https://wiki.openssl.org/api.php?action=feedcontributions&user=Bstinar&feedformat=atomOpenSSLWiki - User contributions [en]2024-03-28T18:30:21ZUser contributionsMediaWiki 1.35.6https://wiki.openssl.org/index.php?title=Compilation_and_Installation&diff=1704Compilation and Installation2014-06-06T04:43:49Z<p>Bstinar: /* Windows */</p>
<hr />
<div>== Retrieve source code ==<br />
<br />
The OpenSSL source code can be downloaded from [http://www.openssl.org/source/ www.openssl.org/source/] or any suitable [http://www.openssl.org/source/mirror.html ftp mirror]. There are various versions including stable as well as unstable versions. <br />
<br />
The source code is manged via Git, the repository is<br />
<br />
: git://git.openssl.org/openssl.git<br />
<br />
The source is also available via a [https://github.com/openssl/openssl GitHub] mirror. This repository is updated every 15 minutes.<br />
<br />
* [[Use_of_Git|Accessing OpenSSL source code via Git]]<br />
<br />
== Configuration ==<br />
<br />
OpenSSL is configured for a particular platform with protocol and behavior options using <tt>Configure</tt> and <tt>config</tt>.<br />
<br />
=== Configure & Config ===<br />
<br />
You use <tt>Configure</tt> and <tt>config</tt> to tune the compile and installation process through options and switches. The difference between is <tt>Configure</tt> properly handles the host-arch-compiler triplet, and <tt>config</tt> does not. <tt>config</tt> attempts to guess the triplet, so its a lot like autotool's <tt>config.guess</tt>.<br />
<br />
You can usually use <tt>config</tt> and it will do the right thing (from Ubuntu 13.04, x64):<br />
<br />
<pre>$ ./config <br />
Operating system: x86_64-whatever-linux2<br />
Configuring for linux-x86_64<br />
Configuring for linux-x86_64<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
Mac OSX is a problem (its often a neglected platform), and you will have to use <tt>Configure</tt>:<br />
<br />
<pre> ./Configure darwin64-x86_64-cc<br />
Configuring for darwin64-x86_64-cc<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default]<br />
...</pre><br />
<br />
Running the same command with <tt>config</tt> results in:<br />
<br />
<pre>$ ./config darwin64-x86_64-cc<br />
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64<br />
WARNING! If you wish to build 64-bit library, then you have to<br />
invoke './Configure darwin64-x86_64-cc' *manually*.<br />
You have about 5 seconds to press Ctrl-C to abort.<br />
Configuring for darwin-i386-cc<br />
target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)</pre><br />
<br />
You can also configure on Darwin by exporting <tt>KERNEL_BITS</tt>:<br />
<br />
<pre>$ export KERNEL_BITS=64<br />
$ ./config shared no-ssl2 enable-ec_nistp_64_gcc_128 --openssldir=/usr/local/ssl/macosx-x64/<br />
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64<br />
Configuring for darwin64-x86_64-cc<br />
Configuring for darwin64-x86_64-cc<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-psk [option] OPENSSL_NO_PSK (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-srp [option] OPENSSL_NO_SRP (skip dir)<br />
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)<br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
If you provide a option not known to configure or ask for help, then you get a brief help message:<br />
<br />
<pre>$ ./Configure --help<br />
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]<br />
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]<br />
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]<br />
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]</pre><br />
<br />
And if you supply an unknown triplet: <br />
<br />
<pre>$ ./Configure darwin64-x86_64-clang<br />
Configuring for darwin64-x86_64-clang<br />
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]<br />
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]<br />
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]<br />
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]<br />
<br />
pick os/compiler from:<br />
