File: README.debian

package info (click to toggle)
openssl 3.6.0-1
  • links: PTS, VCS
  • area: main
  • in suites: experimental
  • size: 147,548 kB
  • sloc: ansic: 612,628; perl: 248,939; asm: 6,332; sh: 1,755; pascal: 997; python: 648; makefile: 551; lisp: 35; ruby: 16; cpp: 10; sed: 6
file content (77 lines) | stat: -rw-r--r-- 2,725 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
 
openssl for DEBIAN
----------------------

openssl replaces ssleay.

The application links to openssl like req, ca, verify and s_client
have been removed.

Instead of `<application>` please call now `openssl <application>`

eg: 
instead of `req` please call `openssl req`

TLS protocol version and RSA key size
-------------------------------------
The default system global policy is to support TLSv1.2+ and security level two.
Please see
  https://docs.openssl.org/3.3/man5/config
  https://docs.openssl.org/3.3/man3/SSL_CTX_set_security_level/#description
for configurations details of `MinProtocol' and `CipherString' in
/etc/ssl/openssl.cnf case you really require to support legacy systems.

PATENT ISSUES
-------------

Some algorithms used in the library are covered by patents.  As
a result, the following algorithms in libcrypto have been disabled:
- RC5
- MDC2
- IDEA

Also see the patents section in the README file.


Providers
---------

The legacy provider is shipped as a separate package named
openssl-provider-legacy. See README-PROVIDERS.md for mode information about
providers in openssl.

Self-signed certs and webservers:
---------------------------------

If you get with a selfsigned certificate and a webserver:
 > "The certificate is not approved for the attempted operation."

Bodo_Moeller@public.uni-hamburg.de (Bodo Moeller) writes:
>Probably you are using a CA certificate for your server; if you use
>"openssl req" to generate a new key and self-signed certificate with
>the default openssl.cnf, the certificate you get includes certain
>X.509v3 extensions that make it unfit for use as a server certificate.
>This was not so with earlier versions of the software because back
>then there was far less X.509v3 support.
>
>To look at the certificate some HTTPS server presents to its cliens,
>use "openssl s_client -port 443 -host your.server", store the output
>(at least the part from "-----BEGIN CERTIFICATE-----" up to "-----END
>CERTIFICATE-----", including these separators) in a file and use
>"openssl x509 -in the_file_you_just_stored -text" to look at it in
>readable form.  If it has in the "X509v3 extensions section" any of
>the following entries, it is not usable as a server certificate:
>
>            X509v3 Basic Constraints:
>                CA:TRUE
>
>            X509v3 Key Usage:
>                Certificate Sign, CRL Sign
>
>To quickly create a new server key and certificate that works with
>Netscape, you can just copy the original openssl.cnf file and comment
>out the "x509_extensions" entry in the "[ req ]" section.
>The, use "openssl req ..." as before to create a new certificate and
>key.


Christoph Martin <martin@uni-mainz.de>, Wed, 31 Mar 1999 16:00:51 +0200