OpenSSLWiki - User contributions [en]

Use of Git

2014-04-26T01:02:58Z

Trawick: axe todo about Request Tracker; outline of how to contribute mentions that

Note: This is a superset of the information at http://www.openssl.org/source/repos.html

== Background information about using the Git distributed version control system ==

This page provides examples for some of the <tt>git</tt> commands used when accessing OpenSSL source code, but does not provide complete coverage.

* Refer to the <tt>git</tt> man ages and http://git-scm.com/ for more complete instructions on using the command.
* Refer to https://github.com/ for more complete instructions on interacting with Github.

== Use of Git with OpenSSL source tree ==

The OpenSSL group hosts its own Git repository at openssl.org, and this contains the master copy of OpenSSL. You can browse this at https://git.openssl.org/gitweb/?p=openssl.git;a=tree, or get a clone (checkout) of it with the command <tt>git clone git://git.openssl.org/openssl.git</tt>.

Contributors to OpenSSL should make use of the Github copy of this repository at https://github.com/openssl/openssl. Github makes it easy to maintain your own fork of OpenSSL for developing your contributions, as well as making a "pull request" to share fixes with the OpenSSL team when finished. Changes in the master Git repository are represented in the Github copy within minutes.

You can view existing pull requests against any of the branches at https://github.com/openssl/openssl/pulls

=== Getting a copy of the OpenSSL source tree ===

If you want to quickly make a copy of the OpenSSL source tree and you do not plan to publish any changes for use by others, just create a clone on your own machine.

<pre>
$ git clone https://github.com/openssl/openssl.git
</pre>

(Refer to Github documentation for instructions on other means of cloning the source tree.)

If you plan to make changes to the sources that you will share with others, including contributing changes to OpenSSL, it is recommended that you create a fork of the OpenSSL tree using your own Github id. You can use this to share changes with others whether or not you intend to submit changes to the OpenSSL team. Refer to the documentation at https://help.github.com/articles/fork-a-repo, in particular the discussion about how to track changes in the real OpenSSL repository that you forked.

=== Branches ===

The Git repositories contain multiple branches, representing development levels of OpenSSL as well as current and upcoming stable branches. An easy way to see the available branches is with the branch selector at https://github.com/openssl/openssl. The branches which are of most interest to most users are

* master (development)
* OpenSSL_1_0_2-stable (for the not-yet-released 1.0.2 series)
* OpenSSL_1_0_1-stable
* OpenSSL_1_0_0-stable

In order to access the code for a branch other than master, clone the Git repository then use the <tt>git checkout ''branchname''</tt> command to switch to a different branch. Consider using separate checkouts for each branch you are working in, with appropriate names for each, such as in the following example.

<pre>
$ git clone https://github.com/openssl/openssl.git OpenSSL-master
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_2-stable)
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_1-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_1-stable)
</pre>

If you've created your own fork of OpenSSL, replace the URL on the <tt>git clone</tt> command with the one for your fork. Also, you'll need to follow the instructions at https://help.github.com/articles/fork-a-repo for picking up changes from the master repository that you forked.

=== Making patches ===

Patches posted to OpenSSL development mailing lists or to the [https://www.openssl.org/support/rt.html OpenSSL Request Tracker] should be in Git <tt>format-patch</tt> format if at all practical, since that is easier for OpenSSL committers to apply since it contains author details.

The [http://git-scm.com/docs/git-format-patch <tt>git format-patch</tt>] documentation describes a lot of options. Here is an example of the most basic use.

:* You've been working on a particular OpenSSL branch within a Git clone of the source tree, and have made a couple of commits which you'd like to submit.
:* Print the log for those two commits and one more, the one before your commits:
<pre>
$ git log -3
commit 46983b73e04b448cb6cd9ea180044753174dec6d
Author: Jeff Trawick <trawick@gmail.com>
Date: Fri Apr 25 20:25:19 2014 -0400

spellcheck

commit 1e20bdf6bad38d9766e6cf3e64d903a99f1d9a6b
Author: Jeff Trawick <trawick@gmail.com>
Date: Fri Apr 25 14:07:07 2014 -0400

silly wording change

commit 3e124d66c8b66a48a824387b10768411a348f518
Author: Steve Marquess <marquess@opensslfoundation.com>
Date: Thu Apr 24 07:13:05 2014 -0400

Add new sponsors
(cherry picked from commit 351f0a124bffaa94d2a8abdec2e7dde5ae9c457d)
</pre>
:* Create a patch from changes '''after''' the third commit (<tt>3e124d66c8b66a48a824387b10768411a348f518</tt>), and pipe it to a file instead of letting <tt>git</tt> create a bunch of <tt>.patch</tt> files in the current directory:
<pre>
$ git format-patch 3e124d66c8b66a48a824387b10768411a348f518 --stdout >/tmp/FixWording.txt
$ cat /tmp/FixWording.txt
From 1e20bdf6bad38d9766e6cf3e64d903a99f1d9a6b Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@gmail.com>
Date: Fri, 25 Apr 2014 14:07:07 -0400
Subject: [PATCH 1/2] silly wording change

---
apps/s_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 01f4f34..eeb2e77 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -323,7 +323,7 @@ static void sc_usage(void)
BIO_printf(bio_err,"\n");
BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
- BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+ BIO_printf(bio_err," -connect host:port - what to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
--
1.8.3.2

From 46983b73e04b448cb6cd9ea180044753174dec6d Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@gmail.com>
Date: Fri, 25 Apr 2014 20:25:19 -0400
Subject: [PATCH 2/2] spellcheck

---
PROBLEMS | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/PROBLEMS b/PROBLEMS
index 3eaab01..86f1e6e 100644
--- a/PROBLEMS
+++ b/PROBLEMS
@@ -41,13 +41,13 @@ passing -Wl,-search_paths_first, but it's unknown if the flag was
supported from the initial MacOS X release.

-* Parallell make leads to errors
+* Parallel make leads to errors

-While running tests, running a parallell make is a bad idea. Many test
+While running tests, running a parallel make is a bad idea. Many test
scripts use the same name for output and input files, which means different
will interfere with each other and lead to test failure.

-The solution is simple for now: don't run parallell make when testing.
+The solution is simple for now: don't run parallel make when testing.

* Bugs in gcc triggered
--
1.8.3.2
</pre>

Plan B, if you can't get <tt>git format-patch</tt> to work for some reason, is to create another, unmodified clone of the OpenSSL code, switch it to the branch you're working in, then use <tt>diff -ru</tt> as follows:

<pre>
$ diff -ru OpenSSL_1_0_2-stable-original OpenSSL_1_0_2-stable > /tmp/FixSClientUsage.txt
</pre>

(These two directories were created with <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable</tt> and <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable-original</tt>, and each was switched to the desired branch with <tt>git checkout OpenSSL_1_0_2-stable</tt>.)

Double check that only the desired changes are in the patch file. Otherwise, you probably weren't testing with the most recent OpenSSL changes.