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8 <br />
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX <br />
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32 <br />
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android <br />
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc <br />
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc <br />
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc <br />
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4 <br />
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc <br />
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc <br />
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc <br />
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc <br />
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4 <br />
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64 <br />
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8 <br />
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw <br />
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc <br />
...<br />
<br />
NOTE: If in doubt, on Unix-ish systems use './config'.</pre><br />
<br />
Finally, to delete a configuration and start anew, run <tt>make dclean</tt>.<br />
<br />
=== Configure Options ===<br />
<br />
OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them.<br />
<br />
'''Note''': if you specify a non-existent option, then the configure scripts will proceed without warning. For example, if you inadvertently specify '''no-sslv2''' rather than '''no-ssl2''', the script will configure ''with'' SSLv2 and ''without'' warning for the unknown no-sslv2.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|+ OpenSSL Library Options<br />
|-<br />
! scope="col" width="150px" | Option<br />
! scope="col" class="unsortable" | Description<br />
|-<br />
| --openssldir=XXX || The installation directory. If not specified, the library will be installed at <tt>/usr/local/ssl</tt>. Header will be located at <tt>/usr/local/ssl/include/openssl</tt>, and libraries located at <tt>/usr/local/ssl/lib</tt>.<br />
|-<br />
| shared || Build a shared object in addition to the static archive<br />
|-<br />
| enable-ec_nistp_64_gcc_128 || Use on x64 platforms when GCC supports <tt>__uint128_t</tt>. ECDH is about 2 to 4 times faster. Not enabled by default because <tt>Configure</tt> can't determine it.<br />
|-<br />
| no-ssl2 || Disables SSLv2<br />
|-<br />
| no-ssl3 || Disables SSLv3<br />
|-<br />
| no-comp || Disables compression independent of <tt>zlib</tt><br />
|-<br />
| no-idea || Disables IDEA algorithm. Unlike RC5 and MDC2, IDEA is enabled by default<br />
|-<br />
| no-asm || Disables assembly language routines (and uses C routines)<br />
|-<br />
| no-dtls || Disables DTLS (useful on mobile devices since carriers often block UDP)<br />
|-<br />
| no-shared || Disables shared objects (only a static library is created)<br />
|-<br />
| no-hw || Disables hardware support (useful on mobile devices)<br />
|-<br />
| no-engines || Disables hardware support (useful on mobile devices)<br />
|-<br />
| no-threads || Disables threading support<br />
|-<br />
| no-dso || Disables the OpenSSL DSO API (the library offers a shared object abstraction layer)<br />
|-<br />
| no-err || Removes all error function names and error reason text to reduce footprint<br />
|-<br />
| no-npn || Disables Next Protocol Negotiation (NPN)<br />
|-<br />
| no-psk || Disables Preshared Key (PSK). PSK provides mutual authentication independent of trusted authorities, but its rarely offered or used<br />
|-<br />
| no-srp || Disables Secure Remote Password (SRP). SRP provides mutual authentication independent of trusted authorities, but its rarely offered or used<br />
|-<br />
| no-ec2m || Used when configuring FIPS Capable Library with a FIPS Object Module that only includes prime curves. That is, use this switch if you use <tt>openssl-fips-ecp-2.0.5</tt>.<br />
|-<br />
| -DXXX || Defines XXX. For example, <tt>-DOPENSSL_NO_HEARTBEATS</tt>.<br />
|}<br />
<br />
After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).<br />
