]>
Commit | Line | Data |
---|---|---|
6ede7d73 DMSP |
1 | Build and Install |
2 | ================= | |
3 | ||
4 | This document describes installation on all supported operating | |
5 | systems (the Unix/Linux family, including macOS), OpenVMS, | |
6 | and Windows). | |
7 | ||
8 | Table of Contents | |
9 | ================= | |
10 | ||
11 | - [Prerequisites](#prerequisites) | |
12 | - [Notational Conventions](#notational-conventions) | |
13 | - [Quick Installation Guide](#quick-installation-guide) | |
257e9d03 RS |
14 | - [Building OpenSSL](#building-openssl) |
15 | - [Installing OpenSSL](#installing-openssl) | |
6ede7d73 | 16 | - [Configuration Options](#configuration-options) |
257e9d03 RS |
17 | - [API Level](#api-level) |
18 | - [Cross Compile Prefix](#cross-compile-prefix) | |
19 | - [Build Type](#build-type) | |
20 | - [Directories](#directories) | |
21 | - [Compiler Warnings](#compiler-warnings) | |
12e96a23 | 22 | - [Compression Algorithm Flags](#compression-algorithm-flags) |
257e9d03 | 23 | - [Seeding the Random Generator](#seeding-the-random-generator) |
31214258 | 24 | - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key) |
257e9d03 RS |
25 | - [Enable and Disable Features](#enable-and-disable-features) |
26 | - [Displaying configuration data](#displaying-configuration-data) | |
6ede7d73 | 27 | - [Installation Steps in Detail](#installation-steps-in-detail) |
257e9d03 RS |
28 | - [Configure](#configure-openssl) |
29 | - [Build](#build-openssl) | |
30 | - [Test](#test-openssl) | |
31 | - [Install](#install-openssl) | |
6ede7d73 | 32 | - [Advanced Build Options](#advanced-build-options) |
257e9d03 RS |
33 | - [Environment Variables](#environment-variables) |
34 | - [Makefile Targets](#makefile-targets) | |
35 | - [Running Selected Tests](#running-selected-tests) | |
6ede7d73 | 36 | - [Troubleshooting](#troubleshooting) |
257e9d03 RS |
37 | - [Configuration Problems](#configuration-problems) |
38 | - [Build Failures](#build-failures) | |
39 | - [Test Failures](#test-failures) | |
6ede7d73 | 40 | - [Notes](#notes) |
257e9d03 RS |
41 | - [Notes on multi-threading](#notes-on-multi-threading) |
42 | - [Notes on shared libraries](#notes-on-shared-libraries) | |
43 | - [Notes on random number generation](#notes-on-random-number-generation) | |
203c18f1 | 44 | - [Notes on assembler modules compilation](#notes-on-assembler-modules-compilation) |
79e259e3 | 45 | |
6ede7d73 DMSP |
46 | Prerequisites |
47 | ============= | |
2acd8ec7 | 48 | |
6ede7d73 | 49 | To install OpenSSL, you will need: |
2acd8ec7 | 50 | |
3a0b3cc9 | 51 | * A "make" implementation |
9f1fe6a9 DMSP |
52 | * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md)) |
53 | * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md)) | |
6ede7d73 DMSP |
54 | * an ANSI C compiler |
55 | * a development environment in the form of development libraries and C | |
56 | header files | |
57 | * a supported operating system | |
79e259e3 | 58 | |
6ede7d73 DMSP |
59 | For additional platform specific requirements, solutions to specific |
60 | issues and other details, please read one of these: | |
ea24fe29 | 61 | |
4148581e DMSP |
62 | * [Notes for UNIX-like platforms](NOTES-UNIX.md) |
63 | * [Notes for Android platforms](NOTES-ANDROID.md) | |
64 | * [Notes for Windows platforms](NOTES-WINDOWS.md) | |
65 | * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md) | |
66 | * [Notes for the OpenVMS platform](NOTES-VMS.md) | |
67 | * [Notes on Perl](NOTES-PERL.md) | |
68 | * [Notes on Valgrind](NOTES-VALGRIND.md) | |
ea24fe29 | 69 | |
6ede7d73 DMSP |
70 | Notational conventions |
71 | ====================== | |
ea24fe29 | 72 | |
6ede7d73 | 73 | Throughout this document, we use the following conventions. |
ea24fe29 | 74 | |
6ede7d73 DMSP |
75 | Commands |
76 | -------- | |
ea24fe29 | 77 | |
6ede7d73 | 78 | Any line starting with a dollar sign is a command line. |
ea24fe29 | 79 | |
6ede7d73 | 80 | $ command |
ea24fe29 | 81 | |
