1
by Christoph Martin
Import upstream version 0.9.7d |
1 |
INSTALLATION ON THE UNIX PLATFORM |
2 |
---------------------------------
|
|
3 |
||
4 |
[Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X) |
|
1.1.2
by Kurt Roeckx
Import upstream version 0.9.8a |
5 |
and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS, |
6 |
INSTALL.MacOS and INSTALL.NW. |
|
7 |
||
8 |
This document describes installation on operating systems in the Unix |
|
1
by Christoph Martin
Import upstream version 0.9.7d |
9 |
family.] |
10 |
||
11 |
To install OpenSSL, you will need: |
|
12 |
||
13 |
* make |
|
14 |
* Perl 5 |
|
15 |
* an ANSI C compiler |
|
16 |
* a development environment in form of development libraries and C |
|
17 |
header files |
|
18 |
* a supported Unix operating system |
|
19 |
||
20 |
Quick Start |
|
21 |
-----------
|
|
22 |
||
23 |
If you want to just get on with it, do: |
|
24 |
||
25 |
$ ./config |
|
26 |
$ make |
|
27 |
$ make test |
|
28 |
$ make install |
|
29 |
||
30 |
[If any of these steps fails, see section Installation in Detail below.] |
|
31 |
||
32 |
This will build and install OpenSSL in the default location, which is (for |
|
33 |
historical reasons) /usr/local/ssl. If you want to install it anywhere else, |
|
34 |
run config like this: |
|
35 |
||
36 |
$ ./config --prefix=/usr/local --openssldir=/usr/local/openssl |
|
37 |
||
38 |
||
39 |
Configuration Options |
|
40 |
---------------------
|
|
41 |
||
42 |
There are several options to ./config (or ./Configure) to customize |
|
43 |
the build: |
|
44 |
||
45 |
--prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl.
|
|
46 |
Configuration files used by OpenSSL will be in DIR/ssl |
|
47 |
or the directory specified by --openssldir. |
|
48 |
||
49 |
--openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
|
|
50 |
the library files and binaries are also installed there. |
|
51 |
||
52 |
no-threads Don't try to build with support for multi-threaded |
|
53 |
applications.
|
|
54 |
||
55 |
threads Build with support for multi-threaded applications.
|
|
56 |
This will usually require additional system-dependent options!
|
|
57 |
See "Note on multi-threading" below.
|
|
58 |
||
59 |
no-zlib Don't try to build with support for zlib compression and |
|
60 |
decompression. |
|
61 |
||
62 |
zlib Build with support for zlib compression/decompression. |
|
63 |
||
64 |
zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically |
|
65 |
when needed. This is only supported on systems where loading |
|
66 |
of shared libraries is supported. This is the default choice. |
|
67 |
||
68 |
no-shared Don't try to create shared libraries. |
|
69 |
||
70 |
shared In addition to the usual static libraries, create shared
|
|
71 |
libraries on platforms where it's supported. See "Note on |
|
72 |
shared libraries" below. |
|
73 |
||
74 |
no-asm Do not use assembler code. |
|
75 |
||
76 |
386 Use the 80386 instruction set only (the default x86 code is |
|
77 |
more efficient, but requires at least a 486). Note: Use |
|
1.1.3
by Kurt Roeckx
Import upstream version 0.9.8b |
78 |
compiler flags for any other CPU specific configuration, |
79 |
e.g. "-m32" to build x86 code on an x64 system. |
|
80 |
||
1
by Christoph Martin
Import upstream version 0.9.7d |
81 |
no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is |
1.1.2
by Kurt Roeckx
Import upstream version 0.9.8a |
82 |
detected at run-time, but the decision whether or not the |
83 |
machine code will be executed is taken solely on CPU |
|
84 |
capability vector. This means that if you happen to run OS |
|
85 |
kernel which does not support SSE2 extension on Intel P4 |
|
86 |
processor, then your application might be exposed to |
|
87 |
"illegal instruction" exception. There might be a way |
|
88 |
to enable support in kernel, e.g. FreeBSD kernel can be |
|
89 |
compiled with CPU_ENABLE_SSE, and there is a way to |
|
90 |
disengage SSE2 code pathes upon application start-up, |
|
91 |
but if you aim for wider "audience" running such kernel, |
|
92 |
