FAQ revision 76866
159191SkrisOpenSSL - Frequently Asked Questions 259191Skris-------------------------------------- 359191Skris 476866Skris[MISC] Miscellaneous questions 576866Skris 659191Skris* Which is the current version of OpenSSL? 759191Skris* Where is the documentation? 859191Skris* How can I contact the OpenSSL developers? 976866Skris* Where can I get a compiled version of OpenSSL? 1076866Skris* Why aren't tools like 'autoconf' and 'libtool' used? 1176866Skris 1276866Skris[LEGAL] Legal questions 1376866Skris 1459191Skris* Do I need patent licenses to use OpenSSL? 1576866Skris* Can I use OpenSSL with GPL software? 1676866Skris 1776866Skris[USER] Questions on using the OpenSSL applications 1876866Skris 1959191Skris* Why do I get a "PRNG not seeded" error message? 2059191Skris* How do I create certificates or certificate requests? 2159191Skris* Why can't I create certificate requests? 2259191Skris* Why does <SSL program> fail with a certificate verify error? 2368651Skris* Why can I only use weak ciphers when I connect to a server using OpenSSL? 2459191Skris* How can I create DSA certificates? 2559191Skris* Why can't I make an SSL connection using a DSA certificate? 2668651Skris* How can I remove the passphrase on a private key? 2776866Skris* Why can't I use OpenSSL certificates with SSL client authentication? 2876866Skris* Why does my browser give a warning about a mismatched hostname? 2976866Skris 3076866Skris[BUILD] Questions about building and testing OpenSSL 3176866Skris 3276866Skris* Why does the linker complain about undefined symbols? 3368651Skris* Why does the OpenSSL test fail with "bc: command not found"? 3468651Skris* Why does the OpenSSL test fail with "bc: 1 no implemented"? 3568651Skris* Why does the OpenSSL compilation fail on Alpha True64 Unix? 3668651Skris* Why does the OpenSSL compilation fail with "ar: command not found"? 3776866Skris* Why does the OpenSSL compilation fail on Win32 with VC++? 3859191Skris 3976866Skris[PROG] Questions about programming with OpenSSL 4059191Skris 4176866Skris* Is OpenSSL thread-safe? 4276866Skris* I've compiled a program under Windows and it crashes: why? 4376866Skris* How do I read or write a DER encoded buffer using the ASN1 functions? 4476866Skris* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 4576866Skris* I've called <some function> and it fails, why? 4676866Skris* I just get a load of numbers for the error output, what do they mean? 4776866Skris* Why do I get errors about unknown algorithms? 4876866Skris* Why can't the OpenSSH configure script detect OpenSSL? 4976866Skris* Can I use OpenSSL's SSL library with non-blocking I/O? 5076866Skris 5176866Skris=============================================================================== 5276866Skris 5376866Skris[MISC] ======================================================================== 5476866Skris 5559191Skris* Which is the current version of OpenSSL? 5659191Skris 5759191SkrisThe current version is available from <URL: http://www.openssl.org>. 5876866SkrisOpenSSL 0.9.6a was released on April 5th, 2001. 5959191Skris 6059191SkrisIn addition to the current stable release, you can also access daily 6159191Skrissnapshots of the OpenSSL development version at <URL: 6259191Skrisftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. 6359191Skris 6459191Skris 6559191Skris* Where is the documentation? 6659191Skris 6759191SkrisOpenSSL is a library that provides cryptographic functionality to 6859191Skrisapplications such as secure web servers. Be sure to read the 6959191Skrisdocumentation of the application you want to use. The INSTALL file 7059191Skrisexplains how to install this library. 7159191Skris 7259191SkrisOpenSSL includes a command line utility that can be used to perform a 7359191Skrisvariety of cryptographic functions. It is described in the openssl(1) 7459191Skrismanpage. Documentation for developers is currently being written. A 7559191Skrisfew manual pages already are available; overviews over libcrypto and 7659191Skrislibssl are given in the crypto(3) and ssl(3) manpages. 7759191Skris 7859191SkrisThe OpenSSL manpages are installed in /usr/local/ssl/man/ (or a 7959191Skrisdifferent directory if you specified one as described in INSTALL). 