6.8. OpenSSL

As of FreeBSD 4.0, the OpenSSL toolkit is a part of the base system. OpenSSL provides a general-purpose cryptography library, as well as the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols.

However, some of the algorithms (specifically, RSA and IDEA) included in OpenSSL are protected by patents in the USA and elsewhere, and are not available for unrestricted use (in particular, IDEA is not available at all in FreeBSD's version of OpenSSL). As a result, FreeBSD has available two different versions of the OpenSSL RSA libraries depending on geographical location (USA/non-USA).

6.8.1. Source Code Installations

OpenSSL is part of the src-crypto and src-secure CVSup collections. See the Obtaining FreeBSD section for more information about obtaining and updating FreeBSD source code.

6.8.2. International (Non-USA) Users

People who are located outside the USA, and who obtain their crypto sources from internat.FreeBSD.org (the International Crypto Repository) or an international mirror site, will build a version of OpenSSL which includes the "native" OpenSSL implementation of RSA, but does not include IDEA, because the latter is restricted in certain locations elsewhere in the world. In the future a more flexible geographical identification system may allow building of IDEA in countries for which it is not restricted.

Please be aware of any local restrictions on the import, use and redistribution of cryptography which may exist in your country.

6.8.3. USA Users

As noted above, RSA is patented in the USA, with terms preventing general use without an appropriate license. Therefore the standard OpenSSL RSA code may not be used in the USA, and has been removed from the version of OpenSSL carried on USA mirror sites. The RSA patent is due to expire on September 20, 2000, at which time it is intended to add the "full" RSA code back to the USA version of OpenSSL.

However (and fortunately), the RSA patent holder (RSA Security) has provided an "RSA reference implementation" toolkit (RSAREF) which is available for certain classes of use, including non-commercial use (see the RSAREF license for their definition of non-commercial).

If you meet the conditions of the RSAREF license and wish to use it in conjunction with OpenSSL to provide RSA support, you can install the rsaref port, which is located in /usr/ports/security/rsaref, or the rsaref-2.0 package. The OpenSSL library will then automatically detect and use the RSAREF libraries. Please obtain legal advice if you are unsure of your compliance with the license terms.

The RSAREF implementation is inferior to the "native" OpenSSL implementation (it is much slower, and cannot be used with keys larger than 1024 bits). If you are not located in the USA, then you are putting yourself at a disadvantage by using RSAREF.

Users who have purchased an appropriate RSA source code license from RSA Security may use the International version of OpenSSL described above to obtain native RSA support.

IDEA code is also removed from the USA version of OpenSSL for patent reasons.

6.8.4. Binary Installations

If your FreeBSD installation was a binary installation (e.g., installed from the Walnut Creek CDROM, or from a snapshot downloaded from ftp.FreeBSD.org) and you chose to install the crypto collection, then the sysinstall utility will automatically select the correct version to install during the installation process. If the international version was selected but could not be installed during sysinstall (e.g., you have not configured network access, and the version must be downloaded from an FTP site), then you can add the international RSA library after installation as a package.

The librsaintl package contains the RSA code for International (non-USA) users. This is not legal for use in the USA, but international users should use this version because the RSA implementation is faster and more flexible. It is available from ftp.internat.FreeBSD.org and does not require RSAREF.