==== Sending patches via e-mail ====

Patches sent via e-mail should be in plain text attachments instead of being pasted into the e-mail body.

=== Making pull requests ===

After developing and testing changes to OpenSSL in your checkout (clone), push them to your fork of OpenSSL (<tt>git push</tt>), then use the Github interface to submit a pull request to the master OpenSSL repository for the particular revision(s).

== Use of Git with the OpenSSL web site ==

The OpenSSL web site is also maintained in git, and can be browsed at https://git.openssl.org/gitweb/?p=openssl-web.git;a=tree.

Unlike the source code, the OpenSSL web site repository is not copied to Github. You can only interact with it via git.openssl.org, so it is not possible to submit pull requests.

Check it out as follows:

<pre>
$ git clone git://git.openssl.org/openssl-web.git
</pre>

In order to submit corrections to the web site, create a patch as described above.

Only the master branch of the web site repository is used.

Use of Git

2014-04-26T00:49:28Z

Trawick: stress git format-patch as the preferred way of creating patches to submit

Note: This is a superset of the information at http://www.openssl.org/source/repos.html

== Background information about using the Git distributed version control system ==

This page provides examples for some of the <tt>git</tt> commands used when accessing OpenSSL source code, but does not provide complete coverage.

* Refer to the <tt>git</tt> man ages and http://git-scm.com/ for more complete instructions on using the command.
* Refer to https://github.com/ for more complete instructions on interacting with Github.

== Use of Git with OpenSSL source tree ==

The OpenSSL group hosts its own Git repository at openssl.org, and this contains the master copy of OpenSSL. You can browse this at https://git.openssl.org/gitweb/?p=openssl.git;a=tree, or get a clone (checkout) of it with the command <tt>git clone git://git.openssl.org/openssl.git</tt>.

Contributors to OpenSSL should make use of the Github copy of this repository at https://github.com/openssl/openssl. Github makes it easy to maintain your own fork of OpenSSL for developing your contributions, as well as making a "pull request" to share fixes with the OpenSSL team when finished. Changes in the master Git repository are represented in the Github copy within minutes.

You can view existing pull requests against any of the branches at https://github.com/openssl/openssl/pulls

=== Getting a copy of the OpenSSL source tree ===

If you want to quickly make a copy of the OpenSSL source tree and you do not plan to publish any changes for use by others, just create a clone on your own machine.

<pre>
$ git clone https://github.com/openssl/openssl.git
</pre>

(Refer to Github documentation for instructions on other means of cloning the source tree.)

If you plan to make changes to the sources that you will share with others, including contributing changes to OpenSSL, it is recommended that you create a fork of the OpenSSL tree using your own Github id. You can use this to share changes with others whether or not you intend to submit changes to the OpenSSL team. Refer to the documentation at https://help.github.com/articles/fork-a-repo, in particular the discussion about how to track changes in the real OpenSSL repository that you forked.

=== Branches ===

The Git repositories contain multiple branches, representing development levels of OpenSSL as well as current and upcoming stable branches. An easy way to see the available branches is with the branch selector at https://github.com/openssl/openssl. The branches which are of most interest to most users are

* master (development)
* OpenSSL_1_0_2-stable (for the not-yet-released 1.0.2 series)
* OpenSSL_1_0_1-stable
* OpenSSL_1_0_0-stable

In order to access the code for a branch other than master, clone the Git repository then use the <tt>git checkout ''branchname''</tt> command to switch to a different branch. Consider using separate checkouts for each branch you are working in, with appropriate names for each, such as in the following example.

<pre>
$ git clone https://github.com/openssl/openssl.git OpenSSL-master
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_2-stable)
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_1-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_1-stable)
</pre>

If you've created your own fork of OpenSSL, replace the URL on the <tt>git clone</tt> command with the one for your fork. Also, you'll need to follow the instructions at https://help.github.com/articles/fork-a-repo for picking up changes from the master repository that you forked.

=== Making patches ===

Patches posted to OpenSSL development mailing lists or to the [https://www.openssl.org/support/rt.html OpenSSL Request Tracker] should be in Git <tt>format-patch</tt> format if at all practical, since that is easier for OpenSSL committers to apply since it contains author details.

The [http://git-scm.com/docs/git-format-patch <tt>git format-patch</tt>] documentation describes a lot of options. Here is an example of the most basic use.

:* You've been working on a particular OpenSSL branch within a Git clone of the source tree, and have made a couple of commits which you'd like to submit.
:* Print the log for those two commits and one more, the one before your commits:
<pre>
$ git log -3
commit 46983b73e04b448cb6cd9ea180044753174dec6d
Author: Jeff Trawick <trawick@gmail.com>
Date: Fri Apr 25 20:25:19 2014 -0400

spellcheck

commit 1e20bdf6bad38d9766e6cf3e64d903a99f1d9a6b
Author: Jeff Trawick <trawick@gmail.com>
Date: Fri Apr 25 14:07:07 2014 -0400

silly wording change

commit 3e124d66c8b66a48a824387b10768411a348f518
Author: Steve Marquess <marquess@opensslfoundation.com>
Date: Thu Apr 24 07:13:05 2014 -0400

Add new sponsors
(cherry picked from commit 351f0a124bffaa94d2a8abdec2e7dde5ae9c457d)
</pre>
:* Create a patch from changes '''after''' the third commit (<tt>3e124d66c8b66a48a824387b10768411a348f518</tt>), and pipe it to a file instead of letting <tt>git</tt> create a bunch of <tt>.patch</tt> files in the current directory:
<pre>
$ git format-patch 3e124d66c8b66a48a824387b10768411a348f518 --stdout >/tmp/FixWording.txt
$ cat /tmp/FixWording.txt
From 1e20bdf6bad38d9766e6cf3e64d903a99f1d9a6b Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@gmail.com>
Date: Fri, 25 Apr 2014 14:07:07 -0400
Subject: [PATCH 1/2] silly wording change

---
apps/s_client.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/s_client.c b/apps/s_client.c
index 01f4f34..eeb2e77 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -323,7 +323,7 @@ static void sc_usage(void)
BIO_printf(bio_err,"\n");
BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
- BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+ BIO_printf(bio_err," -connect host:port - what to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
--
1.8.3.2

From 46983b73e04b448cb6cd9ea180044753174dec6d Mon Sep 17 00:00:00 2001
From: Jeff Trawick <trawick@gmail.com>
Date: Fri, 25 Apr 2014 20:25:19 -0400
Subject: [PATCH 2/2] spellcheck

---
PROBLEMS | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/PROBLEMS b/PROBLEMS
index 3eaab01..86f1e6e 100644
--- a/PROBLEMS
+++ b/PROBLEMS
@@ -41,13 +41,13 @@ passing -Wl,-search_paths_first, but it's unknown if the flag was
supported from the initial MacOS X release.