8059191SkrisIn addition, you can read the most current versions at 8159191Skris<URL: http://www.openssl.org/docs/>. 8259191Skris 8359191SkrisFor information on parts of libcrypto that are not yet documented, you 8459191Skrismight want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's 8559191Skrispredecessor, at <URL: http://www.columbia.edu/~ariel/ssleay/>. Much 8659191Skrisof this still applies to OpenSSL. 8759191Skris 8859191SkrisThere is some documentation about certificate extensions and PKCS#12 8959191Skrisin doc/openssl.txt 9059191Skris 9159191SkrisThe original SSLeay documentation is included in OpenSSL as 9259191Skrisdoc/ssleay.txt. It may be useful when none of the other resources 9359191Skrishelp, but please note that it reflects the obsolete version SSLeay 9459191Skris0.6.6. 9559191Skris 9659191Skris 9759191Skris* How can I contact the OpenSSL developers? 9859191Skris 9959191SkrisThe README file describes how to submit bug reports and patches to 10059191SkrisOpenSSL. Information on the OpenSSL mailing lists is available from 10159191Skris<URL: http://www.openssl.org>. 10259191Skris 10359191Skris 10476866Skris* Where can I get a compiled version of OpenSSL? 10576866Skris 10676866SkrisSome applications that use OpenSSL are distributed in binary form. 10776866SkrisWhen using such an application, you don't need to install OpenSSL 10876866Skrisyourself; the application will include the required parts (e.g. DLLs). 10976866Skris 11076866SkrisIf you want to install OpenSSL on a Windows system and you don't have 11176866Skrisa C compiler, read the "Mingw32" section of INSTALL.W32 for information 11276866Skrison how to obtain and install the free GNU C compiler. 11376866Skris 11476866SkrisA number of Linux and *BSD distributions include OpenSSL. 11576866Skris 11676866Skris 11776866Skris* Why aren't tools like 'autoconf' and 'libtool' used? 11876866Skris 11976866Skrisautoconf will probably be used in future OpenSSL versions. If it was 12076866Skrisless Unix-centric, it might have been used much earlier. 12176866Skris 12276866Skris 12376866Skris[LEGAL] ======================================================================= 12476866Skris 12559191Skris* Do I need patent licenses to use OpenSSL? 12659191Skris 12759191SkrisThe patents section of the README file lists patents that may apply to 12859191Skrisyou if you want to use OpenSSL. For information on intellectual 12959191Skrisproperty rights, please consult a lawyer. The OpenSSL team does not 13059191Skrisoffer legal advice. 13159191Skris 13259191SkrisYou can configure OpenSSL so as not to use RC5 and IDEA by using 13359191Skris ./config no-rc5 no-idea 13459191Skris 13559191Skris 13676866Skris* Can I use OpenSSL with GPL software? 13759191Skris 13876866SkrisOn many systems including the major Linux and BSD distributions, yes (the 13976866SkrisGPL does not place restrictions on using libraries that are part of the 14076866Skrisnormal operating system distribution). 14159191Skris 14276866SkrisOn other systems, the situation is less clear. Some GPL software copyright 14376866Skrisholders claim that you infringe on their rights if you use OpenSSL with 14476866Skristheir software on operating systems that don't normally include OpenSSL. 14559191Skris 14676866SkrisIf you develop open source software that uses OpenSSL, you may find it 14776866Skrisuseful to choose an other license than the GPL, or state explicitely that 14876866Skris"This program is released under the GPL with the additional exemption that 14976866Skriscompiling, linking, and/or using OpenSSL is allowed." If you are using 15076866SkrisGPL software developed by others, you may want to ask the copyright holder 15176866Skrisfor permission to use their software with OpenSSL. 15259191Skris 15376866Skris 15476866Skris[USER] ======================================================================== 15576866Skris 15659191Skris* Why do I get a "PRNG not seeded" error message? 