isaacpittman-hitachi / rpms / openssl

Forked from rpms/openssl 2 years ago
Blame SOURCES/openssl-1.0.0-beta5-readme-warning.patch

a5ef24
diff -up openssl-1.0.0-beta5/README.warning openssl-1.0.0-beta5/README
a5ef24
--- openssl-1.0.0-beta5/README.warning	2010-01-20 16:00:47.000000000 +0100
a5ef24
+++ openssl-1.0.0-beta5/README	2010-01-21 09:06:11.000000000 +0100
a5ef24
@@ -5,6 +5,35 @@
a5ef24
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
a5ef24
  All rights reserved.
a5ef24
 
a5ef24
+ WARNING
a5ef24
+ -------
a5ef24
+
a5ef24
+ This version of OpenSSL is built in a way that supports operation in
a5ef24
+ the so called FIPS mode. Note though that the library as we build it
a5ef24
+ is not FIPS validated and the FIPS mode is present for testing purposes
a5ef24
+ only.
a5ef24
+ 
a5ef24
+ This version also contains a few differences from the upstream code
a5ef24
+ some of which are:
a5ef24
+   * There are added changes forward ported from the upstream OpenSSL
a5ef24
+     0.9.8 FIPS branch however the FIPS integrity verification check
a5ef24
+     is implemented differently from the upstream FIPS validated OpenSSL
a5ef24
+     module. It verifies HMAC-SHA256 checksum of the whole shared
a5ef24
+     libraries. For this reason the changes are ported to files in the
a5ef24
+     crypto directory and not in a separate fips subdirectory. Also
a5ef24
+     note that the FIPS integrity verification check requires unmodified
a5ef24
+     libcrypto and libssl shared library files which means that it will
a5ef24
+     fail if these files are modified for example by prelink.
a5ef24
+   * The module respects the kernel FIPS flag /proc/sys/crypto/fips and
a5ef24
+     tries to initialize the FIPS mode if it is set to 1 aborting if the
a5ef24
+     FIPS mode could not be initialized. It is also possible to force the
a5ef24
+     OpenSSL library to FIPS mode especially for debugging purposes by
a5ef24
+     setting the environment variable OPENSSL_FORCE_FIPS_MODE.
a5ef24
+   * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
a5ef24
+     will not automatically load the built in compression method ZLIB
a5ef24
+     when initialized. Applications can still explicitely ask for ZLIB
a5ef24
+     compression method.
a5ef24
+
a5ef24
  DESCRIPTION
a5ef24
  -----------
a5ef24
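Review bot: the OPENSSL_FORCE_FIPS_MODE and OPENSSL_NO_DEFAULT_ZLIB bullets do not say what value the variable must hold, while the kernel flag bullet is explicit ("if it is set to 1"). Please state whether any value, including an empty one, counts as set, so that an administrator can tell from the README when the library will switch modes. The first two bullets also interact in a way the text leaves implicit: the integrity check fails on prelinked libcrypto and libssl files, and the library aborts when /proc/sys/crypto/fips is 1 and FIPS mode cannot be initialized, so a sentence telling readers to exclude these libraries from prelink on hosts with the kernel flag set would help. Minor: "explicitely" in the ZLIB bullet should be "explicitly", "so called" reads better as "so-called", and the blank added line after "only." carries a trailing space while the other blank added lines do not.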