-* Parallell make leads to errors
+* Parallel make leads to errors

-While running tests, running a parallell make is a bad idea. Many test
+While running tests, running a parallel make is a bad idea. Many test
scripts use the same name for output and input files, which means different
will interfere with each other and lead to test failure.

-The solution is simple for now: don't run parallell make when testing.
+The solution is simple for now: don't run parallel make when testing.

* Bugs in gcc triggered
--
1.8.3.2
</pre>

Plan B, if you can't get <tt>git format-patch</tt> to work for some reason, is to create another, unmodified clone of the OpenSSL code, switch it to the branch you're working in, then use <tt>diff -ru</tt> as follows:

<pre>
$ diff -ru OpenSSL_1_0_2-stable-original OpenSSL_1_0_2-stable > /tmp/FixSClientUsage.txt
</pre>

(These two directories were created with <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable</tt> and <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable-original</tt>, and each was switched to the desired branch with <tt>git checkout OpenSSL_1_0_2-stable</tt>.)

Double check that only the desired changes are in the patch file. Otherwise, you probably weren't testing with the most recent OpenSSL changes.

==== Sending patches via e-mail ====

Patches sent via e-mail should be in plain text attachments instead of being pasted into the e-mail body.

=== Making pull requests ===

After developing and testing changes to OpenSSL in your checkout (clone), push them to your fork of OpenSSL (<tt>git push</tt>), then use the Github interface to submit a pull request to the master OpenSSL repository for the particular revision(s).

(need to allude to other instructions about RT, right?)

== Use of Git with the OpenSSL web site ==

The OpenSSL web site is also maintained in git, and can be browsed at https://git.openssl.org/gitweb/?p=openssl-web.git;a=tree.

Unlike the source code, the OpenSSL web site repository is not copied to Github. You can only interact with it via git.openssl.org, so it is not possible to submit pull requests.

Check it out as follows:

<pre>
$ git clone git://git.openssl.org/openssl-web.git
</pre>

In order to submit corrections to the web site, create a patch as described above.

Only the master branch of the web site repository is used.

Main Page

2014-04-25T20:18:34Z

Trawick: Replace terse "do you need to discuss" statement with good words from README

If this is your first visit or to get an account please see the [[Welcome]] page. Your participation and [[Contributions]] are valued.

This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.

== OpenSSL Quick Links ==

<TABLE border=0>
<TR>
<TD>[[OpenSSL Overview]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Compilation and Installation]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Internals]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Mailing Lists]] </TD>
</TR>
<TR>
<TD>[[libcrypto API]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[libssl API]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Examples]] </TD>
</TR>
<TR>
<TD>[[License]] </TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Command Line Utilities]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Related Links]]</TD>
</TR>
</TABLE>

== Administrivia ==
Site guidelines, legal and admininstrative issues.
:* [[Basic rules]], [[Commercial Product Disclaimer]], [[Contributions]], [[Copyright]], [[License]]
:* Using This Wiki
:: [http://meta.wikimedia.org/wiki/Help:Contents Wiki User's Guide], [http://www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list], [http://www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ], [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki Mailing List]

== Reference ==
This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.
:* OpenSSL Manual Pages
::* [[Manual:Openssl(1)]], [[Manual:Ssl(3)]], [[Manual:Crypto(3)]], [[Documentation Index]]
:: If you wish to edit any of the Manual page content please refer to the [[Guidelines for Manual Page Authors]] page.
:* [[API]], [[Libcrypto API]], [[Libssl API]]
:* [[FIPS mode()]], [[FIPS_mode_set()]]

== Usage and Programming ==
This section has discussions of practical issues in using OpenSSL
:* Building from Source
:: Where to find it, the different versions, how to build and install it.
:* [[OpenSSL Overview]]
:* [[Versioning]]
:* [[Compilation and Installation]]
:* [[EVP]]
:: Programming techniques and example code
:: Use of EVP is preferred for most applications and circumstances
::* [[EVP Asymmetric Encryption and Decryption of an Envelope]]
::* [[EVP Authenticated Encryption and Decryption]]
::* [[EVP Symmetric Encryption and Decryption]]
::* [[EVP Key and Parameter Generation]]
::* [[EVP Key Agreement]]
::* [[EVP Message Digests]]
::* [[EVP Key Derivation]]
::* [[EVP Signing and Verifying|EVP Signing and Verifying (including MAC codes)]]
:* [[STACK API]]
:* Low Level APIs
:: More specialized non-EVP usage
::* [[Diffie-Hellman parameters]]
:* [[FIPS Mode]]

== Concepts and Theory ==
Discussions of basic cryptographic theory and concepts
Discussions of common operational issues
:* [[Base64]]
:* [http://wiki.openssl.org/index.php/Category:FIPS_140 FIPS 140-2]
:* [[Random Numbers]]
:* [[Diffie Hellman]]
:* [[Elliptic Curve Diffie Hellman]]
:* [[Elliptic Curve Cryptography]]

== Security Issues ==

=== Heartbleed CVE-2014-0160 ===

affects all 1.0.1x version where x<'g' and 1.0.2-beta
fixed in 1.0.1g and 1.0.2-beta1

http://www.openssl.org/news/secadv_20140407.txt

== Feedback and Contributions ==
:* [https://www.openssl.org/support/faq.html#BUILD18 Notification of suspected security vulnerabilities]
:* [https://www.openssl.org/support/rt.html Contributing bug reports, other than for suspected vulnerabilities]
:* [[Contributions|General background on source and documentation contributions - '''must read''']]
:* Contributing code fixes, other than for suspected vulnerabilities, as well as fixes and other improvements to manual pages
::* Follow the [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|instructions for accessing source code]] in the appropriate branches
:::* Note that manual pages and the FAQ are maintained with the source code.
::* If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the [https://www.openssl.org/support/community.html openssl-dev mailing list] first. Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented.
::* Submit a pull request for each separate fix (also documented [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|there]])
::* Submit a bug report for the issue and reference the pull request
:* Contributing fixes and other improvements to the web site
::* Follow the [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|instructions for accessing web site sources]]
::* Create a patch (also documented [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|there]])
::* Submit a bug report and add the patch as an attachment
:* [[Welcome|Contributing to this wiki]]

== Internals and Development ==
This section is for internal details of primary interest to OpenSSL maintainers and power users
:* [[Internals]]
:* [[Code Quality]]
:* [[Static and Dynamic Analysis]]
:* [[OCB|OCB Licence details]]
:* [[Defect and Feature Review Process]]

Main Page

2014-04-25T20:10:44Z

Trawick: Add new section covering various types of feedback and contributions

If this is your first visit or to get an account please see the [[Welcome]] page. Your participation and [[Contributions]] are valued.

This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.