15759191Skris 15859191SkrisCryptographic software needs a source of unpredictable data to work 15959191Skriscorrectly. Many open source operating systems provide a "randomness 16059191Skrisdevice" that serves this purpose. On other systems, applications have 16159191Skristo call the RAND_add() or RAND_seed() function with appropriate data 16259191Skrisbefore generating keys or performing public key encryption. 16359191Skris 16459191SkrisSome broken applications do not do this. As of version 0.9.5, the 16559191SkrisOpenSSL functions that need randomness report an error if the random 16659191Skrisnumber generator has not been seeded with at least 128 bits of 16759191Skrisrandomness. If this error occurs, please contact the author of the 16859191Skrisapplication you are using. It is likely that it never worked 16959191Skriscorrectly. OpenSSL 0.9.5 and later make the error visible by refusing 17059191Skristo perform potentially insecure encryption. 17159191Skris 17259191SkrisOn systems without /dev/urandom, it is a good idea to use the Entropy 17359191SkrisGathering Demon; see the RAND_egd() manpage for details. 17459191Skris 17559191SkrisMost components of the openssl command line tool try to use the 17659191Skrisfile $HOME/.rnd (or $RANDFILE, if this environment variable is set) 17759191Skrisfor seeding the PRNG. If this file does not exist or is too short, 17859191Skristhe "PRNG not seeded" error message may occur. 17959191Skris 18059191Skris[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version 18159191Skris0.9.5 does not do this and will fail on systems without /dev/urandom 18259191Skriswhen trying to password-encrypt an RSA key! This is a bug in the 18359191Skrislibrary; try a later version instead.] 18459191Skris 18568651SkrisFor Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested 18668651Skrisinstalling the SUNski package from Sun patch 105710-01 (Sparc) which 18768651Skrisadds a /dev/random device and make sure it gets used, usually through 18868651Skris$RANDFILE. There are probably similar patches for the other Solaris 18968651Skrisversions. However, be warned that /dev/random is usually a blocking 19068651Skrisdevice, which may have some effects on OpenSSL. 19159191Skris 19268651Skris 19376866Skris* How do I create certificates or certificate requests? 19476866Skris 19576866SkrisCheck out the CA.pl(1) manual page. This provides a simple wrapper round 19676866Skristhe 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check 19776866Skrisout the manual pages for the individual utilities and the certificate 19876866Skrisextensions documentation (currently in doc/openssl.txt). 19976866Skris 20076866Skris 20176866Skris* Why can't I create certificate requests? 20276866Skris 20376866SkrisYou typically get the error: 20476866Skris 20576866Skris unable to find 'distinguished_name' in config 20676866Skris problems making Certificate Request 20776866Skris 20876866SkrisThis is because it can't find the configuration file. Check out the 20976866SkrisDIAGNOSTICS section of req(1) for more information. 21076866Skris 21176866Skris 21276866Skris* Why does <SSL program> fail with a certificate verify error? 21376866Skris 21476866SkrisThis problem is usually indicated by log messages saying something like 21576866Skris"unable to get local issuer certificate" or "self signed certificate". 21676866SkrisWhen a certificate is verified its root CA must be "trusted" by OpenSSL 21776866Skristhis typically means that the CA certificate must be placed in a directory 21876866Skrisor file and the relevant program configured to read it. The OpenSSL program 21976866Skris'verify' behaves in a similar way and issues similar error messages: check 22076866Skristhe verify(1) program manual page for more information. 22176866Skris 22276866Skris 22376866Skris* Why can I only use weak ciphers when I connect to a server using OpenSSL? 22476866Skris 22576866SkrisThis is almost certainly because you are using an old "export grade" browser 22676866Skriswhich only supports weak encryption. Upgrade your browser to support 128 bit 22776866Skrisciphers. 22876866Skris 22976866Skris 23076866Skris* How can I create DSA certificates? 23176866Skris 23276866SkrisCheck the CA.pl(1) manual page for a DSA certificate example. 23376866Skris 23476866Skris 23576866Skris* Why can't I make an SSL connection to a server using a DSA certificate? 