6ede7d73 DMSP |
82 | The dollar sign indicates the shell prompt and is not to be entered as |
83 | part of the command. | |
ea24fe29 | 84 | |
6ede7d73 DMSP |
85 | Choices |
86 | ------- | |
ea24fe29 | 87 | |
6ede7d73 DMSP |
88 | Several words in curly braces separated by pipe characters indicate a |
89 | **mandatory choice**, to be replaced with one of the given words. | |
90 | For example, the line | |
ea24fe29 | 91 | |
6ede7d73 | 92 | $ echo { WORD1 | WORD2 | WORD3 } |
ea24fe29 | 93 | |
6ede7d73 | 94 | represents one of the following three commands |
ea24fe29 | 95 | |
6ede7d73 DMSP |
96 | $ echo WORD1 |
97 | - or - | |
98 | $ echo WORD2 | |
99 | - or - | |
100 | $ echo WORD3 | |
ea24fe29 | 101 | |
6ede7d73 DMSP |
102 | One or several words in square brackets separated by pipe characters |
103 | denote an **optional choice**. It is similar to the mandatory choice, | |
104 | but it can also be omitted entirely. | |
79e259e3 | 105 | |
6ede7d73 | 106 | So the line |
79e259e3 | 107 | |
6ede7d73 DMSP |
108 | $ echo [ WORD1 | WORD2 | WORD3 ] |
109 | ||
110 | represents one of the four commands | |
111 | ||
112 | $ echo WORD1 | |
113 | - or - | |
114 | $ echo WORD2 | |
115 | - or - | |
116 | $ echo WORD3 | |
117 | - or - | |
118 | $ echo | |
119 | ||
120 | Arguments | |
121 | --------- | |
122 | ||
a4ffb33e | 123 | **Optional Arguments** are enclosed in square brackets. |
6ede7d73 | 124 | |
a4ffb33e | 125 | [option...] |
6ede7d73 | 126 | |
a4ffb33e | 127 | A trailing ellipsis means that more than one could be specified. |
6ede7d73 | 128 | |
6ede7d73 DMSP |
129 | Quick Installation Guide |
130 | ======================== | |
131 | ||
132 | If you just want to get OpenSSL installed without bothering too much | |
133 | about the details, here is the short version of how to build and install | |
134 | OpenSSL. If any of the following steps fails, please consult the | |
bf4cdd4a | 135 | [Installation in Detail](#installation-steps-in-detail) section below. |
6ede7d73 DMSP |
136 | |
137 | Building OpenSSL | |
138 | ---------------- | |
139 | ||
140 | Use the following commands to configure, build and test OpenSSL. | |
141 | The testing is optional, but recommended if you intend to install | |
142 | OpenSSL for production use. | |
143 | ||
257e9d03 | 144 | ### Unix / Linux / macOS |
2acd8ec7 | 145 | |
16b0e0fc | 146 | $ ./Configure |
2acd8ec7 RL |
147 | $ make |
148 | $ make test | |
2acd8ec7 | 149 | |
257e9d03 | 150 | ### OpenVMS |
6ede7d73 DMSP |
151 | |
152 | Use the following commands to build OpenSSL: | |
2acd8ec7 | 153 | |
16b0e0fc | 154 | $ perl Configure |
2acd8ec7 RL |
155 | $ mms |
156 | $ mms test | |
79e259e3 | 157 | |
257e9d03 | 158 | ### Windows |
6ede7d73 DMSP |
159 | |
160 | If you are using Visual Studio, open a Developer Command Prompt and | |
8c1cbc72 | 161 | issue the following commands to build OpenSSL. |
b32b8961 | 162 | |
16b0e0fc | 163 | $ perl Configure |
b32b8961 RL |
164 | $ nmake |
165 | $ nmake test | |
6ede7d73 DMSP |
166 | |
167 | As mentioned in the [Choices](#choices) section, you need to pick one | |
168 | of the four Configure targets in the first command. | |
169 | ||
18891efd | 170 | Most likely you will be using the `VC-WIN64A`/`VC-WIN64A-HYBRIDCRT` target for |
171 | 64bit Windows binaries (AMD64) or `VC-WIN32`/`VC-WIN32-HYBRIDCRT` for 32bit | |
172 | Windows binaries (X86). | |
9afbb681 DDO |
173 | The other two options are `VC-WIN64I` (Intel IA64, Itanium) and |
174 | `VC-CE` (Windows CE) are rather uncommon nowadays. | |
6ede7d73 DMSP |
175 | |
176 | Installing OpenSSL | |
177 | ------------------ | |
178 | ||
179 | The following commands will install OpenSSL to a default system location. | |
180 | ||
181 | **Danger Zone:** even if you are impatient, please read the following two | |
182 | paragraphs carefully before you install OpenSSL. | |
183 | ||
184 | For security reasons the default system location is by default not writable | |