consider no-sse2. Both 386 and no-asm options above imply |
|
93 |
no-sse2. |
|
94 |
||
95 |
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa, |
|
1
by Christoph Martin
Import upstream version 0.9.7d |
96 |
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). |
97 |
The crypto/<cipher> directory can be removed after running |
|
98 |
"make depend". |
|
99 |
||
100 |
-Dxxx, -lxxx, -Lxxx, -fxxx, -mxxx, -Kxxx These system specific options will |
|
1.1.3
by Kurt Roeckx
Import upstream version 0.9.8b |
101 |
be passed through to the compiler to allow you to |
1
by Christoph Martin
Import upstream version 0.9.7d |
102 |
define preprocessor symbols, specify additional libraries, |
103 |
library directories or other compiler options. |
|
104 |
||
105 |
||
106 |
Installation in Detail |
|
107 |
----------------------
|
|
108 |
||
109 |
1a. Configure OpenSSL for your operation system automatically: |
|
110 |
||
111 |
$ ./config [options] |
|
112 |
||
113 |
This guesses at your operating system (and compiler, if necessary) and |
|
114 |
configures OpenSSL based on this guess. Run ./config -t to see |
|
115 |
if it guessed correctly. If you want to use a different compiler, you |
|
116 |
are cross-compiling for another platform, or the ./config guess was |
|
117 |
wrong for other reasons, go to step 1b. Otherwise go to step 2. |
|
118 |
||
119 |
On some systems, you can include debugging information as follows: |
|
120 |
||
121 |
$ ./config -d [options] |
|
122 |
||
123 |
1b. Configure OpenSSL for your operating system manually |
|
124 |
||
125 |
OpenSSL knows about a range of different operating system, hardware and |
|
126 |
compiler combinations. To see the ones it knows about, run |
|
127 |
||
128 |
$ ./Configure |
|
129 |
||
130 |
Pick a suitable name from the list that matches your system. For most |
|
131 |
operating systems there is a choice between using "cc" or "gcc". When |
|
132 |
you have identified your system (and if necessary compiler) use this name |
|
133 |
as the argument to ./Configure. For example, a "linux-elf" user would |
|
134 |
run: |
|
135 |
||
136 |
$ ./Configure linux-elf [options] |
|
137 |
||
138 |
If your system is not available, you will have to edit the Configure |
|
139 |
program and add the correct configuration for your system. The |
|
140 |
generic configurations "cc" or "gcc" should usually work on 32 bit |
|
141 |
systems. |
|
142 |
||
143 |
Configure creates the file Makefile.ssl from Makefile.org and |
|
1.1.2
by Kurt Roeckx
Import upstream version 0.9.8a |
144 |
defines various macros in crypto/opensslconf.h (generated from |
1
by Christoph Martin
Import upstream version 0.9.7d |
145 |
crypto/opensslconf.h.in). |
146 |
||
147 |
2. Build OpenSSL by running: |
|
148 |
||
149 |
$ make |
|
150 |
||
151 |
This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the |
|
152 |
OpenSSL binary ("openssl"). The libraries will be built in the top-level |
|
153 |
directory, and the binary will be in the "apps" directory. |
|
154 |
||
155 |
If "make" fails, look at the output. There may be reasons for |
|
156 |
the failure that aren't problems in OpenSSL itself (like missing |
|
157 |
standard headers). If it is a problem with OpenSSL itself, please
|
|
158 |
report the problem to <openssl-bugs@openssl.org> (note that your
|
|
159 |
message will be recorded in the request tracker publicly readable
|
|
160 |
via http://www.openssl.org/support/rt.html and will be forwarded to a
|
|
1.1.7
by Kurt Roeckx
Import upstream version 0.9.8k |
161 |
public mailing list). Include the output of "make report" in your message.
|
1
by Christoph Martin
Import upstream version 0.9.7d |
162 |
Please check out the request tracker. Maybe the bug was already
|
163 |
reported or has already been fixed.
|
|
164 |
||
165 |
[If you encounter assembler error messages, try the "no-asm"
|
|
166 |
configuration option as an immediate fix.]
|
|
167 |
||
168 |
Compiling parts of OpenSSL with gcc and others with the system
|
|
169 |
compiler will result in unresolved symbols on some systems.
