Blame SOURCES/openssl-1.0.2a-readme-warning.patch

fd2893
diff -up openssl-1.0.2a/README.warning openssl-1.0.2a/README
fd2893
--- openssl-1.0.2a/README.warning	2015-03-20 16:00:47.000000000 +0100
fd2893
+++ openssl-1.0.2a/README	2015-03-21 09:06:11.000000000 +0100
fd2893
@@ -5,6 +5,46 @@
fd2893
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
fd2893
  All rights reserved.
fd2893
 
fd2893
+ WARNING
fd2893
+ -------
fd2893
+
fd2893
+ This version of OpenSSL is built in a way that supports operation in
fd2893
+ the so called FIPS mode. Note though that the library as we build it
fd2893
+ is not FIPS 140-2 validated and the FIPS mode is present for testing
fd2893
+ purposes only.
fd2893
+
fd2893
+ This version also contains a few differences from the upstream code
fd2893
+ some of which are:
fd2893
+   * The FIPS validation support is significantly different from the
fd2893
+     upstream FIPS support. For example the FIPS integrity verification
fd2893
+     check is implemented differently as the FIPS module is built inside
fd2893
+     the shared library. The HMAC-SHA256 checksums of the whole shared
fd2893
+     libraries are verified. Also note that the FIPS integrity
fd2893
+     verification check requires that the libcrypto and libssl shared
fd2893
+     library files are unmodified which means that it will fail if these
fd2893
+     files are changed for example by prelink.
fd2893
+   * If the file /etc/system-fips is present the integrity verification
fd2893
+     and selftests of the crypto algorithms are run inside the library
fd2893
+     constructor code.
fd2893
+   * With the /etc/system-fips present the module respects the kernel
fd2893
+     FIPS flag /proc/sys/crypto/fips and tries to initialize the FIPS mode
fd2893
+     if it is set to 1 aborting if the FIPS mode could not be initialized.
fd2893
+     With the /etc/system-fips present it is also possible to force the
fd2893
+     OpenSSL library to FIPS mode especially for debugging purposes by
fd2893
+     setting the environment variable OPENSSL_FORCE_FIPS_MODE.
fd2893
+   * If the environment variable OPENSSL_NO_DEFAULT_ZLIB is set the module
fd2893
+     will not automatically load the built in compression method ZLIB
fd2893
+     when initialized. Applications can still explicitely ask for ZLIB
fd2893
+     compression method.
fd2893
+   * The library was patched so the certificates, CRLs and other objects
fd2893
+     signed with use of MD5 fail verification as the MD5 is too insecure
fd2893
+     to be used for signatures. If the environment variable
fd2893
+     OPENSSL_ENABLE_MD5_VERIFY is set, the verification can proceed
fd2893
+     normally.
fd2893
+   * If the OPENSSL_ENFORCE_MODULUS_BITS environment variable is set,
fd2893
+     the library will not allow generation of DSA and RSA keys with
fd2893
+     other lengths than specified in the FIPS 186-4 standard.
fd2893
+
fd2893
  DESCRIPTION
fd2893
  -----------
fd2893