This version has quite a few major bug fixes and improvements. It DOES NOT do SSLv3 yet. The main things changed - A Few days ago I added the s_mult application to ssleay which is a demo of an SSL server running in an event loop type thing. It supports non-blocking IO, I have finally gotten it right, SSL_accept() can operate in non-blocking IO mode, look at the code to see how :-). Have a read of doc/s_mult as well. This program leaks memory and file descriptors everywhere but I have not cleaned it up yet. This is a demo of how to do non-blocking IO. - The SSL session management has been 'worked over' and there is now quite an expansive set of functions to manipulate them. Have a read of doc/session.doc for some-things I quickly whipped up about how it now works. This assume you know the SSLv2 protocol :-) - I can now read/write the netscape certificate format, use the -inform/-outform 'net' options to the x509 command. I have not put support for this type in the other demo programs, but it would be easy to add. - asn1parse and 'enc' have been modified so that when reading base64 encoded files (pem format), they do not require '-----BEGIN' header lines. The 'enc' program had a buffering bug fixed, it can be used as a general base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d' respecivly. Leaving out the '-a' flag in this case makes the 'enc' command into a form of 'cat'. - The 'x509' and 'req' programs have been fixed and modified a little so that they generate self-signed certificates correctly. The test script actually generates a 'CA' certificate and then 'signs' a 'user' certificate. Have a look at this shell script (test/sstest) to see how things work, it tests most possible combinations of what can be done. - The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name of SSL_set_cipher_list() is now the correct API (stops confusion :-). If this function is used in the client, only the specified ciphers can be used, with preference given to the order the ciphers were listed. For the server, if this is used, only the specified ciphers will be used to accept connections. If this 'option' is not used, a default set of ciphers will be used. The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this list for all ciphers started against the SSL_CTX. So the order is SSL cipher_list, if not present, SSL_CTX cipher list, if not present, then the library default. What this means is that normally ciphers like NULL-MD5 will never be used. The only way this cipher can be used for both ends to specify to use it. To enable or disable ciphers in the library at build time, modify the first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c. This file also contains the 'pref_cipher' list which is the default cipher preference order. - I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net' options work. They should, and they enable loading and writing the netscape rsa private key format. I will be re-working this section of SSLeay for the next version. What is currently in place is a quick and dirty hack. - I've re-written parts of the bignum library. This gives speedups for all platforms. I now provide assembler for use under Windows NT. I have not tested the Windows 3.1 assembler but it is quite simple code. This gives RSAprivate_key operation encryption times of 0.047s (512bit key) and 0.230s (1024bit key) on a pentium 100 which I consider reasonable. Basically the times available under linux/solaris x86 can be achieve under Windows NT. I still don't know how these times compare to RSA's BSAFE library but I have been emailing with people and with their help, I should be able to get my library's quite a bit faster still (more algorithm changes). The object file crypto/bn/asm/x86-32.obj should be used when linking under NT. - 'make makefile.one' in the top directory will generate a single makefile called 'makefile.one' This makefile contains no perl references and will build the SSLeay library into the 'tmp' and 'out' directories. util/mk1mf.pl >makefile.one is how this makefile is generated. The mk1mf.pl command take several option to generate the makefile for use with cc, gcc, Visual C++ and Borland C++. This is still under development. I have only build .lib's for NT and MSDOS I will be working on this more. I still need to play with the correct compiler setups for these compilers and add some more stuff but basically if you just want to compile the library on a 'non-unix' platform, this is a very very good file to start with :-). Have a look in the 'microsoft' directory for my current makefiles. I have not yet modified things to link with sockets under Windows NT. You guys should be able to do this since this is actually outside of the SSLeay scope :-). I will be doing it for myself soon. util/mk1mf.pl takes quite a few options including no-rc, rsaref and no-sock to build without RC2/RC4, to require RSAref for linking, and to build with no socket code. - Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher that was posted to sci.crypt has been added to the library and SSL. I take the view that if RC2 is going to be included in a standard, I'll include the cipher to make my package complete. There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers at compile time. I have not tested this recently but it should all work and if you are in the USA and don't want RSA threatening to sue you, you could probably remove the RC4/RC2 code inside these sections. I may in the future include a perl script that does this code removal automatically for those in the USA :-). - I have removed all references to sed in the makefiles. So basically, the development environment requires perl and sh. The build environment does not (use the makefile.one makefile). The Configure script still requires perl, this will probably stay that way since I have perl for Windows NT :-). eric (03-May-1996) PS Have a look in the VERSION file for more details on the changes and bug fixes. .