Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
SUSE Linux Enterprise Server 11

Security Module in SUSE Linux Enterprise 11

Build TLS 1.2 Compliant Infrastructures

For some time now, governmental agencies around the world, such as the United States National Institute of Standards and Technology (NIST) (NIST SP 800-52 Rev.1) and the German Bundesamt für Sicherheit in der Informationstechnik (BSI) (BSI TR-02102-2) have issued guidance to use Version 1.2 of the Transport Layer Security (TLS) cryptographic protocol as a minimum standard for encryption.

This is primarily important for HTTPS encryption of Web traffic, although other use cases, such as e-mail, are affected as well.

Allowing SUSE's customers to follow this guidance without affecting the stability and usability of their systems is challenging. In this paper we provide some background to illustrate those challenges and then show how they have been addressed.

Author: Mark Post, Software Engineer Consultant, SUSE
Publication Date: March 21, 2017

1 Background Edit source

As the name indicates, SUSE Linux Enterprise is intended for use by enterprises. One of the main attributes valued by enterprises in software is stability. SUSE achieves this in a number of ways, one of which is to not change versions of its software packages unless there is no other alternative. When SUSE Linux Enterprise 11 became generally available in 2009, OpenSSL 0.9.8 was the package included to provide encryption for the various other software that used it.

It was when the requirement for TLS 1.2 came along that a conflict arose between that need and the goal of maintaining the same software versions, and hence stability. OpenSSL version 0.9.8 simply did not provide an implementation of TLS 1.1 or 1.2 and never would provide it.

In order to provide TLS 1.2 with OpenSSL, SUSE would have to provide version 1.0 or higher. Such an update to a more recent OpenSSL version would have been nearly impossible, as OpenSSL is notoriously incompatible with itself when moving between versions. An OpenSSL version upgrade would trigger a rebuild of a significant number of other packages in SUSE Linux Enterprise 11. Subsequently this would require a high number of updates to be installed on all our customers' production systems. Worse, a version upgrade would break third party applications. This was considered unacceptable, so another approach was taken.

Fortunately, there are cryptographic libraries other than OpenSSL. Amongst those it was decided that Mozilla's Network Security Services (NSS) would be the best option:

  • The library is stable and proven to work, as it provides HTTPS support (including TLS) for the Firefox Web browser.

  • An Apache module already exists, which is derived from mod_ssl and thus easy to use for administrators used to mod_ssl.

  • The NSS library is already part of SUSE Linux Enterprise 11, and support for TLS 1.2 can be provided easily with full backward compatibility.

In late November of 2013, SUSE shipped updated versions of libfreebl3, libsoftokn3, mozilla-nspr, and mozilla-nss, along with a new package apache2-mod_nss in the maintenance channels for SUSE Linux Enterprise 11 Service Pack (SP) 2 and SP3. While this took care of the Web server and Web browser cases, it did not do the same for other network services such as e-mail or tools such as wget and curl.

2 More Challenges Edit source

The e-mail server that is included with SUSE Linux Enterprise, Postfix, does not work with NSS, only with OpenSSL. Simply shipping both OpenSSL 0.9.8 and OpenSSL 1.0 was not an option because it was all too likely that customers would install both versions of OpenSSL on their systems. Because of the incompatibilities discussed earlier, this would almost certainly have led to all sorts of application crashes.

The lack of SUSE provided packages built against OpenSSL 1.0 lead to some customers attempting to recompile them from source, with mixed success. Worse, the recompiled packages were not supported by SUSE and could affect the supportability for the entire system. Further, customers would need some way of rebuilding their in-house written applications against OpenSSL 1.0 to be compliant. Clearly something more was needed.

3 Round Two Edit source

In August of 2014, SUSE released the SUSE Linux Enterprise 11 Security Module, providing enhancements to SUSE Linux Enterprise 11 SP3, and later SP4. Available to all customers with a SUSE Linux Enterprise Server subscription, this allows customers and partners to build TLS 1.2 compliant infrastructures beyond the HTTPS protocol. The packages in the Security Module will be supported in the same way and for the same period of time as the other packages shipped with SUSE Linux Enterprise 11 (see https://www.suse.com/lifecycle/).

