Date:      Tue, 25 Jan 2000 00:49:04 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        current@freebsd.org
Cc:        security@freebsd.org
Subject:   OpenSSL docs for FAQ
Message-ID:  <Pine.BSF.4.21.0001250046160.20991-100000@hub.freebsd.org>

Can people please review this for style and content, for inclusion in
the FAQ? I'll also need someone to mark it up once it's ready since SGML
is currently not among my abilities :-)

Thanks,
Kris

----
As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
system. OpenSSL [http://www.openssl.org] provides a general-purpose
cryptography library, as well as the Secure Sockets Layer v2/v3
(SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security
protocols.

However, some of the algorithms (specifically, RSA and IDEA) included
in OpenSSL are protected by patents in the USA and elsewhere and are
not available for unrestricted use. In addition, export of
cryptographic code from the USA has (until recently) been heavily
restricted. As a result, FreeBSD has available three different
versions of OpenSSL depending on geographical location (US/non-US) and
compliance with the RSAREF license (see below).

RSA is a useful algorithm which is required for a lot of third-party
software which uses OpenSSL (as well as for the SSLv2 protocol), so
you should enable it if at all possible. See below for more
information.

SOURCE-CODE INSTALLATIONS

INTERNATIONAL (NON-US) USERS:

People who are located outside the USA, and who obtain their crypto
sources from internat.freebsd.org (the International Crypto
Repository), will build a version of OpenSSL which includes RSA, but
does not include IDEA, because the latter is restricted in certain
locations elsewhere in the world. In the future a more flexible
identification system may allow building of IDEA in countries for
which it is not restricted.

US USERS:

As noted above, RSA is patented in the US, with terms preventing
general use without an appropriate license. Therefore the OpenSSL RSA
code may not be used in the US, and has been removed from the version
of OpenSSL carried on US mirror sites. The RSA patent is due to expire
on September 20, 2000, at which time it is intended to add the "full"
RSA code back to the US version of OpenSSL.

However (and fortunately), the RSA patent holder (RSA Security,
[http://www.rsasecurity.com]) has provided an "RSA reference
implementation" toolkit ("RSAREF") which is available for *certain
classes of use*, including "non-commercial use" (see the RSAREF
license [XXX - We should put this on the website too since I can't
find an external URL for it] for the definition of
"non-commercial").

If you meet the conditions of the RSAREF license and wish to build
your OpenSSL sources with RSAREF support, you must first install the
rsaref port in /usr/ports/security/rsaref before (re)building OpenSSL
(e.g. by 'make world'). Please obtain legal advice if you are unsure
of your compliance with the license terms.

IDEA code is also removed from the US version of OpenSSL for patent
reasons.

BINARY INSTALLATIONS

If your FreeBSD installation was a binary installation (e.g. installed
from CDROM, or from a snapshot downloaded from ftp.freebsd.org) and
you selected to install the 'crypto' module, then you will have the
non-RSA capable US version of the OpenSSL code (see above). If you
wish to install another version (US RSAREF, or International) you will
need to obtain and install one of the following packages:

* OpenSSL package with RSAREF support for US users (NOTE: Be sure to
  read the license before installing! This is NOT licensed for
  general-purpose use!)

	ftp://ftp.freebsd.org/XXX

* OpenSSL package for International (non-US) users. This is not legal
  for use in the US, but international users should use this one
  because the RSA implementation is faster and more flexible.

	ftp://internat.freebsd.org/XXX

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson