Date: Sat, 19 Feb 2000 13:39:01 -0800 (PST)
From: Kris Kennaway
To: Victor Salaman
Cc: freebsd-current@freebsd.org
Subject: Re: openssl in -current
In-Reply-To: <200002191513.HAA01528@www.geocrawler.com>

On Sat, 19 Feb 2000, Victor Salaman wrote:

> I personally think that it's braindead to add openssl to the system
> and strip out parts of it (RSA & IDEA). Don't get me wrong, I love to
> have

So do I. Unfortunately our hands are tied - the version of FreeBSD
distributed in the US must not contain these because they are patented
technologies and not available for unrestricted use. Unfortunately this
is also the same version distributed worldwide on FreeBSD CDs, install
images, etc (although internat.freebsd.org also produces crypto
snapshots which would have the international version of openssl).

See chapter 6.5 in the handbook for an explanation of the problem and
the solutions - if you're inside the US and comply with the rsaref
license you can use the OpenSSL-rsaref package, otherwise you're legally
forbidden from using RSA. There's no known workaround for IDEA, but
thankfully not many ports make use of it anyway.

> Imagine that you are setting up 100 FreeBSD machines, it's not an
> option to do make world from sources and build a "new" non-crippled
> crypto system. You just want to install it and go!

Hopefully at some point in the future sysinstall will have an option at
install-time for pulling in the "correct" version of openssl for your
situation. At present you can still just pkg_add the relevant package
post-install without having to do a make world.

See http://www.freebsd.org/~kris/openssl

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson