From kris@freefall.freebsd.org Thu Feb 10 20:57:14 2000
Date: Sat, 5 Feb 2000 22:13:00 -0800 (PST)
From: Kris Kennaway
To: doc@freebsd.org
Subject: OpenSSL markup assistance requested

Hi all,

I need someone to mark up the following document for inclusion as chapter 6.5 of the handbook ("OpenSSL"). I don't yet know where the packages it refers to will reside, but that can be changed simply enough later on. Can anyone help?

Kris

----

As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base system. OpenSSL [http://www.openssl.org] provides a general-purpose cryptography library, as well as the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols.

However, some of the algorithms (specifically, RSA and IDEA) included in OpenSSL are protected by patents in the USA and elsewhere, and are not available for unrestricted use (in particular IDEA is currently not available in any of FreeBSD's OpenSSL distributions). In addition, export of cryptographic code from the USA has (until recently) been heavily restricted. As a result, FreeBSD has available three different versions of OpenSSL depending on geographical location (USA/non-USA) and compliance with the RSAREF license (see below).

RSA is a useful algorithm which is required for a lot of third-party software which uses OpenSSL (as well as for the SSLv2 protocol), so you should enable it if at all possible.

SOURCE-CODE INSTALLATIONS

OpenSSL is part of the "src-crypto" and "src-secure" cvsup collections. See section 18.3 for more information about obtaining and updating FreeBSD source-code.

INTERNATIONAL (NON-USA) USERS:

People who are located outside the USA, and who obtain their crypto sources from internat.freebsd.org (the International Crypto Repository), will build a version of OpenSSL which includes RSA, but does not include IDEA, because the latter is restricted in certain locations elsewhere in the world.
In the future a more flexible geographical identification system may allow building of IDEA in countries for which it is not restricted. Please be aware of any local restrictions on the import, use and redistribution of cryptography which may exist in your country.

USA USERS:

As noted above, RSA is patented in the USA, with terms preventing general use without an appropriate license. Therefore the OpenSSL RSA code may not be used in the USA, and has been removed from the version of OpenSSL carried on USA mirror sites. The RSA patent is due to expire on September 20, 2000, at which time it is intended to add the "full" RSA code back to the USA version of OpenSSL.

However (and fortunately), the RSA patent holder (RSA Security, [http://www.rsasecurity.com]) has provided a "RSA reference implementation" toolkit ("RSAREF") which is available for *certain classes of use*, including "non-commercial use" (see the RSAREF license for the definition of "non-commercial"). If you meet the conditions of the RSAREF license and wish to build your OpenSSL sources with RSAREF support, you must first install the rsaref port in /usr/ports/security/rsaref before (re)building OpenSSL (e.g. by 'make world'). Please obtain legal advice if you are unsure of your compliance with the license terms.

Users who have purchased an appropriate RSA source code license from RSA Security may use the International version of OpenSSL described above to obtain native RSA support.

IDEA code is also removed from the USA version of OpenSSL for patent reasons.

BINARY INSTALLATIONS

If your FreeBSD installation was a binary installation (e.g. installed from CDROM, or from a snapshot downloaded from ftp.freebsd.org) and you selected to install the 'crypto' module, then you will have the non-RSA capable USA version of the OpenSSL code (see above).
If you wish to install another version (USA RSAREF, or International) you will need to obtain and install one of the following packages:

* OpenSSL package with RSAREF support for USA users (NOTE: Be sure to read the license before installing! This is NOT licensed for general-purpose use!)
  ftp://ftp.freebsd.org/pub/FreeBSD/XXX

* OpenSSL package for International (non-USA) users. This is not legal for general use in the USA, but international users should use this version because the RSA implementation is faster and more flexible.
  ftp://ftp.internat.freebsd.org/XXX
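A practical follow-up to the draft above: once a source build or package is installed, it is worth confirming which variant actually ended up on the host, since a no-RSA build silently loses every RSA cipher suite (and with it SSLv2 and most third-party software). The script below is an added example and is not part of Kris's message or the handbook draft. It assumes an `openssl` command in PATH; the two sample cipher lists are constructed here in the style of `openssl ciphers -v` output so the parsing can be exercised without a particular build present.

```shell
#!/bin/sh
# Added example (not from the handbook draft): tell an RSA-capable OpenSSL
# from the no-RSA USA build.  A build compiled without RSA offers no cipher
# suite with RSA key exchange and does not even include the genrsa command.

# Constructed sample lines in the format of `openssl ciphers -v`, used
# below to exercise the parser.  An RSA-capable build:
SAMPLE_RSA='DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1'

# ... and a build with RSA removed (only DH-based suites survive):
SAMPLE_NORSA='EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1'

# Count cipher suites using RSA key exchange in cipher-list text on stdin.
# grep -c exits 1 when the count is zero, so mask that to keep the count.
count_rsa_kx() {
    grep -c 'Kx=RSA' || true
}

# Read cipher-list text on stdin and print "rsa" or "no-rsa".
classify_cipher_list() {
    if [ "$(count_rsa_kx)" -gt 0 ]; then
        echo rsa
    else
        echo no-rsa
    fi
}

# Live check of the OpenSSL installed on this host (assumes `openssl` in
# PATH).  Exit status 0 if RSA works end to end, 1 otherwise.
check_installed_openssl() {
    variant=$(openssl ciphers -v 2>/dev/null | classify_cipher_list)
    echo "cipher list: $variant"
    # A build without RSA has no genrsa command at all, so the key
    # generation attempt fails rather than producing a key.
    if openssl genrsa 1024 >/dev/null 2>&1; then
        echo "genrsa: RSA key generation works"
        return 0
    fi
    echo "genrsa: RSA key generation unavailable (no-RSA build?)"
    return 1
}

# Usage: run this script on the host being checked.
if command -v openssl >/dev/null 2>&1; then
    check_installed_openssl || :
else
    echo "openssl not in PATH; skipping live check" >&2
fi
```

A host reporting "no-rsa" and a failing genrsa has the plain USA binary described under BINARY INSTALLATIONS; both the RSAREF and International builds pass this check, so it does not distinguish those two from each other.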