NAME
openssl.cnf - OpenSSL configuration file
DESCRIPTION
The file openssl.cnf contains configuration information used by three openssl (sub-)commands: ca, req and x509. The file provides default values that are used when corresponding options are omitted from the three commands; it also provides default prompts and other values that affect the way the commands interact with the user.
openssl.cnf is divided into sections that begin with bracketed identifiers. Examples include [ ca ] and [ req ], which affect the behavior of openssl's ca and req commands. The first bracketed identifier in the file can be preceded by directives that affect the entire configuration file.
Within each section, directives consist of attributes (on the left-hand side), an equals sign (``=''), and value(s) for the attribute (on the right-hand side).
CA CONFIGURATION DIRECTIVES
The directives below are used by the openssl ca (Certificate Authority) command. Many of them correspond to ca command options. In some cases, omitting the options when invoking the ca command will cause ca to use the values in the openssl.cnf file. In other cases, ca command options (-name [section], -clrexts [section], -extensions [section]) explicitly refer to sections of the openssl.cnf file that might otherwise be ignored.
[ ca ] Section
default_ca
-
On startup, the default behavior of openssl's ca command is to check the [ ca ] section for the value of the default_ca attribute, which references another section of the openssl.cnf file.
Thus, the following directive (in the sample openssl.cnf file shipped with OpenSSL)
default_ca = CA_default
tells the ca command to look for a section named [ CA_default ], which has the actual attributes used by the ca command.
You can override the value of the default_ca attribute by using the ca command's -name [section] option.
[ CA_default ] Section
In the default openssl.cnf file, directives for the ca command are in this section. You can change the name of this section by changing the value of the default_ca attribute in the [ ca ] section of the configuration file.
If you regularly need different sets of configuration options when issuing the ca command, you can create other sections whose contents parallel the contents of CA_default (but with different values specified). Then, when you issue the openssl ca command, specify a different section with the -name [section] option to the ca command.
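The section/attribute layout, the $dir expansion used throughout [ CA_default ], and the default_ca lookup that ca performs on startup (which -name overrides) can be seen in the following parser. It is an added example, not OpenSSL's own configuration code, and the configuration text it reads is constructed; it also handles the ${section::name} cross-section form, which the text above does not mention.

```python
"""Parser for the openssl.cnf layout described above: an unnamed default
section before the first [ section ] header, `name = value` lines, `#`
comments, `$name` / `${name}` expansion (looked up in the current
section, then the default section) plus `${section::name}` for another
section, and the `default_ca` lookup that `openssl ca` performs on
startup, which -name overrides.  Added example, not OpenSSL's own
configuration parser; the config text below is constructed."""
import re

# Constructed sample that mirrors the [ ca ] / [ CA_default ] directives.
SAMPLE_CNF = """
HOME = .                         # belongs to the unnamed default section

[ ca ]
default_ca = CA_default          # section the ca command uses by default

[ CA_default ]
dir            = ./demoCA
certs          = $dir/certs
crl_dir        = $dir/crl
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
certificate    = $dir/cacert.pem
serial         = $dir/serial
private_key    = $dir/private/cakey.pem
default_days   = 365
default_md     = sha256
policy         = policy_match

[ CA_test ]
dir            = ./testCA
database       = $dir/index.txt
certificate    = ${CA_default::certificate}   # reuse the production CA cert
default_days   = 7
"""

_SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
_VAR = re.compile(r"\$(?:\{([^}]+)\}|([A-Za-z_][A-Za-z0-9_]*))")


def _expand(value, sections, current):
    """Replace $name / ${name} / ${sect::name} using values already parsed."""
    def lookup(m):
        ref = m.group(1) or m.group(2)
        if "::" in ref:
            sect, key = ref.split("::", 1)
            scope = [sections.get(sect, {})]
        else:
            key = ref
            scope = [sections[current], sections["default"]]
        for table in scope:
            if key in table:
                return table[key]
        raise KeyError(f"undefined variable ${ref} in section [ {current} ]")
    return _VAR.sub(lookup, value)


def parse_cnf(text):
    """Return {section_name: {attribute: expanded_value}}."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumes no '#' inside values
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            raise ValueError(f"not an attribute = value line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key] = _expand(value, sections, current)
    return sections


def ca_section(sections, name=None):
    """The section `openssl ca` reads: -name <section> if given, else [ ca ] default_ca."""
    if name is None:
        name = sections.get("ca", {}).get("default_ca")
        if name is None:
            raise KeyError("no -name given and [ ca ] has no default_ca")
    if name not in sections:
        raise KeyError(f"section [ {name} ] does not exist")
    return sections[name]


if __name__ == "__main__":
    cfg = parse_cnf(SAMPLE_CNF)
    for key, value in ca_section(cfg).items():
        print(f"{key:15} = {value}")
```

Running it prints the fully expanded [ CA_default ] section; ca_section(cfg, "CA_test") is the equivalent of invoking ca with -name CA_test.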
oid_file
-
The name of a file that contains object identifier definitions. The format of this file is one definition per line, each line consisting of three columns. The first column is the numerical representation of the OID. The second column is the OID's short name, which should be a single word composed of only upper- and lowercase letters. The third column is the OID's long name, which may be composed of multiple words and characters other than letters. (Source: Viega2002, p. 313)
oid_section
-
The name of a section (of this configuration file) that contains object identifier definitions. Key names in the section should be the OID's short name, and the corresponding value should be the OID's numerical representation. Long names are the same as the short names for OIDs that are defined in this manner. (Source: Viega2002, p. 313)
dir
-
The default directory that ca reads from and writes to (unless told to do otherwise).
The sample openssl.cnf file has the line:
dir = ./demoCA
indicating that the demoCA directory (beneath whatever is the current working directory) contains files to be read. It is also the default directory to which new certs and keys are written.
You might want to change the value to something like ./ (the current directory).
certs
-
The directory where issued certs are kept.
The sample openssl.cnf file has the line:
certs = $dir/certs
crl_dir
-
The directory where issued certificate revocation lists are kept.
The sample openssl.cnf file has the line:
crl_dir = $dir/crl
database
-
A ``database index file''--an ASCII file with a line for every certificate issued. The third field of each entry is an index to the certs themselves, which are stored in the new_certs_dir (see below).
The sample openssl.cnf file has the line:
database = $dir/index.txt
new_certs_dir
-
A directory where a copy of each issued certificate is stored, with a name of the form nn.pem (nn = 00, 01, ... nn). The file names of the certs are indexed by the database index file (above).
You can view individual certs in the new_certs_dir by issuing a command something like:
# openssl x509 -noout -text -in <cert_file>
where: cert_file is one of the files nn.pem
The sample openssl.cnf file has the line:
new_certs_dir = $dir/newcerts
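The database index file and the per-serial copies in new_certs_dir are what a defender inspects to see what a CA has actually issued. The reader below is an added example, not OpenSSL code; the six tab-separated columns it parses are the layout openssl ca writes (status, expiry, revocation time with optional reason, hex serial, file name, subject DN), and the index lines are constructed.

```python
"""Reader for the `database` index file that `openssl ca` maintains, plus
the mapping to the copy kept in new_certs_dir.  Added example, not
OpenSSL code.  The column layout is the one `openssl ca` writes, six
TAB-separated fields: status (V valid, R revoked, E expired), expiry time,
revocation time (empty unless revoked, optionally followed by ",reason"),
serial number in hex, certificate file name (OpenSSL writes "unknown"),
and the subject DN.  The index lines below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed index.txt content (four issued certificates).
SAMPLE_INDEX = (
    "V\t260101120000Z\t\t01\tunknown\t/C=GB/O=Example Ltd/CN=www.example.test\n"
    "R\t260301120000Z\t240115093000Z,keyCompromise\t02\tunknown\t"
    "/C=GB/O=Example Ltd/CN=mail.example.test\n"
    "E\t230101120000Z\t\t03\tunknown\t/C=GB/O=Example Ltd/CN=old.example.test\n"
    "V\t240601000000Z\t\t04\tunknown\t/C=GB/O=Example Ltd/CN=stale.example.test\n"
)


@dataclass
class Entry:
    status: str
    expires: datetime
    revoked: Optional[datetime]
    reason: Optional[str]
    serial: str
    filename: str
    subject: str


def parse_time(stamp):
    """Index times are ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYY...)."""
    fmt = "%y%m%d%H%M%SZ" if len(stamp) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(stamp, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Parse index.txt into Entry records; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        cols = raw.split("\t")
        if len(cols) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(cols)}")
        status, expiry, rev, serial, filename, subject = cols
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked = reason = None
        if rev:
            stamp, _, reason = rev.partition(",")
            revoked = parse_time(stamp)
            reason = reason or None
        entries.append(Entry(status, parse_time(expiry), revoked, reason,
                             serial, filename, subject))
    return entries


def newcert_path(entry, new_certs_dir="./demoCA/newcerts"):
    """Where `openssl ca` keeps its copy: <serial>.pem inside new_certs_dir."""
    return f"{new_certs_dir}/{entry.serial}.pem"


def audit(entries, now):
    """Group serials: valid, revoked, and 'stale' (still marked V but past
    expiry, i.e. the index has not been refreshed with `openssl ca -updatedb`)."""
    report = {"valid": [], "revoked": [], "stale": []}
    for e in entries:
        if e.status == "R":
            report["revoked"].append(e.serial)
        elif e.status == "V" and e.expires <= now:
            report["stale"].append(e.serial)
        elif e.status == "V":
            report["valid"].append(e.serial)
    return report


if __name__ == "__main__":
    db = parse_index(SAMPLE_INDEX)
    print(audit(db, datetime.now(timezone.utc)))
```

The "stale" bucket is worth watching on a real CA: a certificate past its notAfter stays marked V until the index is refreshed, so a report built only from the status column overstates what is still valid.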
certificate
-
The name of the file that contains the certificate authority's certificate (the ``CA cert'') to be used in signing (or revoking, etc.) a cert.
The sample openssl.cnf file has the line:
certificate = $dir/cacert.pem
You can override the value of the certificate attribute by using the ca command's -cert <filename> option.
serial
-
The serial number to use for the next certificate issued. (The serial number appears in the cert's entry in the database index file (see ``database'' above) and in the cert's file name in the new_certs_dir (see above).)
The sample openssl.cnf file has the line:
serial = $dir/serial
serialfile
-
The name of a file that will be used to keep track of the next serial number that will be assigned to a certificate when it is issued. This setting is mandatory and has no corresponding command-line option. (Source: Viega2002, p. 314) [Note: This option is apparently a synonym for the serial configuration option.]
crl
-
The file name of the current certificate revocation list.
The sample openssl.cnf file has the line:
crl = $dir/crl.pem
private_key
-
The private key of the certificate authority that corresponds to the CA certificate referenced by the ``certificate'' attribute (see above).
The sample openssl.cnf file has the line:
private_key = $dir/private/cakey.pem
RANDFILE
-
A private random number file.
The sample openssl.cnf file has the line:
RANDFILE = $dir/private/.rand
x509_extensions
-
The name of a section (in the configuration file) that contains directives for the ca command when it signs a cert.
The sample openssl.cnf file has the line:
x509_extensions = usr_cert
See the section [ usr_cert ] below.
You can override this value by using the ca command's -extensions [section] option.
crl_extensions
-
The name of a section (in the configuration file) that contains directives for the ca command when it revokes certificates.
The sample openssl.cnf file has the line (commented out):
crl_extensions = crl_ext
The sample notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
default_days
-
The default number of days a signed cert will be valid.
The sample openssl.cnf file has the line:
default_days = 365
You can override this value with one of the following options to the ca command:
-enddate <YYMMDDHHMMSSZ>
-days <num_days>
default_startdate
-
The default starting date for which issued certificates will be valid. This is the same as the startdate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_enddate
-
The default ending date for which issued certificates will be valid. This is the same as the enddate command-line option. (Source: Viega2002, p. 313)
The format of the date is YYMMDDHHMMSSZ, where ``Z'' is the capital letter Z.
default_crl_days
-
The default number of days before the next certificate revocation list.
The sample openssl.cnf file has the line:
default_crl_days= 30
default_crl_hours
-
The default number of hours until a new certificate revocation list is generated. This is the same as the crlhours command-line option. (Source: Viega2002, p. 313)
default_md
-
The message digest algorithm to use. Possible values include md5, sha1 and mdc2. (md5 and sha1 are no longer acceptable signature digests for certificates; current OpenSSL releases default to sha256.)
The sample openssl.cnf file has the line:
default_md = md5
You can override this value by using the ca command's -md <algorithm> option.
preserve
-
Indicates whether to preserve the order of the Distinguished Name (DN) fields to match the order passed in.
The sample openssl.cnf file has the line:
preserve = no
You can override this value by using the ca command's -preserveDN option.
msie_hack
-
If set to yes, certificates that are issued will work with very old versions of the Internet Explorer certificate enrollment control ``certenr3''. Avoid using this option unless you know that you absolutely need it. (Source: Viega2002, p. 314)
policy
-
The name of another section in the openssl.cnf file that defines which fields are mandatory or which must match the CA certificate.
The sample openssl.cnf file has the line:
policy = policy_match
You can override this value by using the ca command's -policy [section] option.
See [ policy_match ] and [ policy_anything ] below for examples of two policy sections that appear in the sample openssl.cnf file. (You may choose other names for your policy sections, and reference those names with the ca command's -policy [section] option or as the value of the policy attribute in the openssl.cnf file.)
[ policy_match ] and [ policy_anything ] Sections
The [ policy_match ] and [ policy_anything ] sections appear in the sample openssl.cnf file.
policy_match (in the sample) indicates OIDs (attributes) that must be the same (``match''), are optional, or as supplied:
match
-
The OID must be present in the certificate request and must match the same OID in the CA's distinguished name.
supplied
-
Must be present in the certificate request.
optional
-
May or may not be present in the certificate request.
A comment at the beginning of the [ policy_anything ] section indicates that for the [ policy_anything ] section, you must list all acceptable ``object'' types (i.e., countryName, stateOrProvinceName, localityName, organizationName, organizationalUnitName, commonName, emailAddress?)--even those that are optional. (Note that in the [ policy_match ] section, that restriction apparently doesn't apply, since the localityName attribute does not appear in the [ policy_match ] section ...)
countryName
-
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
stateOrProvinceName
-
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
localityName
-
This attribute does not appear in the [ policy_match ] section of the sample openssl.cnf file.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationName
-
In the [ policy_match ] section, the sample openssl.cnf file has a value of ``match'' for this attribute.
In the [ policy_anything ] section, the sample openssl.cnf file has a value of ``optional'' for this attribute.
organizationalUnitName
-
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
commonName
-
This attribute has a ``supplied'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
emailAddress
-
This attribute has an ``optional'' value in both the policy_match and [ policy_anything ] sections of the sample openssl.cnf file.
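The effect of match, supplied and optional, and the reason every acceptable attribute must be listed in [ policy_anything ], can be made concrete with the following check. It is an added example rather than OpenSSL's implementation: the two policy tables are the sample file's, and the CA and request DNs are constructed.

```python
"""What a policy section does when `openssl ca` signs a request, as an
added example (not OpenSSL's implementation).  For every attribute listed
in the policy: `match` requires the request value to equal the CA
certificate's, `supplied` requires it to be present, `optional` copies it
if present.  Attributes the policy does not list are dropped from the
issued subject, which is why policy_anything must list every type it is
willing to accept.  Policies are those of the sample openssl.cnf; the
DNs are constructed."""

POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

POLICY_ANYTHING = {
    "countryName": "optional",
    "stateOrProvinceName": "optional",
    "localityName": "optional",
    "organizationName": "optional",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}

# Constructed subject of the CA certificate referenced by `certificate`.
CA_DN = {
    "countryName": "GB",
    "stateOrProvinceName": "Some-State",
    "organizationName": "Example Ltd",
    "commonName": "Example Root CA",
}


class PolicyError(Exception):
    """Raised when the request cannot be signed under the given policy."""


def apply_policy(policy, request_dn, ca_dn):
    """Return (issued_subject, dropped_attributes) or raise PolicyError."""
    issued = {}
    dropped = [attr for attr in request_dn if attr not in policy]
    for attr, rule in policy.items():
        value = request_dn.get(attr)
        if rule == "optional":
            if value is not None:
                issued[attr] = value
        elif rule == "supplied":
            if value is None:
                raise PolicyError(f"{attr} must be supplied and is missing")
            issued[attr] = value
        elif rule == "match":
            if value is None:
                raise PolicyError(f"{attr} must match the CA and is missing")
            if value != ca_dn.get(attr):
                raise PolicyError(
                    f"{attr} differs between CA ({ca_dn.get(attr)!r}) "
                    f"and request ({value!r})")
            issued[attr] = value
        else:
            raise PolicyError(f"unknown policy value {rule!r} for {attr}")
    return issued, dropped


if __name__ == "__main__":
    req = {"countryName": "GB", "stateOrProvinceName": "Some-State",
           "localityName": "London", "organizationName": "Example Ltd",
           "commonName": "www.example.test"}
    print(apply_policy(POLICY_MATCH, req, CA_DN))
    print(apply_policy(POLICY_ANYTHING, req, CA_DN))
```

With POLICY_MATCH the request's localityName silently disappears from the issued certificate because the section does not list it; with POLICY_ANYTHING it is kept, and a request whose organizationName differs from the CA's is refused under POLICY_MATCH but accepted under POLICY_ANYTHING.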
REQ CONFIGURATION DIRECTIVES
The directives below are used by the openssl req command, which creates and processes certificate requests in PKCS#10 (Public Key Cryptography Standard No. 10) format, creates self signed certificates for use as root CA certs, etc.
[ req ]
On startup, the openssl req command reads the [ req ] section of openssl.cnf for default values that are not specified as arguments or options to the req command.
default_bits
-
The default key size in bits. This value is used when req is invoked with the -new option (for a new certificate request).
Default value: 512
The sample openssl.cnf file has the line:
default_bits = 1024
You can override this value by using the req command's -newkey option.
default_keyfile
-
The name of the file to which a newly generated private key will be written.
The sample openssl.cnf file has the line:
default_keyfile = privkey.pem
You can override this value by using the req command's -keyout <filename> option.
distinguished_name
-
The name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
distinguished_name = req_distinguished_name
See the [ req_distinguished_name ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
attributes
-
Like the distinguished_name attribute, attributes is the name of another section in the openssl.cnf file that defines the prompts used when asking the user for information needed to generate a cert. The referenced section also gives default values (if none are entered) and constraints on allowed values.
The sample openssl.cnf file has the line:
attributes = req_attributes
See the [ req_attributes ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
x509_extensions
-
The name of another section in the openssl.cnf file that contains a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
The sample openssl.cnf file has the line:
x509_extensions = v3_ca
See the [ v3_ca ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -extensions [section] option to specify the name of some other section of the file that lists extensions to add.
input_password
output_password
-
Passwords for private keys can be specified as values for the input_password and output_password attributes. If these lines are not present in openssl.cnf, the user will be prompted for the password.
The sample openssl.cnf file has the lines (commented out):
# input_password = secret
# output_password = secret
(If you decide to uncomment the above, be sure to change the password from ``secret''!)
If the above lines are not present in openssl.cnf, the user will be prompted for a password unless the req command is invoked with the -passin <filename> and/or -passout <filename> options.
string_mask
-
A mask for permitted string types.
Possible values:
default    PrintableString, T61String, BMPString
pkix       PrintableString, BMPString
utf8only   only UTF8Strings
nombstr    PrintableString, T61String (no BMPStrings or UTF8Strings)
MASK:XXXX  a literal mask value
The sample openssl.cnf file has the line:
string_mask = nombstr
WARNING: Current versions of Netscape crash on BMPStrings or UTF8Strings so use this option with caution!
req_extensions
-
The name of another section in the openssl.cnf file that contains a list of extensions to add to a certificate request.
The sample openssl.cnf file has the line (commented out):
# req_extensions = v3_req
See the [ v3_req ] section (below) for a description of the attributes and values that appear in the sample openssl.cnf file.
You can override this value by using the req command's -reqexts [section] option to specify the name of some other section of the file that lists extensions to add.
[ req_distinguished_name ] Section
This section defines the prompts when asking the user for information needed to generate a cert. It also gives default values (if the user doesn't enter any) and constraints on allowed values.
Note: If a set of related attributes includes one with a ``_default'' suffix, then if the user enters no value for the attribute, the default value will be used. To specify that no value is desired, enter ``.''
countryName
-
The text to display when prompting the user for the country name (C=) component of the distinguished name. In the sample openssl.cnf file, countryName has the value ``Country Name (2 letter code)''
countryName_default
-
The default country name. In the sample openssl.cnf file, countryName_default has the value ``AU''
countryName_min
-
The minimum allowable country name length. In the sample openssl.cnf file, countryName_min has the value 2.
countryName_max
-
The maximum allowable country name length. In the sample openssl.cnf file, countryName_max has the value 2.
The country name should be ISO 3166 two-letter country code.
Note: For the country name, be sure to specify the ISO 3166 country code. In cases where the ISO country code is different from the Internet country domain name, use the ISO 3166 code. (Example: The United Kingdom (Internet country domain: uk; ISO 3166 country code: GB. Use GB.)
stateOrProvinceName
-
The text to display when prompting the user for the state or province name (ST=) component of the distinguished name. In the sample openssl.cnf file, stateOrProvinceName has the value ``State or Province Name (full name)''
stateOrProvinceName_default
-
The default state or province name. In the sample openssl.cnf file, stateOrProvinceName_default has the value ``Some-State''
localityName
-
The text to display when prompting the user for the locality name (L=) component of the distinguished name. In the sample openssl.cnf file, localityName has the value ``Locality Name (eg, city)''
0.organizationName
-
The text to display when prompting the user for the organization name (O=) component of the distinguished name. In the sample openssl.cnf file, 0.organizationName has the value ``Organization Name (eg, company)''
0.organizationName_default
-
The default organization name. In the sample openssl.cnf file, 0.organizationName_default has the value ``Internet Widgits Pty Ltd''
1.organizationName
-
The text to display when prompting the user for an additional organization name (O=) component of the distinguished name. In the sample openssl.cnf file, the commented out line for 1.organizationName has the value ``Second Organization Name (eg, company)''
1.organizationName_default
-
The default second organization name. In the sample openssl.cnf file, 1.organizationName_default is commented out and has the value ``World Wide Web Pty Ltd''
organizationalUnitName
-
The text to display when prompting the user for the optional (in the sample openssl.cnf, at least) organizational unit name (OU=) component of the distinguished name. In the sample openssl.cnf file, organizationalUnitName has the value ``Organizational Unit Name (eg, section)''
organizationalUnitName_default
-
The default organizational unit name. In the sample openssl.cnf file, organizationalUnitName_default is commented out and has no value.
commonName
-
The text to display when prompting the user for the common name (CN=) component of the distinguished name. In the sample openssl.cnf file, commonName has the value ``Common Name (eg, YOUR name)''
Note: Even though the prompt indicates ``YOUR name'' as a possibility, it *might* be more appropriate for it to read something like ``Common Name (e.g., fully qualified domain name of the server to be secured)'' since, the common name generally corresponds to the server's name when generating certificates.
commonName_max
-
The maximum allowable common name length. In the sample openssl.cnf file, commonName_max has the value 64.
emailAddress
-
The text to display when prompting the user for the email address of the distinguished name. In the sample openssl.cnf file, emailAddress has the value ``Email Address''
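How the prompts, _default values, the ``.'' answer and the _min/_max constraints combine into the final subject is shown by the following simulation of the req prompting loop. It is an added example, not OpenSSL code: the section values are the ones quoted above from the sample file, the typed answers are constructed, and the numbered 0.organizationName form is handled as well.

```python
"""How `openssl req` turns a distinguished_name section into a subject, as
an added example (not OpenSSL code).  For each prompt attribute, in
section order: an empty answer takes `<attr>_default` if present and
otherwise leaves the attribute out, "." leaves it out explicitly, and
`<attr>_min` / `<attr>_max` bound the length in bytes.  A `N.` prefix (as
in 0.organizationName) only makes repeated attribute names unique and is
stripped.  Section values are those quoted from the sample file; the
answers are constructed."""

REQ_DN_SECTION = {
    "countryName": "Country Name (2 letter code)",
    "countryName_default": "AU",
    "countryName_min": "2",
    "countryName_max": "2",
    "stateOrProvinceName": "State or Province Name (full name)",
    "stateOrProvinceName_default": "Some-State",
    "localityName": "Locality Name (eg, city)",
    "0.organizationName": "Organization Name (eg, company)",
    "0.organizationName_default": "Internet Widgits Pty Ltd",
    "organizationalUnitName": "Organizational Unit Name (eg, section)",
    "commonName": "Common Name (eg, YOUR name)",
    "commonName_max": "64",
    "emailAddress": "Email Address",
}

# Long attribute name -> short form used in the /C=../CN=.. rendering.
SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
         "organizationName": "O", "organizationalUnitName": "OU",
         "commonName": "CN", "emailAddress": "emailAddress"}

_CONTROL_SUFFIXES = ("_default", "_min", "_max", "_value")


def prompts(section):
    """Keys that are prompts (everything without a control suffix), in order."""
    return [k for k in section if not k.endswith(_CONTROL_SUFFIXES)]


def build_subject(section, answers):
    """Return [(attribute, value), ...]; raises ValueError on a length violation.
    `answers` maps each prompt key to what the user typed ("" for just Enter)."""
    subject = []
    for key in prompts(section):
        # "0.organizationName" -> "organizationName"
        attr = key.split(".", 1)[1] if key[0].isdigit() and "." in key else key
        answer = answers.get(key, "")
        if answer == ".":            # explicit request to leave the field out
            continue
        if answer == "":
            answer = section.get(key + "_default", "")
            if answer == "":         # no default either: attribute omitted
                continue
        length = len(answer.encode())
        lo = int(section.get(key + "_min", 0))
        hi = int(section.get(key + "_max", 10**9))
        if not lo <= length <= hi:
            raise ValueError(f"{attr}: length {length} outside [{lo}, {hi}]")
        subject.append((attr, answer))
    return subject


def one_line(subject):
    """Render as the /C=../ST=../CN=.. form shown by `openssl x509 -subject`."""
    return "".join(f"/{SHORT.get(a, a)}={v}" for a, v in subject)


if __name__ == "__main__":
    typed = {"countryName": "", "stateOrProvinceName": "Texas",
             "localityName": ".", "0.organizationName": "",
             "organizationalUnitName": "", "commonName": "www.example.test",
             "emailAddress": "."}
    for key in prompts(REQ_DN_SECTION):
        print(f"{REQ_DN_SECTION[key]} [{REQ_DN_SECTION.get(key + '_default', '')}]: {typed.get(key, '')}")
    print(one_line(build_subject(REQ_DN_SECTION, typed)))
```

Pressing Enter at the country prompt yields the AU default, ``.'' drops localityName and emailAddress entirely, and an organizational unit with neither an answer nor a default is simply omitted; a three-letter country such as GBR is rejected by countryName_max before anything is signed.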
[ req_attributes ] Section
This section defines the prompts when asking the user for certain information (in addition to the [ req_distinguished_name ] section above) needed to generate a cert. It also gives constraints on the allowed values.
challengePassword
-
The text to display when prompting the user for a challenge password. In the sample openssl.cnf file, challengePassword has the value ``A challenge password''
challengePassword_min
-
The minimum length of the challenge password. In the sample openssl.cnf file, challengePassword_min has a value of 4.
challengePassword_max
-
The maximum length of the challenge password. In the sample openssl.cnf file, challengePassword_max has a value of 20.
unstructuredName
-
The text to display when prompting the user for an unstructured name. In the sample openssl.cnf file, unstructuredName has the value ``An optional company name''
X.509 EXTENSION DIRECTIVES
The directives below are used when requesting or signing certs. Many of the attributes can appear in any of the sections [ usr_cert ], [ v3_req ] and [ v3_ca ], with different values on the right-hand side, depending on whether the operation is signing of certs ([ usr_cert ]), adding a certificate request ([ v3_req ]) or creating a CA cert ([ v3_ca ] )
[ usr_cert ] Section
This section is referenced by the x509_extensions attribute in the [ CA_default ] section (above) of the sample openssl.cnf file. It contains directives used by the ca command when it signs a request (cert).
In the sample openssl.cnf file, most of the directives in this section are commented out (because they are deprecated?). Only four directives actually appear uncommented: basicConstraints, nsComment, subjectKeyIdentifier and authorityKeyIdentifier.
basicConstraints
-
Is this certificate valid as a certificate authority cert? (Can this certificate be used to sign or revoke other certificates?)
Possible values are CA:FALSE and CA:TRUE.
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
indicating that the certificate's purposes do not include signing/revoking other certificates.
subjectKeyIdentifier
-
Specifies how to identify the public key being certified (so that distinct keys used by the same subject can be differentiated--as key updating occurs, for example).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
authorityKeyIdentifier
-
Specifies how to identify the public key used to verify the signature on this certificate or certificate revocation list (CRL). Enables distinct keys used by the same CA to be distinguished (e.g. as keypair updating occurs).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid,issuer:always
The IETF Public Key Infrastructure (PKIX) working group recommends the above default.
nsComment
-
A comment to be displayed in Netscape's comment listbox for the certificate signer. Provide a suitable description for the certificate.
The sample openssl.cnf file has the line:
nsComment = "OpenSSL Generated Certificate"
The following (mostly Netscape-specific) attributes are all commented out in the sample openssl.cnf file:
nsCertType
-
The nsCertType attribute can specify the cert's capabilities (purposes).
If nsCertType is omitted, the certificate can be used for anything except for object signing (CA use).
If nsCertType is included, one or more of the following (separated by commas) can appear as the value of this attribute: client, server, email, objsign, reserved, sslCA, emailCA, objCA.
Examples (commented out in sample openssl.cnf):
nsCertType = server                  (for an SSL server)
nsCertType = objsign                 (for an object signing certificate)
nsCertType = client, email           (for ``normal'' client use)
nsCertType = client, email, objsign  (for ``everything including object signing'')
subjectAltName
-
Relates to the alternate name for the certificate holder.
The format in the sample openssl.cnf:
subjectAltName=email:copy
causes OpenSSL to import the e-mail address.
issuerAltName
-
Relates to the alternate name for the certificate or CRL issuer (CA).
The format in the sample openssl.cnf:
issuerAltName=issuer:copy
causes OpenSSL to copy subject details.
nsCaRevocationUrl
-
The revocation URL for the Root CA Certificate. The sample openssl.cnf file includes the following (commented out):
nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
nsBaseUrl
-
Can give the general base URL.
nsRevocationUrl
-
The revocation URL for other (non-Root CA) certificates. The URL is of the form ../foo.cgi?aaaa, where ``aaaa'' is the ASCII-encoded serial number of the cert.
nsRenewalUrl
-
A URL to visit to renew SSL/TLS certificates.
nsCaPolicyUrl
-
Gives the URL of the CA's policy.
nsSslServerName
-
The name of the Netscape SSL Server. Be careful with this attribute--it can crash certain versions of Netscape.
keyUsage
-
Possible values: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
[ v3_req ] Section
This section is referenced by the req section's req_extensions attribute (commented out in the sample openssl.cnf file; see the [ req ] section above).
If not commented out--or if referenced by the -extensions [section] option of the req command--it contains directives used by the req command when it requests certs.
In the sample openssl.cnf file, the [ v3_req ] section has only two directives: basicConstraints and keyUsage.
basicConstraints
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints= CA:FALSE
keyUsage
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ] Section
This section of extensions for a typical CA is referenced by the [ req ] section's x509_extensions attribute. It is a list of extensions to add to certificates generated when the req command is invoked with the -x509 option.
subjectKeyIdentifier
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
subjectKeyIdentifier=hash
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
authorityKeyIdentifier
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always
as recommended by the IETF Public Key Infrastructure (PKIX) working group.
basicConstraints
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
basicConstraints = CA:true
as well as a commented out:
basicConstraints = critical,CA:true
Although the PKIX recommends the commented out version, ``some broken software chokes on critical extensions,'' so the sample openssl.cnf omits ``critical.'' However, it *does* indicate that the purposes of this certificate should include Certificate Authority.
The sample openssl.cnf file also includes a commented out:
basicConstraints= critical, DER:30:03:01:01:FF
illustrating how to override a supported extension with a Distinguished Encoding Rules (DER) encoding of an extension.
keyUsage
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
keyUsage = cRLSign, keyCertSign
(The sample openssl.cnf omits the above even though it is typical for a CA certificate, ``since it will prevent it being used as an test self-signed certificate.'')
nsCertType
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line (commented out):
nsCertType = sslCA, emailCA
subjectAltName
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
subjectAltName=email:copy
even though it is a PKIX recommendation.
issuerAltName
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
even though it is a PKIX recommendation.
obj
-
Introduces an extension encoded in hex with DER.
The sample openssl.cnf file has the line (commented out):
obj=DER:02:03
where ``obj'' is a standard or added object. (``Beware experts only!'')
[ crl_ext ] Section
This section contains extensions associated with certificate revocation lists (CRLs). ``Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.''
The [ crl_ext ] section is referenced by the CA_default section's crl_extensions attribute (commented out in the sample openssl.cnf file; see the [ CA_default ] section above).
If not commented out--or if referenced by the -crlexts [section] option of the ca command--it contains directives used by the ca command when it revokes certs.
The sample openssl.cnf notes: ``Netscape communicator chokes on V2 CRLs so this is commented out by default to leave a V1 CRL.''
issuerAltName
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line commented out:
issuerAltName=issuer:copy
authorityKeyIdentifier
-
See the description in the [ usr_cert ] section (above).
The sample openssl.cnf file has the line:
authorityKeyIdentifier=keyid:always,issuer:always
SEE ALSO
openssl(1),
ca(1),
req(1),
x509(1)
HISTORY
06 May 2003: First draft, based on sample openssl.cnf
25 Jul 2003: Second draft, with additions from Appendix of Viega's OpenSSL book.
AUTHOR
Morris Inouye <minouye@technoids.org>
Copyright (c) 2003 Morris Inouye