faq

mediastreamer2是开源的网络传输媒体流的库

OpenSSL  -  Frequently Asked Questions
--------------------------------------

[MISC] Miscellaneous questions

* Which is the current version of OpenSSL?
* Where is the documentation?
* How can I contact the OpenSSL developers?
* Where can I get a compiled version of OpenSSL?
* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
* How do I check the authenticity of the OpenSSL distribution?

[LEGAL] Legal questions

* Do I need patent licenses to use OpenSSL?
* Can I use OpenSSL with GPL software? 

[USER] Questions on using the OpenSSL applications

* Why do I get a "PRNG not seeded" error message?
* Why do I get an "unable to write 'random state'" error message?
* How do I create certificates or certificate requests?
* Why can't I create certificate requests?
* Why does <SSL program> fail with a certificate verify error?
* Why can I only use weak ciphers when I connect to a server using OpenSSL?
* How can I create DSA certificates?
* Why can't I make an SSL connection using a DSA certificate?
* How can I remove the passphrase on a private key?
* Why can't I use OpenSSL certificates with SSL client authentication?
* Why does my browser give a warning about a mismatched hostname?
* How do I install a CA certificate into a browser?
* Why is OpenSSL x509 DN output not conformant to RFC2253?

[BUILD] Questions about building and testing OpenSSL

* Why does the linker complain about undefined symbols?
* Why does the OpenSSL test fail with "bc: command not found"?
* Why does the OpenSSL test fail with "bc: 1 no implemented"?
* Why does the OpenSSL test fail with "bc: stack empty"?
* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
* Why does the OpenSSL compilation fail with "ar: command not found"?
* Why does the OpenSSL compilation fail on Win32 with VC++?
* What is special about OpenSSL on Redhat?
* Why does the OpenSSL compilation fail on MacOS X?
* Why does the OpenSSL test suite fail on MacOS X?
* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
* Why does compiler fail to compile sha512.c?

[PROG] Questions about programming with OpenSSL

* Is OpenSSL thread-safe?
* I've compiled a program under Windows and it crashes: why?
* How do I read or write a DER encoded buffer using the ASN1 functions?
* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
* I've called <some function> and it fails, why?
* I just get a load of numbers for the error output, what do they mean?
* Why do I get errors about unknown algorithms?
* Why can't the OpenSSH configure script detect OpenSSL?
* Can I use OpenSSL's SSL library with non-blocking I/O?
* Why doesn't my server application receive a client certificate?
* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
* I think I've detected a memory leak, is this a bug?

===============================================================================

[MISC] ========================================================================

* Which is the current version of OpenSSL?

The current version is available from <URL: http://www.openssl.org>.
OpenSSL 0.9.8a was released on October 11th, 2005.

In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access.


* Where is the documentation?

OpenSSL is a library that provides cryptographic functionality to
applications such as secure web servers.  Be sure to read the
documentation of the application you want to use.  The INSTALL file
explains how to install this library.

OpenSSL includes a command line utility that can be used to perform a
variety of cryptographic functions.  It is described in the openssl(1)
manpage.  Documentation for developers is currently being written.  A
few manual pages already are available; overviews over libcrypto and
libssl are given in the crypto(3) and ssl(3) manpages.

The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
different directory if you specified one as described in INSTALL).
In addition, you can read the most current versions at
<URL: http://www.openssl.org/docs/>.

For information on parts of libcrypto that are not yet documented, you
might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
predecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>.  Much
of this still applies to OpenSSL.

There is some documentation about certificate extensions and PKCS#12
in doc/openssl.txt

The original SSLeay documentation is included in OpenSSL as
doc/ssleay.txt.  It may be useful when none of the other resources
help, but please note that it reflects the obsolete version SSLeay
0.6.6.


* How can I contact the OpenSSL developers?

The README file describes how to submit bug reports and patches to
OpenSSL.  Information on the OpenSSL mailing lists is available from
<URL: http://www.openssl.org>.


* Where can I get a compiled version of OpenSSL?

You can finder pointers to binary distributions in
http://www.openssl.org/related/binaries.html .

Some applications that use OpenSSL are distributed in binary form.
When using such an application, you don't need to install OpenSSL
yourself; the application will include the required parts (e.g. DLLs).

If you want to build OpenSSL on a Windows system and you don't have
a C compiler, read the "Mingw32" section of INSTALL.W32 for information
on how to obtain and install the free GNU C compiler.

A number of Linux and *BSD distributions include OpenSSL.


* Why aren't tools like 'autoconf' and 'libtool' used?

autoconf will probably be used in future OpenSSL versions. If it was
less Unix-centric, it might have been used much earlier.

* What is an 'engine' version?

