Subject: Re: "racoon" installation
To: None <tech-security@netbsd.org>
From: Bernd Ernesti <netbsd@arresum.inka.de>
List: tech-security
Date: 03/03/2000 13:31:59
Message-Id: <200003031231.NAA09408@arresum.inka.de>
Date: Fri, 3 Mar 2000 13:31:59 +0100 (MET)
In-Reply-To: <1170.952077315@coconut.itojun.org> from "itojun@iijlab.net" at Mar 03, 2000 06:55:15 PM
On Fri Mar 3 10:55:15 2000, itojun@iijlab.net wrote:
>
>
> >> Hello.
> >> KAME racoon (IKE daemon) is trying to improve certificate support.
> >> Use of RSA is very popular for X.509 certificates. Therefore, with
> >> plain installation of NetBSD-current with crypto-{us,intl}, racoon
> >> cannot support certificates. It would be a bit pity situation.
> >That can be fixed when you use PATENTEDOPENSSLSRC in /etc/mk.conf.
> >If that's not enough, then we have to provide more support to fix the problem.
>
> What process we would need to install files for PATENTEDOPENSSLSRC
> configuration? Where can I find documentation on it? I believe

crypto-intl/README

You need to unpack the full openssl source and point PATENTEDOPENSSLSRC to
that directory.

> it requires non-trivial process, like swapping
> crypto-{intl,us}/dist/openssl by plain openssl (correct?).

No, you don't need to change the crypto-{intl,us} source tree, but it includes
IDEA and RSA at the same time, where we need to add a check so it only includes
RSA and/or IDEA.

> It looks to be something not everyone can do without mistake.
Then we should improve the documentation.
Bernd