Updated OpenSSL docs

Reviewed by:	asmodai, jhb

en_US.ISO8859-1/books/handbook/security/chapter.sgml

@@ -1,7 +1,7 @@
 <!--
      The FreeBSD Documentation Project
 
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.23 2000/02/04 12:38:20 nbm Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.24 2000/02/11 21:34:08 jim Exp $
 -->
 
 <chapter id="security">
@@ -1608,16 +1608,10 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
     <para>However, some of the algorithms (specifically, RSA and IDEA)
       included in OpenSSL are protected by patents in the USA and
       elsewhere, and are not available for unrestricted use (in
-      particular IDEA is currently not available in any of FreeBSD's
-      OpenSSL distributions).  In addition, export of cryptographic code
-      from the USA has (until recently) been heavily restricted.  As a
-      result, FreeBSD has available three different versions of OpenSSL
-      depending on geographical location (USA/non-USA) and compliance with
-      the RSAREF license (see below).</para>
-
-    <para>RSA is a useful algorithm which is required for a lot of
-      third-party software which uses OpenSSL (as well as for the SSLv2
-      protocol), so you should enable it if at all possible.</para>
+      particular, IDEA is not available at all in FreeBSD's version of
+      OpenSSL).  As a result, FreeBSD has available two different
+      versions of the OpenSSL RSA libraries depending on geographical
+      location (USA/non-USA).</para>
 
     <sect2>
       <title>Source Code Installations</title>
@@ -1635,7 +1629,9 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
       <para>People who are located outside the USA, and who obtain their
 	crypto sources from <hostid
 	role="fqdn">internat.FreeBSD.org</hostid> (the International
-	Crypto Repository), will build a version of OpenSSL which includes
+	Crypto Repository) or an international mirror site, will build a
+	version of OpenSSL which includes the &ldquo;native&rdquo; OpenSSL
+	implementation of
 	RSA, but does not include IDEA, because the latter is restricted
 	in certain locations elsewhere in the world.  In the future a more
 	flexible geographical identification system may allow building of
@@ -1651,7 +1647,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 
       <para>As noted above, RSA is patented in the USA, with terms
 	preventing general use without an appropriate license.  Therefore
-	the OpenSSL RSA code may not be used in the USA, and has been
+	the standard OpenSSL RSA code may not be used in the USA, and has been
 	removed from the version of OpenSSL carried on USA mirror sites.
 	The RSA patent is due to expire on September 20, 2000, at which
 	time it is intended to add the &ldquo;full&rdquo; RSA code back to
@@ -1666,13 +1662,20 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 	non-commercial).</para>
 
       <para>If you meet the conditions of the RSAREF license and wish to
-	build your OpenSSL sources with RSAREF support, you must first
+	use it in conjunction with OpenSSL to provide RSA support, you can
 	install the rsaref port, which is located in
-	<filename>/usr/ports/security/rsaref</filename>, before building
-	OpenSSL (e.g., by <command>make world</command>).  Please obtain
+	<filename>/usr/ports/security/rsaref</filename>, or the
+	<literal>rsaref-2.0</literal> package.  The OpenSSL library will
+	then automatically detect and use the RSAREF libraries.  Please	obtain
 	legal advice if you are unsure of your compliance with the license
 	terms.</para>
 
+      <para> The RSAREF implementation is inferior to the
+	&ldquo;native&rdquo OpenSSL implementation (it is much slower,
+	and cannot be used with keys larger than 1024 bits).  If you are not
+	located in the USA then you are doing yourself a disadvantage by
+	using RSAREF.</para>
+
       <para>Users who have purchased an appropriate RSA source code
 	license from RSA Security may use the International version of
 	OpenSSL described above to obtain native RSA support.</para>
@@ -1685,35 +1688,25 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
       <title>Binary Installations</title>
 
       <para>If your FreeBSD installation was a binary installation (e.g.,
-	installed from CDROM, or from a snapshot downloaded from
+	installed from the Walnut Creek CDROM, or from a snapshot
+	downloaded from
 	<hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to
-	install the <literal>crypto</literal> module, then you will have
-	the non-RSA capable USA version of the OpenSSL code (see above).
-	If you wish to install another version (USA RSAREF, or
-	International) you will need to obtain and install one of the
-	following packages:</para>
+	install the <literal>crypto</literal> collection, then the
+	<literal>sysinstall</literal> utility will automatically select
+	the correct version to install during the installation
+	process. If the international version was selected but could
+	not be installed during sysinstall (e.g. you have not
+	configured network access, and the version must be downloaded
+	from a FTP site) then you can add the international RSA library
+	after installation as a package.</para>
 
-      <itemizedlist>
-	<listitem>
-	  <para>The OpenSSL package with RSAREF support for USA
-	    users which you can get from <hostid
-	    role="fqdn">ftp.FreeBSD.org</hostid>.</para>
-
-	  <note>
-	    <para>Be sure to read the license before installing!  This is
-	      NOT licensed for general-purpose use!</para>
-	  </note>
-	</listitem>
-
-	<listitem>
-	  <para>The OpenSSL package for International (non-USA) users.
-	    This is not legal for general use in the USA, but
-	    international users should use this version because the RSA
-	    implementation is faster and more flexible.  It is available
-	    from <hostid
-	    role="fqdn">ftp.internat.FreeBSD.org</hostid>.</para>
-	</listitem>
-      </itemizedlist>
+      <para>The <literal>librsaintl</literal> package contains the RSA
+	code for International (non-USA) users.  This is not legal for
+	use in the USA, but international users should use this version
+	because the RSA implementation is faster and more flexible.  It
+	is available from <hostid
+	role="fqdn">ftp.internat.FreeBSD.org</hostid> and does not
+	require RSAREF.</para>
     </sect2>
   </sect1>
 </chapter>

en_US.ISO_8859-1/books/handbook/security/chapter.sgml

@@ -1,7 +1,7 @@
 <!--
      The FreeBSD Documentation Project
 
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.23 2000/02/04 12:38:20 nbm Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.24 2000/02/11 21:34:08 jim Exp $
 -->
 
