INSTALL 52 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217
  1. OPENSSL INSTALLATION
  2. --------------------
  3. This document describes installation on all supported operating
  4. systems (the Unix/Linux family (which includes Mac OS/X), OpenVMS,
  5. and Windows).
  6. To install OpenSSL, you will need:
  7. * A make implementation
  8. * Perl 5 with core modules (please read NOTES.PERL)
  9. * The perl module Text::Template (please read NOTES.PERL)
  10. * an ANSI C compiler
  11. * a development environment in the form of development libraries and C
  12. header files
  13. * a supported operating system
  14. For additional platform specific requirements, solutions to specific
  15. issues and other details, please read one of these:
  16. * NOTES.UNIX (any supported Unix like system)
  17. * NOTES.VMS (OpenVMS)
  18. * NOTES.WIN (any supported Windows)
  19. * NOTES.DJGPP (DOS platform with DJGPP)
  20. * NOTES.ANDROID (obviously Android [NDK])
  21. Notational conventions in this document
  22. ---------------------------------------
  23. Throughout this document, we use the following conventions in command
  24. examples:
  25. $ command Any line starting with a dollar sign
  26. ($) is a command line.
  27. { word1 | word2 | word3 } This denotes a mandatory choice, to be
  28. replaced with one of the given words.
  29. A simple example would be this:
  30. $ echo { FOO | BAR | COOKIE }
  31. which is to be understood as one of
  32. these:
  33. $ echo FOO
  34. - or -
  35. $ echo BAR
  36. - or -
  37. $ echo COOKIE
  38. [ word1 | word2 | word3 ] Similar to { word1 | word2 | word3 }
  39. except it's optional to give any of
  40. those. In addition to the examples
  41. above, this would also be valid:
  42. $ echo
  43. {{ target }} This denotes a mandatory word or
  44. sequence of words of some sort. A
  45. simple example would be this:
  46. $ type {{ filename }}
  47. which is to be understood to use the
  48. command 'type' on some file name
  49. determined by the user.
  50. [[ options ]] Similar to {{ target }}, but is
  51. optional.
  52. Note that the notation assumes spaces around {, }, [, ], {{, }} and
  53. [[, ]]. This is to differentiate from OpenVMS directory
  54. specifications, which also use [ and ], but without spaces.
  55. Quick Start
  56. -----------
  57. If you want to just get on with it, do:
  58. on Unix (again, this includes Mac OS/X):
  59. $ ./config
  60. $ make
  61. $ make test
  62. $ make install
  63. on OpenVMS:
  64. $ @config
  65. $ mms
  66. $ mms test
  67. $ mms install
  68. on Windows (only pick one of the targets for configuration):
  69. $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE }
  70. $ nmake
  71. $ nmake test
  72. $ nmake install
  73. If any of these steps fails, see section Installation in Detail below.
  74. This will build and install OpenSSL in the default location, which is:
  75. Unix: normal installation directories under /usr/local
  76. OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
  77. OpenSSL version number with underscores instead of periods.
  78. Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
  79. If you want to install it anywhere else, run config like this:
  80. On Unix:
  81. $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl
  82. On OpenVMS:
  83. $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
  84. (Note: if you do add options to the configuration command, please make sure
  85. you've read more than just this Quick Start, such as relevant NOTES.* files,
  86. the options outline below, as configuration options may change the outcome
  87. in otherwise unexpected ways)
  88. Configuration Options
  89. ---------------------
  90. There are several options to ./config (or ./Configure) to customize
  91. the build (note that for Windows, the defaults for --prefix and
  92. --openssldir depend in what configuration is used and what Windows
  93. implementation OpenSSL is built on. More notes on this in NOTES.WIN):
  94. --api=x.y.z
  95. Don't build with support for deprecated APIs below the
  96. specified version number. For example "--api=1.1.0" will
  97. remove support for all APIS that were deprecated in OpenSSL
  98. version 1.1.0 or below.
  99. --cross-compile-prefix=PREFIX
  100. The PREFIX to include in front of commands for your
  101. toolchain. It's likely to have to end with dash, e.g.
  102. a-b-c- would invoke GNU compiler as a-b-c-gcc, etc.
  103. Unfortunately cross-compiling is too case-specific to
  104. put together one-size-fits-all instructions. You might
  105. have to pass more flags or set up environment variables
  106. to actually make it work. Android and iOS cases are
  107. discussed in corresponding Configurations/15-*.conf
  108. files. But there are cases when this option alone is
  109. sufficient. For example to build the mingw64 target on
  110. Linux "--cross-compile-prefix=x86_64-w64-mingw32-"
  111. works. Naturally provided that mingw packages are
  112. installed. Today Debian and Ubuntu users have option to
  113. install a number of prepackaged cross-compilers along
  114. with corresponding run-time and development packages for
  115. "alien" hardware. To give another example
  116. "--cross-compile-prefix=mipsel-linux-gnu-" suffices
  117. in such case. Needless to mention that you have to
  118. invoke ./Configure, not ./config, and pass your target
  119. name explicitly. Also, note that --openssldir refers
  120. to target's file system, not one you are building on.
  121. --debug
  122. Build OpenSSL with debugging symbols and zero optimization
  123. level.
  124. --libdir=DIR
  125. The name of the directory under the top of the installation
  126. directory tree (see the --prefix option) where libraries will
  127. be installed. By default this is "lib". Note that on Windows
  128. only ".lib" files will be stored in this location. dll files
  129. will always be installed to the "bin" directory.
