Date:      Sat, 5 Feb 2000 22:13:00 -0800 (PST)
From:      Kris Kennaway <kris@freefall.freebsd.org>
To:        doc@freebsd.org
Subject:   OpenSSL markup assistance requested

Hi all,

I need someone to mark up the following document for inclusion as chapter
6.5 of the handbook ("OpenSSL"). I don't yet know where the packages it
refers to will reside, but that can be changed simply enough later on. Can
anyone help?

Kris

----

As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL [http://www.openssl.org] provides a general-purpose
cryptography library, as well as the Secure Sockets Layer v2/v3
(SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security
protocols.

However, some of the algorithms (specifically, RSA and IDEA) included in
OpenSSL are protected by patents in the USA and elsewhere, and are not
available for unrestricted use (in particular IDEA is currently not
available in any of FreeBSD's OpenSSL distributions). In addition, export
of cryptographic code from the USA has (until recently) been heavily
restricted. As a result, FreeBSD has available three different versions of
OpenSSL depending on geographical location (USA/non-USA) and compliance
with the RSAREF license (see below).

RSA is a useful algorithm which is required for a lot of third-party
software which uses OpenSSL (as well as for the SSLv2 protocol), so you
should enable it if at all possible.

SOURCE-CODE INSTALLATIONS

OpenSSL is part of the "src-crypto" and "src-secure" cvsup collections. See
section 18.3 for more information about obtaining and updating FreeBSD
source-code.

INTERNATIONAL (NON-USA) USERS:

People who are located outside the USA, and who obtain their crypto sources
from internat.freebsd.org (the International Crypto Repository), will build
a version of OpenSSL which includes RSA, but does not include IDEA, because
the latter is restricted in certain locations elsewhere in the world. In
the future a more flexible geographical identification system may allow
building of IDEA in countries for which it is not restricted.

Please be aware of any local restrictions on the import, use and
redistribution of cryptography which may exist in your country.

USA USERS:

As noted above, RSA is patented in the USA, with terms preventing general
use without an appropriate license. Therefore the OpenSSL RSA code may not
be used in the USA, and has been removed from the version of OpenSSL carried
on USA mirror sites. The RSA patent is due to expire on September 20, 2000,
at which time it is intended to add the "full" RSA code back to the USA
version of OpenSSL.

However (and fortunately), the RSA patent holder (RSA Security,
[http://www.rsasecurity.com]) has provided an "RSA reference implementation"
toolkit ("RSAREF") which is available for *certain classes of use*,
including "non-commercial use" (see the RSAREF license for the definition
of "non-commercial").

If you meet the conditions of the RSAREF license and wish to build your
OpenSSL sources with RSAREF support, you must first install the rsaref port
in /usr/ports/security/rsaref before (re)building OpenSSL (e.g. by 'make
world'). Please obtain legal advice if you are unsure of your compliance
with the license terms.

Users who have purchased an appropriate RSA source code license from RSA
Security may use the International version of OpenSSL described above to
obtain native RSA support.

IDEA code is also removed from the USA version of OpenSSL for patent
reasons.

BINARY INSTALLATIONS

If your FreeBSD installation was a binary installation (e.g. installed from
CDROM, or from a snapshot downloaded from ftp.freebsd.org) and you selected
to install the 'crypto' module, then you will have the non-RSA capable USA
version of the OpenSSL code (see above). If you wish to install another
version (USA RSAREF, or International) you will need to obtain and install
one of the following packages:

* OpenSSL package with RSAREF support for USA users (NOTE: Be sure to
  read the license before installing! This is NOT licensed for
  general-purpose use!)

	ftp://ftp.freebsd.org/pub/FreeBSD/XXX

* OpenSSL package for International (non-USA) users. This is not legal
  for general use in the USA, but international users should use this
  version because the RSA implementation is faster and more flexible.

	ftp://ftp.internat.freebsd.org/XXX