23676866Skris 23776866SkrisTypically you'll see a message saying there are no shared ciphers when 23876866Skristhe same setup works fine with an RSA certificate. There are two possible 23976866Skriscauses. The client may not support connections to DSA servers most web 24076866Skrisbrowsers (including Netscape and MSIE) only support connections to servers 24176866Skrissupporting RSA cipher suites. The other cause is that a set of DH parameters 24276866Skrishas not been supplied to the server. DH parameters can be created with the 24376866Skrisdhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: 24476866Skrischeck the source to s_server in apps/s_server.c for an example. 24576866Skris 24676866Skris 24776866Skris* How can I remove the passphrase on a private key? 24876866Skris 24976866SkrisFirstly you should be really *really* sure you want to do this. Leaving 25076866Skrisa private key unencrypted is a major security risk. If you decide that 25176866Skrisyou do have to do this check the EXAMPLES sections of the rsa(1) and 25276866Skrisdsa(1) manual pages. 25376866Skris 25476866Skris 25576866Skris* Why can't I use OpenSSL certificates with SSL client authentication? 25676866Skris 25776866SkrisWhat will typically happen is that when a server requests authentication 25876866Skrisit will either not include your certificate or tell you that you have 25976866Skrisno client certificates (Netscape) or present you with an empty list box 26076866Skris(MSIE). The reason for this is that when a server requests a client 26176866Skriscertificate it includes a list of CAs names which it will accept. Browsers 26276866Skriswill only let you select certificates from the list on the grounds that 26376866Skristhere is little point presenting a certificate which the server will 26476866Skrisreject. 26576866Skris 26676866SkrisThe solution is to add the relevant CA certificate to your servers "trusted 26776866SkrisCA list". How you do this depends on the server sofware in uses. You can 26876866Skrisprint out the servers list of acceptable CAs using the OpenSSL s_client tool: 26976866Skris 27076866Skrisopenssl s_client -connect www.some.host:443 -prexit 27176866Skris 27276866SkrisIf your server only requests certificates on certain URLs then you may need 27376866Skristo manually issue an HTTP GET command to get the list when s_client connects: 27476866Skris 27576866SkrisGET /some/page/needing/a/certificate.html 27676866Skris 27776866SkrisIf your CA does not appear in the list then this confirms the problem. 27876866Skris 27976866Skris 28076866Skris* Why does my browser give a warning about a mismatched hostname? 28176866Skris 28276866SkrisBrowsers expect the server's hostname to match the value in the commonName 28376866Skris(CN) field of the certificate. If it does not then you get a warning. 28476866Skris 28576866Skris 28676866Skris[BUILD] ======================================================================= 28776866Skris 28859191Skris* Why does the linker complain about undefined symbols? 28959191Skris 29059191SkrisMaybe the compilation was interrupted, and make doesn't notice that 29159191Skrissomething is missing. Run "make clean; make". 29259191Skris 29359191SkrisIf you used ./Configure instead of ./config, make sure that you 29459191Skrisselected the right target. File formats may differ slightly between 29559191SkrisOS versions (for example sparcv8/sparcv9, or a.out/elf). 29659191Skris 29759191SkrisIn case you get errors about the following symbols, use the config 29859191Skrisoption "no-asm", as described in INSTALL: 29959191Skris 30059191Skris BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt, 30159191Skris CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt, 30259191Skris RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words, 30359191Skris bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4, 30459191Skris bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, 30559191Skris des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, 30659191Skris des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order 30759191Skris 30859191SkrisIf none of these helps, you may want to try using the current snapshot. 30959191SkrisIf the problem persists, please submit a bug report. 31059191Skris 31159191Skris 31276866Skris* Why does the OpenSSL test fail with "bc: command not found"? 31359191Skris 31476866SkrisYou didn't install "bc", the Unix calculator. If you want to run the 31576866Skristests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. 31659191Skris 31759191Skris 31876866Skris* Why does the OpenSSL test fail with "bc: 1 no implemented"? 31959191Skris 32076866SkrisOn some SCO installations or versions, bc has a bug that gets triggered 32176866Skriswhen you run the test suite (using "make test"). The message returned is 32276866Skris"bc: 1 not implemented". 32359191Skris 32476866SkrisThe best way to deal with this is to find another implementation of bc 32576866Skrisand compile/install it. GNU bc (see http://www.gnu.org/software/software.html 32676866Skrisfor download instructions) can be safely used, for example. 32776866Skris 32876866Skris 32976866Skris* Why does the OpenSSL compilation fail on Alpha True64 Unix? 33076866Skris 33176866SkrisOn some Alpha installations running True64 Unix and Compaq C, the compilation 33276866Skrisof crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual 33376866Skrismemory to continue compilation.' As far as the tests have shown, this may be 33476866Skrisa compiler bug. What happens is that it eats up a lot of resident memory 33576866Skristo build something, probably a table. The problem is clearly in the 33676866Skrisoptimization code, because if one eliminates optimization completely (-O0), 33776866Skristhe compilation goes through (and the compiler consumes about 2MB of resident 33876866Skrismemory instead of 240MB or whatever one's limit is currently). 33976866Skris 34076866SkrisThere are three options to solve this problem: 34176866Skris 34276866Skris1. set your current data segment size soft limit higher. Experience shows 34376866Skristhat about 241000 kbytes seems to be enough on an AlphaServer DS10. You do 34476866Skristhis with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of 34576866Skriskbytes to set the limit to. 34676866Skris 34776866Skris2. If you have a hard limit that is lower than what you need and you can't 34876866Skrisget it changed, you can compile all of OpenSSL with -O0 as optimization 34976866Skrislevel. This is however not a very nice thing to do for those who expect to 35076866Skrisget the best result from OpenSSL. A bit more complicated solution is the 35176866Skrisfollowing: 35276866Skris 35376866Skris----- snip:start ----- 35476866Skris make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ 35576866Skris sed -e 's/ -O[0-9] / -O0 /'`" 35676866Skris rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` 35776866Skris make 35876866Skris----- snip:end ----- 35976866Skris 36076866SkrisThis will only compile sha_dgst.c with -O0, the rest with the optimization 36176866Skrislevel chosen by the configuration process. When the above is done, do the 36276866Skristest and installation and you're set. 36376866Skris 36476866Skris 36576866Skris* Why does the OpenSSL compilation fail with "ar: command not found"? 36676866Skris 36776866SkrisGetting this message is quite usual on Solaris 2, because Sun has hidden 36876866Skrisaway 'ar' and other development commands in directories that aren't in 36976866Skris$PATH by default. One of those directories is '/usr/ccs/bin'. The 37076866Skrisquickest way to fix this is to do the following (it assumes you use sh 37176866Skrisor any sh-compatible shell): 37276866Skris 37376866Skris----- snip:start ----- 37476866Skris PATH=${PATH}:/usr/ccs/bin; export PATH 37576866Skris----- snip:end ----- 37676866Skris 37776866Skrisand then redo the compilation. What you should really do is make sure 37876866Skris'/usr/ccs/bin' is permanently in your $PATH, for example through your 37976866Skris'.profile' (again, assuming you use a sh-compatible shell). 38076866Skris 38176866Skris 38276866Skris* Why does the OpenSSL compilation fail on Win32 with VC++? 38376866Skris 38476866SkrisSometimes, you may get reports from VC++ command line (cl) that it 38576866Skriscan't find standard include files like stdio.h and other weirdnesses. 