Difference between revisions of "Compilation and Installation"
m (Added info on Configure and Config) |
m (Improved flow.) |
||
Line 115: | Line 115: | ||
=== Library Options === | === Library Options === | ||
− | OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and other options through <tt>Configure</tt> and <tt>config</tt>, and the following | + | OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through <tt>Configure</tt> and <tt>config</tt>, and the following lists some of them. |
{| class="wikitable sortable" border="1" | {| class="wikitable sortable" border="1" |
Revision as of 02:31, 19 October 2013
Retrieve source code
The OpenSSL source code can be downloaded from www.openssl.org/source/ or any suitable ftp mirror. There are various versions including stable as well as unstable versions.
The source code is manged via Git, the repository is
The source is also available via a GitHub mirror. This repository is updated every 15 minutes.
If you don't know what Git is or how to use it, see the introduction at the Git documentation page. Once you installed git you can use
$ git clone git://git.openssl.org/openssl.git
in an empty directory to download the latest (development) version. There are other branches available as well.
Configuration
OpenSSL is configured for a particular platform with protocol and behavior options using Configure and config.
Configure & Config
You use Configure and config to tune the compile and installation process through options and switches. The difference between is Configure properly handles the host-arch-compiler triplet, and config does not. config attempts to guess the triplet, so its a lot like autotool's config.guess.
You can usually use config and it will do the right thing (from Ubuntu 13.04, x64):
$ ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring for linux-x86_64 no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-store [experimental] OPENSSL_NO_STORE (skip dir) no-zlib [default] no-zlib-dynamic [default] ...
Mac OSX is a problem (its often a neglected platform), and you will have to use Configure:
./Configure darwin64-x86_64-cc Configuring for darwin64-x86_64-cc no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-store [experimental] OPENSSL_NO_STORE (skip dir) no-zlib [default] no-zlib-dynamic [default] ...
Running the same command with config results in:
$ ./config darwin64-x86_64-cc Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64 WARNING! If you wish to build 64-bit library, then you have to invoke './Configure darwin64-x86_64-cc' *manually*. You have about 5 seconds to press Ctrl-C to abort. Configuring for darwin-i386-cc target already defined - darwin-i386-cc (offending arg: darwin64-x86_64-cc)
If you provide a option not known to configure or ask for help, then you get a brief help message:
$ ./Configure --help Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]
And if you supply an unknown triplet:
$ ./Configure darwin64-x86_64-clang Configuring for darwin64-x86_64-clang Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags] pick os/compiler from: BC-32 BS2000-OSD BSD-generic32 BSD-generic64 BSD-ia64 BSD-sparc64 BSD-sparcv8 BSD-x86 BSD-x86-elf BSD-x86_64 Cygwin Cygwin-pre1.3 DJGPP MPE/iX-gcc OS2-EMX OS390-Unix QNX6 QNX6-i386 ReliantUNIX SINIX SINIX-N UWIN VC-CE VC-WIN32 VC-WIN64A VC-WIN64I aix-cc aix-gcc aix3-cc aix64-cc aix64-gcc android android-armv7 android-x86 aux3-gcc beos-x86-bone beos-x86-r5 bsdi-elf-gcc cc cray-j90 cray-t3e darwin-i386-cc darwin-ppc-cc darwin64-ppc-cc darwin64-x86_64-cc dgux-R3-gcc dgux-R4-gcc dgux-R4-x86-gcc dist gcc hpux-cc hpux-gcc hpux-ia64-cc hpux-ia64-gcc hpux-parisc-cc hpux-parisc-cc-o4 hpux-parisc-gcc hpux-parisc1_1-cc hpux-parisc1_1-gcc hpux-parisc2-cc hpux-parisc2-gcc hpux64-ia64-cc hpux64-ia64-gcc hpux64-parisc2-cc hpux64-parisc2-gcc hurd-x86 iphoneos-cross irix-cc irix-gcc irix-mips3-cc irix-mips3-gcc irix64-mips4-cc irix64-mips4-gcc linux-alpha+bwx-ccc linux-alpha+bwx-gcc linux-alpha-ccc linux-alpha-gcc linux-aout linux-armv4 linux-elf linux-generic32 linux-generic64 linux-ia32-icc linux-ia64 linux-ia64-ecc linux-ia64-icc linux-ppc linux-ppc64 linux-sparcv8 linux-sparcv9 linux-x86_64 linux32-s390x linux64-s390x linux64-sparcv9 mingw mingw64 ncr-scde netware-clib netware-clib-bsdsock netware-clib-bsdsock-gcc ... NOTE: If in doubt, on Unix-ish systems use './config'.
