123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044 |
- OPENSSL INSTALLATION
- --------------------
- This document describes installation on all supported operating
- systems (the Linux/Unix family, OpenVMS and Windows)
- To install OpenSSL, you will need:
- * A make implementation
- * Perl 5 with core modules (please read NOTES.PERL)
- * The perl module Text::Template (please read NOTES.PERL)
- * an ANSI C compiler
- * a development environment in the form of development libraries and C
- header files
- * a supported operating system
- For additional platform specific requirements, solutions to specific
- issues and other details, please read one of these:
- * NOTES.UNIX (any supported Unix like system)
- * NOTES.VMS (OpenVMS)
- * NOTES.WIN (any supported Windows)
- * NOTES.DJGPP (DOS platform with DJGPP)
- Notational conventions in this document
- ---------------------------------------
- Throughout this document, we use the following conventions in command
- examples:
- $ command Any line starting with a dollar sign
- ($) is a command line.
- { word1 | word2 | word3 } This denotes a mandatory choice, to be
- replaced with one of the given words.
- A simple example would be this:
- $ echo { FOO | BAR | COOKIE }
- which is to be understood as one of
- these:
- $ echo FOO
- - or -
- $ echo BAR
- - or -
- $ echo COOKIE
- [ word1 | word2 | word3 ] Similar to { word1 | word2 | word3 }
- except it's optional to give any of
- those. In addition to the examples
- above, this would also be valid:
- $ echo
- {{ target }} This denotes a mandatory word or
- sequence of words of some sort. A
- simple example would be this:
- $ type {{ filename }}
- which is to be understood to use the
- command 'type' on some file name
- determined by the user.
- [[ options ]] Similar to {{ target }}, but is
- optional.
- Note that the notation assumes spaces around {, }, [, ], {{, }} and
- [[, ]]. This is to differentiate from OpenVMS directory
- specifications, which also use [ and ], but without spaces.
- Quick Start
- -----------
- If you want to just get on with it, do:
- on Unix:
- $ ./config
- $ make
- $ make test
- $ make install
- on OpenVMS:
- $ @config
- $ mms
- $ mms test
- $ mms install
- on Windows (only pick one of the targets for configuration):
- $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE }
- $ nmake
- $ nmake test
- $ nmake install
- If any of these steps fails, see section Installation in Detail below.
- This will build and install OpenSSL in the default location, which is:
- Unix: normal installation directories under /usr/local
- OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
- OpenSSL version number with underscores instead of periods.
- Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
- If you want to install it anywhere else, run config like this:
- On Unix:
- $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl
- On OpenVMS:
- $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
- (Note: if you do add options to the configuration command, please make sure
- you've read more than just this Quick Start, such as relevant NOTES.* files,
- the options outline below, as configuration options may change the outcome
- in otherwise unexpected ways)
- Configuration Options
- ---------------------
- There are several options to ./config (or ./Configure) to customize
- the build (note that for Windows, the defaults for --prefix and
- --openssldir depend in what configuration is used and what Windows
- implementation OpenSSL is built on. More notes on this in NOTES.WIN):
- --api=x.y.z
- Don't build with support for deprecated APIs below the
- specified version number. For example "--api=1.1.0" will
- remove support for all APIS that were deprecated in OpenSSL
- version 1.1.0 or below.
- --cross-compile-prefix=PREFIX
- The PREFIX to include in front of commands for your
- toolchain. It's likely to have to end with dash, e.g.
- a-b-c- would invoke GNU compiler as a-b-c-gcc, etc.
- Unfortunately cross-compiling is too case-specific to
- put together one-size-fits-all instructions. You might
- have to pass more flags or set up environment variables
- to actually make it work. Android and iOS cases are
- discussed in corresponding Configurations/10-main.cf
- sections. But there are cases when this option alone is
- sufficient. For example to build the mingw64 target on
- Linux "--cross-compile-prefix=x86_64-w64-mingw32-"
- works. Naturally provided that mingw packages are
- installed. Today Debian and Ubuntu users have option to
- install a number of prepackaged cross-compilers along
- with corresponding run-time and development packages for
- "alien" hardware. To give another example
- "--cross-compile-prefix=mipsel-linux-gnu-" suffices
- in such case. Needless to mention that you have to
- invoke ./Configure, not ./config, and pass your target
- name explicitly.