38676866SkrisOne possible cause is that the environment isn't correctly set up. 38776866SkrisTo solve that problem, one should run VCVARS32.BAT which is found in 38876866Skristhe 'bin' subdirectory of the VC++ installation directory (somewhere 38976866Skrisunder 'Program Files'). This needs to be done prior to running NMAKE, 39076866Skrisand the changes are only valid for the current DOS session. 39176866Skris 39276866Skris 39376866Skris[PROG] ======================================================================== 39476866Skris 39576866Skris* Is OpenSSL thread-safe? 39676866Skris 39776866SkrisYes (with limitations: an SSL connection may not concurrently be used 39876866Skrisby multiple threads). On Windows and many Unix systems, OpenSSL 39976866Skrisautomatically uses the multi-threaded versions of the standard 40076866Skrislibraries. If your platform is not one of these, consult the INSTALL 40176866Skrisfile. 40276866Skris 40376866SkrisMulti-threaded applications must provide two callback functions to 40476866SkrisOpenSSL. This is described in the threads(3) manpage. 40576866Skris 40676866Skris 40759191Skris* I've compiled a program under Windows and it crashes: why? 40859191Skris 40959191SkrisThis is usually because you've missed the comment in INSTALL.W32. You 41059191Skrismust link with the multithreaded DLL version of the VC++ runtime library 41159191Skrisotherwise the conflict will cause a program to crash: typically on the 41259191Skrisfirst BIO related read or write operation. 41359191Skris 41459191Skris 41568651Skris* How do I read or write a DER encoded buffer using the ASN1 functions? 41668651Skris 41768651SkrisYou have two options. You can either use a memory BIO in conjunction 41868651Skriswith the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the 41968651Skrisi2d_XXX(), d2i_XXX() functions directly. Since these are often the 42068651Skriscause of grief here are some code fragments using PKCS7 as an example: 42168651Skris 42268651Skrisunsigned char *buf, *p; 42368651Skrisint len; 42468651Skris 42568651Skrislen = i2d_PKCS7(p7, NULL); 42668651Skrisbuf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ 42768651Skrisp = buf; 42868651Skrisi2d_PKCS7(p7, &p); 42968651Skris 43068651SkrisAt this point buf contains the len bytes of the DER encoding of 43168651Skrisp7. 43268651Skris 43368651SkrisThe opposite assumes we already have len bytes in buf: 43468651Skris 43568651Skrisunsigned char *p; 43668651Skrisp = buf; 43768651Skrisp7 = d2i_PKCS7(NULL, &p, len); 43868651Skris 43968651SkrisAt this point p7 contains a valid PKCS7 structure of NULL if an error 44068651Skrisoccurred. If an error occurred ERR_print_errors(bio) should give more 44168651Skrisinformation. 44268651Skris 44368651SkrisThe reason for the temporary variable 'p' is that the ASN1 functions 44468651Skrisincrement the passed pointer so it is ready to read or write the next 44568651Skrisstructure. This is often a cause of problems: without the temporary 44668651Skrisvariable the buffer pointer is changed to point just after the data 44768651Skristhat has been read or written. This may well be uninitialized data 44868651Skrisand attempts to free the buffer will have unpredictable results 44968651Skrisbecause it no longer points to the same address. 45068651Skris 45168651Skris 45268651Skris* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 45368651Skris 45468651SkrisThis usually happens when you try compiling something using the PKCS#12 45568651Skrismacros with a C++ compiler. There is hardly ever any need to use the 45668651SkrisPKCS#12 macros in a program, it is much easier to parse and create 45768651SkrisPKCS#12 files using the PKCS12_parse() and PKCS12_create() functions 45868651Skrisdocumented in doc/openssl.txt and with examples in demos/pkcs12. The 45968651Skris'pkcs12' application has to use the macros because it prints out 46068651Skrisdebugging information. 