|
|
170 |
||
171 |
3. After a successful build, the libraries should be tested. Run:
|
|
172 |
||
173 |
$ make test
|
|
174 |
||
175 |
If a test fails, look at the output. There may be reasons for
|
|
176 |
the failure that isn't a problem in OpenSSL itself (like a missing |
|
177 |
or malfunctioning bc). If it is a problem with OpenSSL itself, |
|
178 |
try removing any compiler optimization flags from the CFLAG line |
|
179 |
in Makefile.ssl and run "make clean; make". Please send a bug |
|
1.1.2
by Kurt Roeckx
Import upstream version 0.9.8a |
180 |
report to <openssl-bugs@openssl.org>, including the output of |
1
by Christoph Martin
Import upstream version 0.9.7d |
181 |
"make report" in order to be added to the request tracker at |
182 |
http://www.openssl.org/support/rt.html. |
|
1.1.7
by Kurt Roeckx
Import upstream version 0.9.8k |
183 |
|
1
by Christoph Martin
Import upstream version 0.9.7d |
184 |
4. If everything tests ok, install OpenSSL with |
185 |
||
186 |
$ make install |
|
187 |
||
188 |
This will create the installation directory (if it does not exist) and |
|
189 |
then the following subdirectories: |
|
190 |
||
191 |
certs Initially empty, this is the default location |
|
192 |
for certificate files. |
|
193 |
man/man1 Manual pages for the 'openssl' command line tool |
|
194 |
man/man3 Manual pages for the libraries (very incomplete) |
|
195 |
misc Various scripts. |
|
196 |
private Initially empty, this is the default location |
|
197 |
for private key files. |
|
198 |
||
199 |
If you didn't choose a different installation prefix, the |
|
200 |
following additional subdirectories will be created:
|
|
201 |
||
202 |
bin Contains the openssl binary and a few other
|
|
203 |
utility programs.
|
|
204 |
include/openssl Contains the header files needed if you want to
|
|
205 |
compile programs with libcrypto or libssl.
|
|
206 |
lib Contains the OpenSSL library files themselves.
|
|
207 |
||
208 |
Package builders who want to configure the library for standard
|
|
209 |
locations, but have the package installed somewhere else so that
|
|
210 |
it can easily be packaged, can use
|
|
211 |
||
212 |
$ make INSTALL_PREFIX=/tmp/package-root install
|
|
213 |
||
214 |
(or specify "--install_prefix=/tmp/package-root" as a configure
|
|
215 |
option). The specified prefix will be prepended to all
|
|
216 |
installation target filenames.
|
|
217 |
||
218 |
||
219 |
NOTE: The header files used to reside directly in the include
|
|
220 |
directory, but have now been moved to include/openssl so that
|
|
221 |
OpenSSL can co-exist with other libraries which use some of the
|
|
222 |
same filenames. This means that applications that use OpenSSL
|
|
223 |
should now use C preprocessor directives of the form
|
|
224 |
||
225 |
#include <openssl/ssl.h>
|
|
226 |
||
227 |
instead of "#include <ssl.h>", which was used with library versions
|
|
228 |
up to OpenSSL 0.9.2b.
|
|
229 |
||
230 |
If you install a new version of OpenSSL over an old library version,
|
|
231 |
you should delete the old header files in the include directory.
|
|
232 |
||
233 |
Compatibility issues:
|
|
234 |
||
235 |
* COMPILING existing applications
|
|
236 |
||
237 |
To compile an application that uses old filenames -- e.g.
|
|
238 |
"#include <ssl.h>" --, it will usually be enough to find
|
|
239 |
the CFLAGS definition in the application's Makefile and |
|
240 |
add a C option such as |
|
241 |
||
242 |
-I/usr/local/ssl/include/openssl |
|
243 |
||
244 |
to it. |
|
245 |
||
246 |
But don't delete the existing -I option that points to |
|
247 |
the ..../include directory! Otherwise, OpenSSL header files
|
|
248 |
could not #include each other.
|
|
249 |
||
250 |
* WRITING applications
|
|
251 |
||
252 |
To write an application that is able to handle both the new
|
|
253 |
and the old directory layout, so that it can still be compiled
|
|
254 |
with library versions up to OpenSSL 0.9.2b without bothering
|
|
255 |
the user, you can proceed as follows:
|
|
256 |
||
257 |
- Always use the new filename of OpenSSL header files,
|
|
258 |
e.g. #include <openssl/ssl.h>.
|
|
259 |
||
260 |
- Create a directory "incl" that contains only a symbolic
|
|
261 |
link named "openssl", which points to the "include" directory
|
|
262 |
of OpenSSL.