== OpenSSL Quick Links ==

<TABLE border=0>
<TR>
<TD>[[OpenSSL Overview]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Compilation and Installation]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Internals]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Mailing Lists]] </TD>
</TR>
<TR>
<TD>[[libcrypto API]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[libssl API]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Examples]] </TD>
</TR>
<TR>
<TD>[[License]] </TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Command Line Utilities]]</TD>
<TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
<TD>[[Related Links]]</TD>
</TR>
</TABLE>

== Administrivia ==
Site guidelines, legal and admininstrative issues.
:* [[Basic rules]], [[Commercial Product Disclaimer]], [[Contributions]], [[Copyright]], [[License]]
:* Using This Wiki
:: [http://meta.wikimedia.org/wiki/Help:Contents Wiki User's Guide], [http://www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list], [http://www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ], [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki Mailing List]

== Reference ==
This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.
:* OpenSSL Manual Pages
::* [[Manual:Openssl(1)]], [[Manual:Ssl(3)]], [[Manual:Crypto(3)]], [[Documentation Index]]
:: If you wish to edit any of the Manual page content please refer to the [[Guidelines for Manual Page Authors]] page.
:* [[API]], [[Libcrypto API]], [[Libssl API]]
:* [[FIPS mode()]], [[FIPS_mode_set()]]

== Usage and Programming ==
This section has discussions of practical issues in using OpenSSL
:* Building from Source
:: Where to find it, the different versions, how to build and install it.
:* [[OpenSSL Overview]]
:* [[Versioning]]
:* [[Compilation and Installation]]
:* [[EVP]]
:: Programming techniques and example code
:: Use of EVP is preferred for most applications and circumstances
::* [[EVP Asymmetric Encryption and Decryption of an Envelope]]
::* [[EVP Authenticated Encryption and Decryption]]
::* [[EVP Symmetric Encryption and Decryption]]
::* [[EVP Key and Parameter Generation]]
::* [[EVP Key Agreement]]
::* [[EVP Message Digests]]
::* [[EVP Key Derivation]]
::* [[EVP Signing and Verifying|EVP Signing and Verifying (including MAC codes)]]
:* [[STACK API]]
:* Low Level APIs
:: More specialized non-EVP usage
::* [[Diffie-Hellman parameters]]
:* [[FIPS Mode]]

== Concepts and Theory ==
Discussions of basic cryptographic theory and concepts
Discussions of common operational issues
:* [[Base64]]
:* [http://wiki.openssl.org/index.php/Category:FIPS_140 FIPS 140-2]
:* [[Random Numbers]]
:* [[Diffie Hellman]]
:* [[Elliptic Curve Diffie Hellman]]
:* [[Elliptic Curve Cryptography]]

== Security Issues ==

=== Heartbleed CVE-2014-0160 ===

affects all 1.0.1x version where x<'g' and 1.0.2-beta
fixed in 1.0.1g and 1.0.2-beta1

http://www.openssl.org/news/secadv_20140407.txt

== Feedback and Contributions ==
:* [https://www.openssl.org/support/faq.html#BUILD18 Notification of suspected security vulnerabilities]
:* [https://www.openssl.org/support/rt.html Contributing bug reports, other than for suspected vulnerabilities]
:* [[Contributions|General background on source and documentation contributions - '''must read''']]
:* Contributing code fixes, other than for suspected vulnerabilities, as well as fixes and other improvements to manual pages
::* Follow the [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|instructions for accessing source code]] in the appropriate branches
:::* Note that manual pages and the FAQ are maintained with the source code.
::* If the changes need to be discussed first, use the [https://www.openssl.org/support/community.html openssl-dev@openssl.org] mailing list.
::* Submit a pull request for each separate fix (also documented [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|there]])
::* Submit a bug report for the issue and reference the pull request
:* Contributing fixes and other improvements to the web site
::* Follow the [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|instructions for accessing web site sources]]
::* Create a patch (also documented [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|there]])
::* Submit a bug report and add the patch as an attachment
:* [[Welcome|Contributing to this wiki]]

== Internals and Development ==
This section is for internal details of primary interest to OpenSSL maintainers and power users
:* [[Internals]]
:* [[Code Quality]]
:* [[Static and Dynamic Analysis]]
:* [[OCB|OCB Licence details]]
:* [[Defect and Feature Review Process]]

Contributions

2014-04-25T19:41:10Z

Trawick: replace TBD with link to new doc on making patches

There are a number of reasons why code or documentation contributions may not be adopted by the OpenSSL maintainers.
See http://www.opensslfoundation.com/contributions.html for a personal perspective on OpenSSL contributions.

=== Technical Concerns ===

==== Compatibility ====
Binary incompatible changes can only occur on major releases (the next is 1.1.0) and releases
are often years apart.
OpenSSL has a painful history of problems caused by references to OpenSSL internals, a
history that has left the survivors very paranoid about referencing or changing APIs or
structures (even those which seem to be clearly for internal use only).

New features cannot be added to existing stable releases as this violates the [[versioning]]
rule So adding new functionality to OpenSSL 0.9.8, 1.0.0 or 1.0.1 just isn't going to
happen ''unless'' that new functionality is needed to address a security hole or bug.

==== Security Issues ====
It is all too easy to inadvertently introduce security vulnerabilities that may not be
immediately apparent even to experts. For instance, side channel attacks that exploit
subtle timing differences between different code paths.

==== Platform Portability ====
OpenSSL runs on an enormous variety of platforms -- processor architectures, operating
systems, compilers -- some of which have subtle and obscure quirks. Any changes to
OpenSSL should at a minimum not break support for any existing platforms. The typical
contributor will not be aware of all the potential platform portability pitfalls and
so the code will require careful review by the OpenSSL team.

==== Future Directions ====
(TBD)

==== Maintainability ====
Incorporation of new code into OpenSSL means an implicit obligation to support it
forever. There are many subtleties about OpenSSL which even surprise the experts at
times: new code may have unfortunate consequences and open up security holes. OpenSSL
is used on a very wide range of applications including a sizeable proportions of the
world's web servers and as a result the developers have to be pretty darned sure new
additions wont have unfortunate consequences. Comments and/or documentation can help
a lot here especially for addition of new features to OpenSSL itself.

=== Presentation ===
(TBD)

==== Patch Format ====
Methods of creating patches in the recommended format are covered in the
[[Use of Git#Making patches|documentation for accessing OpenSSL source code]].

==== Coding Style ====
Although there are some exceptions most of the OpenSSL code is indented in a rather
quirky way. That style isn't documented but if you can't figure it out from looking
at existing source you haven't spend nearly enough time with OpenSSL to think about
changing it. If a reviewer has to reformat everything to fit with the current code
style that counts against it.

=== Documentation ===
(TBD)

==== Code Maturity ====
With documentation there is another factor. People rely on documentation as showing the preferred way of using the software, and once documented an API it effectively "cast in stone" for future versions of OpenSSL. There is a reluctance to document features that may not yet be in a final form.

==== Abstraction Level ====
With OpenSSL there is usually a preferred general high-level API (EVP) and then
many lower level function calls that can be used to achieve similar outcomes.
The higher level abstractions are usually the best solution for all common application
requirements. As a result there is a reluctance to adopt and publish documentation of
low level APIs when the corresponding preferred high level approach is not yet
adequately documented.