- --debug
- Build OpenSSL with debugging symbols.
- --libdir=DIR
- The name of the directory under the top of the installation
- directory tree (see the --prefix option) where libraries will
- be installed. By default this is "lib". Note that on Windows
- only ".lib" files will be stored in this location. dll files
- will always be installed to the "bin" directory.
- --openssldir=DIR
- Directory for OpenSSL configuration files, and also the
- default certificate and key store. Defaults are:
- Unix: /usr/local/ssl
- Windows: C:\Program Files\Common Files\SSL
- or C:\Program Files (x86)\Common Files\SSL
- OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
- --prefix=DIR
- The top of the installation directory tree. Defaults are:
- Unix: /usr/local
- Windows: C:\Program Files\OpenSSL
- or C:\Program Files (x86)\OpenSSL
- OpenVMS: SYS$COMMON:[OPENSSL-'version']
- --release
- Build OpenSSL without debugging symbols. This is the default.
- --strict-warnings
- This is a developer flag that switches on various compiler
- options recommended for OpenSSL development. It only works
- when using gcc or clang as the compiler. If you are
- developing a patch for OpenSSL then it is recommended that
- you use this option where possible.
- --with-zlib-include=DIR
- The directory for the location of the zlib include file. This
- option is only necessary if enable-zlib (see below) is used
- and the include file is not already on the system include
- path.
- --with-zlib-lib=LIB
- On Unix: this is the directory containing the zlib library.
- If not provided the system library path will be used.
- On Windows: this is the filename of the zlib library (with or
- without a path). This flag must be provided if the
- zlib-dynamic option is not also used. If zlib-dynamic is used
- then this flag is optional and a default value ("ZLIB1") is
- used if not provided.
- On VMS: this is the filename of the zlib library (with or
- without a path). This flag is optional and if not provided
- then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is
- used by default depending on the pointer size chosen.
- no-afalgeng
- Don't build the AFALG engine. This option will be forced if
- on a platform that does not support AFALG.
- enable-asan
- Build with the Address sanitiser. This is a developer option
- only. It may not work on all platforms and should never be
- used in production environments. It will only work when used
- with gcc or clang and should be used in conjunction with the
- no-shared option.
- no-asm
- Do not use assembler code. On some platforms a small amount
- of assembler code may still be used.
- no-async
- Do not build support for async operations.
- no-autoalginit
- Don't automatically load all supported ciphers and digests.
- Typically OpenSSL will make available all of its supported
- ciphers and digests. For a statically linked application this
- may be undesirable if small executable size is an objective.
- This only affects libcrypto. Ciphers and digests will have to
- be loaded manually using EVP_add_cipher() and
- EVP_add_digest() if this option is used. This option will
- force a non-shared build.
- no-autoerrinit
- Don't automatically load all libcrypto/libssl error strings.
- Typically OpenSSL will automatically load human readable
- error strings. For a statically linked application this may
- be undesirable if small executable size is an objective.
- no-capieng
- Don't build the CAPI engine. This option will be forced if
- on a platform that does not support CAPI.
- no-cms
- Don't build support for CMS features
- no-comp
- Don't build support for SSL/TLS compression. If this option
- is left enabled (the default), then compression will only
- work if the zlib or zlib-dynamic options are also chosen.
- enable-crypto-mdebug
- Build support for debugging memory allocated via
- OPENSSL_malloc() or OPENSSL_zalloc().
- enable-crypto-mdebug-backtrace
- As for crypto-mdebug, but additionally provide backtrace
- information for allocated memory.
- TO BE USED WITH CARE: this uses GNU C functionality, and
- is therefore not usable for non-GNU config targets. If
- your build complains about the use of '-rdynamic' or the
- lack of header file execinfo.h, this option is not for you.
- ALSO NOTE that even though execinfo.h is available on your
- system (through Gnulib), the functions might just be stubs
- that do nothing.
- no-ct
- Don't build support for Certificate Transparency.
- no-deprecated
- Don't build with support for any deprecated APIs. This is the
- same as using "--api" and supplying the latest version
- number.
- no-dgram
- Don't build support for datagram based BIOs. Selecting this
- option will also force the disabling of DTLS.
- no-dso
- Don't build support for loading Dynamic Shared Objects.
- no-dynamic-engine
- Don't build the dynamically loaded engines. This only has an
- effect in a "shared" build
- no-ec
- Don't build support for Elliptic Curves.
- no-ec2m
- Don't build support for binary Elliptic Curves
- enable-ec_nistp_64_gcc_128
- Enable support for optimised implementations of some commonly
- used NIST elliptic curves. This is only supported on some
- platforms.
- enable-egd
- Build support for gathering entropy from EGD (Entropy
- Gathering Daemon).
- no-engine
- Don't build support for loading engines.
- no-err
- Don't compile in any error strings.
- enable-external-tests
- Enable building of integration with external test suites.
- This is a developer option and may not work on all platforms.
- The only supported external test suite at the current time is
- the BoringSSL test suite. See the file test/README.external
- for further details.
- no-filenames
- Don't compile in filename and line number information (e.g.
- for errors and memory allocation).
- enable-fuzz-libfuzzer, enable-fuzz-afl
- Build with support for fuzzing using either libfuzzer or AFL.
- These are developer options only. They may not work on all
- platforms and should never be used in production environments.
- See the file fuzz/README.md for further details.
- no-gost
- Don't build support for GOST based ciphersuites. Note that
- if this feature is enabled then GOST ciphersuites are only
- available if the GOST algorithms are also available through
- loading an externally supplied engine.
- no-hw-padlock
- Don't build the padlock engine.
- no-makedepend
- Don't generate dependencies.
- no-multiblock
- Don't build support for writing multiple records in one
- go in libssl (Note: this is a different capability to the
- pipelining functionality).
- no-nextprotoneg
- Don't build support for the NPN TLS extension.
- no-ocsp
- Don't build support for OCSP.
- no-pic
- Don't build with support for Position Independent Code.
- no-posix-io
- Don't use POSIX IO capabilities.
- no-psk
- Don't build support for Pre-Shared Key based ciphersuites.
- no-rdrand
- Don't use hardware RDRAND capabilities.
- no-rfc3779
- Don't build support for RFC3779 ("X.509 Extensions for IP
- Addresses and AS Identifiers")
- sctp
- Build support for SCTP
- no-shared
- Do not create shared libraries, only static ones. See "Note
- on shared libraries" below.
- no-sock
- Don't build support for socket BIOs
- no-srp
- Don't build support for SRP or SRP based ciphersuites.
- no-srtp
- Don't build SRTP support
- no-sse2
- Exclude SSE2 code paths from 32-bit x86 assembly modules.
- Normally SSE2 extension is detected at run-time, but the
- decision whether or not the machine code will be executed
- is taken solely on CPU capability vector. This means that
- if you happen to run OS kernel which does not support SSE2
- extension on Intel P4 processor, then your application
- might be exposed to "illegal instruction" exception.
- There might be a way to enable support in kernel, e.g.
- FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
- there is a way to disengage SSE2 code paths upon application
- start-up, but if you aim for wider "audience" running
- such kernel, consider no-sse2. Both the 386 and
- no-asm options imply no-sse2.
- enable-ssl-trace
- Build with the SSL Trace capabilities (adds the "-trace"
- option to s_client and s_server).
- no-static-engine
- Don't build the statically linked engines. This only
- has an impact when not built "shared".
- no-stdio
- Don't use any C "stdio" features. Only libcrypto and libssl
- can be built in this way. Using this option will suppress
- building the command line applications. Additionally since
- the OpenSSL tests also use the command line applications the
- tests will also be skipped.
- no-tests
- Don't build test programs or run any test.
- no-threads
- Don't try to build with support for multi-threaded
- applications.
