forked from rpms/openssl
51 lines
2.5 KiB
Diff
51 lines
2.5 KiB
Diff
|
diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
|
||
|
--- openssl-1.0.2a/README.warning 2015-03-20 16:00:47.000000000 +0100
|
||
|
+++ openssl-1.0.2a/README 2015-03-21 09:06:11.000000000 +0100
|
||
|
@@ -5,6 +5,46 @@
|
||
|
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||
|
All rights reserved.
|
||
|
|
||
|
+ WARNING
|
||
|
+ -------
|
||
|
+
|
||
|
+ This version of OpenSSL is built in a way that supports operation in
|
||
|
+ the so called FIPS mode. Note though that the library as we build it
|
||
|
+ is not FIPS 140-2 validated and the FIPS mode is present for testing
|
||
|
+ purposes only.
|
||
|
+
|
||
|
+ This version also contains a few differences from the upstream code
|
||
|
+ some of which are:
|
||
|
+ * The FIPS validation support is significantly different from the
|
||
|
+ upstream FIPS support. For example the FIPS integrity verification
|
||
|
+ check is implemented differently as the FIPS module is built inside
|
||
|
+ the shared library. The HMAC-SHA256 checksums of the whole shared
|
||
|
+ libraries are verified. Also note that the FIPS integrity
|
||
|
+ verification check requires that the libcrypto and libssl shared
|
||
|
+ library files are unmodified which means that it will fail if these
|
||
|
+ files are changed for example by prelink.
|
||
|
+ * If the file /etc/system-fips is present the integrity verification
|
||
|
+ and selftests of the crypto algorithms are run inside the library
|
||
|
+ constructor code.
|
||
|
+ * With the /etc/system-fips present the module respects the kernel
|
||
|
+ FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
|
||
|
+ if it is set to 1 aborting if the FIPS mode could not be initialized.
|
||
|
+ With the /etc/system-fips present it is also possible to force the
|
||
|
+ OpenSSL library to FIPS mode especially for debugging purposes by
|
||
|
+ setting the environment variable OPENSSL_FORCE_FIPS_MODE.
|
||
|
+ * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
|
||
|
+ will not automatically load the built in compression method ZLIB
|
||
|
+ when initialized. Applications can still explicitely ask for ZLIB
|
||
|
+ compression method.
|
||
|
+ * The library was patched so the certificates, CRLs and other objects
|
||
|
+ signed with use of MD5 fail verification as the MD5 is too insecure
|
||
|
+ to be used for signatures. If the environment variable
|
||
|
+ OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
|
||
|
+ normally.
|
||
|
+ * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
|
||
|
+ the library will not allow generation of DSA and RSA keys with
|
||
|
+ other lengths than specified in the FIPS 186-4 standard.
|
||
|
+
|
||
|
DESCRIPTION
|
||
|
-----------
|
||
|
|