author Jim Mock <jim@FreeBSD.org> 2000-02-11 21:34:08 +0000
committer Jim Mock <jim@FreeBSD.org> 2000-02-11 21:34:08 +0000
commit ba7b0f969909c7fab6efe4829b43b418fef4563b (patch)
tree 8ce2450be3f149f12e595ed876065b3f5e87817e /en_US.ISO8859-1
parent d3b0caed9780a73f8f7d6ab865e2567270c46a4f (diff)
Add section on OpenSSL.
Submitted by: kris
Notes: svn path=/head/; revision=6510
Diffstat (limited to 'en_US.ISO8859-1')
-rw-r--r-- en_US.ISO8859-1/books/handbook/security/chapter.sgml | 123
1 files changed, 122 insertions, 1 deletions
diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.sgml b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
index bef5d1eefa..dd7eb28868 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.22 2000/01/21 20:42:28 jim Exp $
+ $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.23 2000/02/04 12:38:20 nbm Exp $
-->
<chapter id="security">
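Review bot: The $FreeBSD$ ident line in the file header should not be carried in this patch: the new value names revision 1.23 by nbm dated 2000/02/04, which matches neither this commit's author (jim) nor its date (2000-02-11). The keyword is expanded by the repository itself, so a hand-carried value in the diff only invites merge conflicts; leave this hunk out of the submission and let the ident be regenerated on commit.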
@@ -1595,6 +1595,127 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
above.</para>
</sect2>
</sect1>
+
+ <sect1 id="openssl">
+ <title>OpenSSL</title>
+
+ <para>As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base
+ system. <ulink url="http://www.openssl.org/">OpenSSL</ulink>
+ provides a general-purpose cryptography library, as well as the
+ Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
+ Security v1 (TLSv1) network security protocols.</para>
+
+ <para>However, some of the algorithms (specifically, RSA and IDEA)
+ included in OpenSSL are protected by patents in the USA and
+ elsewhere, and are not available for unrestricted use (in
+ particular IDEA is currently not available in any of FreeBSD's
+ OpenSSL distributions). In addition, export of cryptographic code
+ from the USA has (until recently) been heavily restricted. As a
+ result, FreeBSD has available three different versions of OpenSSL
+ depending on geographical location (USA/non-USA) and compliance with
+ the RSAREF license (see below).</para>
+
+ <para>RSA is a useful algorithm which is required for a lot of
+ third-party software which uses OpenSSL (as well as for the SSLv2
+ protocol), so you should enable it if at all possible.</para>
+
+ <sect2>
+ <title>Source Code Installations</title>
+
+ <para>OpenSSL is part of the <literal>src-crypto</literal> and
+ <literal>src-secure</literal>cvsup collections. See the <link
+ linkend="mirrors">Obtaining FreeBSD</link> section for more
+ information about obtaining and updating FreeBSD source
+ code.</para>
+ </sect2>
+
+ <sect2>
+ <title>International (Non-USA) Users</title>
+
+ <para>People who are located outside the USA, and who obtain their
+ crypto sources from <hostid
+ role="fqdn">internat.FreeBSD.org</hostid> (the International
+ Crypto Repository), will build a version of OpenSSL which includes
+ RSA, but does not include IDEA, because the latter is restricted
+ in certain locations elsewhere in the world. In the future a more
+ flexible geographical identification system may allow building of
+ IDEA in countries for which it is not restricted.</para>
+
+ <para>Please be aware of any local restrictions on the import, use
+ and redistribution of cryptography which may exist in your
+ country.</para>
+ </sect2>
+
+ <sect2>
+ <title>USA Users</title>
+
+ <para>As noted above, RSA is patented in the USA, with terms
+ preventing general use without an appropriate license. Therefore
+ the OpenSSL RSA code may not be used in the USA, and has been
+ removed from the version of OpenSSL carried on USA mirror sites.
+ The RSA patent is due to expire on September 20, 2000, at which
+ time it is intended to add the &ldquo;full&rdquo; RSA code back to
+ the USA version of OpenSSL.</para>
+
+ <para>However (and fortunately), the RSA patent holder (<ulink
+ url="http://www.rsasecurity.com/">RSA Security</ulink>, has
+ provided a &ldquo;RSA reference implementation&rdquo; toolkit
+ (RSAREF) which is available for <emphasis>certain classes of
+ use</emphasis>, including <emphasis>non-commercial use</emphasis>
+ (see the RSAREF license for their definition of
+ non-commercial).</para>
+
+ <para>If you meet the conditions of the RSAREF license and wish to
+ build your OpenSSL sources with RSAREF support, you must first
+ install the rsaref port, which is located in
+ <filename>/usr/ports/security/rsaref</filename>, before building
+ OpenSSL (e.g., by <command>make world</command>). Please obtain
+ legal advice if you are unsure of your compliance with the license
+ terms.</para>
+
+ <para>Users who have purchased an appropriate RSA source code
+ license from RSA Security may use the International version of
+ OpenSSL described above to obtain native RSA support.</para>
+
+ <para>IDEA code is also removed from the USA version of OpenSSL for
+ patent reasons.</para>
+ </sect2>
+
+ <sect2>
+ <title>Binary Installations</title>
+
+ <para>If your FreeBSD installation was a binary installation (e.g.,
+ installed from CDROM, or from a snapshot downloaded from
+ <hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to
+ install the <literal>crypto</literal> module, then you will have
+ the non-RSA capable USA version of the OpenSSL code (see above).
+ If you wish to install another version (USA RSAREF, or
+ International) you will need to obtain and install one of the
+ following packages:</para>
+
+ <itemizedlist>
+ <listitem>
+ <para>The OpenSSL package with RSAREF support for USA
+ users which you can get from <hostid
+ role="fqdn">ftp.FreeBSD.org</hostid>.</para>
+
+ <note>
+ <para>Be sure to read the license before installing! This is
+ NOT licensed for general-purpose use!</para>
+ </note>
+ </listitem>
+
+ <listitem>
+ <para>The OpenSSL package for International (non-USA) users.
+ This is not legal for general use in the USA, but
+ international users should use this version because the RSA
+ implementation is faster and more flexible. It is available
+ from <hostid
+ role="fqdn">ftp.internat.FreeBSD.org</hostid>.</para>
+ </listitem>
+ </itemizedlist>
+ </sect2>
+ </sect1>
</chapter>
<!--
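Review bot: In the second paragraph of the "USA Users" section, the parenthesis opened before the RSA Security link is never closed: "(<ulink url="http://www.rsasecurity.com/">RSA Security</ulink>, has" should close the parenthesis directly after "</ulink>" and before the comma. In "Source Code Installations", "<literal>src-secure</literal>cvsup collections" needs a space after the closing tag, otherwise it renders as "src-securecvsup". The four new sect2 elements also carry no id attribute, unlike the enclosing sect1 id="openssl", so the "see below" and "see above" references in the text cannot be turned into links and other chapters cannot point at the USA or International instructions; consider giving each sect2 an id.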