|
|
263 |
For example, your application's Makefile might contain the |
|
264 |
following rule, if OPENSSLDIR is a pathname (absolute or |
|
265 |
relative) of the directory where OpenSSL resides: |
|
266 |
||
267 |
incl/openssl: |
|
268 |
-mkdir incl |
|
269 |
cd $(OPENSSLDIR) # Check whether the directory really exists |
|
270 |
-ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl |
|
271 |
||
272 |
You will have to add "incl/openssl" to the dependencies |
|
273 |
of those C files that include some OpenSSL header file. |
|
274 |
||
275 |
- Add "-Iincl" to your CFLAGS. |
|
276 |
||
277 |
With these additions, the OpenSSL header files will be available |
|
278 |
under both name variants if an old library version is used: |
|
279 |
Your application can reach them under names like <openssl/foo.h>, |
|
280 |
while the header files still are able to #include each other |
|
281 |
with names of the form <foo.h>. |
|
282 |
||
283 |
||
284 |
Note on multi-threading |
|
285 |
-----------------------
|
|
286 |
||
287 |
For some systems, the OpenSSL Configure script knows what compiler options |
|
288 |
are needed to generate a library that is suitable for multi-threaded |
|
289 |
applications. On these systems, support for multi-threading is enabled |
|
290 |
by default; use the "no-threads" option to disable (this should never be |
|
291 |
necessary). |
|
292 |
||
293 |
On other systems, to enable support for multi-threading, you will have |
|
294 |
to specify at least two options: "threads", and a system-dependent option. |
|
295 |
(The latter is "-D_REENTRANT" on various systems.) The default in this |
|
296 |
case, obviously, is not to include support for multi-threading (but |
|
297 |
you can still use "no-threads" to suppress an annoying warning message |
|
298 |
from the Configure script.) |
|
299 |
||
300 |
||
301 |
Note on shared libraries |
|
302 |
------------------------
|
|
303 |
||
304 |
Shared libraries have certain caveats. Binary backward compatibility |
|
1.1.5
by Kurt Roeckx
Import upstream version 0.9.8e |
305 |
can't be guaranteed before OpenSSL version 1.0. The only reason to |
306 |
use them would be to conserve memory on systems where several programs
|
|
307 |
are using OpenSSL.
|
|
308 |
||
1
by Christoph Martin
Import upstream version 0.9.7d |
309 |
For some systems, the OpenSSL Configure script knows what is needed to
|
310 |
build shared libraries for libcrypto and libssl. On these systems,
|
|
311 |
the shared libraries are currently not created by default, but giving
|
|
312 |
the option "shared" will get them created. This method supports Makefile
|
|
313 |
targets for shared library creation, like linux-shared. Those targets
|
|
314 |
can currently be used on their own just as well, but this is expected
|
|
315 |
to change in future versions of OpenSSL.
|
|
316 |
||
317 |
Note on random number generation
|
|
318 |
--------------------------------
|
|
319 |
||
320 |
Availability of cryptographically secure random numbers is required for
|
|
321 |
secret key generation. OpenSSL provides several options to seed the
|
|
322 |
internal PRNG. If not properly seeded, the internal PRNG will refuse
|
|
323 |
to deliver random bytes and a "PRNG not seeded error" will occur.
|
|
324 |
On systems without /dev/urandom (or similar) device, it may be necessary
|
|
325 |
to install additional support software to obtain random seed.
|
|
326 |
Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
|
|
327 |
and the FAQ for more information.
|
|
328 |
||
329 |
Note on support for multiple builds
|
|
330 |
-----------------------------------
|
|
331 |
||
332 |
OpenSSL is usually built in its source tree. Unfortunately, this doesn't |
|
1.1.3
by Kurt Roeckx
Import upstream version 0.9.8b |
333 |
support building for multiple platforms from the same source tree very well. |
1
by Christoph Martin
Import upstream version 0.9.7d |
334 |
It is however possible to build in a separate tree through the use of lots |
335 |
of symbolic links, which should be prepared like this: |
|
336 |
||
337 |
mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" |
|
338 |
cd objtree/"`uname -s`-`uname -r`-`uname -m`" |
|
339 |
(cd $OPENSSL_SOURCE; find . -type f) | while read F; do |
|
340 |
mkdir -p `dirname $F` |
|
341 |
rm -f $F; ln -s $OPENSSL_SOURCE/$F $F |
|
342 |
echo $F '->' $OPENSSL_SOURCE/$F |
|
343 |
done
|
|
344 |
make -f Makefile.org clean |
|
345 |
||
346 |
OPENSSL_SOURCE is an environment variable that contains the absolute (this |
|
347 |
is important!) path to the OpenSSL source tree. |
|
348 |
||
349 |
Also, operations like 'make update' should still be made in the source tree. |
|
350 |