{"schema":"libjg2-1",
"vpath":"/git/",
"avatar":"/git/avatar/",
"alang":"",
"gen_ut":1755717213,
"reponame":"openssl",
"desc":"OpenSSL",
"owner": { "name": "Andy Green", "email": "andy@warmcat.com", "md5": "c50933ca2aa61e0fe2c43d46bb6b59cb" },"url":"https://warmcat.com/repo/openssl",
"f":3,
"items": [
{"schema":"libjg2-1",
"cid":"55bdd7594371fe22451c02f63928c372",
"commit": {"type":"commit",
"time": 1439766149,
"time_ofs": 18446744073709551376,
"oid_tree": { "oid": "20d5a927cd9f28a4e3a50584bd4c7c7c51c8ab50", "alias": []},
"oid":{ "oid": "4f46473a86c9e3741203b22d4d401a3763583494", "alias": []},
"msg": "Move FAQ to the web.",
"sig_commit": { "git_time": { "time": 1439766149, "offset": -240 }, "name": "Rich Salz", "email": "rsalz@openssl.org", "md5": "3ed6b9cf7bbe83902a044f6590346d26" },
"sig_author": { "git_time": { "time": 1439764704, "offset": -240 }, "name": "Rich Salz", "email": "rsalz@akamai.com", "md5": "825a7f3ef767f852ea1717d3b4a10cd3" }},
"body": "Move FAQ to the web.\n\nBest hope of keeping current.\n\nReviewed-by: Tim Hudson \u003ctjh@openssl.org\u003e\n"
,
"diff": "diff --git a/FAQ b/FAQ\nindex 0ff792b..22c5cf7 100644\n--- a/FAQ\n+++ b/FAQ\n@@ -1,1091 +1,2 @@\n-OpenSSL - Frequently Asked Questions\n---------------------------------------\n-\n-[MISC] Miscellaneous questions\n-\n-* Which is the current version of OpenSSL?\n-* Where is the documentation?\n-* How can I contact the OpenSSL developers?\n-* Where can I get a compiled version of OpenSSL?\n-* Why aren't tools like 'autoconf' and 'libtool' used?\n-* What is an 'engine' version?\n-* How do I check the authenticity of the OpenSSL distribution?\n-* How does the versioning scheme work?\n-\n-[LEGAL] Legal questions\n-\n-* Do I need patent licenses to use OpenSSL?\n-* Can I use OpenSSL with GPL software? \n-\n-[USER] Questions on using the OpenSSL applications\n-\n-* Why do I get a \u0022PRNG not seeded\u0022 error message?\n-* Why do I get an \u0022unable to write 'random state'\u0022 error message?\n-* How do I create certificates or certificate requests?\n-* Why can't I create certificate requests?\n-* Why does \u003cSSL program\u003e fail with a certificate verify error?\n-* Why can I only use weak ciphers when I connect to a server using OpenSSL?\n-* How can I create DSA certificates?\n-* Why can't I make an SSL connection using a DSA certificate?\n-* How can I remove the passphrase on a private key?\n-* Why can't I use OpenSSL certificates with SSL client authentication?\n-* Why does my browser give a warning about a mismatched hostname?\n-* How do I install a CA certificate into a browser?\n-* Why is OpenSSL x509 DN output not conformant to RFC2253?\n-* What is a \u0022128 bit certificate\u0022? 
Can I create one with OpenSSL?\n-* Why does OpenSSL set the authority key identifier extension incorrectly?\n-* How can I set up a bundle of commercial root CA certificates?\n-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?\n-\n-[BUILD] Questions about building and testing OpenSSL\n-\n-* Why does the linker complain about undefined symbols?\n-* Why does the OpenSSL test fail with \u0022bc: command not found\u0022?\n-* Why does the OpenSSL test fail with \u0022bc: 1 no implemented\u0022?\n-* Why does the OpenSSL test fail with \u0022bc: stack empty\u0022?\n-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?\n-* Why does the OpenSSL compilation fail with \u0022ar: command not found\u0022?\n-* Why does the OpenSSL compilation fail on Win32 with VC++?\n-* What is special about OpenSSL on Redhat?\n-* Why does the OpenSSL compilation fail on MacOS X?\n-* Why does the OpenSSL test suite fail on MacOS X?\n-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?\n-* Why does OpenBSD-i386 build fail on des-586.s with \u0022Unimplemented segment type\u0022?\n-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?\n-* Why does compiler fail to compile sha512.c?\n-* Test suite still fails, what to do?\n-* I think I've found a bug, what should I do?\n-* I'm SURE I've found a bug, how do I report it?\n-* I've found a security issue, how do I report it?\n-\n-[PROG] Questions about programming with OpenSSL\n-\n-* Is OpenSSL thread-safe?\n-* I've compiled a program under Windows and it crashes: why?\n-* How do I read or write a DER encoded buffer using the ASN1 functions?\n-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?\n-* I've tried using \u003cM_some_evil_pkcs12_macro\u003e and I get errors why?\n-* I've called \u003csome function\u003e and it fails, why?\n-* I just get a load of numbers for the error output, what do they mean?\n-* Why do I get errors about unknown algorithms?\n-* Why can't the OpenSSH 
configure script detect OpenSSL?\n-* Can I use OpenSSL's SSL library with non-blocking I/O?\n-* Why doesn't my server application receive a client certificate?\n-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?\n-* I think I've detected a memory leak, is this a bug?\n-* Why does Valgrind complain about the use of uninitialized data?\n-* Why doesn't a memory BIO work when a file does?\n-* Where are the declarations and implementations of d2i_X509() etc?\n-* When debugging I observe SIGILL during OpenSSL initialization: why?\n-\n-\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-[MISC] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-* Which is the current version of OpenSSL?\n-\n-The current version is available from \u003cURL: http://www.openssl.org\u003e.\n-\n-In addition to the current stable release, you can also access daily\n-snapshots of the OpenSSL development version at \u003cURL:\n-ftp://ftp.openssl.org/snapshot/\u003e, or get it by anonymous Git access.\n-\n-\n-* Where is the documentation?\n-\n-OpenSSL is a library that provides cryptographic functionality to\n-applications such as secure web servers. 
Be sure to read the\n-documentation of the application you want to use. The INSTALL file\n-explains how to install this library.\n-\n-OpenSSL includes a command line utility that can be used to perform a\n-variety of cryptographic functions. It is described in the openssl(1)\n-manpage. Documentation for developers is currently being written. Many\n-manual pages are available; overviews over libcrypto and\n-libssl are given in the crypto(3) and ssl(3) manpages.\n-\n-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a\n-different directory if you specified one as described in INSTALL).\n-In addition, you can read the most current versions at\n-\u003cURL: http://www.openssl.org/docs/\u003e. Note that the online documents refer\n-to the very latest development versions of OpenSSL and may include features\n-not present in released versions. If in doubt refer to the documentation\n-that came with the version of OpenSSL you are using. The pod format\n-documentation is included in each OpenSSL distribution under the docs\n-directory.\n-\n-There is some documentation about certificate extensions and PKCS#12\n-in doc/openssl.txt\n-\n-The original SSLeay documentation is included in OpenSSL as\n-doc/ssleay.txt. It may be useful when none of the other resources\n-help, but please note that it reflects the obsolete version SSLeay\n-0.6.6.\n-\n-\n-* How can I contact the OpenSSL developers?\n-\n-The README file describes how to submit bug reports and patches to\n-OpenSSL. Information on the OpenSSL mailing lists is available from\n-\u003cURL: http://www.openssl.org\u003e.\n-\n-\n-* Where can I get a compiled version of OpenSSL?\n-\n-You can finder pointers to binary distributions in\n-\u003cURL: http://www.openssl.org/about/binaries.html\u003e .\n-\n-Some applications that use OpenSSL are distributed in binary form.\n-When using such an application, you don't need to install OpenSSL\n-yourself; the application will include the required parts (e.g. 
DLLs).\n-\n-If you want to build OpenSSL on a Windows system and you don't have\n-a C compiler, read the \u0022Mingw32\u0022 section of INSTALL.W32 for information\n-on how to obtain and install the free GNU C compiler.\n-\n-A number of Linux and *BSD distributions include OpenSSL.\n-\n-\n-* Why aren't tools like 'autoconf' and 'libtool' used?\n-\n-autoconf will probably be used in future OpenSSL versions. If it was\n-less Unix-centric, it might have been used much earlier.\n-\n-* What is an 'engine' version?\n-\n-With version 0.9.6 OpenSSL was extended to interface to external crypto\n-hardware. This was realized in a special release '0.9.6-engine'. With\n-version 0.9.7 the changes were merged into the main development line,\n-so that the special release is no longer necessary.\n-\n-* How do I check the authenticity of the OpenSSL distribution?\n-\n-We provide MD5 digests and ASC signatures of each tarball.\n-Use MD5 to check that a tarball from a mirror site is identical:\n-\n- md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5\n-\n-You can check authenticity using pgp or gpg. You need the OpenSSL team\n-member public key used to sign it (download it from a key server, see a\n-list of keys at \u003cURL: http://www.openssl.org/about/\u003e). Then\n-just do:\n-\n- pgp TARBALL.asc\n-\n-* How does the versioning scheme work?\n-\n-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter \n-releases (e.g. 1.0.1a) can only contain bug and security fixes and no\n-new features. Minor releases change the last number (e.g. 1.0.2) and \n-can contain new features that retain binary compatibility. 
Changes to\n-the middle number are considered major releases and neither source nor\n-binary compatibility is guaranteed.\n-\n-Therefore the answer to the common question \u0022when will feature X be\n-backported to OpenSSL 1.0.0/0.9.8?\u0022 is \u0022never\u0022 but it could appear\n-in the next minor release.\n-\n-* What happens when the letter release reaches z?\n-\n-It was decided after the release of OpenSSL 0.9.8y the next version should\n-be 0.9.8za then 0.9.8zb and so on.\n-\n-\n-[LEGAL] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-* Do I need patent licenses to use OpenSSL?\n-\n-For information on intellectual property rights, please consult a lawyer.\n-The OpenSSL team does not offer legal advice.\n-\n-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using\n- ./config no-idea no-mdc2 no-rc5\n-\n-\n-* Can I use OpenSSL with GPL software?\n-\n-On many systems including the major Linux and BSD distributions, yes (the\n-GPL does not place restrictions on using libraries that are part of the\n-normal operating system distribution).\n-\n-On other systems, the situation is less clear. 
Some GPL software copyright\n-holders claim that you infringe on their rights if you use OpenSSL with\n-their software on operating systems that don't normally include OpenSSL.\n-\n-If you develop open source software that uses OpenSSL, you may find it\n-useful to choose an other license than the GPL, or state explicitly that\n-\u0022This program is released under the GPL with the additional exemption that\n-compiling, linking, and/or using OpenSSL is allowed.\u0022 If you are using\n-GPL software developed by others, you may want to ask the copyright holder\n-for permission to use their software with OpenSSL.\n-\n-\n-[USER] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-* Why do I get a \u0022PRNG not seeded\u0022 error message?\n-\n-Cryptographic software needs a source of unpredictable data to work\n-correctly. Many open source operating systems provide a \u0022randomness\n-device\u0022 (/dev/urandom or /dev/random) that serves this purpose.\n-All OpenSSL versions try to use /dev/urandom by default; starting with\n-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not\n-available.\n-\n-On other systems, applications have to call the RAND_add() or\n-RAND_seed() function with appropriate data before generating keys or\n-performing public key encryption. (These functions initialize the\n-pseudo-random number generator, PRNG.) Some broken applications do\n-not do this. As of version 0.9.5, the OpenSSL functions that need\n-randomness report an error if the random number generator has not been\n-seeded with at least 128 bits of randomness. 
If this error occurs and\n-is not discussed in the documentation of the application you are\n-using, please contact the author of that application; it is likely\n-that it never worked correctly. OpenSSL 0.9.5 and later make the\n-error visible by refusing to perform potentially insecure encryption.\n-\n-If you are using Solaris 8, you can add /dev/urandom and /dev/random\n-devices by installing patch 112438 (Sparc) or 112439 (x86), which are\n-available via the Patchfinder at \u003cURL: http://sunsolve.sun.com\u003e\n-(Solaris 9 includes these devices by default). For /dev/random support\n-for earlier Solaris versions, see Sun's statement at\n-\u003cURL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc\u003dfsrdb/27606\u0026zone_32\u003dSUNWski\u003e\n-(the SUNWski package is available in patch 105710).\n-\n-On systems without /dev/urandom and /dev/random, it is a good idea to\n-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for\n-details. Starting with version 0.9.7, OpenSSL will automatically look\n-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and\n-/etc/entropy.\n-\n-Most components of the openssl command line utility automatically try\n-to seed the random number generator from a file. The name of the\n-default seeding file is determined as follows: If environment variable\n-RANDFILE is set, then it names the seeding file. Otherwise if\n-environment variable HOME is set, then the seeding file is $HOME/.rnd.\n-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will\n-use file .rnd in the current directory while OpenSSL 0.9.6a uses no\n-default seeding file at all. 
OpenSSL 0.9.6b and later will behave\n-similarly to 0.9.6a, but will use a default of \u0022C:\u005c\u0022 for HOME on\n-Windows systems if the environment variable has not been set.\n-\n-If the default seeding file does not exist or is too short, the \u0022PRNG\n-not seeded\u0022 error message may occur.\n-\n-The openssl command line utility will write back a new state to the\n-default seeding file (and create this file if necessary) unless\n-there was no sufficient seeding.\n-\n-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.\n-Use the \u0022-rand\u0022 option of the OpenSSL command line tools instead.\n-The $RANDFILE environment variable and $HOME/.rnd are only used by the\n-OpenSSL command line tools. Applications using the OpenSSL library\n-provide their own configuration options to specify the entropy source,\n-please check out the documentation coming the with application.\n-\n-\n-* Why do I get an \u0022unable to write 'random state'\u0022 error message?\n-\n-\n-Sometimes the openssl command line utility does not abort with\n-a \u0022PRNG not seeded\u0022 error message, but complains that it is\n-\u0022unable to write 'random state'\u0022. This message refers to the\n-default seeding file (see previous answer). A possible reason\n-is that no default filename is known because neither RANDFILE\n-nor HOME is set. (Versions up to 0.9.6 used file \u0022.rnd\u0022 in the\n-current directory in this case, but this has changed with 0.9.6a.)\n-\n-\n-* How do I create certificates or certificate requests?\n-\n-Check out the CA.pl(1) manual page. This provides a simple wrapper round\n-the 'req', 'verify', 'ca' and 'pkcs12' utilities. 
For finer control check\n-out the manual pages for the individual utilities and the certificate\n-extensions documentation (in ca(1), req(1), x509v3_config(5) )\n-\n-\n-* Why can't I create certificate requests?\n-\n-You typically get the error:\n-\n-\tunable to find 'distinguished_name' in config\n-\tproblems making Certificate Request\n-\n-This is because it can't find the configuration file. Check out the\n-DIAGNOSTICS section of req(1) for more information.\n-\n-\n-* Why does \u003cSSL program\u003e fail with a certificate verify error?\n-\n-This problem is usually indicated by log messages saying something like\n-\u0022unable to get local issuer certificate\u0022 or \u0022self signed certificate\u0022.\n-When a certificate is verified its root CA must be \u0022trusted\u0022 by OpenSSL\n-this typically means that the CA certificate must be placed in a directory\n-or file and the relevant program configured to read it. The OpenSSL program\n-'verify' behaves in a similar way and issues similar error messages: check\n-the verify(1) program manual page for more information.\n-\n-\n-* Why can I only use weak ciphers when I connect to a server using OpenSSL?\n-\n-This is almost certainly because you are using an old \u0022export grade\u0022 browser\n-which only supports weak encryption. Upgrade your browser to support 128 bit\n-ciphers.\n-\n-\n-* How can I create DSA certificates?\n-\n-Check the CA.pl(1) manual page for a DSA certificate example.\n-\n-\n-* Why can't I make an SSL connection to a server using a DSA certificate?\n-\n-Typically you'll see a message saying there are no shared ciphers when\n-the same setup works fine with an RSA certificate. There are two possible\n-causes. The client may not support connections to DSA servers most web\n-browsers (including Netscape and MSIE) only support connections to servers\n-supporting RSA cipher suites. The other cause is that a set of DH parameters\n-has not been supplied to the server. 
DH parameters can be created with the\n-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:\n-check the source to s_server in apps/s_server.c for an example.\n-\n-\n-* How can I remove the passphrase on a private key?\n-\n-Firstly you should be really *really* sure you want to do this. Leaving\n-a private key unencrypted is a major security risk. If you decide that\n-you do have to do this check the EXAMPLES sections of the rsa(1) and\n-dsa(1) manual pages.\n-\n-\n-* Why can't I use OpenSSL certificates with SSL client authentication?\n-\n-What will typically happen is that when a server requests authentication\n-it will either not include your certificate or tell you that you have\n-no client certificates (Netscape) or present you with an empty list box\n-(MSIE). The reason for this is that when a server requests a client\n-certificate it includes a list of CAs names which it will accept. Browsers\n-will only let you select certificates from the list on the grounds that\n-there is little point presenting a certificate which the server will\n-reject.\n-\n-The solution is to add the relevant CA certificate to your servers \u0022trusted\n-CA list\u0022. How you do this depends on the server software in uses. You can\n-print out the servers list of acceptable CAs using the OpenSSL s_client tool:\n-\n-openssl s_client -connect www.some.host:443 -prexit\n-\n-If your server only requests certificates on certain URLs then you may need\n-to manually issue an HTTP GET command to get the list when s_client connects:\n-\n-GET /some/page/needing/a/certificate.html\n-\n-If your CA does not appear in the list then this confirms the problem.\n-\n-\n-* Why does my browser give a warning about a mismatched hostname?\n-\n-Browsers expect the server's hostname to match the value in the commonName\n-(CN) field of the certificate. 
If it does not then you get a warning.\n-\n-\n-* How do I install a CA certificate into a browser?\n-\n-The usual way is to send the DER encoded certificate to the browser as\n-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate\n-link. On MSIE certain extensions such as .der or .cacert may also work, or you\n-can import the certificate using the certificate import wizard.\n-\n-You can convert a certificate to DER form using the command:\n-\n-openssl x509 -in ca.pem -outform DER -out ca.der\n-\n-Occasionally someone suggests using a command such as:\n-\n-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem\n-\n-DO NOT DO THIS! This command will give away your CAs private key and\n-reduces its security to zero: allowing anyone to forge certificates in\n-whatever name they choose.\n-\n-* Why is OpenSSL x509 DN output not conformant to RFC2253?\n-\n-The ways to print out the oneline format of the DN (Distinguished Name) have\n-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()\n-interface, the \u0022-nameopt\u0022 option could be introduded. See the manual\n-page of the \u0022openssl x509\u0022 command line tool for details. The old behaviour\n-has however been left as default for the sake of compatibility.\n-\n-* What is a \u0022128 bit certificate\u0022? Can I create one with OpenSSL?\n-\n-The term \u0022128 bit certificate\u0022 is a highly misleading marketing term. It does\n-*not* refer to the size of the public key in the certificate! A certificate\n-containing a 128 bit RSA key would have negligible security.\n-\n-There were various other names such as \u0022magic certificates\u0022, \u0022SGC\n-certificates\u0022, \u0022step up certificates\u0022 etc.\n-\n-You can't generally create such a certificate using OpenSSL but there is no\n-need to any more. 
Nowadays web browsers using unrestricted strong encryption\n-are generally available.\n-\n-When there were tight restrictions on the export of strong encryption\n-software from the US only weak encryption algorithms could be freely exported\n-(initially 40 bit and then 56 bit). It was widely recognised that this was\n-inadequate. A relaxation of the rules allowed the use of strong encryption but\n-only to an authorised server.\n-\n-Two slightly different techniques were developed to support this, one used by\n-Netscape was called \u0022step up\u0022, the other used by MSIE was called \u0022Server Gated\n-Cryptography\u0022 (SGC). When a browser initially connected to a server it would\n-check to see if the certificate contained certain extensions and was issued by\n-an authorised authority. If these test succeeded it would reconnect using\n-strong encryption.\n-\n-Only certain (initially one) certificate authorities could issue the\n-certificates and they generally cost more than ordinary certificates.\n-\n-Although OpenSSL can create certificates containing the appropriate extensions\n-the certificate would not come from a permitted authority and so would not\n-be recognized.\n-\n-The export laws were later changed to allow almost unrestricted use of strong\n-encryption so these certificates are now obsolete.\n-\n-\n-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?\n-\n-It doesn't: this extension is often the cause of confusion.\n-\n-Consider a certificate chain A-\u003eB-\u003eC so that A signs B and B signs C. Suppose\n-certificate C contains AKID.\n-\n-The purpose of this extension is to identify the authority certificate B. 
This\n-can be done either by including the subject key identifier of B or its issuer\n-name and serial number.\n-\n-In this latter case because it is identifying certifcate B it must contain the\n-issuer name and serial number of B.\n-\n-It is often wrongly assumed that it should contain the subject name of B. If it\n-did this would be redundant information because it would duplicate the issuer\n-name of C.\n-\n-\n-* How can I set up a bundle of commercial root CA certificates?\n-\n-The OpenSSL software is shipped without any root CA certificate as the\n-OpenSSL project does not have any policy on including or excluding\n-any specific CA and does not intend to set up such a policy. Deciding\n-about which CAs to support is up to application developers or\n-administrators.\n-\n-Other projects do have other policies so you can for example extract the CA\n-bundle used by Mozilla and/or modssl as described in this article:\n-\n- \u003cURL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html\u003e\n-\n-\n-* Some secure servers 'hang' with OpenSSL 1.0.1, is this a bug?\n-\n-OpenSSL 1.0.1 is the first release to support TLS 1.2, among other things,\n-this increases the size of the default ClientHello message to more than\n-255 bytes in length. Some software cannot handle this and hangs. 
For more\n-details and workarounds see:\n-\n- \u003cURL: http://rt.openssl.org/Ticket/Display.html?user\u003dguest\u0026pass\u003dguest\u0026id\u003d2771\u003e\n-\n-\n-[BUILD] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-* Why does the linker complain about undefined symbols?\n-\n-Maybe the compilation was interrupted, and make doesn't notice that\n-something is missing. Run \u0022make clean; make\u0022.\n-\n-If you used ./Configure instead of ./config, make sure that you\n-selected the right target. File formats may differ slightly between\n-OS versions (for example sparcv8/sparcv9, or a.out/elf).\n-\n-In case you get errors about the following symbols, use the config\n-option \u0022no-asm\u0022, as described in INSTALL:\n-\n- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,\n- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,\n- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,\n- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,\n- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,\n- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,\n- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order\n-\n-If none of these helps, you may want to try using the current snapshot.\n-If the problem persists, please submit a bug report.\n-\n-\n-* Why does the OpenSSL test fail with \u0022bc: command not found\u0022?\n-\n-You didn't install \u0022bc\u0022, the Unix calculator. 
If you want to run the\n-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.\n-\n-\n-* Why does the OpenSSL test fail with \u0022bc: 1 no implemented\u0022?\n-\n-On some SCO installations or versions, bc has a bug that gets triggered\n-when you run the test suite (using \u0022make test\u0022). The message returned is\n-\u0022bc: 1 not implemented\u0022.\n-\n-The best way to deal with this is to find another implementation of bc\n-and compile/install it. GNU bc (see \u003cURL: http://www.gnu.org/software/software.html\u003e\n-for download instructions) can be safely used, for example.\n-\n-\n-* Why does the OpenSSL test fail with \u0022bc: stack empty\u0022?\n-\n-On some DG/ux versions, bc seems to have a too small stack for calculations\n-that the OpenSSL bntest throws at it. This gets triggered when you run the\n-test suite (using \u0022make test\u0022). The message returned is \u0022bc: stack empty\u0022.\n-\n-The best way to deal with this is to find another implementation of bc\n-and compile/install it. GNU bc (see \u003cURL: http://www.gnu.org/software/software.html\u003e\n-for download instructions) can be safely used, for example.\n-\n-\n-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?\n-\n-On some Alpha installations running Tru64 Unix and Compaq C, the compilation\n-of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual\n-memory to continue compilation.' As far as the tests have shown, this may be\n-a compiler bug. What happens is that it eats up a lot of resident memory\n-to build something, probably a table. The problem is clearly in the\n-optimization code, because if one eliminates optimization completely (-O0),\n-the compilation goes through (and the compiler consumes about 2MB of resident\n-memory instead of 240MB or whatever one's limit is currently).\n-\n-There are three options to solve this problem:\n-\n-1. set your current data segment size soft limit higher. 
Experience shows\n-that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do\n-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of\n-kbytes to set the limit to.\n-\n-2. If you have a hard limit that is lower than what you need and you can't\n-get it changed, you can compile all of OpenSSL with -O0 as optimization\n-level. This is however not a very nice thing to do for those who expect to\n-get the best result from OpenSSL. A bit more complicated solution is the\n-following:\n-\n------ snip:start -----\n- make DIRS\u003dcrypto SDIRS\u003dsha \u0022`grep '^CFLAG\u003d' Makefile.ssl | \u005c\n- sed -e 's/ -O[0-9] / -O0 /'`\u0022\n- rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\u005c.o'`\n- make\n------ snip:end -----\n-\n-This will only compile sha_dgst.c with -O0, the rest with the optimization\n-level chosen by the configuration process. When the above is done, do the\n-test and installation and you're set.\n-\n-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It \n-should not be used and is not used in SSL/TLS nor any other recognized\n-protocol in either case.\n-\n-\n-* Why does the OpenSSL compilation fail with \u0022ar: command not found\u0022?\n-\n-Getting this message is quite usual on Solaris 2, because Sun has hidden\n-away 'ar' and other development commands in directories that aren't in\n-$PATH by default. One of those directories is '/usr/ccs/bin'. The\n-quickest way to fix this is to do the following (it assumes you use sh\n-or any sh-compatible shell):\n-\n------ snip:start -----\n- PATH\u003d${PATH}:/usr/ccs/bin; export PATH\n------ snip:end -----\n-\n-and then redo the compilation. 
What you should really do is make sure\n-'/usr/ccs/bin' is permanently in your $PATH, for example through your\n-'.profile' (again, assuming you use a sh-compatible shell).\n-\n-\n-* Why does the OpenSSL compilation fail on Win32 with VC++?\n-\n-Sometimes, you may get reports from VC++ command line (cl) that it\n-can't find standard include files like stdio.h and other weirdnesses.\n-One possible cause is that the environment isn't correctly set up.\n-To solve that problem for VC++ versions up to 6, one should run\n-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++\n-installation directory (somewhere under 'Program Files'). For VC++\n-version 7 (and up?), which is also called VS.NET, the file is called\n-VSVARS32.BAT instead.\n-This needs to be done prior to running NMAKE, and the changes are only\n-valid for the current DOS session.\n-\n-\n-* What is special about OpenSSL on Redhat?\n-\n-Red Hat Linux (release 7.0 and later) include a preinstalled limited\n-version of OpenSSL. Red Hat has chosen to disable support for IDEA, RC5 and\n-MDC2 in this version. The same may apply to other Linux distributions.\n-Users may therefore wish to install more or all of the features left out.\n-\n-To do this you MUST ensure that you do not overwrite the openssl that is in\n-/usr/bin on your Red Hat machine. Several packages depend on this file,\n-including sendmail and ssh. /usr/local/bin is a good alternative choice. The\n-libraries that come with Red Hat 7.0 onwards have different names and so are\n-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and\n-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and\n-/lib/libcrypto.so.2 respectively).\n-\n-Please note that we have been advised by Red Hat attempting to recompile the\n-openssl rpm with all the cryptography enabled will not work. All other\n-packages depend on the original Red Hat supplied openssl package. 
It is also\n-worth noting that due to the way Red Hat supplies its packages, updates to\n-openssl on each distribution never change the package version, only the\n-build number. For example, on Red Hat 7.1, the latest openssl package has\n-version number 0.9.6 and build number 9 even though it contains all the\n-relevant updates in packages up to and including 0.9.6b.\n-\n-A possible way around this is to persuade Red Hat to produce a non-US\n-version of Red Hat Linux.\n-\n-\n-* Why does the OpenSSL compilation fail on MacOS X?\n-\n-If the failure happens when trying to build the \u0022openssl\u0022 binary, with\n-a large number of undefined symbols, it's very probable that you have\n-OpenSSL 0.9.6b delivered with the operating system (you can find out by\n-running '/usr/bin/openssl version') and that you were trying to build\n-OpenSSL 0.9.7 or newer. The problem is that the loader ('ld') in\n-MacOS X has a misfeature that's quite difficult to go around.\n-Look in the file PROBLEMS for a more detailed explanation and for possible\n-solutions.\n-\n-\n-* Why does the OpenSSL test suite fail on MacOS X?\n-\n-If the failure happens when running 'make test' and the RC4 test fails,\n-it's very probable that you have OpenSSL 0.9.6b delivered with the\n-operating system (you can find out by running '/usr/bin/openssl version')\n-and that you were trying to build OpenSSL 0.9.6d. 
The problem is that\n-the loader ('ld') in MacOS X has a misfeature that's quite difficult to\n-go around and has linked the programs \u0022openssl\u0022 and the test programs\n-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the\n-libraries you just built.\n-Look in the file PROBLEMS for a more detailed explanation and for possible\n-solutions.\n-\n-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?\n-\n-Failure in BN_sqr test is most likely caused by a failure to configure the\n-toolkit for current platform or lack of support for the platform in question.\n-Run './config -t' and './apps/openssl version -p'. Do these platform\n-identifiers match? If they don't, then you most likely failed to run\n-./config and you're hereby advised to do so before filing a bug report.\n-If ./config itself fails to run, then it's most likely problem with your\n-local environment and you should turn to your system administrator (or\n-similar). If identifiers match (and/or no alternative identifier is\n-suggested by ./config script), then the platform is unsupported. There might\n-or might not be a workaround. Most notably on SPARC64 platforms with GNU\n-C compiler you should be able to produce a working build by running\n-'./config -m32'. I understand that -m32 might not be what you want/need,\n-but the build should be operational. For further details turn to\n-\u003copenssl-dev@openssl.org\u003e.\n-\n-* Why does OpenBSD-i386 build fail on des-586.s with \u0022Unimplemented segment type\u0022?\n-\n-As of 0.9.7 assembler routines were overhauled for position independence\n-of the machine code, which is essential for shared library support. For\n-some reason OpenBSD is equipped with an out-of-date GNU assembler which\n-finds the new code offensive. 
To work around the problem, configure with\n-no-asm (and sacrifice a great deal of performance) or patch your assembler\n-according to \u003cURL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch\u003e.\n-For your convenience a pre-compiled replacement binary is provided at\n-\u003cURL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin\u003e.\n-Reportedly elder *BSD a.out platforms also suffer from this problem and\n-remedy should be same. Provided binary is statically linked and should be\n-working across wider range of *BSD branches, not just OpenBSD.\n-\n-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?\n-\n-If the test program in question fails withs SIGILL, Illegal Instruction\n-exception, then you more than likely to run SSE2-capable CPU, such as\n-Intel P4, under control of kernel which does not support SSE2\n-instruction extensions. See accompanying INSTALL file and\n-OPENSSL_ia32cap(3) documentation page for further information.\n-\n-* Why does compiler fail to compile sha512.c?\n-\n-OpenSSL SHA-512 implementation depends on compiler support for 64-bit\n-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a\n-couple] lack support for this and therefore are incapable of compiling\n-the module in question. The recommendation is to disable SHA-512 by\n-adding no-sha512 to ./config [or ./Configure] command line. Another\n-possible alternative might be to switch to GCC.\n-\n-* Test suite still fails, what to do?\n-\n-Another common reason for test failures is bugs in the toolchain\n-or run-time environment. Known cases of this are documented in the\n-PROBLEMS file, please review it before you beat the drum. Even if you\n-don't find anything in that file, please do consider the possibility\n-of a compiler bug. Compiler bugs often appear in rather bizarre ways,\n-they never make sense, and tend to emerge when you least expect\n-them. 
One thing to try is to reduce the level of optimization (such\n-as by editing the CFLAG variable line in the top-level Makefile),\n-and then recompile and re-run the test.\n-\n-* I think I've found a bug, what should I do?\n-\n-If you are a new user then it is quite likely you haven't found a bug and\n-something is happening you aren't familiar with. Check this FAQ, the associated\n-documentation and the mailing lists for similar queries. If you are still\n-unsure whether it is a bug or not submit a query to the openssl-users mailing\n-list.\n-\n-If you think you have found a bug based on the output of static analysis tools\n-then please manually check the issue is genuine. Such tools can produce a\n-LOT of false positives.\n-\n-\n-* I'm SURE I've found a bug, how do I report it?\n-\n-To avoid duplicated reports check the mailing lists and release notes for the\n-relevant version of OpenSSL to see if the problem has been reported already.\n-\n-Bug reports with no security implications should be sent to the request\n-tracker. This can be done by mailing the report to \u003crt@openssl.org\u003e (or its\n-alias \u003copenssl-bugs@openssl.org\u003e), please note that messages sent to the\n-request tracker also appear in the public openssl-dev mailing list.\n-\n-The report should be in plain text. Any patches should be sent as\n-plain text attachments because some mailers corrupt patches sent inline.\n-If your issue affects multiple versions of OpenSSL check any patches apply\n-cleanly and, if possible include patches to each affected version.\n-\n-The report should be given a meaningful subject line briefly summarising the\n-issue. Just \u0022bug in OpenSSL\u0022 or \u0022bug in OpenSSL 0.9.8n\u0022 is not very helpful.\n-\n-By sending reports to the request tracker the bug can then be given a priority\n-and assigned to the appropriate maintainer. The history of discussions can be\n-accessed and if the issue has been addressed or a reason why not. 
If patches\n-are only sent to openssl-dev they can be mislaid if a team member has to\n-wade through months of old messages to review the discussion.\n-\n-See also \u003cURL: http://www.openssl.org/support/rt.html\u003e\n-\n-\n-* I've found a security issue, how do I report it?\n-\n-If you think your bug has security implications then please send it to\n-openssl-security@openssl.org if you don't get a prompt reply at least \n-acknowledging receipt then resend or mail it directly to one of the\n-more active team members (e.g. Steve). If you wish to use PGP to send\n-in a report please use one or more of the keys of the team members listed\n-at \u003cURL: http://www.openssl.org/about/\u003e\n-\n-Note that bugs only present in the openssl utility are not in general\n-considered to be security issues. \n-\n-[PROG] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n-\n-* Is OpenSSL thread-safe?\n-\n-Provided an application sets up the thread callback functions, the\n-answer is yes. There are limitations; for example, an SSL connection\n-cannot be used concurrently by multiple threads. This is true for\n-most OpenSSL objects.\n-\n-To do this, your application must call CRYPTO_set_locking_callback()\n-and one of the CRYPTO_THREADID_set...() API's. 
See the OpenSSL threads\n-manpage for details and \u0022note on multi-threading\u0022 in the INSTALL file in\n-the source distribution.\n-\n-* I've compiled a program under Windows and it crashes: why?\n-\n-This is usually because you've missed the comment in INSTALL.W32.\n-Your application must link against the same version of the Win32\n-C-Runtime against which your openssl libraries were linked. The\n-default version for OpenSSL is /MD - \u0022Multithreaded DLL\u0022.\n-\n-If you are using Microsoft Visual C++'s IDE (Visual Studio), in\n-many cases, your new project most likely defaulted to \u0022Debug\n-Singlethreaded\u0022 - /ML. This is NOT interchangeable with /MD and your\n-program will crash, typically on the first BIO related read or write\n-operation.\n-\n-For each of the six possible link stage configurations within Win32,\n-your application must link against the same by which OpenSSL was\n-built. If you are using MS Visual C++ (Studio) this can be changed\n-by:\n-\n- 1. Select Settings... from the Project Menu.\n- 2. Select the C/C++ Tab.\n- 3. Select \u0022Code Generation from the \u0022Category\u0022 drop down list box\n- 4. Select the Appropriate library (see table below) from the \u0022Use\n- run-time library\u0022 drop down list box. Perform this step for both\n- your debug and release versions of your application (look at the\n- top left of the settings panel to change between the two)\n-\n- Single Threaded /ML - MS VC++ often defaults to\n- this for the release\n- version of a new project.\n- Debug Single Threaded /MLd - MS VC++ often defaults to\n- this for the debug version\n- of a new project.\n- Multithreaded /MT\n- Debug Multithreaded /MTd\n- Multithreaded DLL /MD - OpenSSL defaults to this.\n- Debug Multithreaded DLL /MDd\n-\n-Note that debug and release libraries are NOT interchangeable. If you\n-built OpenSSL with /MD your application must use /MD and cannot use /MDd.\n-\n-As per 0.9.8 the above limitation is eliminated for .DLLs. 
OpenSSL\n-.DLLs compiled with some specific run-time option [we insist on the\n-default /MD] can be deployed with application compiled with different\n-option or even different compiler. But there is a catch! Instead of\n-re-compiling OpenSSL toolkit, as you would have to with prior versions,\n-you have to compile small C snippet with compiler and/or options of\n-your choice. The snippet gets installed as\n-\u003cinstall-root\u003e/include/openssl/applink.c and should be either added to\n-your application project or simply #include-d in one [and only one]\n-of your application source files. Failure to link this shim module\n-into your application manifests itself as fatal \u0022no OPENSSL_Applink\u0022\n-run-time error. An explicit reminder is due that in this situation\n-[mixing compiler options] it is as important to add CRYPTO_malloc_init\n-prior first call to OpenSSL.\n-\n-* How do I read or write a DER encoded buffer using the ASN1 functions?\n-\n-You have two options. You can either use a memory BIO in conjunction\n-with the i2d_*_bio() or d2i_*_bio() functions or you can use the\n-i2d_*(), d2i_*() functions directly. Since these are often the\n-cause of grief here are some code fragments using PKCS7 as an example:\n-\n------ snip:start -----\n- unsigned char *buf, *p;\n- int len \u003d i2d_PKCS7(p7, NULL);\n-\n- buf \u003d OPENSSL_malloc(len); /* error checking omitted */\n- p \u003d buf;\n- i2d_PKCS7(p7, \u0026p);\n------ snip:end -----\n-\n-At this point buf contains the len bytes of the DER encoding of\n-p7.\n-\n-The opposite assumes we already have len bytes in buf:\n-\n------ snip:start -----\n- unsigned char *p \u003d buf;\n-\n- p7 \u003d d2i_PKCS7(NULL, \u0026p, len);\n------ snip:end -----\n-\n-At this point p7 contains a valid PKCS7 structure or NULL if an error\n-occurred. 
If an error occurred ERR_print_errors(bio) should give more\n-information.\n-\n-The reason for the temporary variable 'p' is that the ASN1 functions\n-increment the passed pointer so it is ready to read or write the next\n-structure. This is often a cause of problems: without the temporary\n-variable the buffer pointer is changed to point just after the data\n-that has been read or written. This may well be uninitialized data\n-and attempts to free the buffer will have unpredictable results\n-because it no longer points to the same address.\n-\n-Memory allocation and encoding can also be combined in a single\n-operation by the ASN1 routines:\n-\n------ snip:start -----\n- unsigned char *buf \u003d NULL;\n- int len \u003d i2d_PKCS7(p7, \u0026buf);\n-\n- if (len \u003c 0) {\n- /* Error */\n- }\n- /* Do some things with 'buf' */\n- /* Finished with buf: free it */\n- OPENSSL_free(buf);\n------ snip:end -----\n-\n-In this special case the \u0022buf\u0022 parameter is *not* incremented, it points\n-to the start of the encoding.\n-\n-\n-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?\n-\n-The short answer is yes, because DER is a special case of BER and OpenSSL\n-ASN1 decoders can process BER.\n-\n-The longer answer is that ASN1 structures can be encoded in a number of\n-different ways. One set of ways is the Basic Encoding Rules (BER) with various\n-permissible encodings. A restriction of BER is the Distinguished Encoding\n-Rules (DER): these uniquely specify how a given structure is encoded.\n-\n-Therefore, because DER is a special case of BER, DER is an acceptable encoding\n-for BER.\n-\n-\n-* I've tried using \u003cM_some_evil_pkcs12_macro\u003e and I get errors why?\n-\n-This usually happens when you try compiling something using the PKCS#12\n-macros with a C++ compiler. 
There is hardly ever any need to use the\n-PKCS#12 macros in a program, it is much easier to parse and create\n-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions\n-documented in doc/openssl.txt and with examples in demos/pkcs12. The\n-'pkcs12' application has to use the macros because it prints out \n-debugging information.\n-\n-\n-* I've called \u003csome function\u003e and it fails, why?\n-\n-Before submitting a report or asking in one of the mailing lists, you\n-should try to determine the cause. In particular, you should call\n-ERR_print_errors() or ERR_print_errors_fp() after the failed call\n-and see if the message helps. Note that the problem may occur earlier\n-than you think -- you should check for errors after every call where\n-it is possible, otherwise the actual problem may be hidden because\n-some OpenSSL functions clear the error state.\n-\n-\n-* I just get a load of numbers for the error output, what do they mean?\n-\n-The actual format is described in the ERR_print_errors() manual page.\n-You should call the function ERR_load_crypto_strings() before hand and\n-the message will be output in text form. If you can't do this (for example\n-it is a pre-compiled binary) you can use the errstr utility on the error\n-code itself (the hex digits after the second colon).\n-\n-\n-* Why do I get errors about unknown algorithms?\n-\n-The cause is forgetting to load OpenSSL's table of algorithms with\n-OpenSSL_add_all_algorithms(). See the manual page for more information. 
This\n-can cause several problems such as being unable to read in an encrypted\n-PEM file, unable to decrypt a PKCS#12 file or signature failure when\n-verifying certificates.\n-\n-* Why can't the OpenSSH configure script detect OpenSSL?\n-\n-Several reasons for problems with the automatic detection exist.\n-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.\n-Sometimes the distribution has installed an older version in the system\n-locations that is detected instead of a new one installed. The OpenSSL\n-library might have been compiled for another CPU or another mode (32/64 bits).\n-Permissions might be wrong.\n-\n-The general answer is to check the config.log file generated when running\n-the OpenSSH configure script. It should contain the detailed information\n-on why the OpenSSL library was not detected or considered incompatible.\n-\n-\n-* Can I use OpenSSL's SSL library with non-blocking I/O?\n-\n-Yes; make sure to read the SSL_get_error(3) manual page!\n-\n-A pitfall to avoid: Don't assume that SSL_read() will just read from\n-the underlying transport or that SSL_write() will just write to it --\n-it is also possible that SSL_write() cannot do any useful work until\n-there is data to read, or that SSL_read() cannot do anything until it\n-is possible to send data. One reason for this is that the peer may\n-request a new TLS/SSL handshake at any time during the protocol,\n-requiring a bi-directional message exchange; both SSL_read() and\n-SSL_write() will try to continue any pending handshake.\n-\n-\n-* Why doesn't my server application receive a client certificate?\n-\n-Due to the TLS protocol definition, a client will only send a certificate,\n-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the\n-SSL_CTX_set_verify() function to enable the use of client certificates.\n-\n-\n-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?\n-\n-For OpenSSL 0.9.7 the OID table was extended and corrected. 
In earlier\n-versions, uniqueIdentifier was incorrectly used for X.509 certificates.\n-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.\n-Change your code to use the new name when compiling against OpenSSL 0.9.7.\n-\n-\n-* I think I've detected a memory leak, is this a bug?\n-\n-In most cases the cause of an apparent memory leak is an OpenSSL internal table\n-that is allocated when an application starts up. Since such tables do not grow\n-in size over time they are harmless.\n-\n-These internal tables can be freed up when an application closes using various\n-functions. Currently these include following:\n-\n-Thread-local cleanup functions:\n-\n- ERR_remove_state()\n-\n-Application-global cleanup functions that are aware of usage (and therefore\n-thread-safe):\n-\n- ENGINE_cleanup() and CONF_modules_unload()\n-\n-\u0022Brutal\u0022 (thread-unsafe) Application-global cleanup functions:\n-\n- ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().\n-\n-\n-* Why does Valgrind complain about the use of uninitialized data?\n-\n-When OpenSSL's PRNG routines are called to generate random numbers the supplied\n-buffer contents are mixed into the entropy pool: so it technically does not\n-matter whether the buffer is initialized at this point or not. Valgrind (and\n-other test tools) will complain about this. 
When using Valgrind, make sure the\n-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)\n-to get rid of these warnings.\n-\n-\n-* Why doesn't a memory BIO work when a file does?\n-\n-This can occur in several cases for example reading an S/MIME email message.\n-The reason is that a memory BIO can do one of two things when all the data\n-has been read from it.\n-\n-The default behaviour is to indicate that no more data is available and that\n-the call should be retried, this is to allow the application to fill up the BIO\n-again if necessary.\n-\n-Alternatively it can indicate that no more data is available and that EOF has\n-been reached.\n-\n-If a memory BIO is to behave in the same way as a file this second behaviour\n-is needed. This must be done by calling:\n-\n- BIO_set_mem_eof_return(bio, 0);\n-\n-See the manual pages for more details.\n-\n-\n-* Where are the declarations and implementations of d2i_X509() etc?\n-\n-These are defined and implemented by macros of the form:\n-\n-\n- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)\n-\n-The implementation passes an ASN1 \u0022template\u0022 defining the structure into an\n-ASN1 interpreter using generalised functions such as ASN1_item_d2i().\n-\n-* When debugging I observe SIGILL during OpenSSL initialization: why?\n-\n-OpenSSL adapts to processor it executes on and for this reason has to\n-query its capabilities. Unfortunately on some processors the only way\n-to achieve this for non-privileged code is to attempt instructions\n-that can cause Illegal Instruction exceptions. The initialization\n-procedure is coded to handle these exceptions to manipulate corresponding\n-bits in capabilities vector. This normally appears transparent, except\n-when you execute it under debugger, which stops prior delivering signal\n-to handler. Simply resuming execution does the trick, but when debugging\n-a lot it might feel counterproductive. Two options. 
Either set explicit\n-capability environment variable in order to bypass the capability query\n-(see corresponding crypto/*cap.c for details). Or configure debugger not\n-to stop upon SIGILL exception, e.g. in gdb case add 'handle SIGILL nostop'\n-to your .gdbinit.\n-\n-\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n+The FAQ is now maintained on the web:\n+ https://www.openssl.org/docs/faq.html\n","s":{"c":1755717213,"u": 3937}}
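Review bot: the two-line stub that replaces the file keeps only the pointer to https://www.openssl.org/docs/faq.html, but the removed "[PROG]" and bug-reporting sections were the only in-tree statement of the security reporting process (send reports to openssl-security@openssl.org, PGP keys at http://www.openssl.org/about/, and the note that "bugs only present in the openssl utility are not in general considered to be security issues"); suggest keeping a one-line pointer to the security address in the stub or in README so a source tarball read without web access still tells a reporter where a vulnerability goes. Also worth checking before merging: several removed answers defer to files that stay in the tree ("Look in the file PROBLEMS", "See accompanying INSTALL file and OPENSSL_ia32cap(3)", "documented in doc/openssl.txt and with examples in demos/pkcs12"), so confirm the web copy preserves those cross-references, and that the removed text's plain http:// links (http://www.openssl.org/support/rt.html, the ~appro patch URLs) are carried over as https:// like the new stub's URL.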
],"g": 6423,"chitpc": 0,"ehitpc": 0,"indexed":0
,
"ab": 0, "si": 0, "db":0, "di":0, "sat":0, "lfc": "0000"}