With version 0.9.6 OpenSSL was extended to interface to external crypto
hardware. This was realized in a special release '0.9.6-engine'. With
version 0.9.7 the changes were merged into the main development line,
so that the special release is no longer necessary.

* How do I check the authenticity of the OpenSSL distribution?

We provide MD5 digests and ASC signatures of each tarball.
Use MD5 to check that a tarball from a mirror site is identical:

   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5

You can check authenticity using pgp or gpg. You need the OpenSSL team
member public key used to sign it (download it from a key server, see a
list of keys at <URL: http://www.openssl.org/about/>). Then
just do:

   pgp TARBALL.asc

[LEGAL] =======================================================================

* Do I need patent licenses to use OpenSSL?

The patents section of the README file lists patents that may apply to
you if you want to use OpenSSL.  For information on intellectual
property rights, please consult a lawyer.  The OpenSSL team does not
offer legal advice.

You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
 ./config no-idea no-mdc2 no-rc5


* Can I use OpenSSL with GPL software?

On many systems including the major Linux and BSD distributions, yes (the
GPL does not place restrictions on using libraries that are part of the
normal operating system distribution).

On other systems, the situation is less clear. Some GPL software copyright
holders claim that you infringe on their rights if you use OpenSSL with
their software on operating systems that don't normally include OpenSSL.

If you develop open source software that uses OpenSSL, you may find it
useful to choose an other license than the GPL, or state explicitly that
"This program is released under the GPL with the additional exemption that
compiling, linking, and/or using OpenSSL is allowed."  If you are using
GPL software developed by others, you may want to ask the copyright holder
for permission to use their software with OpenSSL.


[USER] ========================================================================

* Why do I get a "PRNG not seeded" error message?

Cryptographic software needs a source of unpredictable data to work
correctly.  Many open source operating systems provide a "randomness
device" (/dev/urandom or /dev/random) that serves this purpose.
All OpenSSL versions try to use /dev/urandom by default; starting with
version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
available.

On other systems, applications have to call the RAND_add() or
RAND_seed() function with appropriate data before generating keys or
performing public key encryption. (These functions initialize the
pseudo-random number generator, PRNG.)  Some broken applications do
not do this.  As of version 0.9.5, the OpenSSL functions that need
randomness report an error if the random number generator has not been
seeded with at least 128 bits of randomness.  If this error occurs and
is not discussed in the documentation of the application you are
using, please contact the author of that application; it is likely
that it never worked correctly.  OpenSSL 0.9.5 and later make the
error visible by refusing to perform potentially insecure encryption.

If you are using Solaris 8, you can add /dev/urandom and /dev/random
devices by installing patch 112438 (Sparc) or 112439 (x86), which are
available via the Patchfinder at <URL: http://sunsolve.sun.com>
(Solaris 9 includes these devices by default). For /dev/random support
for earlier Solaris versions, see Sun's statement at
<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
(the SUNWski package is available in patch 105710).

On systems without /dev/urandom and /dev/random, it is a good idea to
use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
details.  Starting with version 0.9.7, OpenSSL will automatically look
for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
/etc/entropy.

Most components of the openssl command line utility automatically try
to seed the random number generator from a file.  The name of the
default seeding file is determined as follows: If environment variable
RANDFILE is set, then it names the seeding file.  Otherwise if
environment variable HOME is set, then the seeding file is $HOME/.rnd.
If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
use file .rnd in the current directory while OpenSSL 0.9.6a uses no
default seeding file at all.  OpenSSL 0.9.6b and later will behave
similarly to 0.9.6a, but will use a default of "C:\" for HOME on
Windows systems if the environment variable has not been set.

If the default seeding file does not exist or is too short, the "PRNG
not seeded" error message may occur.

The openssl command line utility will write back a new state to the
default seeding file (and create this file if necessary) unless
there was no sufficient seeding.

Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
Use the "-rand" option of the OpenSSL command line tools instead.
The $RANDFILE environment variable and $HOME/.rnd are only used by the
OpenSSL command line tools. Applications using the OpenSSL library
provide their own configuration options to specify the entropy source,
please check out the documentation coming the with application.


* Why do I get an "unable to write 'random state'" error message?


Sometimes the openssl command line utility does not abort with
a "PRNG not seeded" error message, but complains that it is
"unable to write 'random state'".  This message refers to the
default seeding file (see previous answer).  A possible reason
is that no default filename is known because neither RANDFILE
nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
current directory in this case, but this has changed with 0.9.6a.)


* How do I create certificates or certificate requests?

Check out the CA.pl(1) manual page. This provides a simple wrapper round
the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
out the manual pages for the individual utilities and the certificate
extensions documentation (currently in doc/openssl.txt).


* Why can't I create certificate requests?

You typically get the error:

	unable to find 'distinguished_name' in config
	problems making Certificate Request