- threads
- Build with support for multi-threaded applications. Most
- platforms will enable this by default. However if on a
- platform where this is not the case then this will usually
- require additional system-dependent options! See "Note on
- multi-threading" below.
- enable-tls13downgrade
- TODO(TLS1.3): Make this enabled by default and remove the
- option when TLSv1.3 is out of draft
- TLSv1.3 offers a downgrade protection mechanism. This is
- implemented but disabled by default. It should not typically
- be enabled except for testing purposes. Otherwise this could
- cause problems if a pre-RFC version of OpenSSL talks to an
- RFC implementation (it will erroneously be detected as a
- downgrade).
- no-ts
- Don't build Time Stamping Authority support.
- enable-ubsan
- Build with the Undefined Behaviour sanitiser. This is a
- developer option only. It may not work on all platforms and
- should never be used in production environments. It will only
- work when used with gcc or clang and should be used in
- conjunction with the "-DPEDANTIC" option (or the
- --strict-warnings option).
- no-ui
- Don't build with the "UI" capability (i.e. the set of
- features enabling text based prompts).
- enable-unit-test
- Enable additional unit test APIs. This should not typically
- be used in production deployments.
- enable-weak-ssl-ciphers
- Build support for SSL/TLS ciphers that are considered "weak"
- (e.g. RC4 based ciphersuites).
- zlib
- Build with support for zlib compression/decompression.
- zlib-dynamic
- Like "zlib", but has OpenSSL load the zlib library
- dynamically when needed. This is only supported on systems
- where loading of shared libraries is supported.
- 386
- In 32-bit x86 builds, when generating assembly modules,
- use the 80386 instruction set only (the default x86 code
- is more efficient, but requires at least a 486). Note:
- This doesn't affect code generated by compiler, you're
- likely to complement configuration command line with
- suitable compiler-specific option.
- enable-tls1_3
- TODO(TLS1.3): Make this enabled by default
- Build support for TLS1.3. Note: This is a WIP feature and
- only a single draft version is supported. Implementations
- of different draft versions will negotiate TLS 1.2 instead
- of (draft) TLS 1.3. Use with caution!!
- no-<prot>
- Don't build support for negotiating the specified SSL/TLS
- protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
- dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
- tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
- disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
- with "no-ssl3". Note this only affects version negotiation.
- OpenSSL will still provide the methods for applications to
- explicitly select the individual protocol versions.
- no-<prot>-method
- As for no-<prot> but in addition do not build the methods for
- applications to explicitly select individual protocol
- versions.
- enable-<alg>
- Build with support for the specified algorithm, where <alg>
- is one of: md2 or rc5.
- no-<alg>
- Build without support for the specified algorithm, where
- <alg> is one of: bf, blake2, camellia, cast, chacha, cmac,
- des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305,
- rc2, rc4, rmd160, scrypt, seed, siphash or whirlpool. The
- "ripemd" algorithm is deprecated and if used is synonymous
- with rmd160.
- -Dxxx, lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
- These system specific options will be recognised and
- passed through to the compiler to allow you to define
- preprocessor symbols, specify additional libraries, library
- directories or other compiler options. It might be worth
- noting that some compilers generate code specifically for
- processor the compiler currently executes on. This is not
- necessarily what you might have in mind, since it might be
- unsuitable for execution on other, typically older,
- processor. Consult your compiler documentation.
- -xxx, +xxx
- Additional options that are not otherwise recognised are
- passed through as they are to the compiler as well. Again,
- consult your compiler documentation.
- Installation in Detail
- ----------------------
- 1a. Configure OpenSSL for your operation system automatically:
- NOTE: This is not available on Windows.
- $ ./config [[ options ]] # Unix
- or
- $ @config [[ options ]] ! OpenVMS
- For the remainder of this text, the Unix form will be used in all
- examples, please use the appropriate form for your platform.
- This guesses at your operating system (and compiler, if necessary) and
- configures OpenSSL based on this guess. Run ./config -t to see
- if it guessed correctly. If you want to use a different compiler, you
- are cross-compiling for another platform, or the ./config guess was
- wrong for other reasons, go to step 1b. Otherwise go to step 2.
