| Apache/2.4.7 (Ubuntu) Linux sman1baleendah 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 uid=33(www-data) gid=33(www-data) groups=33(www-data) safemode : OFF MySQL: ON | Perl: ON | cURL: OFF | WGet: ON > / usr / share / doc / openssl / | server ip : 104.21.89.46 your ip : 108.162.241.149 H O M E |
| Filename | /usr/share/doc/openssl/README.Debian |
| Size | 2.07 kb |
| Permission | rw-r--r-- |
| Owner | root : root |
| Create time | 27-Apr-2025 09:55 |
| Last modified | 02-May-2006 02:46 |
| Last accessed | 06-Jul-2025 21:19 |
| Actions | edit | rename | delete | download (gzip) |
| View | text | code | image |
openssl for DEBIAN
----------------------
openssl replaces ssleay.
The application links to openssl like req, ca, verify and s_client
have been removed.
Instead of `<application>` please call now `openssl <application>`
eg:
instead of `req` please call `openssl req`
PATENT ISSUES
-------------
Some algorithms used in the library are covered by patents. As
a result, the following algorithms in libcrypto have been disabled:
- RC5
- MDC2
- IDEA
Also see the patents section in the README file.
Self-signed certs and webservers:
---------------------------------
If you get with a selfsigned certificate and a webserver:
> "The certificate is not approved for the attempted operation."
[email protected] (Bodo Moeller) writes:
>Probably you are using a CA certificate for your server; if you use
>"openssl req" to generate a new key and self-signed certificate with
>the default openssl.cnf, the certificate you get includes certain
>X.509v3 extensions that make it unfit for use as a server certificate.
>This was not so with earlier versions of the software because back
>then there was far less X.509v3 support.
>
>To look at the certificate some HTTPS server presents to its cliens,
>use "openssl s_client -port 443 -host your.server", store the output
>(at least the part from "-----BEGIN CERTIFICATE-----" up to "-----END
>CERTIFICATE-----", including these separators) in a file and use
>"openssl x509 -in the_file_you_just_stored -text" to look at it in
>readable form. If it has in the "X509v3 extensions section" any of
>the following entries, it is not usable as a server certificate:
>
> X509v3 Basic Constraints:
> CA:TRUE
>
> X509v3 Key Usage:
> Certificate Sign, CRL Sign
>
>To quickly create a new server key and certificate that works with
>Netscape, you can just copy the original openssl.cnf file and comment
>out the "x509_extensions" entry in the "[ req ]" section.
>The, use "openssl req ..." as before to create a new certificate and
>key.
Christoph Martin <[email protected]>, Wed, 31 Mar 1999 16:00:51 +0200
----------------------
openssl replaces ssleay.
The application links to openssl like req, ca, verify and s_client
have been removed.
Instead of `<application>` please call now `openssl <application>`
eg:
instead of `req` please call `openssl req`
PATENT ISSUES
-------------
Some algorithms used in the library are covered by patents. As
a result, the following algorithms in libcrypto have been disabled:
- RC5
- MDC2
- IDEA
Also see the patents section in the README file.
Self-signed certs and webservers:
---------------------------------
If you get with a selfsigned certificate and a webserver:
> "The certificate is not approved for the attempted operation."
[email protected] (Bodo Moeller) writes:
>Probably you are using a CA certificate for your server; if you use
>"openssl req" to generate a new key and self-signed certificate with
>the default openssl.cnf, the certificate you get includes certain
>X.509v3 extensions that make it unfit for use as a server certificate.
>This was not so with earlier versions of the software because back
>then there was far less X.509v3 support.
>
>To look at the certificate some HTTPS server presents to its cliens,
>use "openssl s_client -port 443 -host your.server", store the output
>(at least the part from "-----BEGIN CERTIFICATE-----" up to "-----END
>CERTIFICATE-----", including these separators) in a file and use
>"openssl x509 -in the_file_you_just_stored -text" to look at it in
>readable form. If it has in the "X509v3 extensions section" any of
>the following entries, it is not usable as a server certificate:
>
> X509v3 Basic Constraints:
> CA:TRUE
>
> X509v3 Key Usage:
> Certificate Sign, CRL Sign
>
>To quickly create a new server key and certificate that works with
>Netscape, you can just copy the original openssl.cnf file and comment
>out the "x509_extensions" entry in the "[ req ]" section.
>The, use "openssl req ..." as before to create a new certificate and
>key.
Christoph Martin <[email protected]>, Wed, 31 Mar 1999 16:00:51 +0200