author | Jim Mock <jim@FreeBSD.org> | 2000-02-11 21:34:08 +0000 |
---|---|---|
committer | Jim Mock <jim@FreeBSD.org> | 2000-02-11 21:34:08 +0000 |
commit | ba7b0f969909c7fab6efe4829b43b418fef4563b (patch) | |
tree | 8ce2450be3f149f12e595ed876065b3f5e87817e /en_US.ISO8859-1 | |
parent | d3b0caed9780a73f8f7d6ab865e2567270c46a4f (diff) | |
download | doc-ba7b0f969909c7fab6efe4829b43b418fef4563b.tar.gz doc-ba7b0f969909c7fab6efe4829b43b418fef4563b.zip |
Add section on OpenSSL.
Submitted by: kris
Notes:
svn path=/head/; revision=6510
Diffstat (limited to 'en_US.ISO8859-1')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/security/chapter.sgml | 123 |
1 files changed, 122 insertions, 1 deletions
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml index bef5d1eefa..dd7eb28868 100644 --- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml @@ -1,7 +1,7 @@ <!-- The FreeBSD Documentation Project - $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.22 2000/01/21 20:42:28 jim Exp $ + $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.23 2000/02/04 12:38:20 nbm Exp $ --> <chapter id="security"> 
@@ -1595,6 +1595,127 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen> above.</para> </sect2> </sect1> + + <sect1 id="openssl"> + <title>OpenSSL</title> + + <para>As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base + system. <ulink url="http://www.openssl.org/">OpenSSL</ulink> + provides a general-purpose cryptography library, as well as the + Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer + Security v1 (TLSv1) network security protocols.</para> + + <para>However, some of the algorithms (specifically, RSA and IDEA) + included in OpenSSL are protected by patents in the USA and + elsewhere, and are not available for unrestricted use (in + particular IDEA is currently not available in any of FreeBSD's + OpenSSL distributions). In addition, export of cryptographic code + from the USA has (until recently) been heavily restricted. As a + result, FreeBSD has available three different versions of OpenSSL + depending on geographical location (USA/non-USA) and compliance with + the RSAREF license (see below).</para> + + <para>RSA is a useful algorithm which is required for a lot of + third-party software which uses OpenSSL (as well as for the SSLv2 + protocol), so you should enable it if at all possible.</para> + + <sect2> + <title>Source Code Installations</title> + + <para>OpenSSL is part of the <literal>src-crypto</literal> and + <literal>src-secure</literal>cvsup collections. 
See the <link + linkend="mirrors">Obtaining FreeBSD</link> section for more + information about obtaining and updating FreeBSD source + code.</para> + </sect2> + + <sect2> + <title>International (Non-USA) Users</title> + + <para>People who are located outside the USA, and who obtain their + crypto sources from <hostid + role="fqdn">internat.FreeBSD.org</hostid> (the International + Crypto Repository), will build a version of OpenSSL which includes + RSA, but does not include IDEA, because the latter is restricted + in certain locations elsewhere in the world. In the future a more + flexible geographical identification system may allow building of + IDEA in countries for which it is not restricted.</para> + + <para>Please be aware of any local restrictions on the import, use + and redistribution of cryptography which may exist in your + country.</para> + </sect2> + + <sect2> + <title>USA Users</title> + + <para>As noted above, RSA is patented in the USA, with terms + preventing general use without an appropriate license. Therefore + the OpenSSL RSA code may not be used in the USA, and has been + removed from the version of OpenSSL carried on USA mirror sites. 
+ The RSA patent is due to expire on September 20, 2000, at which + time it is intended to add the “full” RSA code back to + the USA version of OpenSSL.</para> + + <para>However (and fortunately), the RSA patent holder (<ulink + url="http://www.rsasecurity.com/">RSA Security</ulink>, has + provided a “RSA reference implementation” toolkit + (RSAREF) which is available for <emphasis>certain classes of + use</emphasis>, including <emphasis>non-commercial use</emphasis> + (see the RSAREF license for their definition of + non-commercial).</para> + + <para>If you meet the conditions of the RSAREF license and wish to + build your OpenSSL sources with RSAREF support, you must first + install the rsaref port, which is located in + <filename>/usr/ports/security/rsaref</filename>, before building + OpenSSL (e.g., by <command>make world</command>). Please obtain + legal advice if you are unsure of your compliance with the license + terms.</para> + + <para>Users who have purchased an appropriate RSA source code + license from RSA Security may use the International version of + OpenSSL described above to obtain native RSA support.</para> + + <para>IDEA code is also removed from the USA version of OpenSSL for + patent reasons.</para> + </sect2> + + <sect2> + <title>Binary Installations</title> + + <para>If your FreeBSD installation was a binary installation (e.g., + installed from CDROM, or from a snapshot downloaded from + <hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to + install the <literal>crypto</literal> module, then you will have + the non-RSA capable USA version of the OpenSSL code (see above). 
+ If you wish to install another version (USA RSAREF, or + International) you will need to obtain and install one of the + following packages:</para> + + <itemizedlist> + <listitem> + <para>The OpenSSL package with RSAREF support for USA + users which you can get from <hostid + role="fqdn">ftp.FreeBSD.org</hostid>.</para> + + <note> + <para>Be sure to read the license before installing! This is + NOT licensed for general-purpose use!</para> + </note> + </listitem> + + <listitem> + <para>The OpenSSL package for International (non-USA) users. + This is not legal for general use in the USA, but + international users should use this version because the RSA + implementation is faster and more flexible. It is available + from <hostid + role="fqdn">ftp.internat.FreeBSD.org</hostid>.</para> + </listitem> + </itemizedlist> + </sect2> + </sect1> </chapter> <!-- |
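Review bot: The only change in the first hunk (the chapter.sgml header) is the expanded $FreeBSD$ keyword, and the new expansion names nbm and 2000/02/04 while this commit is recorded as jim on 2000-02-11; keyword expansions are normally maintained by the version control system rather than edited in a commit, so please confirm this line was not hand-edited and that the revision/author pair is the one the repository will expand to.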
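Review bot: In the "USA Users" sect2 of the second hunk, the sentence introducing the patent holder opens a parenthesis that is never closed: "the RSA patent holder (<ulink url="http://www.rsasecurity.com/">RSA Security</ulink>, has provided" should read "...RSA Security</ulink>) has provided" (close the parenthesis and drop the comma). Two smaller points in the same hunk: in "Source Code Installations", "<literal>src-secure</literal>cvsup" needs a space before "cvsup", and the RSAREF paragraph tells USA users to install the rsaref port before building OpenSSL (e.g., via make world) but does not say how the OpenSSL build detects the installed port, so a reader cannot tell whether a plain make world after installing the port actually yields an RSA-capable OpenSSL; one sentence naming the mechanism (or a check the reader can run afterwards) would close that gap.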