=== Licensing and Copyright ===
Is the code compatible with the [[License|OpenSSL license]]? New contributions will receive
appropriate credit but they can't be expected to require every OpenSSL application to
acknowledge the author in the documentation by adding additional attribution requirements.

Use of Git

2014-04-25T18:20:03Z

Trawick: expand section on creating patches

Note: This is a superset of the information at http://www.openssl.org/source/repos.html

== Background information about using the Git distributed version control system ==

The following information provides examples for some of the <tt>git</tt> commands used when accessing OpenSSL source code.

* Refer to the <tt>git</tt> man ages and http://git-scm.com/ for more complete instructions on using the command.
* Refer to https://github.com/ for more complete instructions on interacting with Github.

== Use of Git with OpenSSL source tree ==

The OpenSSL group hosts its own Git repository at openssl.org, and this contains the master copy of OpenSSL. You can browse this at https://git.openssl.org/gitweb/?p=openssl.git;a=tree, or get a clone (checkout) of it with the command <tt>git clone git://git.openssl.org/openssl.git</tt>.

Contributors to OpenSSL should make use of the Github copy of this repository at https://github.com/openssl/openssl. Github makes it easy to maintain your own fork of OpenSSL for developing your contributions, as well as making a "pull request" to share fixes with the OpenSSL team when finished. Changes in the master Git repository are represented in the Github copy within minutes.

You can view existing pull requests against any of the branches at https://github.com/openssl/openssl/pulls

=== Getting a copy of the OpenSSL source tree ===

If you want to quickly make a copy of the OpenSSL source tree and you do not plan to publish any changes for use by others, just create a clone on your own machine.

<pre>
$ git clone https://github.com/openssl/openssl.git
</pre>

(Refer to Github documentation for instructions on other means of cloning the source tree.)

If you plan to make changes to the sources that you will share with others, including contributing changes to OpenSSL, it is recommended that you create a fork of the OpenSSL tree using your own Github id. You can use this to share changes with others whether or not you intend to submit changes to the OpenSSL team. Refer to the documentation at https://help.github.com/articles/fork-a-repo, in particular the discussion about how to track changes in the real OpenSSL repository that you forked.

=== Branches ===

The Git repositories contain multiple branches, representing development levels of OpenSSL as well as current and upcoming stable branches. An easy way to see the available branches is with the branch selector at https://github.com/openssl/openssl. The branches which are of most interest to most users are

* master (development)
* OpenSSL_1_0_2-stable (for the not-yet-released 1.0.2 series)
* OpenSSL_1_0_1-stable
* OpenSSL_1_0_0-stable

In order to access the code for a branch other than master, clone the Git repository then use the <tt>git checkout ''branchname''</tt> command to switch to a different branch. Consider using separate checkouts for each branch you are working in, with appropriate names for each, such as in the following example.

<pre>
$ git clone https://github.com/openssl/openssl.git OpenSSL-master
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_2-stable)
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_1-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_1-stable)
</pre>

If you've created your own fork of OpenSSL, replace the URL on the <tt>git clone</tt> command with the one for your fork. Also, you'll need to follow the instructions at https://help.github.com/articles/fork-a-repo for picking up changes from the master repository that you forked.

=== Making patches ===

Patches posted to OpenSSL development mailing lists or to the [https://www.openssl.org/support/rt.html OpenSSL Request Tracker] should be in unified diff format, showing the differences compared with the latest OpenSSL code from that branch.

For an uncommitted change in your '''up-to-date''' clone, that could be as simple as

<pre>
$ git diff -u > /tmp/FixSClientUsage.txt
$ cat /tmp/FixSClientUsage.txt
diff --git a/apps/s_client.c b/apps/s_client.c
index 01f4f34..eeb2e77 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -323,7 +323,7 @@ static void sc_usage(void)
BIO_printf(bio_err,"\n");
BIO_printf(bio_err," -host host - use -connect instead\n");
BIO_printf(bio_err," -port port - use -connect instead\n");
- BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
+ BIO_printf(bio_err," -connect host:port - what to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
</pre>

If it has been committed already, you can find the change in the output of <tt>git log -p</tt>.

If multiple commits to your clone comprise a change that you want to submit, it may be easiest to get another, unmodified clone of the OpenSSL code, then use <tt>diff -ru</tt> as follows:

<pre>
$ git diff -ru OpenSSL_1_0_2-stable-original OpenSSL_1_0_2-stable > /tmp/FixSClientUsage.txt
</pre>

(These two directories were created with <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable</tt> and <tt>git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable-original</tt>, and each was switched to the desired branch with <tt>git checkout OpenSSL_1_0_2-stable</tt>.)

Double check that only the desired changes are in the patch file. Otherwise, you probably weren't testing with the most recent OpenSSL changes.

==== Sending patches via e-mail ====

Patches sent via e-mail should be in plain text attachments instead of being pasted into the e-mail body.

=== Making pull requests ===

After developing and testing changes to OpenSSL in your checkout (clone), push them to your fork of OpenSSL (<tt>git push</tt>), then use the Github interface to submit a pull request to the master OpenSSL repository for the particular revision(s).

(need to allude to other instructions about RT, right?)

== Use of Git with the OpenSSL web site ==

The OpenSSL web site is also maintained in git, and can be browsed at https://git.openssl.org/gitweb/?p=openssl-web.git;a=tree.

Unlike the source code, the OpenSSL web site repository is not copied to Github. You can only interact with it via git.openssl.org, so it is not possible to submit pull requests.

Check it out as follows:

<pre>
$ git clone git://git.openssl.org/openssl-web.git
</pre>

In order to submit corrections to the web site, create a patch as described above.

Only the master branch of the web site repository is used.

Compilation and Installation

2014-04-25T17:23:08Z

Trawick: spelling

== Retrieve source code ==

The OpenSSL source code can be downloaded from [http://www.openssl.org/source/ www.openssl.org/source/] or any suitable [http://www.openssl.org/source/mirror.html ftp mirror]. There are various versions including stable as well as unstable versions.

The source code is manged via Git, the repository is

: git://git.openssl.org/openssl.git

The source is also available via a [https://github.com/openssl/openssl GitHub] mirror. This repository is updated every 15 minutes.

* [[Use_of_Git|Accessing OpenSSL source code via Git]]

== Configuration ==

OpenSSL is configured for a particular platform with protocol and behavior options using <tt>Configure</tt> and <tt>config</tt>.

=== Configure & Config ===

You use <tt>Configure</tt> and <tt>config</tt> to tune the compile and installation process through options and switches. The difference between is <tt>Configure</tt> properly handles the host-arch-compiler triplet, and <tt>config</tt> does not. <tt>config</tt> attempts to guess the triplet, so its a lot like autotool's <tt>config.guess</tt>.