- On some systems, you can include debugging information as follows:
- $ ./config -d [[ options ]]
- 1b. Configure OpenSSL for your operating system manually
- OpenSSL knows about a range of different operating system, hardware and
- compiler combinations. To see the ones it knows about, run
- $ ./Configure # Unix
- or
- $ perl Configure # All other platforms
- For the remainder of this text, the Unix form will be used in all
- examples, please use the appropriate form for your platform.
- Pick a suitable name from the list that matches your system. For most
- operating systems there is a choice between using "cc" or "gcc". When
- you have identified your system (and if necessary compiler) use this name
- as the argument to Configure. For example, a "linux-elf" user would
- run:
- $ ./Configure linux-elf [[ options ]]
- If your system isn't listed, you will have to create a configuration
- file named Configurations/{{ something }}.conf and add the correct
- configuration for your system. See the available configs as examples
- and read Configurations/README and Configurations/README.design for
- more information.
- The generic configurations "cc" or "gcc" should usually work on 32 bit
- Unix-like systems.
- Configure creates a build file ("Makefile" on Unix, "makefile" on Windows
- and "descrip.mms" on OpenVMS) from a suitable template in Configurations,
- and defines various macros in include/openssl/opensslconf.h (generated from
- include/openssl/opensslconf.h.in).
- 1c. Configure OpenSSL for building outside of the source tree.
- OpenSSL can be configured to build in a build directory separate from
- the directory with the source code. It's done by placing yourself in
- some other directory and invoking the configuration commands from
- there.
- Unix example:
- $ mkdir /var/tmp/openssl-build
- $ cd /var/tmp/openssl-build
- $ /PATH/TO/OPENSSL/SOURCE/config [[ options ]]
- or
- $ /PATH/TO/OPENSSL/SOURCE/Configure {{ target }} [[ options ]]
- OpenVMS example:
- $ set default sys$login:
- $ create/dir [.tmp.openssl-build]
- $ set default [.tmp.openssl-build]
- $ @[PATH.TO.OPENSSL.SOURCE]config [[ options ]]
- or
- $ @[PATH.TO.OPENSSL.SOURCE]Configure {{ target }} [[ options ]]
- Windows example:
- $ C:
- $ mkdir \temp-openssl
- $ cd \temp-openssl
- $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {{ target }} [[ options ]]
- Paths can be relative just as well as absolute. Configure will
- do its best to translate them to relative paths whenever possible.
- 2. Build OpenSSL by running:
- $ make # Unix
- $ mms ! (or mmk) OpenVMS
- $ nmake # Windows
- This will build the OpenSSL libraries (libcrypto.a and libssl.a on
- Unix, corresponding on other platforms) and the OpenSSL binary
- ("openssl"). The libraries will be built in the top-level directory,
- and the binary will be in the "apps" subdirectory.
- If the build fails, look at the output. There may be reasons
- for the failure that aren't problems in OpenSSL itself (like
- missing standard headers). If you are having problems you can
- get help by sending an email to the openssl-users email list (see
- https://www.openssl.org/community/mailinglists.html for details). If
- it is a bug with OpenSSL itself, please open an issue on GitHub, at
- https://github.com/openssl/openssl/issues. Please review the existing
- ones first; maybe the bug was already reported or has already been
- fixed.
- (If you encounter assembler error messages, try the "no-asm"
- configuration option as an immediate fix.)
- Compiling parts of OpenSSL with gcc and others with the system
- compiler will result in unresolved symbols on some systems.
- 3. After a successful build, the libraries should be tested. Run:
- $ make test # Unix
- $ mms test ! OpenVMS
- $ nmake test # Windows
- NOTE: you MUST run the tests from an unprivileged account (or
- disable your privileges temporarily if your platform allows it).