  130. --openssldir=DIR
  131. Directory for OpenSSL configuration files, and also the
  132. default certificate and key store. Defaults are:
  133. Unix: /usr/local/ssl
  134. Windows: C:\Program Files\Common Files\SSL
  135. or C:\Program Files (x86)\Common Files\SSL
  136. OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
  137. --prefix=DIR
  138. The top of the installation directory tree. Defaults are:
  139. Unix: /usr/local
  140. Windows: C:\Program Files\OpenSSL
  141. or C:\Program Files (x86)\OpenSSL
  142. OpenVMS: SYS$COMMON:[OPENSSL-'version']
  143. --release
  144. Build OpenSSL without debugging symbols. This is the default.
  145. --strict-warnings
  146. This is a developer flag that switches on various compiler
  147. options recommended for OpenSSL development. It only works
  148. when using gcc or clang as the compiler. If you are
  149. developing a patch for OpenSSL then it is recommended that
  150. you use this option where possible.
  151. --with-zlib-include=DIR
  152. The directory for the location of the zlib include file. This
  153. option is only necessary if enable-zlib (see below) is used
  154. and the include file is not already on the system include
  155. path.
  156. --with-zlib-lib=LIB
  157. On Unix: this is the directory containing the zlib library.
  158. If not provided the system library path will be used.
  159. On Windows: this is the filename of the zlib library (with or
  160. without a path). This flag must be provided if the
  161. zlib-dynamic option is not also used. If zlib-dynamic is used
  162. then this flag is optional and a default value ("ZLIB1") is
  163. used if not provided.
  164. On VMS: this is the filename of the zlib library (with or
  165. without a path). This flag is optional and if not provided
  166. then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is
  167. used by default depending on the pointer size chosen.
  168. --with-rand-seed=seed1[,seed2,...]
  169. A comma separated list of seeding methods which will be tried
  170. by OpenSSL in order to obtain random input (a.k.a "entropy")
  171. for seeding its cryptographically secure random number
  172. generator (CSPRNG). The current seeding methods are:
  173. os: Use a trusted operating system entropy source.
  174. This is the default method if such an entropy
  175. source exists.
  176. getrandom: Use the L<getrandom(2)> or equivalent system
  177. call.
  178. devrandom: Use the the first device from the DEVRANDOM list
  179. which can be opened to read random bytes. The
  180. DEVRANDOM preprocessor constant expands to
  181. "/dev/urandom","/dev/random","/dev/srandom" on
  182. most unix-ish operating systems.
  183. egd: Check for an entropy generating daemon.
  184. rdcpu: Use the RDSEED or RDRAND command if provided by
  185. the CPU.
  186. librandom: Use librandom (not implemented yet).
  187. none: Disable automatic seeding. This is the default
  188. on some operating systems where no suitable
  189. entropy source exists, or no support for it is
  190. implemented yet.
  191. For more information, see the section 'Note on random number
  192. generation' at the end of this document.
  193. no-afalgeng
  194. Don't build the AFALG engine. This option will be forced if
  195. on a platform that does not support AFALG.
  196. enable-asan
  197. Build with the Address sanitiser. This is a developer option
  198. only. It may not work on all platforms and should never be
  199. used in production environments. It will only work when used
  200. with gcc or clang and should be used in conjunction with the
  201. no-shared option.
  202. no-asm
  203. Do not use assembler code. This should be viewed as
  204. debugging/trouble-shooting option rather than production.
  205. On some platforms a small amount of assembler code may
  206. still be used even with this option.
  207. no-async
  208. Do not build support for async operations.
  209. no-autoalginit
  210. Don't automatically load all supported ciphers and digests.
  211. Typically OpenSSL will make available all of its supported
  212. ciphers and digests. For a statically linked application this
  213. may be undesirable if small executable size is an objective.
  214. This only affects libcrypto. Ciphers and digests will have to
  215. be loaded manually using EVP_add_cipher() and
  216. EVP_add_digest() if this option is used. This option will
  217. force a non-shared build.
  218. no-autoerrinit
  219. Don't automatically load all libcrypto/libssl error strings.
  220. Typically OpenSSL will automatically load human readable
  221. error strings. For a statically linked application this may
  222. be undesirable if small executable size is an objective.
  223. no-autoload-config
  224. Don't automatically load the default openssl.cnf file.
  225. Typically OpenSSL will automatically load a system config
  226. file which configures default ssl options.
  227. no-capieng
  228. Don't build the CAPI engine. This option will be forced if
  229. on a platform that does not support CAPI.
  230. no-cms
  231. Don't build support for CMS features
  232. no-comp
  233. Don't build support for SSL/TLS compression. If this option
  234. is left enabled (the default), then compression will only
  235. work if the zlib or zlib-dynamic options are also chosen.
  236. enable-crypto-mdebug
  237. Build support for debugging memory allocated via
  238. OPENSSL_malloc() or OPENSSL_zalloc().
  239. enable-crypto-mdebug-backtrace
  240. As for crypto-mdebug, but additionally provide backtrace
  241. information for allocated memory.
  242. TO BE USED WITH CARE: this uses GNU C functionality, and
  243. is therefore not usable for non-GNU config targets. If
  244. your build complains about the use of '-rdynamic' or the
  245. lack of header file execinfo.h, this option is not for you.