You can usually use <tt>config</tt> and it will do the right thing (from Ubuntu 13.04, x64):

<pre>$ ./config
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring for linux-x86_64
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

Mac OSX is a problem (its often a neglected platform), and you will have to use <tt>Configure</tt>:

<pre> ./Configure darwin64-x86_64-cc
Configuring for darwin64-x86_64-cc
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

Running the same command with <tt>config</tt> results in:

<pre>$ ./config darwin64-x86_64-cc
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64
WARNING! If you wish to build 64-bit library, then you have to
invoke './Configure darwin64-x86_64-cc' *manually*.
You have about 5 seconds to press Ctrl-C to abort.
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)</pre>

If you provide a option not known to configure or ask for help, then you get a brief help message:

<pre>$ ./Configure --help
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]</pre>

And if you supply an unknown triplet:

<pre>$ ./Configure darwin64-x86_64-clang
Configuring for darwin64-x86_64-clang
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

pick os/compiler from:
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc
...

NOTE: If in doubt, on Unix-ish systems use './config'.</pre>

Finally, to delete a configuration and start anew, run <tt>make dclean</tt>.

=== Library Options ===

OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them.

'''Note''': if you specify a non-existent option, then the configure scripts will proceed without warning. For example, if you inadvertently specify '''no-sslv2''' rather than '''no-ssl2''', the script will configure ''with'' SSLv2 and ''without'' warning for the unknown no-sslv2.

{| class="wikitable sortable" border="1"
|+ OpenSSL Library Options
|-
! scope="col" width="150px" | Option
! scope="col" class="unsortable" | Description
|-
| --openssldir=XXX || The installation directory. If not specified, the library will be installed at <tt>/usr/local/ssl</tt>. Header will be located at <tt>/usr/local/ssl/include/openssl</tt>, and libraries located at <tt>/usr/local/ssl/lib</tt>.
|-
| shared || Build a shared object in addition to the static archive
|-
| enable-ec_nistp_64_gcc_128 || Use on x64 platforms when GCC supports <tt>__uint128_t</tt>. ECDH is about 2 to 4 times faster. Not enabled by default because <tt>Configure</tt> can't determine it.
|-
| no-ssl2 || Disables SSLv2
|-
| no-ssl3 || Disables SSLv3
|-
| no-comp || Disables compression independent of <tt>zlib</tt>
|-
| no-asm || Disables assembly language routines (and uses C routines)
|-
| no-dtls || Disables DTLS (useful on mobile devices since carriers often block UDP)
|-
| no-shared || Disables shared objects (only a static library is created)
|-
| no-hw || Disables hardware support (useful on mobile devices)
|-
| no-engines || Disables hardware support (useful on mobile devices)
|-
| no-dso || Disables the OpenSSL DSO API (the library offers a shared object abstraction layer)
|-
| no-psk || Disables Preshared Key (PSK). PSK provides mutual authentication independent of trusted authorities, but its rarely offered or used
|-
| no-srp || Disables Secure Remote Password (SRP). SRP provides mutual authentication independent of trusted authorities, but its rarely offered or used
|-
| no-ec2m || Used when configuring FIPS Capable Library with a FIPS Object Module that only includes prime curves. That is, use this switch if you use <tt>openssl-fips-ecp-2.0.5</tt>.
|}

After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).

<pre>$ ./Configure darwin64-x86_64-cc no-ssl2 no-ssl3
Configuring for darwin64-x86_64-cc
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)
no-ssl3 [option] OPENSSL_NO_SSL3 (skip dir)
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

=== Compile Time Checking ===

If you disable an option during configure, you can check if it's available through <tt>OPENSSL_NO_*</tt> defines. OpenSSL writes the configure options to <tt><openssl/opensslconf.h></tt>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:

<pre>#include <openssl/opensslconf.h>
...

#if !defined(OPENSSL_NO_SSL3)
/* SSLv3 is available */
#endif</pre>

=== Modifying Build Settings ===

Sometimes you need to work around OpenSSL's selections for building the library. For example, you might want to use <tt>-Os</tt> for a mobile device (rather than <tt>-O3</tt>), or you might want to use the <tt>clang</tt> compiler (rather than <tt>gcc</tt>).

In case like these, its often easier to modify <tt>Configure</tt> and <tt>Makefile.org</tt> rather than trying to add targets to the configure scripts. Below is a patch that modifies <tt>Configure</tt> and <tt>Makefile.org</tt> for use under the iOS 7.0 SDK (which lacks <tt>gcc</tt> in <tt>/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/</tt>):

* Modifies <tt>Configure</tt> to use <tt>clang</tt>
* Modifies <tt>Makefile.org</tt> to use <tt>clang</tt>
* Modifies <tt>CFLAG</tt> to use <tt>-Os</tt>
* Modifies <tt>MAKEDEPPROG</tt> to use <tt>$(CC) -M</tt>

Setting and resetting of <tt>LANG</tt> is required on Mac OSX to work around a <tt>sed</tt> bug or limitation.

<pre>OLD_LANG=$LANG
unset LANG

sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure
sed -i "" 's/CC= cc/CC= clang/g' Makefile.org
sed -i "" 's/CFLAG= -O/CFLAG= -Os/g' Makefile.org
sed -i "" 's/MAKEDEPPROG=makedepend/MAKEDEPPROG=$(CC) -M/g' Makefile.org

export LANG=$OLD_LANG</pre>

After modification, be sure to dclean and configure again so the new settings are picked up:

<pre>make dclean

./config
make depend
make all
...</pre>

=== Fedora and Red Hat ===

On Fedora and Red Hat systems, be sure to export <tt>CFLAGS="-fPIC"</tt> and explicitly specify <tt>shared</tt> to <tt>config</tt>. Failing to do so will result in static libraries only.That is, you will be missing the shared objects and engines. The commands would look similar to below.

<pre>$ export CFLAGS="-fPIC"
$ ./config shared no-ssl2 no-ssl3 --openssldir=/usr/local/ssl
...
$ make depend
...
$ make all
...
$ sudo -E make install</pre>

=== FIPS Capable Library ===

If you want to use FIPS validated cryptography, you download, build and install the FIPS Object Module (<tt>openssl-fips-2.0.5.tar.gz</tt>) according to the [https://www.openssl.org/docs/fips/UserGuide-2.0.pdf FIPS User Guide 2.0] and [https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf FIPS 140-2 Security Policy]. You then download, build and install the FIPS Capable Library (<tt>openssl-1.0.1e.tar.gz</tt>).

When configuring the FIPS Capable Library, you must use <tt>fips</tt> as an option:

<pre>./config fips <other options ...></pre>

If you are configuring the FIPS Capable Library with only prime curves (<tt>openssl-fips-ecp-2.0.5.tar.gz</tt>), then you must configure with <tt>no-ec2m</tt>:

<pre>./config fips no-ec2m <other options ...></pre>

== Compilation ==

Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.

cat README

where you will understand that you have to read another file INSTALL :

cat INSTALL

Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64.
Default is for Unix based systems.