Finally, to delete a configuration and start anew, run make dclean.
Library Options
OpenSSL has been around a long time, and it carries around a lot of cruft. For example, from above, SSLv2 is enabled by default. SSLv2 is completely broken, and you should disable it during configuration. You can disable protocols and provide other options through Configure and config, and the following lists some of them.
Option | Description |
---|---|
--openssldir=XXX | The installation directory. In not speoicified, the library will be installed at /usr/local/ssl. Header will be located at /usr/local/ssl/include/openssl, and libraries located at /usr/local/ssl/lib. |
-no-ssl2 | Disables SSLv2 |
-no-ssl3 | Disables SSLv3 |
-no-comp | Disables compression independent of zlib |
-no-dtls | Disables DTLS (useful on mobile devices since carries often block UDP) |
-no-shared | Disables shared objects (only a static library is created) |
-no-hw | Disables hardware support (useful on mobile devices) |
-no-engines | Disables hardware support (useful on mobile devices) |
-no-dso | Disable the OpenSSL DSO API (the library offers a shared object abstraction layer) |
After disabling an option, your configure output will look similar to below (notice the lack of SSLv2 and SSLv3 support).
$ ./Configure darwin64-x86_64-cc -no-ssl2 -no-ssl3 Configuring for darwin64-x86_64-cc no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-gmp [default] OPENSSL_NO_GMP (skip dir) no-jpake [experimental] OPENSSL_NO_JPAKE (skip dir) no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5 no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-rfc3779 [default] OPENSSL_NO_RFC3779 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl2 [option] OPENSSL_NO_SSL2 (skip dir) no-ssl3 [option] OPENSSL_NO_SSL3 (skip dir) no-store [experimental] OPENSSL_NO_STORE (skip dir) no-zlib [default] no-zlib-dynamic [default] ...
Compile Time Checking
If you disable an option during configure, you can check if its available through OPENSSL_* defines. OpenSSL writes the configure options to <openssl/opensslconf.h>. For example, if you want to know if SSLv3 is available, then you would perform the following in your code:
#include <openssl/opensslconf.h> ... #if !defined(OPENSSL_NO_SSL3) /* SSLv3 is available */ # endif
Compilation
Once you untar the source files (or fetched them from source control), its a good idea to look at README provided in it.
cat README
where you will understand that you have to read another file INSTALL :
cat INSTALL
Depending on your platform you will have to pick up the right INSTALL by example INSTALL.W64. Default is for Unix based systems.
Quick
./config <options ...> make depend make make test make install
Various options can be found examining the Configure file (there is a well commented block at its top). OpenSSL ships with SSLv2, SSLv3 and Compression enabled by default (see my $disabled), so you might want to use -no-ssl2, -no-ssl3, and -no-comp.
Platfom specific
Linux
Intel
ARM
Windows
W32 / Windows NT - Windows 9x
type INSTALL.W32
- you need Perl for Win32. Unless you will build on Cygwin, you will need ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- one of the following C compilers:
- Visual C++
- Borland C
- GNU C (Cygwin or MinGW)
- Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/ is required if you intend to utilize assembler modules. Note that NASM is now the only supported assembler.
W64
type INSTALL.W64
basically some specific 64bits information, default Windows build information is still in INSTALL.W32
Windows CE
Mac
More
VAX/VMS
I you wonder what are files ending with .com like test/testca.com those are VAX/VMX scripts. This code is still maintained.
OS/2
NetWare
5.x 6.x