- If some tests fail, look at the output. There may be reasons for
- the failure that isn't a problem in OpenSSL itself (like a
- malfunction with Perl). You may want increased verbosity, that
- can be accomplished like this:
- $ make VERBOSE=1 test # Unix
- $ mms /macro=(VERBOSE=1) test ! OpenVMS
- $ nmake VERBOSE=1 test # Windows
- If you want to run just one or a few specific tests, you can use
- the make variable TESTS to specify them, like this:
- $ make TESTS='test_rsa test_dsa' test # Unix
- $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS
- $ nmake TESTS='test_rsa test_dsa' test # Windows
- And of course, you can combine (Unix example shown):
-
- $ make VERBOSE=1 TESTS='test_rsa test_dsa' test
- You can find the list of available tests like this:
- $ make list-tests # Unix
- $ mms list-tests ! OpenVMS
- $ nmake list-tests # Windows
- Have a look at the manual for the perl module Test::Harness to
- see what other HARNESS_* variables there are.
- If you find a problem with OpenSSL itself, try removing any
- compiler optimization flags from the CFLAGS line in Makefile and
- run "make clean; make" or corresponding.
- Please send bug reports to <rt@openssl.org>.
- For more details on how the make variables TESTS can be used,
- see section TESTS in Detail below.
- 4. If everything tests ok, install OpenSSL with
- $ make install # Unix
- $ mms install ! OpenVMS
- $ nmake install # Windows
- This will install all the software components in this directory
- tree under PREFIX (the directory given with --prefix or its
- default):
- Unix:
- bin/ Contains the openssl binary and a few other
- utility scripts.
- include/openssl
- Contains the header files needed if you want
- to build your own programs that use libcrypto
- or libssl.
- lib Contains the OpenSSL library files.
- lib/engines Contains the OpenSSL dynamically loadable engines.
- share/man/man1 Contains the OpenSSL command line man-pages.
- share/man/man3 Contains the OpenSSL library calls man-pages.
- share/man/man5 Contains the OpenSSL configuration format man-pages.
- share/man/man7 Contains the OpenSSL other misc man-pages.
- share/doc/openssl/html/man1
- share/doc/openssl/html/man3
- share/doc/openssl/html/man5
- share/doc/openssl/html/man7
- Contains the HTML rendition of the man-pages.
- OpenVMS ('arch' is replaced with the architecture name, "Alpha"
- or "ia64", 'sover' is replaced with the shared library version
- (0101 for 1.1), and 'pz' is replaced with the pointer size
- OpenSSL was built with):
- [.EXE.'arch'] Contains the openssl binary.
- [.EXE] Contains a few utility scripts.
- [.include.openssl]
- Contains the header files needed if you want
- to build your own programs that use libcrypto
- or libssl.
- [.LIB.'arch'] Contains the OpenSSL library files.
- [.ENGINES'sover''pz'.'arch']
- Contains the OpenSSL dynamically loadable engines.
- [.SYS$STARTUP] Contains startup, login and shutdown scripts.
- These define appropriate logical names and
- command symbols.
- [.SYSTEST] Contains the installation verification procedure.
- [.HTML] Contains the HTML rendition of the manual pages.
-
- Additionally, install will add the following directories under
- OPENSSLDIR (the directory given with --openssldir or its default)
- for you convenience:
- certs Initially empty, this is the default location
- for certificate files.
- private Initially empty, this is the default location
- for private key files.
- misc Various scripts.
- Package builders who want to configure the library for standard
- locations, but have the package installed somewhere else so that
- it can easily be packaged, can use
- $ make DESTDIR=/tmp/package-root install # Unix
- $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
- The specified destination directory will be prepended to all
- installation target paths.
- Compatibility issues with previous OpenSSL versions:
- * COMPILING existing applications
- OpenSSL 1.1.0 hides a number of structures that were previously
- open. This includes all internal libssl structures and a number
- of EVP types. Accessor functions have been added to allow
- controlled access to the structures' data.
- This means that some software needs to be rewritten to adapt to
- the new ways of doing things. This often amounts to allocating
- an instance of a structure explicitly where you could previously
- allocate them on the stack as automatic variables, and using the
- provided accessor functions where you would previously access a
- structure's field directly.
- Some APIs have changed as well. However, older APIs have been
- preserved when possible.
