From owner-freebsd-current Sun Feb 20 15:38:25 2000
Delivered-To: freebsd-current@freebsd.org
Received: from news-ma.rhein-neckar.de (news-ma.rhein-neckar.de [193.197.90.3])
    by hub.freebsd.org (Postfix) with ESMTP id 015BE37C003
    for ; Sun, 20 Feb 2000 15:38:21 -0800 (PST)
    (envelope-from daemon@bigeye.rhein-neckar.de)
Received: from bigeye.rhein-neckar.de (uucp@localhost)
    by news-ma.rhein-neckar.de (8.8.8/8.8.8) with bsmtp id AAA16005
    for freebsd-current@freebsd.org; Mon, 21 Feb 2000 00:38:16 +0100 (CET)
    (envelope-from daemon@bigeye.rhein-neckar.de)
Received: (from daemon@localhost)
    by bigeye.rhein-neckar.de (8.9.3/8.9.3) id AAA71839
    for freebsd-current@freebsd.org; Mon, 21 Feb 2000 00:36:49 +0100 (CET)
    (envelope-from daemon)
From: naddy@mips.rhein-neckar.de (Christian Weisgerber)
Subject: Re: openssl in -current
Date: 21 Feb 2000 00:36:49 +0100
Message-ID: <88ptqh$264i$1@bigeye.rhein-neckar.de>
References: <58727.951031902@zippy.cdrom.com> <20000220131247.C14682@dragon.nuxi.com>
To: freebsd-current@freebsd.org
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

David O'Brien wrote:

> How does OpenBSD deal with it? Why is it so easy for them?

0. RSA situation

In the USA, the RSA algorithm(!) is patented by RSA Inc. It doesn't
matter where the actual code is from, any use of RSA needs permission
by the patent holder. RSA Inc. provides a reference implementation
(RSAREF), which is free for private/educational/whatever use. Other
implementations are not covered by this license, i.e. their use
infringes on the patent. Commercial users need to get an explicit
license from RSA Inc., which from what I hear you can't get in
practice.

The American RSA patent does not affect the rest of the world, which
can freely use the algorithm in whatever implementation.

In short again:
- USA, non-commercial: must use RSAREF
- USA, commercial: no RSA
- international: free RSA

1. Installation

As distributed on CD/FTP, OpenBSD ships with a shared libcrypto in
/usr/lib that doesn't contain RSA. It has some stubs that will abort
the program with an error message, if it tries to call the RSA
routines.

In order to provide RSA, the user needs to install an additional
package from the net. This exists in two versions, the international
one containing OpenSSL's own RSA implementation, and the USA one with
RSAREF. This package installs a new libcrypto in /usr/local/lib. The
RSA-enabled shared library has a higher version number, so on program
start-up it will be picked up in preference to the non-RSA one.

(This whole setup collapses for those architectures that don't support
shared libraries, but I don't think I need to get into this now as it
doesn't concern FreeBSD.)

In short again:
- no RSA out of the box
- must add international or USA package with RSA after installation

2. Source

OpenSSL is integrated into the OpenBSD source tree. However, the RSA
routines are missing and are not in the CVS repository. A separate
source package--again in international and USA versions--is available
by FTP. This can simply be dropped at the appropriate place into the
OpenBSD source tree and will be automatically picked up by a world
build to produce an RSA-enabled libcrypto. Otherwise a non-RSA library
will be built.

In short again:
- no RSA in OpenBSD repository
- source available as drop-in external package

3. Commentary

The OpenBSD solution is not all that easy. However, it is not that
difficult from a user's perspective either. The install script
(OpenBSD uses a comprehensive shell script in place of sysinstall)
asks the user whether to install the RSA-enabled libraries and as an
alternative points to ssl(8) for information on how to do this later.

If we want to have OpenSSL in the base system, we necessarily will
need to use an approach similar to the OpenBSD one.

I would like to point out that OpenBSD has made it a major advocacy
point that they ship with OpenSSL and OpenSSH out of the box, nicely
omitting the fact that you need to install a separate package off the
net to actually make it work. However, the favorable user
comments/reviews I see seem to suggest that people very much like the
OpenBSD approach. Again and again it is mentioned that contrary to
other operating systems OpenBSD ships with encryption out of the box,
that you don't need to install additional ports or packages, and the
additional install step either isn't even mentioned or only in
passing, with a remark how easy this is. There's also the argument
that OpenBSD is optimally prepared for the running out of the RSA
patent at the end of the year.

Now, I'm the first to agree that OpenBSD's OpenSSL integration doesn't
buy all that much. Users seem to disagree though. It's a perception
thing, I guess.

Of course, if you want to actually integrate OpenSSL-using software
into the base system (OpenBSD has OpenSSH and Apache), then you
obviously also need to have OpenSSL or at least a stub for it in the
base system.

FWIW, I support Kris' push to put OpenSSL in the base system.

-- 
Christian "naddy" Weisgerber                  naddy@mips.rhein-neckar.de