==== Quick ====

<pre>./config <nowiki><options ...></nowiki>
make depend
make
make test
make install</pre>

Various options can be found examining the <tt>Configure</tt> file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see <tt>my $disabled</tt>), so you might want to use <tt>no-ssl2</tt>, <tt>no-ssl3</tt>, and <tt>no-comp</tt>.

== Platfom specific ==

=== Linux ===

==== Intel ====

==== ARM ====

=== Windows ===

==== W32 / Windows NT - Windows 9x ====

type INSTALL.W32

* you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.
* one of the following C compilers:
** Visual C++
** Borland C
** GNU C (Cygwin or MinGW)
* Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.

==== W64 ====

type INSTALL.W64

basically some specific 64bits information, default Windows build information is still in INSTALL.W32

==== Windows CE ====

=== Mac ===

=== More ===

==== VAX/VMS ====

I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts.
This code is still maintained.

==== OS/2 ====

==== NetWare ====
5.x 6.x

==== HP-UX ====
[[HP-UX Itanium FIPS and OpenSSL build]]

[[Category:Shell level]]
[[Category:Installation]]
[[Category:Compilation]]

Compilation and Installation

2014-04-25T17:20:51Z

Trawick: replace git command with link to page that shows available branches and how to access them

== Retrieve source code ==

The OpenSSL source code can be downloaded from [http://www.openssl.org/source/ www.openssl.org/source/] or any suitable [http://www.openssl.org/source/mirror.html ftp mirror]. There are various versions including stable as well as unstable versions.

The source code is manged via Git, the repository is

: git://git.openssl.org/openssl.git

The source is also available via a [https://github.com/openssl/openssl GitHub] mirror. This repository is updated every 15 minutes.

* [[Use_of_Git|Accessing OpenSSL source code via Git]]

== Configuration ==

OpenSSL is configured for a particular platform with protocol and behavior options using <tt>Configure</tt> and <tt>config</tt>.

=== Configure & Config ===

You use <tt>Configure</tt> and <tt>config</tt> to tune the compile and installation process through options and switches. The difference between is <tt>Configure</tt> properly handles the host-arch-compiler triplet, and <tt>config</tt> does not. <tt>config</tt> attempts to guess the triplet, so its a lot like autotool's <tt>config.guess</tt>.

You can usually use <tt>config</tt> and it will do the right thing (from Ubuntu 13.04, x64):

<pre>$ ./config
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring for linux-x86_64
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

Mac OSX is a problem (its often a neglected platform), and you will have to use <tt>Configure</tt>:

<pre> ./Configure darwin64-x86_64-cc
Configuring for darwin64-x86_64-cc
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

Running the same command with <tt>config</tt> results in:

<pre>$ ./config darwin64-x86_64-cc
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64
WARNING! If you wish to build 64-bit library, then you have to
invoke './Configure darwin64-x86_64-cc' *manually*.
You have about 5 seconds to press Ctrl-C to abort.
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)</pre>

If you provide a option not known to configure or ask for help, then you get a brief help message:

<pre>$ ./Configure --help
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]</pre>

And if you supply an unknown triplet:

<pre>$ ./Configure darwin64-x86_64-clang
Configuring for darwin64-x86_64-clang
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

pick os/compiler from:
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc
...

NOTE: If in doubt, on Unix-ish systems use './config'.</pre>

Finally, to delete a configuration and start anew, run <tt>make dclean</tt>.

=== Library Options ===

OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them.

'''Note''': if you specify a non-existent option, then the configure scripts will proceed without warning. For example, if you inadvertently specify '''no-sslv2''' rather than '''no-ssl2''', the script will configure ''with'' SSLv2 and ''without'' warning for the unknown no-sslv2.

{| class="wikitable sortable" border="1"
|+ OpenSSL Library Options
|-
! scope="col" width="150px" | Option
! scope="col" class="unsortable" | Description
|-
| --openssldir=XXX || The installation directory. If not specified, the library will be installed at <tt>/usr/local/ssl</tt>. Header will be located at <tt>/usr/local/ssl/include/openssl</tt>, and libraries located at <tt>/usr/local/ssl/lib</tt>.
|-
| shared || Build a shared object in addition to the static archive
|-
| enable-ec_nistp_64_gcc_128 || Use on x64 platforms when GCC supports <tt>__uint128_t</tt>. ECDH is about 2 to 4 times faster. Not enabled by default because <tt>Configure</tt> can't determine it.
|-
| no-ssl2 || Disables SSLv2
|-
| no-ssl3 || Disables SSLv3
|-
| no-comp || Disables compression independent of <tt>zlib</tt>
|-
| no-asm || Disables assembly language routines (and uses C routines)
|-
| no-dtls || Disables DTLS (useful on mobile devices since carries often block UDP)
|-
| no-shared || Disables shared objects (only a static library is created)
|-
| no-hw || Disables hardware support (useful on mobile devices)
|-
| no-engines || Disables hardware support (useful on mobile devices)
|-
| no-dso || Disables the OpenSSL DSO API (the library offers a shared object abstraction layer)
|-
| no-psk || Disables Preshared Key (PSK). PSK provides mutual authentication independent of trusted authorities, but its rarely offered or used
|-
| no-srp || Disables Secure Remote Password (SRP). SRP provides mutual authentication independent of trusted authorities, but its rarely offered or used
|-
| no-ec2m || Used when configuring FIPS Capable Library with a FIPS Object Module that only includes prime curves. That is, use this switch if you use <tt>openssl-fips-ecp-2.0.5</tt>.
|}

After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).

<pre>$ ./Configure darwin64-x86_64-cc no-ssl2 no-ssl3
Configuring for darwin64-x86_64-cc
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
no-gmp [default] OPENSSL_NO_GMP (skip dir)
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-md2 [default] OPENSSL_NO_MD2 (skip dir)
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default] OPENSSL_NO_SCTP (skip dir)
no-shared [default]
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)
no-ssl3 [option] OPENSSL_NO_SSL3 (skip dir)
no-store [experimental] OPENSSL_NO_STORE (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
...</pre>

=== Compile Time Checking ===

If you disable an option during configure, you can check if its available through <tt>OPENSSL_NO_*</tt> defines. OpenSSL writes the configure options to <tt><openssl/opensslconf.h></tt>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:

<pre>#include <openssl/opensslconf.h>
...

#if !defined(OPENSSL_NO_SSL3)
/* SSLv3 is available */
#endif</pre>

=== Modifying Build Settings ===

Sometimes you need to work around OpenSSL's selections for building the library. For example, you might want to use <tt>-Os</tt> for a mobile device (rather than <tt>-O3</tt>), or you might want to use the <tt>clang</tt> compiler (rather than <tt>gcc</tt>).