<br />
<pre>$ ./Configure darwin64-x86_64-cc no-ssl2 no-ssl3<br />
Configuring for darwin64-x86_64-cc<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)<br />
no-ssl3 [option] OPENSSL_NO_SSL3 (skip dir)<br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
=== Compile Time Checking ===<br />
<br />
If you disable an option during configure, you can check if it's available through <tt>OPENSSL_NO_*</tt> defines. OpenSSL writes the configure options to <tt><openssl/opensslconf.h></tt>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:<br />
<br />
<pre>#include <openssl/opensslconf.h><br />
...<br />
<br />
#if !defined(OPENSSL_NO_SSL3)<br />
/* SSLv3 is available */<br />
#endif</pre><br />
<br />
=== Modifying Build Settings ===<br />
<br />
Sometimes you need to work around OpenSSL's selections for building the library. For example, you might want to use <tt>-Os</tt> for a mobile device (rather than <tt>-O3</tt>), or you might want to use the <tt>clang</tt> compiler (rather than <tt>gcc</tt>).<br />
<br />
In case like these, its often easier to modify <tt>Configure</tt> and <tt>Makefile.org</tt> rather than trying to add targets to the configure scripts. Below is a patch that modifies <tt>Configure</tt> and <tt>Makefile.org</tt> for use under the iOS 7.0 SDK (which lacks <tt>gcc</tt> in <tt>/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/</tt>):<br />
<br />
* Modifies <tt>Configure</tt> to use <tt>clang</tt><br />
* Modifies <tt>Makefile.org</tt> to use <tt>clang</tt><br />
* Modifies <tt>CFLAG</tt> to use <tt>-Os</tt><br />
* Modifies <tt>MAKEDEPPROG</tt> to use <tt>$(CC) -M</tt><br />
<br />
Setting and resetting of <tt>LANG</tt> is required on Mac OSX to work around a <tt>sed</tt> bug or limitation.<br />
<br />
<pre>OLD_LANG=$LANG<br />
unset LANG<br />
<br />
sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure<br />
sed -i "" 's/CC= cc/CC= clang/g' Makefile.org<br />
sed -i "" 's/CFLAG= -O/CFLAG= -Os/g' Makefile.org<br />
sed -i "" 's/MAKEDEPPROG=makedepend/MAKEDEPPROG=$(CC) -M/g' Makefile.org<br />
<br />
export LANG=$OLD_LANG</pre><br />
<br />
After modification, be sure to dclean and configure again so the new settings are picked up:<br />
<br />
<pre>make dclean<br />
<br />
./config<br />
make depend<br />
make all<br />
...</pre><br />
<br />
=== Fedora and Red Hat ===<br />
<br />
On Fedora and Red Hat systems, be sure to export <tt>CFLAGS="-fPIC"</tt> and explicitly specify <tt>shared</tt> to <tt>config</tt>. Failing to do so will result in static libraries only.That is, you will be missing the shared objects and engines. The commands would look similar to below.<br />
<br />
<pre>$ export CFLAGS="-fPIC"<br />
$ ./config shared no-ssl2 no-ssl3 --openssldir=/usr/local/ssl<br />
...<br />
$ make depend<br />
...<br />
$ make all<br />
...<br />
$ sudo -E make install</pre><br />
<br />
=== FIPS Capable Library ===<br />
<br />
If you want to use FIPS validated cryptography, you download, build and install the FIPS Object Module (<tt>openssl-fips-2.0.5.tar.gz</tt>) according to the [https://www.openssl.org/docs/fips/UserGuide-2.0.pdf FIPS User Guide 2.0] and [https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf FIPS 140-2 Security Policy]. You then download, build and install the FIPS Capable Library (<tt>openssl-1.0.1e.tar.gz</tt>).<br />
<br />
When configuring the FIPS Capable Library, you must use <tt>fips</tt> as an option:<br />
<br />
<pre>./config fips <other options ...></pre><br />
<br />
If you are configuring the FIPS Capable Library with only prime curves (<tt>openssl-fips-ecp-2.0.5.tar.gz</tt>), then you must configure with <tt>no-ec2m</tt>:<br />
<br />
<pre>./config fips no-ec2m <other options ...></pre><br />
<br />
== Compilation ==<br />
<br />
Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.<br />
<br />
cat README<br />
<br />
where you will understand that you have to read another file INSTALL :<br />
<br />
cat INSTALL <br />
<br />
Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64.<br />
Default is for Unix based systems.<br />
<br />
==== Quick ====<br />
<br />
<pre>./config <nowiki><options ...></nowiki><br />
make depend<br />
make<br />
make test<br />
make install</pre><br />
<br />
Various options can be found examining the <tt>Configure</tt> file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see <tt>my $disabled</tt>), so you might want to use <tt>no-ssl2</tt>, <tt>no-ssl3</tt>, and <tt>no-comp</tt>.<br />
<br />
== Platfom specific ==<br />
<br />
=== Linux ===<br />
<br />
==== Intel ====<br />
<br />
==== ARM ====<br />
<br />
=== Windows ===<br />
3noch wrote a VERY good guide [http://developer.covenanteyes.com/building-openssl-for-visual-studio/ here].<br />
Like he said in his article, make absolutely sure to create separate directories for 32 and 64 bit versions.<br />
<br />
==== W32 / Windows NT - Windows 9x ====<br />
<br />
type INSTALL.W32<br />
<br />
* you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.<br />
* one of the following C compilers:<br />
** Visual C++<br />
** Borland C<br />
** GNU C (Cygwin or MinGW)<br />
* Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.<br />
<br />
==== W64 ====<br />
<br />
type INSTALL.W64<br />
<br />
basically some specific 64bits information, default Windows build information is still in INSTALL.W32<br />
<br />
==== Windows CE ====<br />
<br />
=== Mac ===<br />
<br />
=== iOS ===<br />
<br />
=== Android ===<br />
<br />
Visit [[Android]] and [[FIPS Library and Android]].<br />
<br />
=== More ===<br />
<br />
==== VAX/VMS ====<br />
<br />
I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts.<br />
This code is still maintained.<br />
<br />
==== OS/2 ====<br />
<br />
==== NetWare ====<br />
5.x 6.x<br />
<br />
==== HP-UX ====<br />
[[HP-UX Itanium FIPS and OpenSSL build]]<br />
<br />
[[Category:Shell level]]<br />
[[Category:Installation]]<br />
[[Category:Compilation]]</div>Bstinarhttps://wiki.openssl.org/index.php?title=Compilation_and_Installation&diff=1703Compilation and Installation2014-06-06T04:43:06Z<p>Bstinar: /* Windows */</p>
<hr />
<div>== Retrieve source code ==<br />
<br />
The OpenSSL source code can be downloaded from [http://www.openssl.org/source/ www.openssl.org/source/] or any suitable [http://www.openssl.org/source/mirror.html ftp mirror]. There are various versions including stable as well as unstable versions. <br />
<br />
The source code is manged via Git, the repository is<br />
<br />
: git://git.openssl.org/openssl.git<br />
<br />
The source is also available via a [https://github.com/openssl/openssl GitHub] mirror. This repository is updated every 15 minutes.<br />
<br />
* [[Use_of_Git|Accessing OpenSSL source code via Git]]<br />
<br />
== Configuration ==<br />
<br />
OpenSSL is configured for a particular platform with protocol and behavior options using <tt>Configure</tt> and <tt>config</tt>.<br />
<br />
=== Configure & Config ===<br />
<br />
You use <tt>Configure</tt> and <tt>config</tt> to tune the compile and installation process through options and switches. The difference between is <tt>Configure</tt> properly handles the host-arch-compiler triplet, and <tt>config</tt> does not. <tt>config</tt> attempts to guess the triplet, so its a lot like autotool's <tt>config.guess</tt>.<br />
<br />
You can usually use <tt>config</tt> and it will do the right thing (from Ubuntu 13.04, x64):<br />
<br />
<pre>$ ./config <br />
Operating system: x86_64-whatever-linux2<br />
Configuring for linux-x86_64<br />
Configuring for linux-x86_64<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
Mac OSX is a problem (its often a neglected platform), and you will have to use <tt>Configure</tt>:<br />
<br />
<pre> ./Configure darwin64-x86_64-cc<br />
Configuring for darwin64-x86_64-cc<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default]<br />
...</pre><br />
<br />
Running the same command with <tt>config</tt> results in:<br />
<br />
<pre>$ ./config darwin64-x86_64-cc<br />
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64<br />
WARNING! If you wish to build 64-bit library, then you have to<br />
invoke './Configure darwin64-x86_64-cc' *manually*.<br />
You have about 5 seconds to press Ctrl-C to abort.<br />
Configuring for darwin-i386-cc<br />
target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)</pre><br />
<br />
You can also configure on Darwin by exporting <tt>KERNEL_BITS</tt>:<br />
<br />
<pre>$ export KERNEL_BITS=64<br />
$ ./config shared no-ssl2 enable-ec_nistp_64_gcc_128 --openssldir=/usr/local/ssl/macosx-x64/<br />
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64<br />
Configuring for darwin64-x86_64-cc<br />
Configuring for darwin64-x86_64-cc<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-psk [option] OPENSSL_NO_PSK (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-srp [option] OPENSSL_NO_SRP (skip dir)<br />
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)<br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
If you provide a option not known to configure or ask for help, then you get a brief help message:<br />
<br />
<pre>$ ./Configure --help<br />
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]<br />
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]<br />
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]<br />
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]</pre><br />
<br />
And if you supply an unknown triplet: <br />
<br />
<pre>$ ./Configure darwin64-x86_64-clang<br />
Configuring for darwin64-x86_64-clang<br />
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]<br />
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]<br />
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]<br />
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]<br />
<br />
pick os/compiler from:<br />
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8 <br />
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX <br />
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32 <br />
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android <br />
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc <br />
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc <br />
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc <br />
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4 <br />
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc <br />
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc <br />
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc <br />
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc <br />
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4 <br />
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64 <br />
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8 <br />
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw <br />
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc <br />
...<br />
<br />
NOTE: If in doubt, on Unix-ish systems use './config'.</pre><br />
<br />
Finally, to delete a configuration and start anew, run <tt>make dclean</tt>.<br />
<br />
=== Configure Options ===<br />
<br />
OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them.<br />
<br />
'''Note''': if you specify a non-existent option, then the configure scripts will proceed without warning. For example, if you inadvertently specify '''no-sslv2''' rather than '''no-ssl2''', the script will configure ''with'' SSLv2 and ''without'' warning for the unknown no-sslv2.<br />
<br />
{| class="wikitable sortable" border="1"<br />
|+ OpenSSL Library Options<br />
|-<br />
! scope="col" width="150px" | Option<br />
! scope="col" class="unsortable" | Description<br />
|-<br />
| --openssldir=XXX || The installation directory. If not specified, the library will be installed at <tt>/usr/local/ssl</tt>. Header will be located at <tt>/usr/local/ssl/include/openssl</tt>, and libraries located at <tt>/usr/local/ssl/lib</tt>.<br />
|-<br />
| shared || Build a shared object in addition to the static archive<br />
|-<br />
| enable-ec_nistp_64_gcc_128 || Use on x64 platforms when GCC supports <tt>__uint128_t</tt>. ECDH is about 2 to 4 times faster. Not enabled by default because <tt>Configure</tt> can't determine it.<br />
|-<br />
| no-ssl2 || Disables SSLv2<br />
|-<br />
| no-ssl3 || Disables SSLv3<br />
|-<br />
| no-comp || Disables compression independent of <tt>zlib</tt><br />
|-<br />
| no-idea || Disables IDEA algorithm. Unlike RC5 and MDC2, IDEA is enabled by default<br />
|-<br />
| no-asm || Disables assembly language routines (and uses C routines)<br />
|-<br />
| no-dtls || Disables DTLS (useful on mobile devices since carriers often block UDP)<br />
|-<br />
| no-shared || Disables shared objects (only a static library is created)<br />
|-<br />
| no-hw || Disables hardware support (useful on mobile devices)<br />
|-<br />
| no-engines || Disables hardware support (useful on mobile devices)<br />
|-<br />
| no-threads || Disables threading support<br />
|-<br />
| no-dso || Disables the OpenSSL DSO API (the library offers a shared object abstraction layer)<br />
|-<br />
| no-err || Removes all error function names and error reason text to reduce footprint<br />
|-<br />
| no-npn || Disables Next Protocol Negotiation (NPN)<br />
|-<br />
| no-psk || Disables Preshared Key (PSK). PSK provides mutual authentication independent of trusted authorities, but its rarely offered or used<br />
|-<br />
| no-srp || Disables Secure Remote Password (SRP). SRP provides mutual authentication independent of trusted authorities, but its rarely offered or used<br />
|-<br />
| no-ec2m || Used when configuring FIPS Capable Library with a FIPS Object Module that only includes prime curves. That is, use this switch if you use <tt>openssl-fips-ecp-2.0.5</tt>.<br />
|-<br />
| -DXXX || Defines XXX. For example, <tt>-DOPENSSL_NO_HEARTBEATS</tt>.<br />
|}<br />
<br />
After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).<br />
<br />
<pre>$ ./Configure darwin64-x86_64-cc no-ssl2 no-ssl3<br />
Configuring for darwin64-x86_64-cc<br />
no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)<br />
no-gmp [default] OPENSSL_NO_GMP (skip dir)<br />
no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir)<br />
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5<br />
no-md2 [default] OPENSSL_NO_MD2 (skip dir)<br />
no-rc5 [default] OPENSSL_NO_RC5 (skip dir)<br />
no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir)<br />
no-sctp [default] OPENSSL_NO_SCTP (skip dir)<br />
no-shared [default] <br />
no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir)<br />
no-ssl3 [option] OPENSSL_NO_SSL3 (skip dir)<br />
no-store [experimental] OPENSSL_NO_STORE (skip dir)<br />
no-zlib [default] <br />
no-zlib-dynamic [default] <br />
...</pre><br />
<br />
=== Compile Time Checking ===<br />
<br />
If you disable an option during configure, you can check if it's available through <tt>OPENSSL_NO_*</tt> defines. OpenSSL writes the configure options to <tt><openssl/opensslconf.h></tt>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:<br />
<br />
<pre>#include <openssl/opensslconf.h><br />
...<br />
<br />
#if !defined(OPENSSL_NO_SSL3)<br />
/* SSLv3 is available */<br />
#endif</pre><br />
<br />
=== Modifying Build Settings ===<br />
<br />
Sometimes you need to work around OpenSSL's selections for building the library. For example, you might want to use <tt>-Os</tt> for a mobile device (rather than <tt>-O3</tt>), or you might want to use the <tt>clang</tt> compiler (rather than <tt>gcc</tt>).<br />
<br />
In case like these, its often easier to modify <tt>Configure</tt> and <tt>Makefile.org</tt> rather than trying to add targets to the configure scripts. Below is a patch that modifies <tt>Configure</tt> and <tt>Makefile.org</tt> for use under the iOS 7.0 SDK (which lacks <tt>gcc</tt> in <tt>/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/</tt>):<br />
<br />
* Modifies <tt>Configure</tt> to use <tt>clang</tt><br />
* Modifies <tt>Makefile.org</tt> to use <tt>clang</tt><br />
* Modifies <tt>CFLAG</tt> to use <tt>-Os</tt><br />
* Modifies <tt>MAKEDEPPROG</tt> to use <tt>$(CC) -M</tt><br />
<br />
Setting and resetting of <tt>LANG</tt> is required on Mac OSX to work around a <tt>sed</tt> bug or limitation.<br />
<br />
<pre>OLD_LANG=$LANG<br />
unset LANG<br />
<br />
sed -i "" 's|\"iphoneos-cross\"\,\"llvm-gcc\:-O3|\"iphoneos-cross\"\,\"clang\:-Os|g' Configure<br />
sed -i "" 's/CC= cc/CC= clang/g' Makefile.org<br />
sed -i "" 's/CFLAG= -O/CFLAG= -Os/g' Makefile.org<br />
sed -i "" 's/MAKEDEPPROG=makedepend/MAKEDEPPROG=$(CC) -M/g' Makefile.org<br />
<br />
export LANG=$OLD_LANG</pre><br />
<br />
After modification, be sure to dclean and configure again so the new settings are picked up:<br />
<br />
<pre>make dclean<br />
<br />
./config<br />
make depend<br />
make all<br />
...</pre><br />
<br />
=== Fedora and Red Hat ===<br />
<br />
On Fedora and Red Hat systems, be sure to export <tt>CFLAGS="-fPIC"</tt> and explicitly specify <tt>shared</tt> to <tt>config</tt>. Failing to do so will result in static libraries only.That is, you will be missing the shared objects and engines. The commands would look similar to below.<br />
<br />
<pre>$ export CFLAGS="-fPIC"<br />
$ ./config shared no-ssl2 no-ssl3 --openssldir=/usr/local/ssl<br />
...<br />
$ make depend<br />
...<br />
$ make all<br />
...<br />
$ sudo -E make install</pre><br />
<br />
=== FIPS Capable Library ===<br />
<br />
If you want to use FIPS validated cryptography, you download, build and install the FIPS Object Module (<tt>openssl-fips-2.0.5.tar.gz</tt>) according to the [https://www.openssl.org/docs/fips/UserGuide-2.0.pdf FIPS User Guide 2.0] and [https://www.openssl.org/docs/fips/SecurityPolicy-2.0.pdf FIPS 140-2 Security Policy]. You then download, build and install the FIPS Capable Library (<tt>openssl-1.0.1e.tar.gz</tt>).<br />
<br />
When configuring the FIPS Capable Library, you must use <tt>fips</tt> as an option:<br />
<br />
<pre>./config fips <other options ...></pre><br />
<br />
If you are configuring the FIPS Capable Library with only prime curves (<tt>openssl-fips-ecp-2.0.5.tar.gz</tt>), then you must configure with <tt>no-ec2m</tt>:<br />
<br />
<pre>./config fips no-ec2m <other options ...></pre><br />
<br />
== Compilation ==<br />
<br />
Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.<br />
<br />
cat README<br />
<br />
where you will understand that you have to read another file INSTALL :<br />
<br />
cat INSTALL <br />
<br />
Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64.<br />
Default is for Unix based systems.<br />
<br />
==== Quick ====<br />
<br />
<pre>./config <nowiki><options ...></nowiki><br />
make depend<br />
make<br />
make test<br />
make install</pre><br />
<br />
Various options can be found examining the <tt>Configure</tt> file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see <tt>my $disabled</tt>), so you might want to use <tt>no-ssl2</tt>, <tt>no-ssl3</tt>, and <tt>no-comp</tt>.<br />
<br />
== Platfom specific ==<br />
<br />
=== Linux ===<br />
<br />
==== Intel ====<br />
<br />
==== ARM ====<br />
<br />
=== Windows ===<br />
3noch wrote a VERY good guide [http://developer.covenanteyes.com/building-openssl-for-visual-studio/ here].<br />
<br />
==== W32 / Windows NT - Windows 9x ====<br />
<br />
type INSTALL.W32<br />
<br />
* you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.<br />
* one of the following C compilers:<br />
** Visual C++<br />
** Borland C<br />
** GNU C (Cygwin or MinGW)<br />
* Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.<br />
<br />
==== W64 ====<br />
<br />
type INSTALL.W64<br />
<br />
basically some specific 64bits information, default Windows build information is still in INSTALL.W32<br />
<br />
==== Windows CE ====<br />
<br />
=== Mac ===<br />
<br />
=== iOS ===<br />
<br />
=== Android ===<br />
<br />
Visit [[Android]] and [[FIPS Library and Android]].<br />
<br />
=== More ===<br />
<br />
==== VAX/VMS ====<br />
<br />
I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts.<br />
This code is still maintained.<br />
<br />
==== OS/2 ====<br />
<br />
==== NetWare ====<br />
5.x 6.x<br />
<br />
==== HP-UX ====<br />
[[HP-UX Itanium FIPS and OpenSSL build]]<br />
<br />
[[Category:Shell level]]<br />
[[Category:Installation]]<br />
[[Category:Compilation]]</div>Bstinar