? I'll also need someone to mark it up once it's ready since SGML is currently not among my abilities :-)

Thanks,
Kris

----

As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base system. OpenSSL [http://www.openssl.org] provides a general-purpose cryptography library, as well as the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols.

However, some of the algorithms (specifically, RSA and IDEA) included in OpenSSL are protected by patents in the USA and elsewhere and are not available for unrestricted use. In addition, export of cryptographic code from the USA has (until recently) been heavily restricted. As a result, FreeBSD has available three different versions of OpenSSL depending on geographical location (US/non-US) and compliance with the RSAREF license (see below).

RSA is a useful algorithm which is required for a lot of third-party software which uses OpenSSL (as well as for the SSLv2 protocol), so you should enable it if at all possible. See below for more information.

SOURCE-CODE INSTALLATIONS

INTERNATIONAL (NON-US) USERS:

People who are located outside the USA, and who obtain their crypto sources from internat.freebsd.org (the International Crypto Repository), will build a version of OpenSSL which includes RSA, but does not include IDEA, because the latter is restricted in certain locations elsewhere in the world. In the future a more flexible identification system may allow building of IDEA in countries for which it is not restricted.

US USERS:

As noted above, RSA is patented in the US, with terms preventing general use without an appropriate license. Therefore the OpenSSL RSA code may not be used in the US, and has been removed from the version of OpenSSL carried on US mirror sites.

The RSA patent is due to expire on September 20, 2000, at which time it is intended to add the "full" RSA code back to the US version of OpenSSL. However (and fortunately), the RSA patent holder (RSA Security, [http://www.rsasecurity.com]) has provided an "RSA reference implementation" toolkit ("RSAREF") which is available for *certain classes of use*, including "non-commercial use" (see the RSAREF license [XXX - We should put this on the website too since I can't find an external URL for it] for the definition of "non-commercial").

If you meet the conditions of the RSAREF license and wish to build your OpenSSL sources with RSAREF support, you must first install the rsaref port in /usr/ports/security/rsaref before (re)building OpenSSL (e.g. by 'make world'). Please obtain legal advice if you are unsure of your compliance with the license terms.

IDEA code is also removed from the US version of OpenSSL for patent reasons.

BINARY INSTALLATIONS

If your FreeBSD installation was a binary installation (e.g. installed from CDROM, or from a snapshot downloaded from ftp.freebsd.org) and you selected to install the 'crypto' module, then you will have the non-RSA capable US version of the OpenSSL code (see above). If you wish to install another version (US RSAREF, or International) you will need to obtain and install one of the following packages:

* OpenSSL package with RSAREF support for US users (NOTE: Be sure to read the license before installing! This is NOT licensed for general-purpose use!)
  ftp://ftp.freebsd.org/XXX

* OpenSSL package for International (non-US) users. This is not legal for use in the US, but international users should use this one because the RSA implementation is faster and more flexible.
  ftp://internat.freebsd.org/XXX

----

"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!"
-- Homer Simpson
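The post describes three OpenSSL builds (US without RSA, US with RSAREF, International with RSA but no IDEA) but gives no way to tell which one a machine actually has. The script below is an added example, not part of Kris's post or of FreeBSD: it classifies a build from the cipher list that `openssl ciphers -v` prints, where `Kx=RSA` shows RSA key exchange is compiled in and `Enc=IDEA` shows the IDEA cipher is present. The sample cipher lists are constructed in that output format, not captured from real systems; the function name is my own.

```shell
#!/bin/sh
# Added example: classify an OpenSSL build from `openssl ciphers -v` output.
# Kx=RSA  -> RSA key exchange available (International build, or US + RSAREF)
# Enc=IDEA -> IDEA cipher available (only the "full" build carries it)
# Note: a cipher list cannot tell the International build apart from a US
# build with RSAREF; both show RSA and lack IDEA.

# Constructed sample in `openssl ciphers -v` format: RSA present, no IDEA.
SAMPLE_RSA='DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1'

# Constructed sample mimicking the US binary build: RSA and IDEA stripped.
SAMPLE_NORSA='EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1'

# Constructed sample with both RSA and IDEA (the post-patent "full" build).
SAMPLE_FULL='IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# classify_openssl_build CIPHER_LIST_TEXT
# Prints: norsa     (US build without RSAREF)
#         rsa       (International build, or US build with RSAREF installed)
#         rsa+idea  (full build: both patented algorithms present)
classify_openssl_build() {
    _list=$1
    if printf '%s\n' "$_list" | grep -q 'Kx=RSA'; then
        if printf '%s\n' "$_list" | grep -q 'Enc=IDEA'; then
            echo rsa+idea
        else
            echo rsa
        fi
    else
        echo norsa
    fi
}

# On a live system (assumes openssl(1) is in PATH), run:
#   classify_openssl_build "$(openssl ciphers -v ALL)"
```

Third-party software that needs RSA (or SSLv2) will fail on a machine that reports "norsa"; that is the case the post tells US users to fix by installing the rsaref port or the RSAREF package.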