In case like these, its often easier to modify <tt>Configure</tt> and <tt>Makefile.org</tt> rather than trying to add targets to the configure scripts. Below is a patch that modifies <tt>Configure</tt> and <tt>Makefile.org</tt> for use under the iOS 7.0 SDK (which lacks <tt>gcc</tt> in <tt>/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/</tt>):

* Modifies <tt>Configure</tt> to use <tt>clang</tt>
* Modifies <tt>Makefile.org</tt> to use <tt>clang</tt>
* Modifies <tt>CFLAG</tt> to use <tt>-Os</tt>
* Modifies <tt>MAKEDEPPROG</tt> to use <tt>$(CC) -M</tt>

Setting and resetting of <tt>LANG</tt> is required on Mac OSX to work around a <tt>sed</tt> bug or limitation.

<pre>OLD_LANG=$LANG
unset LANG

sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure
sed -i "" 's/CC= cc/CC= clang/g' Makefile.org
sed -i "" 's/CFLAG= -O/CFLAG= -Os/g' Makefile.org
sed -i "" 's/MAKEDEPPROG=makedepend/MAKEDEPPROG=$(CC) -M/g' Makefile.org

export LANG=$OLD_LANG</pre>

After modification, be sure to dclean and configure again so the new settings are picked up:

<pre>make dclean

./config
make depend
make all
...</pre>

=== Fedora and Red Hat ===

On Fedora and Red Hat systems, be sure to export <tt>CFLAGS="-fPIC"</tt> and explicitly specify <tt>shared</tt> to <tt>config</tt>. Failing to do so will result in static libraries only.That is, you will be missing the shared objects and engines. The commands would look similar to below.

<pre>$ export CFLAGS="-fPIC"
$ ./config shared no-ssl2 no-ssl3 --openssldir=/usr/local/ssl
...
$ make depend
...
$ make all
...
$ sudo -E make install</pre>

=== FIPS Capable Library ===

If you want to use FIPS validated cryptography, you download, build and install the FIPS Object Module (<tt>openssl-fips-2.0.5.tar.gz</tt>) according to the [https://www.openssl.org/docs/fips/UserGuide-2.0.pdf FIPS User Guide 2.0] and [https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf FIPS 140-2 Security Policy]. You then download, build and install the FIPS Capable Library (<tt>openssl-1.0.1e.tar.gz</tt>).

When configuring the FIPS Capable Library, you must use <tt>fips</tt> as an option:

<pre>./config fips <other options ...></pre>

If you are configuring the FIPS Capable Library with only prime curves (<tt>openssl-fips-ecp-2.0.5.tar.gz</tt>), then you must configure with <tt>no-ec2m</tt>:

<pre>./config fips no-ec2m <other options ...></pre>

== Compilation ==

Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.

cat README

where you will understand that you have to read another file INSTALL :

cat INSTALL

Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64.
Default is for Unix based systems.

==== Quick ====

<pre>./config <nowiki><options ...></nowiki>
make depend
make
make test
make install</pre>

Various options can be found examining the <tt>Configure</tt> file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see <tt>my $disabled</tt>), so you might want to use <tt>no-ssl2</tt>, <tt>no-ssl3</tt>, and <tt>no-comp</tt>.

== Platfom specific ==

=== Linux ===

==== Intel ====

==== ARM ====

=== Windows ===

==== W32 / Windows NT - Windows 9x ====

type INSTALL.W32

* you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.
* one of the following C compilers:
** Visual C++
** Borland C
** GNU C (Cygwin or MinGW)
* Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.

==== W64 ====

type INSTALL.W64

basically some specific 64bits information, default Windows build information is still in INSTALL.W32

==== Windows CE ====

=== Mac ===

=== More ===

==== VAX/VMS ====

I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts.
This code is still maintained.

==== OS/2 ====

==== NetWare ====
5.x 6.x

==== HP-UX ====
[[HP-UX Itanium FIPS and OpenSSL build]]

[[Category:Shell level]]
[[Category:Installation]]
[[Category:Compilation]]

Use of Git

2014-04-25T17:13:26Z

Trawick: add sections on accessing the source for the web site and background info about git; link to the existing (less complete) page on repos on the web site; add link to the git.openssl.org

Use of Git

2014-04-25T15:51:19Z

Trawick: describe use of Git by OpenSSL committers and other contributors

== Use of Git with OpenSSL ==

The OpenSSL group hosts its own Git repository at openssl.org, and this contains the master copy of OpenSSL.

Contributors to OpenSSL should make use of the Github copy of this repository at https://github.com/openssl/openssl. Github makes it easy to maintain your own fork of OpenSSL for developing your contributions, as well as making a "pull request" to share fixes with the OpenSSL team when finished. Changes in the master Git repository are represented in the Github copy within minutes.

=== Getting a copy of the OpenSSL source tree ===

If you want to quickly make a copy of the OpenSSL source tree and you do not plan to publish any changes for use by others, just create a clone on your own machine.

<pre>
$ git clone https://github.com/openssl/openssl.git
</pre>

(Refer to Github documentation for instructions on other means of cloning the source tree.)

If you plan to make changes to the sources that you will share with others, including contributing changes to OpenSSL, it is recommended that you create a fork of the OpenSSL tree using your own Github id. You can use this to share changes with others whether or not you intend to submit changes to the OpenSSL team. Refer to the documentation at https://help.github.com/articles/fork-a-repo, in particular the discussion about how to track changes in the real OpenSSL repository that you forked.

=== Branches ===

The Git repositories contain multiple branches, representing development levels of OpenSSL as well as current and upcoming stable branches. An easy way to see the available branches is with the branch selector at https://github.com/openssl/openssl. The branches which are of most interest to most users are

* master (development)
* OpenSSL_1_0_2-stable (for the not-yet-released 1.0.2 series)
* OpenSSL_1_0_1-stable
* OpenSSL_1_0_0-stable

In order to access the code for a branch other than master, clone the Git repository then use the <tt>git checkout ''branchname''</tt> command to switch to a different branch. Consider using separate checkouts for each branch you are working in, with appropriate names for each, such as in the following example.

<pre>
$ git clone https://github.com/openssl/openssl.git OpenSSL-master
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_2-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_2-stable)
$ git clone https://github.com/openssl/openssl.git OpenSSL_1_0_1-stable
$ (cd OpenSSL_1_0_2-stable && git checkout OpenSSL_1_0_1-stable)
</pre>

If you've created your own fork of OpenSSL, replace the URL on the <tt>git clone</tt> command with the one for your fork. Also, you'll need to follow the instructions at https://help.github.com/articles/fork-a-repo for picking up changes from the master repository that you forked.

=== Making patches ===

If you need to post a patch to the OpenSSL development mailing list for discussion, create the patch as follows:

(consolidate existing info about patch format, but in the form of a <tt>git diff</tt> invocation)

=== Making pull requests ===

After developing and testing changes to OpenSSL in your checkout (clone), push them to your fork of OpenSSL (<tt>git push</tt>), then use the Github interface to submit a pull request to the master OpenSSL repository for the particular revision(s).

(need to allude to other instructions about RT, right?)