In this context the term module can be somewhat confusing but it comes from the optional modules that were introduced with SUSE Linux Enterprise 12 (see https://www.suse.com/products/server/features/modules.html). Essentially the Security Module is an additional package and maintenance repository for use by YaST or Zypper. There are no DVDs to order or ISO images to download. At this time, there are a total of 31 packages available in the Security Module:

curl-openssl1
cyrus-sasl-openssl1
cyrus-sasl-openssl1-32bit
cyrus-sasl-openssl1-crammd5
cyrus-sasl-openssl1-digestmd5
cyrus-sasl-openssl1-gssapi
cyrus-sasl-openssl1-ntlm
cyrus-sasl-openssl1-otp
cyrus-sasl-openssl1-plain
libcurl4-openssl1
libcurl4-openssl1-32bit
libldap-openssl1-2_4-2
libldap-openssl1-2_4-2-32bit
libopenssl1_0_0
libopenssl1_0_0-32bit
libopenssl1-devel
openldap2-client-openssl1
openssh-openssl1
openssh-openssl1-helpers
openssl1
openssl1-doc
openvpn-openssl1
openvpn-openssl1-down-root-plugin
perl-Crypt-SSLeay-openssl1
perl-Net-SSLeay-openssl1
postfix-openssl1
postfix-openssl1-devel
postfix-openssl1-doc
postfix-openssl1-mysql
postfix-openssl1-postgresql
stunnel
wget-openssl1openssh-openssl1-helpers

As you can see there are packages containing executables, runtime libraries, and development files. They are also named to be easily distinguishable from the versions built against OpenSSL 0.9.8. With a few exceptions, the OpenSSL 1.0 packages may be installed concurrently with the versions using OpenSSL 0.9.8. Those exceptions that may not be installed concurrently are:

  • libopenssl1-devel

  • openssh-openssl1

  • openssl1-doc

  • perl-Crypt-SSLeay-openssl1

  • perl-Net-SSLeay-openssl1

  • postfix-openssl1

  • postfix-openssl1-devel

For the OpenSSH and Postfix packages, it does not make sense to have more than one version installed since they provide a service for the entire system, not just for one user or application. For the Perl and -devel packages a conflict is unavoidable as the header and .so files are in the same locations. This means that only the OpenSSL 0.9.8 or the OpenSSL 1.0 version of these packages may be installed on a given system at one time.

4 Getting the Software Edit source

Since all the packages reside in a single repository or maintenance channel, there are just two major steps that need to be taken first:

  1. Verify or get access to the Security Module. See Appendix A for the gory details.

  2. Install the packages you need using either YaST (yast sw_single) or the zypper install command, for example

    zypper in curl-openssl1 wget-openssl1

    Both YaST and Zypper will automatically determine if any other packages are needed to satisfy dependencies. In any case you will be prompted to confirm the installation.

Note
Note: No Automatic Change to OpenSSL 1

Note that adding this channel or installing the SUSE provided packages does not automatically change any other existing applications to use OpenSSL 1. Unless ported or rebuilt by the vendor they will still use the OpenSSL 0.9.8 libraries. For C or C++ applications developed in-house you will need to build OpenSSL 1 versions as described in the section on how to use the development packages.

5 Using the Packages Edit source

5.1 The Interactive Packages Edit source

5.1.1 curl-openssl1 and wget-openssl1 Edit source

If you have chosen to install the curl-openssl1 or wget-openssl1 packages, you now have a choice as to which one should be the system-wide default when someone simply enters the curl command or wget command. Setting or changing this is accomplished through the use of the SUSE alternatives system (see man 8 update-alternatives for more information). We will be using the curl package for our examples, but as you would expect, the same can and should be done for the wget package.

To see which version of curl is the system default, enter the following command:

update-alternatives --display curl

You should see output similar to this:

# update-alternatives --display curl
curl - status is auto.
 link currently points to /usr/bin/curl.openssl1
/usr/bin/curl.openssl0 - priority 15
/usr/bin/curl.openssl1 - priority 20
Current 'best' version is /usr/bin/curl.openssl1.

If this is not the state you want, you can change it using the update-alternatives --set command:

update-alternatives --set curl /usr/bin/curl.openssl0
Using '/usr/bin/curl.openssl0' to provide 'curl'.