  246. ALSO NOTE that even though execinfo.h is available on your
  247. system (through Gnulib), the functions might just be stubs
  248. that do nothing.
  249. no-ct
  250. Don't build support for Certificate Transparency.
  251. no-deprecated
  252. Don't build with support for any deprecated APIs. This is the
  253. same as using "--api" and supplying the latest version
  254. number.
  255. no-dgram
  256. Don't build support for datagram based BIOs. Selecting this
  257. option will also force the disabling of DTLS.
  258. no-dso
  259. Don't build support for loading Dynamic Shared Objects.
  260. no-dynamic-engine
  261. Don't build the dynamically loaded engines. This only has an
  262. effect in a "shared" build
  263. no-ec
  264. Don't build support for Elliptic Curves.
  265. no-ec2m
  266. Don't build support for binary Elliptic Curves
  267. enable-ec_nistp_64_gcc_128
  268. Enable support for optimised implementations of some commonly
  269. used NIST elliptic curves.
  270. This is only supported on platforms:
  271. - with little-endian storage of non-byte types
  272. - that tolerate misaligned memory references
  273. - where the compiler:
  274. - supports the non-standard type __uint128_t
  275. - defines the built-in macro __SIZEOF_INT128__
  276. enable-egd
  277. Build support for gathering entropy from EGD (Entropy
  278. Gathering Daemon).
  279. no-engine
  280. Don't build support for loading engines.
  281. no-err
  282. Don't compile in any error strings.
  283. enable-external-tests
  284. Enable building of integration with external test suites.
  285. This is a developer option and may not work on all platforms.
  286. The only supported external test suite at the current time is
  287. the BoringSSL test suite. See the file test/README.external
  288. for further details.
  289. no-filenames
  290. Don't compile in filename and line number information (e.g.
  291. for errors and memory allocation).
  292. enable-fuzz-libfuzzer, enable-fuzz-afl
  293. Build with support for fuzzing using either libfuzzer or AFL.
  294. These are developer options only. They may not work on all
  295. platforms and should never be used in production environments.
  296. See the file fuzz/README.md for further details.
  297. no-gost
  298. Don't build support for GOST based ciphersuites. Note that
  299. if this feature is enabled then GOST ciphersuites are only
  300. available if the GOST algorithms are also available through
  301. loading an externally supplied engine.
  302. no-hw-padlock
  303. Don't build the padlock engine.
  304. no-makedepend
  305. Don't generate dependencies.
  306. no-multiblock
  307. Don't build support for writing multiple records in one
  308. go in libssl (Note: this is a different capability to the
  309. pipelining functionality).
  310. no-nextprotoneg
  311. Don't build support for the NPN TLS extension.
  312. no-ocsp
  313. Don't build support for OCSP.
  314. no-pic
  315. Don't build with support for Position Independent Code.
  316. no-posix-io
  317. Don't use POSIX IO capabilities.
  318. no-psk
  319. Don't build support for Pre-Shared Key based ciphersuites.
  320. no-rdrand
  321. Don't use hardware RDRAND capabilities.
  322. no-rfc3779
  323. Don't build support for RFC3779 ("X.509 Extensions for IP
  324. Addresses and AS Identifiers")
  325. sctp
  326. Build support for SCTP
  327. no-shared
  328. Do not create shared libraries, only static ones. See "Note
  329. on shared libraries" below.
  330. no-sock
  331. Don't build support for socket BIOs
  332. no-srp
  333. Don't build support for SRP or SRP based ciphersuites.
  334. no-srtp
  335. Don't build SRTP support
  336. no-sse2
  337. Exclude SSE2 code paths from 32-bit x86 assembly modules.
  338. Normally SSE2 extension is detected at run-time, but the
  339. decision whether or not the machine code will be executed
  340. is taken solely on CPU capability vector. This means that
  341. if you happen to run OS kernel which does not support SSE2
  342. extension on Intel P4 processor, then your application
  343. might be exposed to "illegal instruction" exception.
  344. There might be a way to enable support in kernel, e.g.
  345. FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
  346. there is a way to disengage SSE2 code paths upon application
  347. start-up, but if you aim for wider "audience" running
  348. such kernel, consider no-sse2. Both the 386 and
  349. no-asm options imply no-sse2.
  350. enable-ssl-trace
  351. Build with the SSL Trace capabilities (adds the "-trace"
  352. option to s_client and s_server).
  353. no-static-engine
  354. Don't build the statically linked engines. This only
  355. has an impact when not built "shared".
  356. no-stdio
  357. Don't use anything from the C header file "stdio.h" that
  358. makes use of the "FILE" type. Only libcrypto and libssl can
  359. be built in this way. Using this option will suppress
  360. building the command line applications. Additionally since
  361. the OpenSSL tests also use the command line applications the
  362. tests will also be skipped.
  363. no-tests
  364. Don't build test programs or run any test.
  365. no-threads
  366. Don't try to build with support for multi-threaded
  367. applications.
  368. threads
  369. Build with support for multi-threaded applications. Most
  370. platforms will enable this by default. However if on a
  371. platform where this is not the case then this will usually
  372. require additional system-dependent options! See "Note on
  373. multi-threading" below.
  374. no-ts
  375. Don't build Time Stamping Authority support.
  376. enable-ubsan
  377. Build with the Undefined Behaviour sanitiser. This is a
  378. developer option only. It may not work on all platforms and
  379. should never be used in production environments. It will only
  380. work when used with gcc or clang and should be used in
  381. conjunction with the "-DPEDANTIC" option (or the
  382. --strict-warnings option).
