Subject: Re: "racoon" installation
To: None <tech-security@netbsd.org>
From: Bernd Ernesti <netbsd@arresum.inka.de>
List: tech-security
Date: 03/03/2000 13:31:59
Message-Id: <200003031231.NAA09408@arresum.inka.de>
Date: Fri, 3 Mar 2000 13:31:59 +0100 (MET)
In-Reply-To: <1170.952077315@coconut.itojun.org> from "itojun@iijlab.net" at Mar 03, 2000 06:55:15 PM

On Fri Mar  3 10:55:15 2000, itojun@iijlab.net wrote:
> 
> 
> >> 	Hello.
> >> 	KAME racoon (IKE daemon) is trying to improve certificate support.
> >> 	Use of RSA is very popular for X.509 certificates.  Therefore, with
> >> 	plain installation of NetBSD-current with crypto-{us,intl}, racoon
> >> 	cannot support certificates.  It would be a bit pity situation.
> >That can be fixed when you use PATENTEDOPENSSLSRC in /etc/mk.conf.
> >If that's not enough, then we have to provide more support to fix the problem.
> 
> 	What process we would need to install files for PATENTEDOPENSSLSRC
> 	configuration?  Where can I find documentation on it?  I believe

crypto-intl/README

You need to unpack the full openssl source and point PATENTEDOPENSSLSRC to
that directory.

> 	it requires non-trivial process, like swapping
> 	crypto-{intl,us}/dist/openssl by plain openssl (correct?).

No, you don't need to change the crypto-{intl,us} source tree, but it includes
IDEA and RSA at the same time, where we need to add a check so it only includes
RSA and/or IDEA.

> 	It looks to be something not everyone can do without mistake.

Then we should improve the documentation.

Bernd