 <chapter id="security">
@@ -1608,16 +1608,10 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
     <para>However, some of the algorithms (specifically, RSA and IDEA)
       included in OpenSSL are protected by patents in the USA and
       elsewhere, and are not available for unrestricted use (in
-      particular IDEA is currently not available in any of FreeBSD's
-      OpenSSL distributions).  In addition, export of cryptographic code
-      from the USA has (until recently) been heavily restricted.  As a
-      result, FreeBSD has available three different versions of OpenSSL
-      depending on geographical location (USA/non-USA) and compliance with
-      the RSAREF license (see below).</para>
-
-    <para>RSA is a useful algorithm which is required for a lot of
-      third-party software which uses OpenSSL (as well as for the SSLv2
-      protocol), so you should enable it if at all possible.</para>
+      particular, IDEA is not available at all in FreeBSD's version of
+      OpenSSL).  As a result, FreeBSD has available two different
+      versions of the OpenSSL RSA libraries depending on geographical
+      location (USA/non-USA).</para>
 
     <sect2>
       <title>Source Code Installations</title>
@@ -1635,7 +1629,9 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
       <para>People who are located outside the USA, and who obtain their
 	crypto sources from <hostid
 	role="fqdn">internat.FreeBSD.org</hostid> (the International
-	Crypto Repository), will build a version of OpenSSL which includes
+	Crypto Repository) or an international mirror site, will build a
+	version of OpenSSL which includes the &ldquo;native&rdquo; OpenSSL
+	implementation of
 	RSA, but does not include IDEA, because the latter is restricted
 	in certain locations elsewhere in the world.  In the future a more
 	flexible geographical identification system may allow building of
@@ -1651,7 +1647,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 
       <para>As noted above, RSA is patented in the USA, with terms
 	preventing general use without an appropriate license.  Therefore
-	the OpenSSL RSA code may not be used in the USA, and has been
+	the standard OpenSSL RSA code may not be used in the USA, and has been
 	removed from the version of OpenSSL carried on USA mirror sites.
 	The RSA patent is due to expire on September 20, 2000, at which
 	time it is intended to add the &ldquo;full&rdquo; RSA code back to
@@ -1666,13 +1662,20 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 	non-commercial).</para>
 
       <para>If you meet the conditions of the RSAREF license and wish to
-	build your OpenSSL sources with RSAREF support, you must first
+	use it in conjunction with OpenSSL to provide RSA support, you can
 	install the rsaref port, which is located in
-	<filename>/usr/ports/security/rsaref</filename>, before building
-	OpenSSL (e.g., by <command>make world</command>).  Please obtain
+	<filename>/usr/ports/security/rsaref</filename>, or the
+	<literal>rsaref-2.0</literal> package.  The OpenSSL library will
+	then automatically detect and use the RSAREF libraries.  Please	obtain
 	legal advice if you are unsure of your compliance with the license
 	terms.</para>
 
+      <para> The RSAREF implementation is inferior to the
+	&ldquo;native&rdquo OpenSSL implementation (it is much slower,
+	and cannot be used with keys larger than 1024 bits).  If you are not
+	located in the USA then you are doing yourself a disadvantage by
+	using RSAREF.</para>
+
       <para>Users who have purchased an appropriate RSA source code
 	license from RSA Security may use the International version of
 	OpenSSL described above to obtain native RSA support.</para>
@@ -1685,35 +1688,25 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
       <title>Binary Installations</title>
 
       <para>If your FreeBSD installation was a binary installation (e.g.,
-	installed from CDROM, or from a snapshot downloaded from
+	installed from the Walnut Creek CDROM, or from a snapshot
+	downloaded from
 	<hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to
-	install the <literal>crypto</literal> module, then you will have
-	the non-RSA capable USA version of the OpenSSL code (see above).
-	If you wish to install another version (USA RSAREF, or
-	International) you will need to obtain and install one of the
-	following packages:</para>
+	install the <literal>crypto</literal> collection, then the
+	<literal>sysinstall</literal> utility will automatically select
+	the correct version to install during the installation
+	process. If the international version was selected but could
+	not be installed during sysinstall (e.g. you have not
+	configured network access, and the version must be downloaded
+	from a FTP site) then you can add the international RSA library
+	after installation as a package.</para>
 
-      <itemizedlist>
-	<listitem>
-	  <para>The OpenSSL package with RSAREF support for USA
-	    users which you can get from <hostid
-	    role="fqdn">ftp.FreeBSD.org</hostid>.</para>
-
-	  <note>
-	    <para>Be sure to read the license before installing!  This is
-	      NOT licensed for general-purpose use!</para>
-	  </note>
-	</listitem>
-
-	<listitem>
-	  <para>The OpenSSL package for International (non-USA) users.
-	    This is not legal for general use in the USA, but
-	    international users should use this version because the RSA
-	    implementation is faster and more flexible.  It is available
-	    from <hostid
-	    role="fqdn">ftp.internat.FreeBSD.org</hostid>.</para>
-	</listitem>
-      </itemizedlist>
+      <para>The <literal>librsaintl</literal> package contains the RSA
+	code for International (non-USA) users.  This is not legal for
+	use in the USA, but international users should use this version
+	because the RSA implementation is faster and more flexible.  It
+	is available from <hostid
+	role="fqdn">ftp.internat.FreeBSD.org</hostid> and does not
+	require RSAREF.</para>
     </sect2>
   </sect1>
 </chapter>