  383. no-ui
  384. Don't build with the "UI" capability (i.e. the set of
  385. features enabling text based prompts).
  386. enable-unit-test
  387. Enable additional unit test APIs. This should not typically
  388. be used in production deployments.
  389. enable-weak-ssl-ciphers
  390. Build support for SSL/TLS ciphers that are considered "weak"
  391. (e.g. RC4 based ciphersuites).
  392. zlib
  393. Build with support for zlib compression/decompression.
  394. zlib-dynamic
  395. Like "zlib", but has OpenSSL load the zlib library
  396. dynamically when needed. This is only supported on systems
  397. where loading of shared libraries is supported.
  398. 386
  399. In 32-bit x86 builds, when generating assembly modules,
  400. use the 80386 instruction set only (the default x86 code
  401. is more efficient, but requires at least a 486). Note:
  402. This doesn't affect code generated by compiler, you're
  403. likely to complement configuration command line with
  404. suitable compiler-specific option.
  405. no-<prot>
  406. Don't build support for negotiating the specified SSL/TLS
  407. protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2,
  408. tls1_3, dtls, dtls1 or dtls1_2). If "no-tls" is selected then
  409. all of tls1, tls1_1, tls1_2 and tls1_3 are disabled.
  410. Similarly "no-dtls" will disable dtls1 and dtls1_2. The
  411. "no-ssl" option is synonymous with "no-ssl3". Note this only
  412. affects version negotiation. OpenSSL will still provide the
  413. methods for applications to explicitly select the individual
  414. protocol versions.
  415. no-<prot>-method
  416. As for no-<prot> but in addition do not build the methods for
  417. applications to explicitly select individual protocol
  418. versions. Note that there is no "no-tls1_3-method" option
  419. because there is no application method for TLSv1.3. Using
  420. individual protocol methods directly is deprecated.
  421. Applications should use TLS_method() instead.
  422. enable-<alg>
  423. Build with support for the specified algorithm, where <alg>
  424. is one of: md2 or rc5.
  425. no-<alg>
  426. Build without support for the specified algorithm, where
  427. <alg> is one of: aria, bf, blake2, camellia, cast, chacha,
  428. cmac, des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb,
  429. poly1305, rc2, rc4, rmd160, scrypt, seed, siphash, sm2, sm3,
  430. sm4 or whirlpool. The "ripemd" algorithm is deprecated and
  431. if used is synonymous with rmd160.
  432. -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
  433. These system specific options will be recognised and
  434. passed through to the compiler to allow you to define
  435. preprocessor symbols, specify additional libraries, library
  436. directories or other compiler options. It might be worth
  437. noting that some compilers generate code specifically for
  438. processor the compiler currently executes on. This is not
  439. necessarily what you might have in mind, since it might be
  440. unsuitable for execution on other, typically older,
  441. processor. Consult your compiler documentation.
  442. Take note of the VAR=value documentation below and how
  443. these flags interact with those variables.
  444. -xxx, +xxx
  445. Additional options that are not otherwise recognised are
  446. passed through as they are to the compiler as well. Again,
  447. consult your compiler documentation.
  448. Take note of the VAR=value documentation below and how
  449. these flags interact with those variables.
  450. VAR=value
  451. Assignment of environment variable for Configure. These
  452. work just like normal environment variable assignments,
  453. but are supported on all platforms and are confined to
  454. the configuration scripts only. These assignments override
  455. the corresponding value in the inherited environment, if
  456. there is one.
  457. The following variables are used as "make variables" and
  458. can be used as an alternative to giving preprocessor,
  459. compiler and linker options directly as configuration.
  460. The following variables are supported:
  461. AR The static library archiver.
  462. ARFLAGS Flags for the static library archiver.
  463. AS The assembler compiler.
  464. ASFLAGS Flags for the assembler compiler.
  465. CC The C compiler.
  466. CFLAGS Flags for the C compiler.
  467. CXX The C++ compiler.
  468. CXXFLAGS Flags for the C++ compiler.
  469. CPP The C/C++ preprocessor.
  470. CPPFLAGS Flags for the C/C++ preprocessor.
  471. CPPDEFINES List of CPP macro definitions, separated
  472. by a platform specific character (':' or
  473. space for Unix, ';' for Windows, ',' for
  474. VMS). This can be used instead of using
  475. -D (or what corresponds to that on your
  476. compiler) in CPPFLAGS.
  477. CPPINCLUDES List of CPP inclusion directories, separated
  478. the same way as for CPPDEFINES. This can
  479. be used instead of -I (or what corresponds
  480. to that on your compiler) in CPPFLAGS.
  481. HASHBANGPERL Perl invocation to be inserted after '#!'
  482. in public perl scripts (only relevant on
  483. Unix).
  484. LD The program linker (not used on Unix, $(CC)
  485. is used there).
  486. LDFLAGS Flags for the shared library, DSO and
  487. program linker.
  488. LDLIBS Extra libraries to use when linking.
  489. Takes the form of a space separated list
  490. of library specifications on Unix and
  491. Windows, and as a comma separated list of
  492. libraries on VMS.
  493. RANLIB The library archive indexer.
  494. RC The Windows resource compiler.
  495. RCFLAGS Flags for the Windows resource compiler.
  496. RM The command to remove files and directories.
  497. These cannot be mixed with compiling / linking flags given
  498. on the command line. In other words, something like this
  499. isn't permitted.