46168651Skris 46268651Skris 46359191Skris* I've called <some function> and it fails, why? 46459191Skris 46568651SkrisBefore submitting a report or asking in one of the mailing lists, you 46668651Skrisshould try to determine the cause. In particular, you should call 46759191SkrisERR_print_errors() or ERR_print_errors_fp() after the failed call 46868651Skrisand see if the message helps. Note that the problem may occur earlier 46968651Skristhan you think -- you should check for errors after every call where 47068651Skrisit is possible, otherwise the actual problem may be hidden because 47168651Skrissome OpenSSL functions clear the error state. 47259191Skris 47359191Skris 47459191Skris* I just get a load of numbers for the error output, what do they mean? 47559191Skris 47659191SkrisThe actual format is described in the ERR_print_errors() manual page. 47759191SkrisYou should call the function ERR_load_crypto_strings() before hand and 47859191Skristhe message will be output in text form. If you can't do this (for example 47959191Skrisit is a pre-compiled binary) you can use the errstr utility on the error 48059191Skriscode itself (the hex digits after the second colon). 48159191Skris 48259191Skris 48359191Skris* Why do I get errors about unknown algorithms? 48459191Skris 48559191SkrisThis can happen under several circumstances such as reading in an 48659191Skrisencrypted private key or attempting to decrypt a PKCS#12 file. The cause 48759191Skrisis forgetting to load OpenSSL's table of algorithms with 48859191SkrisOpenSSL_add_all_algorithms(). See the manual page for more information. 48959191Skris 49059191Skris 49159191Skris* Why can't the OpenSSH configure script detect OpenSSL? 49259191Skris 49359191SkrisThere is a problem with OpenSSH 1.2.2p1, in that the configure script 49459191Skriscan't find the installed OpenSSL libraries. The problem is actually 49559191Skrisa small glitch that is easily solved with the following patch to be 49659191Skrisapplied to the OpenSSH distribution: 49759191Skris 49859191Skris----- snip:start ----- 49959191Skris--- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000 50059191Skris+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000 50159191Skris@@ -152,10 +152,10 @@ 50259191Skris AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) 50359191Skris for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do 50459191Skris if test ! -z "$ssldir" ; then 50559191Skris- LIBS="$saved_LIBS -L$ssldir" 50659191Skris+ LIBS="$saved_LIBS -L$ssldir/lib" 50759191Skris CFLAGS="$CFLAGS -I$ssldir/include" 50859191Skris if test "x$need_dash_r" = "x1" ; then 50959191Skris- LIBS="$LIBS -R$ssldir" 51059191Skris+ LIBS="$LIBS -R$ssldir/lib" 51159191Skris fi 51259191Skris fi 51359191Skris LIBS="$LIBS -lcrypto" 51459191Skris--- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000 51559191Skris+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000 51659191Skris@@ -1890,10 +1890,10 @@ 51759191Skris echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 51859191Skris for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do 51959191Skris if test ! -z "$ssldir" ; then 52059191Skris- LIBS="$saved_LIBS -L$ssldir" 52159191Skris+ LIBS="$saved_LIBS -L$ssldir/lib" 52259191Skris CFLAGS="$CFLAGS -I$ssldir/include" 52359191Skris if test "x$need_dash_r" = "x1" ; then 52459191Skris- LIBS="$LIBS -R$ssldir" 52559191Skris+ LIBS="$LIBS -R$ssldir/lib" 52659191Skris fi 52759191Skris fi 52859191Skris LIBS="$LIBS -lcrypto" 52959191Skris----- snip:end ----- 53068651Skris 53168651Skris 53276866Skris* Can I use OpenSSL's SSL library with non-blocking I/O? 53368651Skris 53476866SkrisYes; make sure to read the SSL_get_error(3) manual page! 53568651Skris 53676866SkrisA pitfall to avoid: Don't assume that SSL_read() will just read from 53776866Skristhe underlying transport or that SSL_write() will just write to it -- 53876866Skrisit is also possible that SSL_write() cannot do any useful work until 53976866Skristhere is data to read, or that SSL_read() cannot do anything until it 54076866Skrisis possible to send data. One reason for this is that the peer may 54176866Skrisrequest a new TLS/SSL handshake at any time during the protocol, 54276866Skrisrequiring a bi-directional message exchange; both SSL_read() and 54376866SkrisSSL_write() will try to continue any pending handshake. 54468651Skris 54568651Skris 54676866Skris=============================================================================== 54768651Skris 548