You can then reissue the command with --display:

# update-alternatives --display curl
curl - status is manual.
 link currently points to /usr/bin/curl.openssl0
/usr/bin/curl.openssl0 - priority 15
/usr/bin/curl.openssl1 - priority 20
Current 'best' version is /usr/bin/curl.openssl1.
Note
Note: Status Change

Note that besides the link being updated, the status of it has been changed from auto to manual. That means that the curl.openssl0 command will remain the default until someone with root user authority issues another update-alternatives --set curl or update-alternatives --auto curl command.

Individual users will need to use shell aliases or fully qualified paths to the appropriate command if they want something other than the system default.

5.1.2 openssl1 Edit source

The openssl package contains two commands that might be of interest to users or system administrators, c_rehash and openssl. The openssl1 package has renamed those two commands to c_rehash1 and openssl1. Anyone who wants to be sure they are executing the OpenSSL 1 versions must use the new names explicitly. Note that the c_rehash1 command can generate signatures for both OpenSSL 0.9.8 and OpenSSL 1, but thec_rehash command cannot.

5.1.3 libldap-openssl1 Edit source

The libldap-openssl1 package contains commands such as ldapadd, ldapsearch, etc. They are located in /opt/suse/bin so they will not be used by default. If you want to execute them by default you can either specify the fully qualified path to the commands, modify your PATH environment variable to contain /opt/suse/bin before /usr/bin, or create aliases that point to the newer version.

Some consideration is being given to modifying this package to use the same update-alternatives method as the curl and wget packages. If and when that happens, the commands in /opt/suse/bin will be moved into a different package, most likely named openldap2-client-openssl1. This will make the contents and naming similar to what is being done now for the OpenSSL 0.9.8 package, openldap2-client.

5.1.4 openssh-openssl1 and postfix-openssl1 Edit source

The OpenSSH and Postfix packages contain both client and server/admin components. Since only one version can be installed at a time, by definition users will not have a choice as to which version they execute.

5.2 The Server Packages Edit source

For OpenSSH and Postfix, the post installation scripts that are executed by RPM should set up everything needed in the configuration files and then restart the services. If the services were not running at the time the packages were installed, they will not be started automatically. To ensure they are running check their status:

service sshd status
service postfix status

If either or both are not running, start them:

service sshd start
service postfix start

From this point on, there should be no differences from how the services were managed previously.

5.3 The Development Packages Edit source

The two development packages will only be of interest to customers that are doing in-house development of C or C++ software that uses these libraries. And they are relevant for customers that are installing vendor packages that require all or part of their source code to be compiled and linked to these libraries. If the corresponding -devel packages from OpenSSL 0.9.8 were never installed on a particular system, there should be no need to install the OpenSSL 1.0 versions either.

Because only one set of the development packages can be installed at any one time, it is cumbersome to try to do development against both versions on the same system. Switching between the two will require uninstalling one version and reinstalling the other, as needed.

Depending on what libraries your OpenSSL 1 application requires, you might need to also install one or all of the following packages:

  • libldap-openssl1-2_4-2

  • cyrus-sasl-openssl1

  • libcurl4-openssl1

  • cyrus-sasl-openssl1-plain

  • cyrus-sasl-openssl1-gssapi

  • cyrus-sasl-openssl1-digestmd5

If your application does not require them, then they will only be installed if needed by other packages such postfix-openssl1, etc.

These OpenSSL 1 libraries are located in /opt/suse/lib64 or /opt/suse/lib on 32-bit systems. This allows them to be installed concurrently with the OpenSSL 0.9.8 versions. Because they have exactly the same file names as the OpenSSL 0.9.8 libraries in /usr/lib64 and /usr/lib, it is important to make sure that your software build processes are referencing the correct versions.

The way to accomplish this is by telling the compiler/linker where to find the desired version. So, when compiling and linking software against OpenSSL 1, pass the following parameters to the gcc command:

-Wl,-rpath,/opt/suse/lib64

or on 32-bit systems:

-Wl,-rpath,/opt/suse/lib

This causes both the application and libraries that are built to look for the libraries in /opt/suse/lib64 or /opt/suse/lib first, and in the regular system locations later.

