Commit | Line | Data |
---|---|---|
79e259e3 | 1 | |
d5957691 MC |
2 | OPENSSL INSTALLATION |
3 | -------------------- | |
79e259e3 | 4 | |
07930a75 RL |
5 | [This document describes installation on all supported operating |
6 | systems (currently mainly the Linux/Unix family, OpenVMS and | |
7 | Windows)] | |
4109b97c RE |
8 | |
9 | To install OpenSSL, you will need: | |
79e259e3 | 10 | |
07930a75 RL |
11 | * A make implementation |
12 | * Perl 5 with core modules (please read NOTES.PERL) | |
13 | * The perl module Text::Template (please read NOTES.PERL) | |
73bfb9ad | 14 | * an ANSI C compiler |
d5957691 | 15 | * a development environment in the form of development libraries and C |
d57d85ff | 16 | header files |
2acd8ec7 RL |
17 | * a supported operating system |
18 | ||
84f4f0bd RL |
19 | For additional platform specific requirements and other details, |
20 | please read one of these: | |
2acd8ec7 | 21 | |
b32b8961 | 22 | * NOTES.VMS (OpenVMS) |
20ab55f4 | 23 | * NOTES.WIN (any supported Windows) |
07930a75 | 24 | * NOTES.DJGPP (DOS platform with DJGPP) |
79e259e3 | 25 | |
4109b97c RE |
26 | Quick Start |
27 | ----------- | |
79e259e3 | 28 | |
4109b97c | 29 | If you want to just get on with it, do: |
79e259e3 | 30 | |
2acd8ec7 RL |
31 | on Unix: |
32 | ||
33 | $ ./config | |
34 | $ make | |
35 | $ make test | |
36 | $ make install | |
37 | ||
38 | on OpenVMS: | |
39 | ||
40 | $ @config | |
41 | $ mms | |
42 | $ mms test | |
43 | $ mms install | |
79e259e3 | 44 | |
b32b8961 RL |
45 | on Windows (only pick one of the targets for configuration): |
46 | ||
47 | $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE } | |
48 | $ nmake | |
49 | $ nmake test | |
8c16829e | 50 | $ nmake install |
b32b8961 | 51 | |
d872c55c | 52 | [If any of these steps fails, see section Installation in Detail below.] |
b1fe6b43 | 53 | |
2acd8ec7 RL |
54 | This will build and install OpenSSL in the default location, which is: |
55 | ||
56 | Unix: normal installation directories under /usr/local | |
57 | OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the | |
667c6bfe RL |
58 | OpenSSL version number with underscores instead of periods. |
59 | Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL | |
2acd8ec7 RL |
60 | |
61 | If you want to install it anywhere else, run config like this: | |
79e259e3 | 62 | |
2acd8ec7 RL |
63 | On Unix: |
64 | ||
65 | $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl | |
66 | ||
67 | On OpenVMS: | |
68 | ||
69 | $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL] | |
79e259e3 | 70 | |
b1fe6b43 UM |
71 | |
72 | Configuration Options | |
73 | --------------------- | |
74 | ||
2d99cee7 | 75 | There are several options to ./config (or ./Configure) to customize |
8c16829e RL |
76 | the build (note that for Windows, the defaults for --prefix and |
77 | --openssldir depend on what configuration is used and what Windows | |
78 | implementation OpenSSL is built on. More notes on this in NOTES.WIN): | |
2613c1fa | 79 | |
ecabf05e MC |
80 | --prefix=DIR |
81 | The top of the installation directory tree. Defaults are: | |
462ba4f6 | 82 | |
d5957691 | 83 | Unix: /usr/local |
8c16829e RL |
84 | Windows: C:\Program Files\OpenSSL |
85 | or C:\Program Files (x86)\OpenSSL | |
d5957691 | 86 | OpenVMS: SYS$COMMON:[OPENSSL-'version'] |
2acd8ec7 | 87 | |
ecabf05e MC |
88 | --openssldir=DIR |
89 | Directory for OpenSSL configuration files, and also the | |
d5957691 MC |
90 | default certificate and key store. Defaults are: |
91 | ||
667c6bfe | 92 | Unix: /usr/local/ssl |
8c16829e RL |
93 | Windows: C:\Program Files\Common Files\SSL |
94 | or C:\Program Files (x86)\Common Files\SSL | |
667c6bfe | 95 | OpenVMS: SYS$COMMON:[OPENSSL-COMMON] |
d5957691 | 96 | |
ecabf05e MC |
97 | --api=x.y.z |
98 | Don't build with support for deprecated APIs below the | |
d5957691 MC |
99 | specified version number. For example "--api=1.1.0" will |
100 | remove support for all APIs that were deprecated in OpenSSL | |
101 | version 1.1.0 or below. | |
102 | ||
ecabf05e MC |
103 | no-afalgeng |
104 | Don't build the AFALG engine. This option will be forced if | |
105 | on a platform that does not support AFALG. | |
106 | ||
107 | no-asm | |
05328815 MC |
108 | Do not use assembler code. On some platforms a small amount |
109 | of assembler code may still be used. | |
ecabf05e MC |
110 | |
111 | no-async | |
112 | Do not build support for async operations. | |
d5957691 | 113 | |
ecabf05e MC |
114 | no-autoalginit |
115 | Don't automatically load all supported ciphers and digests. | |
d5957691 MC |
116 | Typically OpenSSL will make available all of its supported |
117 | ciphers and digests. For a statically linked application this | |
118 | may be undesirable if small executable size is an objective. | |
119 | This only affects libcrypto. Ciphers and digests will have to | |
120 | be loaded manually using EVP_add_cipher() and | |
ecabf05e MC |
121 | EVP_add_digest() if this option is used. This option will |
122 | force a non-shared build. | |
d5957691 | 123 | |
ecabf05e MC |
124 | no-autoerrinit |
125 | Don't automatically load all libcrypto/libssl error strings. | |
d5957691 MC |
126 | Typically OpenSSL will automatically load human readable |
127 | error strings. For a statically linked application this may | |
128 | be undesirable if small executable size is an objective. | |
129 | ||
d5957691 | 130 | |
ecabf05e MC |
131 | no-capieng |
132 | Don't build the CAPI engine. This option will be forced if | |
133 | on a platform that does not support CAPI. | |
d5957691 | 134 | |
ecabf05e MC |
135 | no-cms |
136 | Don't build support for CMS features | |
d5957691 | 137 | |
ecabf05e MC |
138 | no-comp |
139 | Don't build support for SSL/TLS compression. If this option | |
140 | is left enabled (the default), then compression will only | |
141 | work if the zlib or zlib-dynamic options are also chosen. | |
d5957691 | 142 | |
ecabf05e MC |
143 | enable-crypto-mdebug |
144 | Build support for debugging memory allocated via | |
145 | OPENSSL_malloc() or OPENSSL_zalloc(). | |
146 | ||
147 | enable-crypto-mdebug-backtrace | |
148 | As for crypto-mdebug, but additionally provide backtrace | |
149 | information for allocated memory. | |
8d054a55 RL |
150 | TO BE USED WITH CARE: this uses GNU C functionality, and |
151 | is therefore not usable for non-GNU config targets. If | |
152 | your build complains about the use of '-rdynamic' or the | |
153 | lack of header file execinfo.h, this option is not for you. | |
154 | ALSO NOTE that even though execinfo.h is available on your | |
155 | system (through Gnulib), the functions might just be stubs | |
156 | that do nothing. | |
ecabf05e MC |
157 | |
158 | no-ct | |
159 | Don't build support for Certificate Transparency. | |
160 | ||
161 | no-deprecated | |
162 | Don't build with support for any deprecated APIs. This is the | |
163 | same as using "--api" and supplying the latest version | |
164 | number. | |
165 | ||
166 | no-dgram | |
167 | Don't build support for datagram based BIOs. Selecting this | |
168 | option will also force the disabling of DTLS. | |
169 | ||
170 | no-dso | |
171 | Don't build support for loading Dynamic Shared Objects. | |
172 | ||
173 | no-dynamic-engine | |
174 | Don't build the dynamically loaded engines. This only has an | |
175 | effect in a "shared" build | |
176 | ||
177 | no-ec | |
178 | Don't build support for Elliptic Curves. | |
179 | ||
180 | no-ec2m | |
181 | Don't build support for binary Elliptic Curves | |
182 | ||
183 | enable-ec_nistp_64_gcc_128 | |
184 | Enable support for optimised implementations of some commonly | |
185 | used NIST elliptic curves. This is only supported on some | |
186 | platforms. | |
187 | ||
188 | enable-egd | |
189 | Build support for gathering entropy from EGD (Entropy | |
190 | Gathering Daemon). | |
191 | ||
192 | no-engine | |
193 | Don't build support for loading engines. | |
194 | ||
195 | no-err | |
196 | Don't compile in any error strings. | |
197 | ||
198 | no-filenames | |
199 | Don't compile in filename and line number information (e.g. | |
200 | for errors and memory allocation). | |
201 | ||
202 | no-gost | |
203 | Don't build support for GOST based ciphersuites. Note that | |
204 | if this feature is enabled then GOST ciphersuites are only | |
205 | available if the GOST algorithms are also available through | |
206 | loading an externally supplied engine. | |
207 | ||
208 | enable-heartbeats | |
209 | Build support for DTLS heartbeats. | |
210 | ||
211 | no-hw-padlock | |
212 | Don't build the padlock engine. | |
213 | ||
214 | no-makedepend | |
05328815 | 215 | Don't generate dependencies. |
ecabf05e MC |
216 | |
217 | no-multiblock | |
218 | Don't build support for writing multiple records in one | |
219 | go in libssl (Note: this is a different capability to the | |
220 | pipelining functionality). | |
221 | ||
222 | no-nextprotoneg | |
223 | Don't build support for the NPN TLS extension. | |
224 | ||
225 | no-ocsp | |
226 | Don't build support for OCSP. | |
d5957691 | 227 | |
ecabf05e MC |
228 | no-pic |
229 | Don't build with support for Position Independent Code. | |
d5957691 | 230 | |
ecabf05e MC |
231 | no-posix-io |
232 | Don't use POSIX IO capabilities. | |
233 | ||
234 | no-psk | |
235 | Don't build support for Pre-Shared Key based ciphersuites. | |
236 | ||
237 | no-rdrand | |
238 | Don't use hardware RDRAND capabilities. | |
239 | ||
240 | no-rfc3779 | |
241 | Don't build support for RFC3779 ("X.509 Extensions for IP | |
242 | Addresses and AS Identifiers") | |
243 | ||
ecabf05e MC |
244 | sctp |
245 | Build support for SCTP | |
246 | ||
ce942199 MC |
247 | no-shared |
248 | Do not create shared libraries, only static ones. See "Note | |
249 | on shared libraries" below. | |
d5957691 | 250 | |
ecabf05e MC |
251 | no-sock |
252 | Don't build support for socket BIOs | |
d5957691 | 253 | |
ecabf05e MC |
254 | no-srp |
255 | Don't build support for SRP or SRP based ciphersuites. | |
256 | ||
257 | no-srtp | |
258 | Don't build SRTP support | |
d5957691 | 259 | |
ecabf05e MC |
260 | no-sse2 |
261 | Exclude SSE2 code paths. Normally SSE2 extension is | |
d5957691 MC |
262 | detected at run-time, but the decision whether or not the |
263 | machine code will be executed is taken solely on CPU | |
264 | capability vector. This means that if you happen to run OS | |
265 | kernel which does not support SSE2 extension on Intel P4 | |
266 | processor, then your application might be exposed to | |
267 | "illegal instruction" exception. There might be a way | |
268 | to enable support in kernel, e.g. FreeBSD kernel can be | |
269 | compiled with CPU_ENABLE_SSE, and there is a way to | |
270 | disengage SSE2 code paths upon application start-up, | |
271 | but if you aim for wider "audience" running such kernel, | |
05328815 | 272 | consider no-sse2. Both the 386 and no-asm options imply |
d5957691 MC |
273 | no-sse2. |
274 | ||
ecabf05e MC |
275 | enable-ssl-trace |
276 | Build with the SSL Trace capabilities (adds the "-trace" | |
277 | option to s_client and s_server). | |
278 | ||
279 | no-static-engine | |
280 | Don't build the statically linked engines. This only | |
281 | has an impact when not built "shared". | |
282 | ||
283 | no-stdio | |
284 | Don't use any C "stdio" features. Only libcrypto and libssl | |
285 | can be built in this way. Using this option will suppress | |
286 | building the command line applications. Additionally since | |
287 | the OpenSSL tests also use the command line applications the | |
288 | tests will also be skipped. | |
289 | ||
290 | no-threads | |
291 | Don't try to build with support for multi-threaded | |
292 | applications. | |
293 | ||
294 | threads | |
295 | Build with support for multi-threaded applications. Most | |
296 | platforms will enable this by default. However if on a | |
297 | platform where this is not the case then this will usually | |
298 | require additional system-dependent options! See "Note on | |
299 | multi-threading" below. | |
300 | ||
301 | no-ts | |
302 | Don't build Time Stamping Authority support. | |
303 | ||
304 | no-ui | |
305 | Don't build with the "UI" capability (i.e. the set of | |
306 | features enabling text based prompts). | |
307 | ||
308 | enable-unit-test | |
309 | Enable additional unit test APIs. This should not typically | |
310 | be used in production deployments. | |
311 | ||
312 | enable-weak-ssl-ciphers | |
313 | Build support for SSL/TLS ciphers that are considered "weak" | |
314 | (e.g. RC4 based ciphersuites). | |
315 | ||
316 | zlib | |
317 | Build with support for zlib compression/decompression. | |
318 | ||
319 | zlib-dynamic | |
320 | Like "zlib", but has OpenSSL load the zlib library | |
321 | dynamically when needed. This is only supported on systems | |
322 | where loading of shared libraries is supported. | |
323 | ||
324 | 386 | |
325 | On Intel hardware, use the 80386 instruction set only | |
326 | (the default x86 code is more efficient, but requires at | |
327 | least a 486). Note: Use compiler flags for any other CPU | |
328 | specific configuration, e.g. "-m32" to build x86 code on | |
329 | an x64 system. | |
d5957691 | 330 | |
ecabf05e MC |
331 | no-<prot> |
332 | Don't build support for negotiating the specified SSL/TLS | |
333 | protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls, | |
334 | dtls1 or dtls1_2). If "no-tls" is selected then all of tls1, | |
335 | tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will | |
336 | disable dtls1 and dtls1_2. The "no-ssl" option is synonymous | |
337 | with "no-ssl3". Note this only affects version negotiation. | |
338 | OpenSSL will still provide the methods for applications to | |
339 | explicitly select the individual protocol versions. | |
340 | ||
341 | no-<prot>-method | |
342 | As for no-<prot> but in addition do not build the methods for | |
343 | applications to explicitly select individual protocol | |
344 | versions. | |
345 | ||
346 | enable-<alg> | |
347 | Build with support for the specified algorithm, where <alg> | |
348 | is one of: md2 or rc5. | |
349 | ||
350 | no-<alg> | |
351 | Build without support for the specified algorithm, where | |
352 | <alg> is one of: bf, blake2, camellia, cast, chacha, cmac, | |
353 | des, dh, dsa, ecdh, ecdsa, idea, md4, md5, mdc2, ocb, | |
354 | poly1305, rc2, rc4, rmd160, scrypt, seed or whirlpool. The | |
355 | "ripemd" algorithm is deprecated and if used is synonymous | |
356 | with rmd160. | |
357 | ||
358 | -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx | |
359 | These system specific options will be passed through to the | |
360 | compiler to allow you to define preprocessor symbols, specify | |
361 | additional libraries, library directories or other compiler | |
d5957691 | 362 | options. |
b1fe6b43 | 363 | |
79e259e3 | 364 | |
4109b97c RE |
365 | Installation in Detail |
366 | ---------------------- | |
c9f06e7f | 367 | |
4109b97c | 368 | 1a. Configure OpenSSL for your operating system automatically: |
c9f06e7f | 369 | |
b32b8961 RL |
370 | NOTE: This is not available on Windows. |
371 | ||
2acd8ec7 RL |
372 | $ ./config [options] # Unix |
373 | ||
374 | or | |
375 | ||
376 | $ @config [options] ! OpenVMS | |
377 | ||
378 | For the remainder of this text, the Unix form will be used in all | |
379 | examples, please use the appropriate form for your platform. | |
c9f06e7f | 380 | |
4109b97c | 381 | This guesses at your operating system (and compiler, if necessary) and |
b1fe6b43 | 382 | configures OpenSSL based on this guess. Run ./config -t to see |
db209ec2 UM |
383 | if it guessed correctly. If you want to use a different compiler, you |
384 | are cross-compiling for another platform, or the ./config guess was | |
385 | wrong for other reasons, go to step 1b. Otherwise go to step 2. | |
c9f06e7f | 386 | |
b1fe6b43 UM |
387 | On some systems, you can include debugging information as follows: |
388 | ||
389 | $ ./config -d [options] | |
390 | ||
c9f06e7f | 391 | 1b. Configure OpenSSL for your operating system manually |
79e259e3 | 392 | |
4109b97c RE |
393 | OpenSSL knows about a range of different operating system, hardware and |
394 | compiler combinations. To see the ones it knows about, run | |
79e259e3 | 395 | |
2acd8ec7 RL |
396 | $ ./Configure # Unix |
397 | ||
398 | or | |
399 | ||
400 | $ perl Configure # All other platforms | |
401 | ||
402 | For the remainder of this text, the Unix form will be used in all | |
403 | examples, please use the appropriate form for your platform. | |
79e259e3 | 404 | |
4109b97c RE |
405 | Pick a suitable name from the list that matches your system. For most |
406 | operating systems there is a choice between using "cc" or "gcc". When | |
407 | you have identified your system (and if necessary compiler) use this name | |
2acd8ec7 | 408 | as the argument to Configure. For example, a "linux-elf" user would |
4109b97c | 409 | run: |
79e259e3 | 410 | |
b1fe6b43 | 411 | $ ./Configure linux-elf [options] |
79e259e3 | 412 | |
5bb9e2b4 RL |
413 | If your system isn't listed, you will have to create a configuration |
414 | file named Configurations/{something}.conf and add the correct | |
415 | configuration for your system. See the available configs as examples | |
416 | and read Configurations/README and Configurations/README.design for | |
417 | more information. | |
79e259e3 | 418 | |
5bb9e2b4 RL |
419 | The generic configurations "cc" or "gcc" should usually work on 32 bit |
420 | Unix-like systems. | |
421 | ||
422 | Configure creates a build file ("Makefile" on Unix and "descrip.mms" | |
423 | on OpenVMS) from a suitable template in Configurations, and | |
b1fe6b43 | 424 | defines various macros in crypto/opensslconf.h (generated from |
80611577 | 425 | crypto/opensslconf.h.in). |
79e259e3 | 426 | |
2acd8ec7 RL |
427 | 1c. Configure OpenSSL for building outside of the source tree. |
428 | ||
429 | OpenSSL can be configured to build in a build directory separate from | |
430 | the directory with the source code. It's done by placing yourself in | |
431 | some other directory and invoking the configuration commands from | |
432 | there. | |
433 | ||
434 | Unix example: | |
435 | ||
436 | $ mkdir /var/tmp/openssl-build | |
437 | $ cd /var/tmp/openssl-build | |
438 | $ /PATH/TO/OPENSSL/SOURCE/config [options] | |
439 | ||
440 | or | |
441 | ||
442 | $ /PATH/TO/OPENSSL/SOURCE/Configure [target] [options] | |
443 | ||
444 | OpenVMS example: | |
445 | ||
446 | $ set default sys$login: | |
447 | $ create/dir [.tmp.openssl-build] | |
448 | $ set default [.tmp.openssl-build] | |
449 | $ @[PATH.TO.OPENSSL.SOURCE]config {options} | |
450 | ||
451 | or | |
452 | ||
453 | $ @[PATH.TO.OPENSSL.SOURCE]Configure {target} {options} | |
454 | ||
b32b8961 RL |
455 | Windows example: |
456 | ||
457 | $ C: | |
458 | $ mkdir \temp-openssl | |
459 | $ cd \temp-openssl | |
460 | $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {target} {options} | |
461 | ||
2acd8ec7 RL |
462 | Paths can be relative just as well as absolute. Configure will |
463 | do its best to translate them to relative paths whenever possible. | |
464 | ||
462ba4f6 | 465 | 2. Build OpenSSL by running: |
79e259e3 | 466 | |
2acd8ec7 RL |
467 | $ make # Unix |
468 | $ mms ! (or mmk) OpenVMS | |
b32b8961 | 469 | $ nmake # Windows |
79e259e3 | 470 | |
2acd8ec7 RL |
471 | This will build the OpenSSL libraries (libcrypto.a and libssl.a on |
472 | Unix, corresponding on other platforms) and the OpenSSL binary | |
473 | ("openssl"). The libraries will be built in the top-level directory, | |
474 | and the binary will be in the "apps" subdirectory. | |
79e259e3 | 475 | |
2acd8ec7 | 476 | If the build fails, look at the output. There may be reasons for |
9020b862 | 477 | the failure that aren't problems in OpenSSL itself (like missing |
a652ffc4 | 478 | standard headers). If it is a problem with OpenSSL itself, please |
2acd8ec7 RL |
479 | report the problem to <rt@openssl.org> (note that your message |
480 | will be recorded in the request tracker publicly readable at | |
481 | https://www.openssl.org/community/index.html#bugs and will be | |
d5957691 MC |
482 | forwarded to a public mailing list). Please check out the request |
483 | tracker. Maybe the bug was already reported or has already been | |
484 | fixed. | |
b1fe6b43 | 485 | |
436a376b | 486 | [If you encounter assembler error messages, try the "no-asm" |
b82ccbb7 | 487 | configuration option as an immediate fix.] |
436a376b | 488 | |
91174a91 UM |
489 | Compiling parts of OpenSSL with gcc and others with the system |
490 | compiler will result in unresolved symbols on some systems. | |
491 | ||
462ba4f6 | 492 | 3. After a successful build, the libraries should be tested. Run: |
79e259e3 | 493 | |
2acd8ec7 RL |
494 | $ make test # Unix |
495 | $ mms test ! OpenVMS | |
b32b8961 | 496 | $ nmake test # Windows |
79e259e3 | 497 | |
2e996acf RL |
498 | If some tests fail, look at the output. There may be reasons for |
499 | the failure that aren't problems in OpenSSL itself (like a | |
500 | malfunction with Perl). You may want increased verbosity; that | |
501 | can be accomplished like this: | |
502 | ||
be6bdab6 | 503 | $ make VERBOSE=1 test # Unix |
2acd8ec7 | 504 | |
e8173157 | 505 | $ mms /macro=(VERBOSE=1) test ! OpenVMS |
2e996acf | 506 | |
be6bdab6 | 507 | $ nmake VERBOSE=1 test # Windows |
b32b8961 | 508 | |
2e996acf RL |
509 | If you want to run just one or a few specific tests, you can use |
510 | the make variable TESTS to specify them, like this: | |
511 | ||
2acd8ec7 RL |
512 | $ make TESTS='test_rsa test_dsa' test # Unix |
513 | $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS | |
b32b8961 | 514 | $ nmake TESTS='test_rsa test_dsa' test # Windows |
2e996acf | 515 | |
2acd8ec7 | 516 | And of course, you can combine (Unix example shown): |
2e996acf | 517 | |
be6bdab6 | 518 | $ make VERBOSE=1 TESTS='test_rsa test_dsa' test |
2e996acf RL |
519 | |
520 | You can find the list of available tests like this: | |
521 | ||
2acd8ec7 | 522 | $ make list-tests # Unix |
5bb9e2b4 | 523 | $ mms list-tests ! OpenVMS |
b32b8961 | 524 | $ nmake list-tests # Windows |
2e996acf | 525 | |
d40b0622 RL |
526 | Have a look at the manual for the perl module Test::Harness to |
527 | see what other HARNESS_* variables there are. | |
528 | ||
2e996acf | 529 | If you find a problem with OpenSSL itself, try removing any |
2acd8ec7 RL |
530 | compiler optimization flags from the CFLAGS line in Makefile and |
531 | run "make clean; make" or corresponding. | |
2e996acf | 532 | |
d5957691 | 533 | Please send bug reports to <rt@openssl.org>. |
b1fe6b43 | 534 | |
462ba4f6 | 535 | 4. If everything tests ok, install OpenSSL with |
79e259e3 | 536 | |
2acd8ec7 RL |
537 | $ make install # Unix |
538 | $ mms install ! OpenVMS | |
539 | ||
540 | This will install all the software components in this directory | |
541 | tree under PREFIX (the directory given with --prefix or its | |
542 | default): | |
543 | ||
544 | Unix: | |
545 | ||
546 | bin/ Contains the openssl binary and a few other | |
547 | utility scripts. | |
548 | include/openssl | |
549 | Contains the header files needed if you want | |
550 | to build your own programs that use libcrypto | |
551 | or libssl. | |
552 | lib Contains the OpenSSL library files. | |
553 | lib/engines Contains the OpenSSL dynamically loadable engines. | |
554 | share/man/{man1,man3,man5,man7} | |
555 | Contains the OpenSSL man-pages. | |
d5957691 | 556 | share/doc/openssl/html/{man1,man3,man5,man7} |
2acd8ec7 RL |
557 | Contains the HTML rendition of the man-pages. |
558 | ||
559 | OpenVMS ('arch' is replaced with the architecture name, "Alpha" | |
560 | or "ia64"): | |
561 | ||
562 | [.EXE.'arch'] Contains the openssl binary and a few other | |
563 | utility scripts. | |
564 | [.include.openssl] | |
565 | Contains the header files needed if you want | |
566 | to build your own programs that use libcrypto | |
567 | or libssl. | |
568 | [.LIB.'arch'] Contains the OpenSSL library files. | |
569 | [.ENGINES.'arch'] | |
570 | Contains the OpenSSL dynamically loadable engines. | |
571 | [.SYS$STARTUP] Contains startup, login and shutdown scripts. | |
572 | These define appropriate logical names and | |
573 | command symbols. | |
574 | ||
575 | ||
576 | Additionally, install will add the following directories under | |
577 | OPENSSLDIR (the directory given with --openssldir or its default) | |
578 | for your convenience: | |
579 | ||
580 | certs Initially empty, this is the default location | |
581 | for certificate files. | |
582 | private Initially empty, this is the default location | |
583 | for private key files. | |
584 | misc Various scripts. | |
60cdb821 | 585 | |
e5f3045f BM |
586 | Package builders who want to configure the library for standard |
587 | locations, but have the package installed somewhere else so that | |
588 | it can easily be packaged, can use | |
589 | ||
2acd8ec7 RL |
590 | $ make DESTDIR=/tmp/package-root install # Unix |
591 | $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS | |
e5f3045f | 592 | |
3c65577f | 593 | The specified destination directory will be prepended to all |
2acd8ec7 | 594 | installation target paths. |
4fd53220 | 595 | |
2acd8ec7 | 596 | Compatibility issues with previous OpenSSL versions: |
4fd53220 BM |
597 | |
598 | * COMPILING existing applications | |
599 | ||
2acd8ec7 RL |
600 | OpenSSL 1.1 hides a number of structures that were previously |
601 | open. This includes all internal libssl structures and a number | |
602 | of EVP types. Accessor functions have been added to allow | |
603 | controlled access to the structures' data. | |
4fd53220 | 604 | |
2acd8ec7 RL |
605 | This means that some software needs to be rewritten to adapt to |
606 | the new ways of doing things. This often amounts to allocating | |
607 | an instance of a structure explicitly where you could previously | |
608 | allocate them on the stack as automatic variables, and using the | |
609 | provided accessor functions where you would previously access a | |
610 | structure's field directly. | |
4fd53220 | 611 | |
2acd8ec7 | 612 | <TBA> |
4fd53220 | 613 | |
2acd8ec7 RL |
614 | Some APIs have changed as well. However, older APIs have been |
615 | preserved when possible. | |
4fd53220 BM |
616 | |
617 | ||
5f8d5c96 BM |
618 | Note on multi-threading |
619 | ----------------------- | |
620 | ||
621 | For some systems, the OpenSSL Configure script knows what compiler options | |
622 | are needed to generate a library that is suitable for multi-threaded | |
623 | applications. On these systems, support for multi-threading is enabled | |
624 | by default; use the "no-threads" option to disable (this should never be | |
625 | necessary). | |
626 | ||
627 | On other systems, to enable support for multi-threading, you will have | |
33d50ef6 | 628 | to specify at least two options: "threads", and a system-dependent option. |
5f8d5c96 BM |
629 | (The latter is "-D_REENTRANT" on various systems.) The default in this |
630 | case, obviously, is not to include support for multi-threading (but | |
631 | you can still use "no-threads" to suppress an annoying warning message | |
632 | from the Configure script.) | |
633 | ||
35d8fa56 | 634 | OpenSSL provides built-in support for two threading models: pthreads (found on |
8b75603c MC |
635 | most UNIX/Linux systems), and Windows threads. No other threading models are |
636 | supported. If your platform does not provide pthreads or Windows threads then | |
637 | you should Configure with the "no-threads" option. | |
fcc6a1c4 RL |
638 | |
639 | Note on shared libraries | |
640 | ------------------------ | |
641 | ||
ce942199 MC |
642 | For most systems the OpenSSL Configure script knows what is needed to |
643 | build shared libraries for libcrypto and libssl. On these systems | |
644 | the shared libraries will be created by default. This can be suppressed and | |
645 | only static libraries created by using the "no-shared" option. On systems | |
646 | where OpenSSL does not know how to build shared libraries the "no-shared" | |
647 | option will be forced and only static libraries will be created. | |
96c930dd LJ |
648 | |
649 | Note on random number generation | |
650 | -------------------------------- | |
651 | ||
652 | Availability of cryptographically secure random numbers is required for | |
653 | secret key generation. OpenSSL provides several options to seed the | |
654 | internal PRNG. If not properly seeded, the internal PRNG will refuse | |
655 | to deliver random bytes and a "PRNG not seeded" error will occur. | |
656 | On systems without a /dev/urandom (or similar) device, it may be necessary | |
657 | to install additional support software to obtain a random seed. | |
658 | Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(), | |
659 | and the FAQ for more information. | |
4a9476dd | 660 |
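
The option semantics in the "Configuration Options" section above (the protocol aliases under no-<prot>, the difference between no-<prot> and no-<prot>-method, and the dependency of SSL/TLS compression on zlib) can be checked mechanically before a build. The script below is an added example, not part of the OpenSSL distribution; its function names and its choice of which options to report are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL distribution): review a proposed
# ./config or ./Configure argument list against the option descriptions in
# "Configuration Options". Which options count as findings is this example's
# own policy, an assumption rather than OpenSSL guidance.

PROTS="ssl ssl3 tls tls1 tls1_1 tls1_2 dtls dtls1 dtls1_2"

# has WORD ARGS... : succeed if WORD is one of ARGS.
has() {
    needle=$1; shift
    for a in "$@"; do
        [ "$a" = "$needle" ] && return 0
    done
    return 1
}

# expand_prot_opts ARGS...
# Print, sorted on one line, the individual protocol versions whose
# negotiation is disabled by the no-<prot> and no-<prot>-method options.
expand_prot_opts() {
    out=""
    for arg in "$@"; do
        case "$arg" in
            no-*-method) p=${arg#no-}; p=${p%-method} ;;
            no-*)        p=${arg#no-} ;;
            *)           continue ;;
        esac
        case "$p" in
            ssl|ssl3) out="$out ssl3" ;;                # no-ssl is synonymous with no-ssl3
            tls)      out="$out tls1 tls1_1 tls1_2" ;;  # no-tls covers all three
            dtls)     out="$out dtls1 dtls1_2" ;;       # no-dtls covers both
            tls1|tls1_1|tls1_2|dtls1|dtls1_2) out="$out $p" ;;
        esac
    done
    # $out is split on purpose: one name per line, de-duplicated, re-joined.
    printf '%s\n' $out | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ *$//'
}

# report TEXT : print one finding and count it.
report() { findings=$((findings + 1)); printf '%s\n' "$1"; }

# audit_configure_args ARGS...
# Print one finding per line. Returns 1 if anything was reported, else 0.
audit_configure_args() {
    findings=0
    for arg in "$@"; do
        case "$arg" in
            enable-weak-ssl-ciphers)
                report "$arg: builds ciphers the page calls weak (e.g. RC4)" ;;
            enable-unit-test)
                report "$arg: extra test APIs, not for production deployments" ;;
            enable-md2|enable-rc5)
                report "$arg: algorithm is only built on request" ;;
            enable-crypto-mdebug*|enable-ssl-trace)
                report "$arg: debugging aid in a release build" ;;
            zlib|zlib-dynamic)
                # Compression only works when zlib is chosen and no-comp is absent.
                has no-comp "$@" ||
                    report "$arg: SSL/TLS compression becomes usable (no-comp not given)" ;;
            no-*)
                p=${arg#no-}
                # no-<prot> only affects negotiation; the methods stay built.
                if has "$p" $PROTS && ! has "no-$p-method" "$@"; then
                    report "$arg: negotiation only; no-$p-method also removes the methods"
                fi ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# When run with arguments, audit them, e.g.: sh audit.sh no-ssl3 zlib
if [ "$#" -gt 0 ]; then
    audit_configure_args "$@" || echo "review the options above before running ./config"
fi
```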