  500. ./config -DFOO CPPFLAGS=-DBAR -DCOOKIE
  501. Backward compatibility note:
  502. To be compatible with older configuration scripts, the
  503. environment variables are ignored if compiling / linking
  504. flags are given on the command line, except for these:
  505. AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC
  506. and WINDRES
  507. For example, the following command will not see -DBAR:
  508. CPPFLAGS=-DBAR ./config -DCOOKIE
  509. However, the following will see both set variables:
  510. CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- \
  511. ./config -DCOOKIE
  512. reconf
  513. reconfigure
  514. Reconfigure from earlier data. This fetches the previous
  515. command line options and environment from data saved in
  516. "configdata.pm", and runs the configuration process again,
  517. using these options and environment.
  518. Note: NO other option is permitted together with "reconf".
  519. This means that you also MUST use "./Configure" (or
  520. what corresponds to that on non-Unix platforms) directly
  521. to invoke this option.
  522. Note: The original configuration saves away values for ALL
  523. environment variables that were used, and if they weren't
  524. defined, they are still saved away with information that
  525. they weren't originally defined. This information takes
  526. precedence over environment variables that are defined
  527. when reconfiguring.
  528. Displaying configuration data
  529. -----------------------------
  530. The configuration script itself will say very little, and finishes by
  531. creating "configdata.pm". This perl module can be loaded by other scripts
  532. to find all the configuration data, and it can also be used as a script to
  533. display all sorts of configuration data in a human readable form.
  534. For more information, please do:
  535. $ ./configdata.pm --help # Unix
  536. or
  537. $ perl configdata.pm --help # Windows and VMS
  538. Installation in Detail
  539. ----------------------
  540. 1a. Configure OpenSSL for your operation system automatically:
  541. NOTE: This is not available on Windows.
  542. $ ./config [[ options ]] # Unix
  543. or
  544. $ @config [[ options ]] ! OpenVMS
  545. For the remainder of this text, the Unix form will be used in all
  546. examples, please use the appropriate form for your platform.
  547. This guesses at your operating system (and compiler, if necessary) and
  548. configures OpenSSL based on this guess. Run ./config -t to see
  549. if it guessed correctly. If you want to use a different compiler, you
  550. are cross-compiling for another platform, or the ./config guess was
  551. wrong for other reasons, go to step 1b. Otherwise go to step 2.
  552. On some systems, you can include debugging information as follows:
  553. $ ./config -d [[ options ]]
  554. 1b. Configure OpenSSL for your operating system manually
  555. OpenSSL knows about a range of different operating system, hardware and
  556. compiler combinations. To see the ones it knows about, run
  557. $ ./Configure # Unix
  558. or
  559. $ perl Configure # All other platforms
  560. For the remainder of this text, the Unix form will be used in all
  561. examples, please use the appropriate form for your platform.
  562. Pick a suitable name from the list that matches your system. For most
  563. operating systems there is a choice between using "cc" or "gcc". When
  564. you have identified your system (and if necessary compiler) use this name
  565. as the argument to Configure. For example, a "linux-elf" user would
  566. run:
  567. $ ./Configure linux-elf [[ options ]]
  568. If your system isn't listed, you will have to create a configuration
  569. file named Configurations/{{ something }}.conf and add the correct
  570. configuration for your system. See the available configs as examples
  571. and read Configurations/README and Configurations/README.design for
  572. more information.
  573. The generic configurations "cc" or "gcc" should usually work on 32 bit
  574. Unix-like systems.
  575. Configure creates a build file ("Makefile" on Unix, "makefile" on Windows
  576. and "descrip.mms" on OpenVMS) from a suitable template in Configurations,
  577. and defines various macros in include/openssl/opensslconf.h (generated from
  578. include/openssl/opensslconf.h.in).
  579. 1c. Configure OpenSSL for building outside of the source tree.
  580. OpenSSL can be configured to build in a build directory separate from
  581. the directory with the source code. It's done by placing yourself in
  582. some other directory and invoking the configuration commands from
  583. there.
  584. Unix example:
  585. $ mkdir /var/tmp/openssl-build
  586. $ cd /var/tmp/openssl-build
  587. $ /PATH/TO/OPENSSL/SOURCE/config [[ options ]]
  588. or
  589. $ /PATH/TO/OPENSSL/SOURCE/Configure {{ target }} [[ options ]]
  590. OpenVMS example:
  591. $ set default sys$login:
  592. $ create/dir [.tmp.openssl-build]
  593. $ set default [.tmp.openssl-build]
  594. $ @[PATH.TO.OPENSSL.SOURCE]config [[ options ]]
  595. or
  596. $ @[PATH.TO.OPENSSL.SOURCE]Configure {{ target }} [[ options ]]
  597. Windows example:
  598. $ C:
  599. $ mkdir \temp-openssl
  600. $ cd \temp-openssl
  601. $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {{ target }} [[ options ]]
  602. Paths can be relative just as well as absolute. Configure will
  603. do its best to translate them to relative paths whenever possible.
  604. 2. Build OpenSSL by running:
  605. $ make # Unix
  606. $ mms ! (or mmk) OpenVMS
  607. $ nmake # Windows
  608. This will build the OpenSSL libraries (libcrypto.a and libssl.a on
  609. Unix, corresponding on other platforms) and the OpenSSL binary
  610. ("openssl"). The libraries will be built in the top-level directory,
  611. and the binary will be in the "apps" subdirectory.
