2
0

README.080 4.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147
  1. This version of SSLeay has quite a lot of things different from the
  2. previous version.
  3. Basically check all callback parameters, I will be producing documentation
  4. about how to use things in th future. Currently I'm just getting 080 out
  5. the door. Please not that there are several ways to do everything, and
  6. most of the applications in the apps directory are hybrids, some using old
  7. methods and some using new methods.
  8. Have a look in demos/bio for some very simple programs and
  9. apps/s_client.c and apps/s_server.c for some more advanced versions.
  10. Notes are definitly needed but they are a week or so away.
  11. Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
  12. ---
  13. Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
  14. get those people that want to move to using the new code base off to
  15. a quick start.
  16. Note that Eric has tidied up a lot of the areas of the API that were
  17. less than desirable and renamed quite a few things (as he had to break
  18. the API in lots of places anyrate). There are a whole pile of additional
  19. functions for making dealing with (and creating) certificates a lot
  20. cleaner.
  21. 01-Jul-97
  22. Tim Hudson
  23. tjh@cryptsoft.com
  24. ---8<---
  25. To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
  26. use something like the following (assuming you #include "crypto.h" which
  27. is something that you really should be doing).
  28. #if SSLEAY_VERSION_NUMBER >= 0x0800
  29. #define SSLEAY8
  30. #endif
  31. buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
  32. too if you are working with BIO internal stuff (as distinct
  33. from simply using the interface in an opaque manner)
  34. #include "bio.h" - required along with "buffer.h" if you write
  35. your own BIO routines as the buffer and bio
  36. stuff that was intermixed has been separated
  37. out
  38. envelope.h -> evp.h (which should have been done ages ago)
  39. Initialisation ... don't forget these or you end up with code that
  40. is missing the bits required to do useful things (like ciphers):
  41. SSLeay_add_ssl_algorithms()
  42. (probably also want SSL_load_error_strings() too but you should have
  43. already had that call in place)
  44. SSL_CTX_new() - requires an extra method parameter
  45. SSL_CTX_new(SSLv23_method())
  46. SSL_CTX_new(SSLv2_method())
  47. SSL_CTX_new(SSLv3_method())
  48. OR to only have the server or the client code
  49. SSL_CTX_new(SSLv23_server_method())
  50. SSL_CTX_new(SSLv2_server_method())
  51. SSL_CTX_new(SSLv3_server_method())
  52. or
  53. SSL_CTX_new(SSLv23_client_method())
  54. SSL_CTX_new(SSLv2_client_method())
  55. SSL_CTX_new(SSLv3_client_method())
  56. SSL_set_default_verify_paths() ... renamed to the more appropriate
  57. SSL_CTX_set_default_verify_paths()
  58. If you want to use client certificates then you have to add in a bit
  59. of extra stuff in that a SSLv3 server sends a list of those CAs that
  60. it will accept certificates from ... so you have to provide a list to
  61. SSLeay otherwise certain browsers will not send client certs.
  62. SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
  63. X509_NAME_oneline(X) -> X509_NAME_oneline(X,NULL,0)
  64. or provide a buffer and size to copy the
  65. result into
  66. X509_add_cert -> X509_STORE_add_cert (and you might want to read the
  67. notes on X509_NAME structure changes too)
  68. VERIFICATION CODE
  69. =================
  70. The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
  71. more accurately reflect things.
  72. The verification callback args are now packaged differently so that
  73. extra fields for verification can be added easily in future without
  74. having to break things by adding extra parameters each release :-)
  75. X509_cert_verify_error_string -> X509_verify_cert_error_string
  76. BIO INTERNALS
  77. =============
  78. Eric has fixed things so that extra flags can be introduced in
  79. the BIO layer in future without having to play with all the BIO
  80. modules by adding in some macros.
  81. The ugly stuff using
  82. b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
  83. becomes
  84. BIO_clear_retry_flags(b)
  85. b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
  86. becomes
  87. BIO_set_retry_read(b)
  88. Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
  89. OTHER THINGS
  90. ============
  91. X509_NAME has been altered so that it isn't just a STACK ... the STACK
  92. is now in the "entries" field ... and there are a pile of nice functions
  93. for getting at the details in a much cleaner manner.
  94. SSL_CTX has been altered ... "cert" is no longer a direct member of this
  95. structure ... things are now down under "cert_store" (see x509_vfy.h) and
  96. things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
  97. If your code "knows" about this level of detail then it will need some
  98. surgery.
  99. If you depending on the incorrect spelling of a number of the error codes
  100. then you will have to change your code as these have been fixed.
  101. ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
  102. has been all along so this makes things clearer.
  103. ify_cert_error_string(ctx->error));
  104. SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
  105. and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO