Difference between revisions of "Compilation and Installation"

From OpenSSLWiki
Jump to navigationJump to search
m (Added info on Configure and Config)
m (Improved flow.)
Line 115: Line 115:
 
=== Library Options ===
 
=== Library Options ===
  
OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and other options through <tt>Configure</tt> and <tt>config</tt>, and the following will list some of them.
+
OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them.
  
 
{| class="wikitable sortable" border="1"
 
{| class="wikitable sortable" border="1"

Revision as of 02:31, 19 October 2013

Retrieve source code

The OpenSSL source code can be downloaded from www.openssl.org/source/ or any suitable ftp mirror. There are various versions including stable as well as unstable versions.

The source code is manged via Git, the repository is

git://git.openssl.org/openssl.git

The source is also available via a GitHub mirror. This repository is updated every 15 minutes.

If you don't know what Git is or how to use it, see the introduction at the Git documentation page. Once you installed git you can use

$ git clone git://git.openssl.org/openssl.git

in an empty directory to download the latest (development) version. There are other branches available as well.

Configuration

OpenSSL is configured for a particular platform with protocol and behavior options using Configure and config.

Configure & Config

You use Configure and config to tune the compile and installation process through options and switches. The difference between is Configure properly handles the host-arch-compiler triplet, and config does not. config attempts to guess the triplet, so its a lot like autotool's config.guess.

You can usually use config and it will do the right thing (from Ubuntu 13.04, x64):

$ ./config 
Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
Configuring for linux-x86_64
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
    no-shared       [default] 
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-zlib         [default] 
    no-zlib-dynamic [default] 
    ...

Mac OSX is a problem (its often a neglected platform), and you will have to use Configure:

 ./Configure darwin64-x86_64-cc
Configuring for darwin64-x86_64-cc
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
    no-shared       [default] 
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-zlib         [default] 
    no-zlib-dynamic [default]
    ...

Running the same command with config results in:

$ ./config darwin64-x86_64-cc
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64
WARNING! If you wish to build 64-bit library, then you have to
         invoke './Configure darwin64-x86_64-cc' *manually*.
         You have about 5 seconds to press Ctrl-C to abort.
Configuring for darwin-i386-cc
target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)

If you provide a option not known to configure or ask for help, then you get a brief help message:

$ ./Configure --help
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

And if you supply an unknown triplet:

$ ./Configure darwin64-x86_64-clang
Configuring for darwin64-x86_64-clang
Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared]
[[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
[--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]

pick os/compiler from:
BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8 
BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX 
OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32 
VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android 
android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc 
cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc 
darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc 
hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4 
hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc 
hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc 
hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc 
irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc 
linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4 
linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64 
linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8 
linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw 
mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc 
...

NOTE: If in doubt, on Unix-ish systems use './config'.

Finally, to delete a configuration and start anew, run make dclean.

Library Options

OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through Configure and config, and the following lists some of them.

OpenSSL Library Options
Option Description
--openssldir=XXX The installation directory. In not speoicified, the library will be installed at /usr/local/ssl. Header will be located at /usr/local/ssl/include/openssl, and libraries located at /usr/local/ssl/lib.
-no-ssl2 Disables SSLv2
-no-ssl3 Disables SSLv3
-no-comp Disables compression independent of zlib
-no-dtls Disables DTLS (useful on mobile devices since carries often block UDP)
-no-shared Disables shared objects (only a static library is created)
-no-hw Disables hardware support (useful on mobile devices)
-no-engines Disables hardware support (useful on mobile devices)
-no-dso Disable the OpenSSL DSO API (the library offers a shared object abstraction layer)

After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).

$ ./Configure darwin64-x86_64-cc -no-ssl2 -no-ssl3
Configuring for darwin64-x86_64-cc
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
    no-shared       [default] 
    no-ssl2         [option]   OPENSSL_NO_SSL2 (skip dir)
    no-ssl3         [option]   OPENSSL_NO_SSL3 (skip dir)
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-zlib         [default] 
    no-zlib-dynamic [default] 
    ...

Compile Time Checking

If you disable an option during configure, you can check if its available through OPENSSL_* defines. OpenSSL writes the configure options to <openssl/opensslconf.h>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:

#include <openssl/opensslconf.h>
...
#if !defined(OPENSSL_NO_SSL3)
  /* SSLv3 is available */
# endif

Compilation

Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.

cat README

where you will understand that you have to read another file INSTALL :

cat INSTALL

Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64. Default is for Unix based systems.

Quick

./config <options ...>
make depend
make
make test
make install

Various options can be found examining the Configure file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see my $disabled), so you might want to use -no-ssl2, -no-ssl3, and -no-comp.

Platfom specific

Linux

Intel

ARM

Windows

W32 / Windows NT - Windows 9x

type INSTALL.W32

  • you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.
  • one of the following C compilers:
    • Visual C++
    • Borland C
    • GNU C (Cygwin or MinGW)
  • Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.

W64

type INSTALL.W64

basically some specific 64bits information, default Windows build information is still in INSTALL.W32

Windows CE

Mac

More

VAX/VMS

I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts. This code is still maintained.

OS/2

NetWare

5.x 6.x