  612. Troubleshooting:
  613. If the build fails, look at the output. There may be reasons
  614. for the failure that aren't problems in OpenSSL itself (like
  615. missing standard headers).
  616. If the build succeeded previously, but fails after a source or
  617. configuration change, it might be helpful to clean the build tree
  618. before attempting another build. Use this command:
  619. $ make clean # Unix
  620. $ mms clean ! (or mmk) OpenVMS
  621. $ nmake clean # Windows
  622. Assembler error messages can sometimes be sidestepped by using the
  623. "no-asm" configuration option.
  624. Compiling parts of OpenSSL with gcc and others with the system
  625. compiler will result in unresolved symbols on some systems.
  626. If you are still having problems you can get help by sending an email
  627. to the openssl-users email list (see
  628. https://www.openssl.org/community/mailinglists.html for details). If
  629. it is a bug with OpenSSL itself, please open an issue on GitHub, at
  630. https://github.com/openssl/openssl/issues. Please review the existing
  631. ones first; maybe the bug was already reported or has already been
  632. fixed.
  633. 3. After a successful build, the libraries should be tested. Run:
  634. $ make test # Unix
  635. $ mms test ! OpenVMS
  636. $ nmake test # Windows
  637. NOTE: you MUST run the tests from an unprivileged account (or
  638. disable your privileges temporarily if your platform allows it).
  639. If some tests fail, look at the output. There may be reasons for
  640. the failure that isn't a problem in OpenSSL itself (like a
  641. malfunction with Perl). You may want increased verbosity, that
  642. can be accomplished like this:
  643. $ make VERBOSE=1 test # Unix
  644. $ mms /macro=(VERBOSE=1) test ! OpenVMS
  645. $ nmake VERBOSE=1 test # Windows
  646. If you want to run just one or a few specific tests, you can use
  647. the make variable TESTS to specify them, like this:
  648. $ make TESTS='test_rsa test_dsa' test # Unix
  649. $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS
  650. $ nmake TESTS='test_rsa test_dsa' test # Windows
  651. And of course, you can combine (Unix example shown):
  652. $ make VERBOSE=1 TESTS='test_rsa test_dsa' test
  653. You can find the list of available tests like this:
  654. $ make list-tests # Unix
  655. $ mms list-tests ! OpenVMS
  656. $ nmake list-tests # Windows
  657. Have a look at the manual for the perl module Test::Harness to
  658. see what other HARNESS_* variables there are.
  659. If you find a problem with OpenSSL itself, try removing any
  660. compiler optimization flags from the CFLAGS line in Makefile and
  661. run "make clean; make" or corresponding.
  662. To report a bug please open an issue on GitHub, at
  663. https://github.com/openssl/openssl/issues.
  664. For more details on how the make variables TESTS can be used,
  665. see section TESTS in Detail below.
  666. 4. If everything tests ok, install OpenSSL with
  667. $ make install # Unix
  668. $ mms install ! OpenVMS
  669. $ nmake install # Windows
  670. This will install all the software components in this directory
  671. tree under PREFIX (the directory given with --prefix or its
  672. default):
  673. Unix:
  674. bin/ Contains the openssl binary and a few other
  675. utility scripts.
  676. include/openssl
  677. Contains the header files needed if you want
  678. to build your own programs that use libcrypto
  679. or libssl.
  680. lib Contains the OpenSSL library files.
  681. lib/engines Contains the OpenSSL dynamically loadable engines.
  682. share/man/man1 Contains the OpenSSL command line man-pages.
  683. share/man/man3 Contains the OpenSSL library calls man-pages.
  684. share/man/man5 Contains the OpenSSL configuration format man-pages.
  685. share/man/man7 Contains the OpenSSL other misc man-pages.
  686. share/doc/openssl/html/man1
  687. share/doc/openssl/html/man3
  688. share/doc/openssl/html/man5
  689. share/doc/openssl/html/man7
  690. Contains the HTML rendition of the man-pages.
  691. OpenVMS ('arch' is replaced with the architecture name, "Alpha"
  692. or "ia64", 'sover' is replaced with the shared library version
  693. (0101 for 1.1), and 'pz' is replaced with the pointer size
  694. OpenSSL was built with):
  695. [.EXE.'arch'] Contains the openssl binary.
  696. [.EXE] Contains a few utility scripts.
  697. [.include.openssl]
  698. Contains the header files needed if you want
  699. to build your own programs that use libcrypto
  700. or libssl.
  701. [.LIB.'arch'] Contains the OpenSSL library files.
  702. [.ENGINES'sover''pz'.'arch']
  703. Contains the OpenSSL dynamically loadable engines.
  704. [.SYS$STARTUP] Contains startup, login and shutdown scripts.
  705. These define appropriate logical names and
  706. command symbols.
  707. [.SYSTEST] Contains the installation verification procedure.
  708. [.HTML] Contains the HTML rendition of the manual pages.
  709. Additionally, install will add the following directories under
  710. OPENSSLDIR (the directory given with --openssldir or its default)
  711. for you convenience:
  712. certs Initially empty, this is the default location
  713. for certificate files.
  714. private Initially empty, this is the default location
  715. for private key files.
  716. misc Various scripts.
