Date:      Sat, 19 Feb 2000 13:26:05 -0800 (PST)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        current@freebsd.org
Subject:   Re: Supported ways to do RSA/OpenSSL on 4.0?
Message-ID:  <Pine.BSF.4.21.0002191312580.76238-100000@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.96L.1000219092406.655A-100000@fledge.watson.org>

On Sat, 19 Feb 2000, Robert Watson wrote:

> /usr/ports/security/openssh/work/ssh/lib/../rsa.h:22: openssl/rsa.h: No
> such file or directory

Yes, this is the same problem Jordan is seeing. I really don't know why,
because it SHOULD be failing gracefully when it sees you don't have an
openssl-capable libcrypto :-( I'll keep looking at it.

> > See chapter 6.5 in the handbook.
> 
> The handbook appears not to have been installed as part of the ``Novice''
> install that I selected.  This suggests that the documentation is not
> sufficiently accessible.

Hmm, you'd have to check with Jordan about that... I haven't done an
installation for a long time.

> However, I did find the following:
> 
>   The OpenSSL package with RSAREF support for USA users which you can get
>   from ftp.FreeBSD.org. 
> 
>      Note: Be sure to read the license before installing! This is NOT
>      licensed for general-purpose use!
> 
>   The OpenSSL package for International (non-USA) users. This is not legal
>   for general use in the USA, but international users should use this
>   version because the RSA implementation is faster and more flexible. It
>   is available from ftp.internat.FreeBSD.org. 
> 
> I was unable to build the OpenSSL port, and installing the RSAref port
> didn't fix these build problems.  Also, these directions are pretty

No, because you have to install the OpenSSL-RSAREF port as well. The
libraries are different when built against librsaref. Grab that port and
it will pull in a rsaref dependency.

> non-specific--could you throw in URLs?  Also, as I mentioned for

Yes, once they're actually on the FTP site ;-) Hopefully this weekend.

> auto-install, either building this into sysinstall as a specific install
> stage would be a good idea.  Is the intent that we install the OpenSSL
> package into /usr/local/lib, or will this stuff be dumped in /usr/lib?

It overwrites the system copy in /usr/lib. Having a stale copy in
/usr/local/lib shouldn't hurt things (Jim and I have been trying to make
sure the openssl ports will not pick anything up from there if you have it
in /usr/lib) but other (e.g. new) ports we haven't touched might not like
it off the bat. There's a whole maze of twisty little passages involved in
getting all of the n different possible combinations of openssl,
openssl crypto options and FreeBSD working properly.

> Having two different instances of OpenSSL with different degrees of
> breakage will be pretty confusing for developers and porters of SSL
> applications, suggesting that the logical target is /usr/lib.  It also
> might be good to have a /usr/include/openssl/README that says ``Looking
> for rsa.h?  You need to read section 6.5 of the handbook''.

This might be a good idea.

> Also, I note that we don't include an OpenSSL man page:
> 
> cumin# man openssl
> No manual entry for openssl
> cumin# man ssl
> No manual entry for ssl
> cumin# man crypto
> No manual entry for crypto
> 
> These logical sounding potential manpages would probably be a good place
> to mirror the handbook information.  Are there OpenSSL man pages installed
> somewhere in the base system?

No, openssl 0.9.4 had no manpages. Openssl 0.9.5 rectifies this. If one of
the docs guys wants to manify the handbook contents it's fine by me.

> Is this an export-friendly location for non-USA folks?  Any chance Jordan

Nope, but John Hay has reportedly built international packages which Mark
is reportedly going to be putting on internat.freebsd.org.

> or someone wants to hack up an install stage?  I think this is
> important--especially having it automated, as the automated one-step
> install of crypto-based applications is important.  If we're willing to
> pause the install to ask about X desktops, this sounds like a good
> candidate also.  It also sounds like a good time to generate an initial
> value for USA_RESIDENT in make.conf.

I agree. Jordan? :)

> Sounds like a step in the right direction, but currently a no-start due to
> lack of handbook in the install.  Although it's more work, I'd rather see
> an OpenSSL manpage that includes this information, a sure-fire way to
> check to see what's installed, a sysinstall-phase, etc.

I'll update the warning to give an actual pointer (file location and
URL).

> Thanks!  Looks like all this will be great once it's working!

Thanks.

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson
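
The thread asks for a sure-fire way to see what is installed and warns about a stale OpenSSL copy in /usr/local/lib next to the one in /usr/lib. The script below is an added example, not part of the original message or of FreeBSD: the function names, the ROOT parameter and the return-code convention are assumptions, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical parameter so the
# check can run against a test tree; pass "" to inspect the live system.

# True if DIR holds any libcrypto.* file (static or shared).
has_libcrypto() {
    for f in "$1"/libcrypto.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Print one line per finding. Return codes (a convention assumed here):
#   0 = rsa.h present and libcrypto in one place only
#   1 = /usr/include/openssl/rsa.h missing (the build error quoted above)
#   2 = libcrypto in both /usr/lib and /usr/local/lib (possible stale copy)
audit_openssl() {
    _root=$1
    _rc=0
    if has_libcrypto "$_root/usr/lib" && has_libcrypto "$_root/usr/local/lib"; then
        echo "warn: libcrypto in both /usr/lib and /usr/local/lib"
        _rc=2
    fi
    if [ -f "$_root/usr/local/include/openssl/rsa.h" ]; then
        echo "note: extra headers in /usr/local/include/openssl"
    fi
    if [ -f "$_root/usr/include/openssl/rsa.h" ]; then
        echo "ok: /usr/include/openssl/rsa.h present"
    else
        echo "missing: /usr/include/openssl/rsa.h"
        _rc=1
    fi
    return "$_rc"
}

# Constructed sample tree (not a real system): a base libcrypto without
# rsa.h, plus a second copy under /usr/local/lib.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib" "$demo/usr/local/lib" "$demo/usr/include/openssl"
: > "$demo/usr/lib/libcrypto.so.1"
: > "$demo/usr/local/lib/libcrypto.a"
audit_openssl "$demo" || echo "status: $?"
rm -rf "$demo"
```

A missing header takes priority over the duplicate-library warning in the return code, since it is the condition that stops the build outright.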