- Environment Variables
- ---------------------
- A number of environment variables can be used to provide additional control
- over the build process. Typically these should be defined prior to running
- config or Configure. Not all environment variables are relevant to all
- platforms.
- AR
- The name of the ar executable to use.
- BUILDFILE
- Use a different build file name than the platform default
- ("Makefile" on Unixly platforms, "makefile" on native Windows,
- "descrip.mms" on OpenVMS). This requires that there is a
- corresponding build file template. See Configurations/README
- for further information.
- CC
- The compiler to use. Configure will attempt to pick a default
- compiler for your platform but this choice can be overridden
- using this variable. Set it to the compiler executable you wish
- to use, e.g. "gcc" or "clang".
- CROSS_COMPILE
- This environment variable has the same meaning as for the
- "--cross-compile-prefix" Configure flag described above. If both
- are set then the Configure flag takes precedence.
- NM
- The name of the nm executable to use.
- OPENSSL_LOCAL_CONFIG_DIR
- OpenSSL comes with a database of information about how it
- should be built on different platforms as well as build file
- templates for those platforms. The database is comprised of
- ".conf" files in the Configurations directory. The build
- file templates reside there as well as ".tmpl" files. See the
- file Configurations/README for further information about the
- format of ".conf" files as well as information on the ".tmpl"
- files.
- In addition to the standard ".conf" and ".tmpl" files, it is
- possible to create your own ".conf" and ".tmpl" files and store
- them locally, outside the OpenSSL source tree. This environment
- variable can be set to the directory where these files are held
- and will be considered by Configure before it looks in the
- standard directories.
- PERL
- The name of the Perl executable to use when building OpenSSL.
- This variable is used in config script only. Configure on the
- other hand imposes the interpreter by which it itself was
- executed on the whole build procedure.
- HASHBANGPERL
- The command string for the Perl executable to insert in the
- #! line of perl scripts that will be publically installed.
- Default: /usr/bin/env perl
- Note: the value of this variable is added to the same scripts
- on all platforms, but it's only relevant on Unix-like platforms.
- RC
- The name of the rc executable to use. The default will be as
- defined for the target platform in the ".conf" file. If not
- defined then "windres" will be used. The WINDRES environment
- variable is synonymous to this. If both are defined then RC
- takes precedence.
- RANLIB
- The name of the ranlib executable to use.
- WINDRES
- See RC.
- Makefile targets
- ----------------
- The Configure script generates a Makefile in a format relevant to the specific
- platform. The Makefiles provide a number of targets that can be used. Not all
- targets may be available on all platforms. Only the most common targets are
- described here. Examine the Makefiles themselves for the full list.
- all
- The default target to build all the software components.
- clean
- Remove all build artefacts and return the directory to a "clean"
- state.
- depend
- Rebuild the dependencies in the Makefiles. This is a legacy
- option that no longer needs to be used in OpenSSL 1.1.0.
- install
- Install all OpenSSL components.
- install_sw
- Only install the OpenSSL software components.
- install_docs
- Only install the OpenSSL documentation components.
- install_man_docs
- Only install the OpenSSL man pages (Unix only).
- install_html_docs
- Only install the OpenSSL html documentation.
- list-tests
- Prints a list of all the self test names.
- test
- Build and run the OpenSSL self tests.
- uninstall
- Uninstall all OpenSSL components.
- update
- This is a developer option. If you are developing a patch for
- OpenSSL you may need to use this if you want to update
- automatically generated files; add new error codes or add new
- (or change the visibility of) public API functions. (Unix only).
- TESTS in Detail
- ---------------
- The make variable TESTS supports a versatile set of space separated tokens
- with which you can specify a set of tests to be performed. With a "current
- set of tests" in mind, initially being empty, here are the possible tokens:
- alltests The current set of tests becomes the whole set of available
- tests (as listed when you do 'make list-tests' or similar).
- xxx Adds the test 'xxx' to the current set of tests.
- -xxx Removes 'xxx' from the current set of tests. If this is the
- first token in the list, the current set of tests is first
- assigned the whole set of available tests, effectively making
- this token equivalent to TESTS="alltests -xxx".
- nn Adds the test group 'nn' (which is a number) to the current
- set of tests.
- -nn Removes the test group 'nn' from the current set of tests.
- If this is the first token in the list, the current set of
- tests is first assigned the whole set of available tests,
- effectively making this token equivalent to
- TESTS="alltests -xxx".
- Also, all tokens except for "alltests" may have wildcards, such as *.
- (on Unix and Windows, BSD style wildcards are supported, while on VMS,
- it's VMS style wildcards)
- Example: All tests except for the fuzz tests:
- $ make TESTS=-test_fuzz test
- or (if you want to be explicit)
- $ make TESTS='alltests -test_fuzz' test
- Example: All tests that have a name starting with "test_ssl" but not those
- starting with "test_ssl_":
- $ make TESTS='test_ssl* -test_ssl_*' test
- Example: Only test group 10:
- $ make TESTS='10'
- Example: All tests except the slow group (group 99):
- $ make TESTS='-99'
- Example: All tests in test groups 80 to 99 except for tests in group 90:
- $ make TESTS='[89]? -90'
- Note on multi-threading
- -----------------------
- For some systems, the OpenSSL Configure script knows what compiler options
- are needed to generate a library that is suitable for multi-threaded
- applications. On these systems, support for multi-threading is enabled
- by default; use the "no-threads" option to disable (this should never be
- necessary).
- On other systems, to enable support for multi-threading, you will have
- to specify at least two options: "threads", and a system-dependent option.
- (The latter is "-D_REENTRANT" on various systems.) The default in this
- case, obviously, is not to include support for multi-threading (but
- you can still use "no-threads" to suppress an annoying warning message
- from the Configure script.)
- OpenSSL provides built-in support for two threading models: pthreads (found on
- most UNIX/Linux systems), and Windows threads. No other threading models are
- supported. If your platform does not provide pthreads or Windows threads then
- you should Configure with the "no-threads" option.
- Notes on shared libraries
- -------------------------
- For most systems the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl. On these systems
- the shared libraries will be created by default. This can be suppressed and
- only static libraries created by using the "no-shared" option. On systems
- where OpenSSL does not know how to build shared libraries the "no-shared"
- option will be forced and only static libraries will be created.
- Shared libraries are named a little differently on different platforms.
- One way or another, they all have the major OpenSSL version number as
- part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of
- the name.
- On most POSIXly platforms, shared libraries are named libcrypto.so.1.1
- and libssl.so.1.1.
- on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll
- with import libraries libcrypto.dll.a and libssl.dll.a.
- On Windows build with MSVC or using MingW, shared libraries are named
- libcrypto-1_1.dll and libssl-1_1.dll for 32-bit Windows, libcrypto-1_1-x64.dll
- and libssl-1_1-x64.dll for 64-bit x86_64 Windows, and libcrypto-1_1-ia64.dll
- and libssl-1_1-ia64.dll for IA64 Windows. With MSVC, the import libraries
- are named libcrypto.lib and libssl.lib, while with MingW, they are named
- libcrypto.dll.a and libssl.dll.a.
- On VMS, shareable images (VMS speak for shared libraries) are named
- ossl$libcrypto0101_shr.exe and ossl$libssl0101_shr.exe. However, when
- OpenSSL is specifically built for 32-bit pointers, the shareable images
- are named ossl$libcrypto0101_shr32.exe and ossl$libssl0101_shr32.exe
- instead, and when built for 64-bit pointers, they are named
- ossl$libcrypto0101_shr64.exe and ossl$libssl0101_shr64.exe.
- Note on random number generation
- --------------------------------
- Availability of cryptographically secure random numbers is required for
- secret key generation. OpenSSL provides several options to seed the
- internal PRNG. If not properly seeded, the internal PRNG will refuse
- to deliver random bytes and a "PRNG not seeded error" will occur.
- On systems without /dev/urandom (or similar) device, it may be necessary
- to install additional support software to obtain a random seed.
- Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
- and the FAQ for more information.
|