  717. Package builders who want to configure the library for standard
  718. locations, but have the package installed somewhere else so that
  719. it can easily be packaged, can use
  720. $ make DESTDIR=/tmp/package-root install # Unix
  721. $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
  722. The specified destination directory will be prepended to all
  723. installation target paths.
  724. Compatibility issues with previous OpenSSL versions:
  725. * COMPILING existing applications
  726. OpenSSL 1.1.0 hides a number of structures that were previously
  727. open. This includes all internal libssl structures and a number
  728. of EVP types. Accessor functions have been added to allow
  729. controlled access to the structures' data.
  730. This means that some software needs to be rewritten to adapt to
  731. the new ways of doing things. This often amounts to allocating
  732. an instance of a structure explicitly where you could previously
  733. allocate them on the stack as automatic variables, and using the
  734. provided accessor functions where you would previously access a
  735. structure's field directly.
  736. Some APIs have changed as well. However, older APIs have been
  737. preserved when possible.
  738. Environment Variables
  739. ---------------------
  740. A number of environment variables can be used to provide additional control
  741. over the build process. Typically these should be defined prior to running
  742. config or Configure. Not all environment variables are relevant to all
  743. platforms.
  744. AR
  745. The name of the ar executable to use.
  746. BUILDFILE
  747. Use a different build file name than the platform default
  748. ("Makefile" on Unix-like platforms, "makefile" on native Windows,
  749. "descrip.mms" on OpenVMS). This requires that there is a
  750. corresponding build file template. See Configurations/README
  751. for further information.
  752. CC
  753. The compiler to use. Configure will attempt to pick a default
  754. compiler for your platform but this choice can be overridden
  755. using this variable. Set it to the compiler executable you wish
  756. to use, e.g. "gcc" or "clang".
  757. CROSS_COMPILE
  758. This environment variable has the same meaning as for the
  759. "--cross-compile-prefix" Configure flag described above. If both
  760. are set then the Configure flag takes precedence.
  761. NM
  762. The name of the nm executable to use.
  763. OPENSSL_LOCAL_CONFIG_DIR
  764. OpenSSL comes with a database of information about how it
  765. should be built on different platforms as well as build file
  766. templates for those platforms. The database is comprised of
  767. ".conf" files in the Configurations directory. The build
  768. file templates reside there as well as ".tmpl" files. See the
  769. file Configurations/README for further information about the
  770. format of ".conf" files as well as information on the ".tmpl"
  771. files.
  772. In addition to the standard ".conf" and ".tmpl" files, it is
  773. possible to create your own ".conf" and ".tmpl" files and store
  774. them locally, outside the OpenSSL source tree. This environment
  775. variable can be set to the directory where these files are held
  776. and will be considered by Configure before it looks in the
  777. standard directories.
  778. PERL
  779. The name of the Perl executable to use when building OpenSSL.
  780. This variable is used in config script only. Configure on the
  781. other hand imposes the interpreter by which it itself was
  782. executed on the whole build procedure.
  783. HASHBANGPERL
  784. The command string for the Perl executable to insert in the
  785. #! line of perl scripts that will be publically installed.
  786. Default: /usr/bin/env perl
  787. Note: the value of this variable is added to the same scripts
  788. on all platforms, but it's only relevant on Unix-like platforms.
  789. RC
  790. The name of the rc executable to use. The default will be as
  791. defined for the target platform in the ".conf" file. If not
  792. defined then "windres" will be used. The WINDRES environment
  793. variable is synonymous to this. If both are defined then RC
  794. takes precedence.
  795. RANLIB
  796. The name of the ranlib executable to use.
  797. WINDRES
  798. See RC.
  799. Makefile targets
  800. ----------------
  801. The Configure script generates a Makefile in a format relevant to the specific
  802. platform. The Makefiles provide a number of targets that can be used. Not all
  803. targets may be available on all platforms. Only the most common targets are
  804. described here. Examine the Makefiles themselves for the full list.
  805. all
  806. The default target to build all the software components.
  807. clean
  808. Remove all build artefacts and return the directory to a "clean"
  809. state.
  810. depend
  811. Rebuild the dependencies in the Makefiles. This is a legacy
  812. option that no longer needs to be used in OpenSSL 1.1.0.
  813. install
  814. Install all OpenSSL components.
  815. install_sw
  816. Only install the OpenSSL software components.
  817. install_docs
  818. Only install the OpenSSL documentation components.
  819. install_man_docs
  820. Only install the OpenSSL man pages (Unix only).
  821. install_html_docs
  822. Only install the OpenSSL html documentation.
  823. list-tests
  824. Prints a list of all the self test names.
  825. test
  826. Build and run the OpenSSL self tests.
  827. uninstall
  828. Uninstall all OpenSSL components.
  829. reconfigure
  830. reconf
  831. Re-run the configuration process, as exactly as the last time
  832. as possible.
  833. update
  834. This is a developer option. If you are developing a patch for
  835. OpenSSL you may need to use this if you want to update
  836. automatically generated files; add new error codes or add new
  837. (or change the visibility of) public API functions. (Unix only).
  838. TESTS in Detail
  839. ---------------
  840. The make variable TESTS supports a versatile set of space separated tokens
  841. with which you can specify a set of tests to be performed. With a "current
  842. set of tests" in mind, initially being empty, here are the possible tokens:
  843. alltests The current set of tests becomes the whole set of available
  844. tests (as listed when you do 'make list-tests' or similar).