This can most reliably be done by updating whatever make file is being used to build the software. Note that this must be done for any libraries being built, as well as binary executables. Having a library pointing to the wrong version will be just as wrong as having the program being executed pointing to the wrong version.

When compiling and linking against OpenSSL 0.9.8, you have a choice; either leave the -Wl,-rpath out entirely, or point to /usr/lib64 or on 32-bit systems /usr/lib.

To confirm if your software has been built correctly, execute the following command against it:

readelf ­a /path/to/your/binaryorlibrary | grep RUNPATH

You should see something similar to this example:

readelf -a /usr/lib/postfix/smtp | grep RUNPATH
0x000000000000001d (RUNPATH)            Library runpath: [/opt/suse/lib64]

To confirm if your application is not referencing any of the OpenSSL 0.9.8 libraries, use the /usr/bin/ldd command as in this example:

ldd /usr/lib/postfix/smtp | grep /libssl.so.0
ldd /usr/lib/postfix/smtp | grep /libcrypto.so.0

You should not see any output from either of those commands when run against your application files. If you do, it means that your application was linked against the wrong version of OpenSSL and you need to re-examine your build processes.

6 Appendix A Edit source

6.1 Checking if the Security Module Repository Is Already Defined Edit source

Issue the following command as the root user:

zypper repos | grep Security

If the repository is defined, you should see something similar to this:

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | No | Yes

If it is defined, skip to the section on enabling the Security Module Repository. If the repository is not defined, proceed with the following section on registering your system.

Note
Note: Usage of YaST

Note that all of this work can be done via YaST (yast repositories) as well.

6.2 Registering the System Edit source

If your initial command

zypper repos | grep Security

showed nothing in response, then you will need to register, or re-register, your system with the Novell Customer Center or your own local Subscription Management Tool (SMT) server. This can be accomplished via YaST (yast inst_suse_register) or the suse_register command. System administrators that are not already familiar with suse_register should use YaST to register the system.

Note
Note: YaST Registration

For more information about suse_register, search the relevant documentation. If your are not yet familiar with suse_register, it is highly recommended to use YaST.

When the system has been registered, you should be able to see the Security Module repository as already discussed. If you do not, contact the Customer Resolution Team for assistance.

In EMEA: <>

In all other countries: <>

6.3 Enabling the Security Module Repository Edit source

When the Security Module is defined, then all you need to do is enable it and enable automatic refreshes. Reissue the following command as the root user:

zypper repos | grep Security

The fourth column is now the one of particular interest. It shows whether the repository is enabled or not. That is, whether YaST or Zypper should look at this repository to satisfy requests or not.

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | No | Yes

Our example shows that it is not enabled, so we must change that. The easiest way is by using the zypper modifyrepo command with the repository ID shown in column 1. In our example that is 17:

zypper modifyrepo -e 17

Substitute whatever repository ID that Zypper shows on your system for the 17 we have used in our example. You should see a message like this:

Repository 'nu_novell_com:SLE11-Security-Module' has been successfully enabled.

To verify, reissue the zypper repos command:

zypper repos | grep Security
17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | Yes | Yes

6.4 Enabling Automatic Refreshes Edit source

The last column in the display shows whether Zypper will automatically refresh the status of the repository or not. Ensuring that this is set to Yes is important so that any new or updated packages in the Security Module will show up as available updates.

17 | nu_novell_com:SLE11-Security-Module | SLE11-Security-Module | Yes | Yes

Our example shows that it is enabled. If yours is not then issue the following command:

zypper modifyrepo -r 17

Again, substitute whatever repository ID that Zypper shows on your system. If you then display your repositories again you should see a Yes in the last column, and you have completed this task.

8 GNU Free Documentation License Edit source

Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or non-commercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

  1. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

  2. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

  3. State on the Title page the name of the publisher of the Modified Version, as the publisher.

  4. Preserve all the copyright notices of the Document.

  5. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

  6. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

  7. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

  8. Include an unaltered copy of this License.

  9. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

  10. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

  11. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

  12. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

  13. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

  14. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

  15. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements".

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU
 Free Documentation License".

If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the "with...Texts". line with this:

with the Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.

If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.

If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.

Print this page