  845. xxx Adds the test 'xxx' to the current set of tests.
  846. -xxx Removes 'xxx' from the current set of tests. If this is the
  847. first token in the list, the current set of tests is first
  848. assigned the whole set of available tests, effectively making
  849. this token equivalent to TESTS="alltests -xxx".
  850. nn Adds the test group 'nn' (which is a number) to the current
  851. set of tests.
  852. -nn Removes the test group 'nn' from the current set of tests.
  853. If this is the first token in the list, the current set of
  854. tests is first assigned the whole set of available tests,
  855. effectively making this token equivalent to
  856. TESTS="alltests -xxx".
  857. Also, all tokens except for "alltests" may have wildcards, such as *.
  858. (on Unix and Windows, BSD style wildcards are supported, while on VMS,
  859. it's VMS style wildcards)
  860. Example: All tests except for the fuzz tests:
  861. $ make TESTS=-test_fuzz test
  862. or (if you want to be explicit)
  863. $ make TESTS='alltests -test_fuzz' test
  864. Example: All tests that have a name starting with "test_ssl" but not those
  865. starting with "test_ssl_":
  866. $ make TESTS='test_ssl* -test_ssl_*' test
  867. Example: Only test group 10:
  868. $ make TESTS='10'
  869. Example: All tests except the slow group (group 99):
  870. $ make TESTS='-99'
  871. Example: All tests in test groups 80 to 99 except for tests in group 90:
  872. $ make TESTS='[89]? -90'
  873. Note on multi-threading
  874. -----------------------
  875. For some systems, the OpenSSL Configure script knows what compiler options
  876. are needed to generate a library that is suitable for multi-threaded
  877. applications. On these systems, support for multi-threading is enabled
  878. by default; use the "no-threads" option to disable (this should never be
  879. necessary).
  880. On other systems, to enable support for multi-threading, you will have
  881. to specify at least two options: "threads", and a system-dependent option.
  882. (The latter is "-D_REENTRANT" on various systems.) The default in this
  883. case, obviously, is not to include support for multi-threading (but
  884. you can still use "no-threads" to suppress an annoying warning message
  885. from the Configure script.)
  886. OpenSSL provides built-in support for two threading models: pthreads (found on
  887. most UNIX/Linux systems), and Windows threads. No other threading models are
  888. supported. If your platform does not provide pthreads or Windows threads then
  889. you should Configure with the "no-threads" option.
  890. Notes on shared libraries
  891. -------------------------
  892. For most systems the OpenSSL Configure script knows what is needed to
  893. build shared libraries for libcrypto and libssl. On these systems
  894. the shared libraries will be created by default. This can be suppressed and
  895. only static libraries created by using the "no-shared" option. On systems
  896. where OpenSSL does not know how to build shared libraries the "no-shared"
  897. option will be forced and only static libraries will be created.
  898. Shared libraries are named a little differently on different platforms.
  899. One way or another, they all have the major OpenSSL version number as
  900. part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of
  901. the name.
  902. On most POSIX platforms, shared libraries are named libcrypto.so.1.1
  903. and libssl.so.1.1.
  904. on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll
  905. with import libraries libcrypto.dll.a and libssl.dll.a.
  906. On Windows build with MSVC or using MingW, shared libraries are named
  907. libcrypto-1_1.dll and libssl-1_1.dll for 32-bit Windows, libcrypto-1_1-x64.dll
  908. and libssl-1_1-x64.dll for 64-bit x86_64 Windows, and libcrypto-1_1-ia64.dll
  909. and libssl-1_1-ia64.dll for IA64 Windows. With MSVC, the import libraries
  910. are named libcrypto.lib and libssl.lib, while with MingW, they are named
  911. libcrypto.dll.a and libssl.dll.a.
  912. On VMS, shareable images (VMS speak for shared libraries) are named
  913. ossl$libcrypto0101_shr.exe and ossl$libssl0101_shr.exe. However, when
  914. OpenSSL is specifically built for 32-bit pointers, the shareable images
  915. are named ossl$libcrypto0101_shr32.exe and ossl$libssl0101_shr32.exe
  916. instead, and when built for 64-bit pointers, they are named
  917. ossl$libcrypto0101_shr64.exe and ossl$libssl0101_shr64.exe.
  918. Note on random number generation
  919. --------------------------------
  920. Availability of cryptographically secure random numbers is required for
  921. secret key generation. OpenSSL provides several options to seed the
  922. internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse
  923. to deliver random bytes and a "PRNG not seeded error" will occur.
  924. The seeding method can be configured using the --with-rand-seed option,
  925. which can be used to specify a comma separated list of seed methods.
  926. However in most cases OpenSSL will choose a suitable default method,
  927. so it is not necessary to explicitly provide this option. Note also
  928. that not all methods are available on all platforms.
  929. I) On operating systems which provide a suitable randomness source (in
  930. form of a system call or system device), OpenSSL will use the optimal
  931. available method to seed the CSPRNG from the operating system's
  932. randomness sources. This corresponds to the option --with-rand-seed=os.
  933. II) On systems without such a suitable randomness source, automatic seeding
  934. and reseeding is disabled (--with-rand-seed=none) and it may be necessary
  935. to install additional support software to obtain a random seed and reseed
  936. the CSPRNG manually. Please check out the manual pages for RAND_add(),
  937. RAND_bytes(), RAND_egd(), and the FAQ for more information.