185 | for unprivileged users. So for the final installation step administrative | |
186 | privileges are required. The default system location and the procedure to | |
8c1cbc72 | 187 | obtain administrative privileges depends on the operating system. |
6ede7d73 DMSP |
188 | It is recommended to compile and test OpenSSL with normal user privileges |
189 | and use administrative privileges only for the final installation step. | |
190 | ||
191 | On some platforms OpenSSL is preinstalled as part of the Operating System. | |
192 | In this case it is highly recommended not to overwrite the system versions, | |
193 | because other applications or libraries might depend on it. | |
194 | To avoid breaking other applications, install your copy of OpenSSL to a | |
195 | [different location](#installing-to-a-different-location) which is not in | |
196 | the global search path for system libraries. | |
197 | ||
41149648 RL |
198 | Finally, if you plan on using the FIPS module, you need to read the |
199 | [Post-installation Notes](#post-installation-notes) further down. | |
200 | ||
257e9d03 | 201 | ### Unix / Linux / macOS |
6ede7d73 DMSP |
202 | |
203 | Depending on your distribution, you need to run the following command as | |
204 | root user or prepend `sudo` to the command: | |
205 | ||
206 | $ make install | |
207 | ||
208 | By default, OpenSSL will be installed to | |
209 | ||
210 | /usr/local | |
211 | ||
212 | More precisely, the files will be installed into the subdirectories | |
213 | ||
214 | /usr/local/bin | |
215 | /usr/local/lib | |
216 | /usr/local/include | |
217 | ... | |
218 | ||
219 | depending on the file type, as it is custom on Unix-like operating systems. | |
220 | ||
257e9d03 | 221 | ### OpenVMS |
6ede7d73 DMSP |
222 | |
223 | Use the following command to install OpenSSL. | |
224 | ||
225 | $ mms install | |
226 | ||
227 | By default, OpenSSL will be installed to | |
228 | ||
d8c1cafb | 229 | SYS$COMMON:[OPENSSL] |
6ede7d73 | 230 | |
257e9d03 | 231 | ### Windows |
6ede7d73 DMSP |
232 | |
233 | If you are using Visual Studio, open the Developer Command Prompt _elevated_ | |
234 | and issue the following command. | |
235 | ||
8c16829e | 236 | $ nmake install |
b32b8961 | 237 | |
98663afc TM |
238 | The easiest way to elevate the Command Prompt is to press and hold down both |
239 | the `<CTRL>` and `<SHIFT>` keys while clicking the menu item in the task menu. | |
6ede7d73 DMSP |
240 | |
241 | The default installation location is | |
242 | ||
243 | C:\Program Files\OpenSSL | |
7c03bb9f | 244 | |
6ede7d73 | 245 | for native binaries, or |
b1fe6b43 | 246 | |
6ede7d73 | 247 | C:\Program Files (x86)\OpenSSL |
2acd8ec7 | 248 | |
6ede7d73 | 249 | for 32bit binaries on 64bit Windows (WOW64). |
2acd8ec7 | 250 | |
257e9d03 | 251 | #### Installing to a different location |
79e259e3 | 252 | |
6ede7d73 | 253 | To install OpenSSL to a different location (for example into your home |
9afbb681 | 254 | directory for testing purposes) run `Configure` as shown in the following |
43a70f02 | 255 | examples. |
6ede7d73 | 256 | |
d8c1cafb RL |
257 | The options `--prefix` and `--openssldir` are explained in further detail in |
258 | [Directories](#directories) below, and the values used here are mere examples. | |
259 | ||
43a70f02 | 260 | On Unix: |
2acd8ec7 | 261 | |
16b0e0fc | 262 | $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl |
2acd8ec7 | 263 | |
43a70f02 | 264 | On OpenVMS: |
2acd8ec7 | 265 | |
16b0e0fc | 266 | $ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL] |
79e259e3 | 267 | |
6ede7d73 | 268 | Note: if you do add options to the configuration command, please make sure |
1dc1ea18 | 269 | you've read more than just this Quick Start, such as relevant `NOTES-*` files, |
6ede7d73 DMSP |
270 | the options outline below, as configuration options may change the outcome |
271 | in otherwise unexpected ways. | |
272 | ||
6ede7d73 DMSP |
273 | Configuration Options |
274 | ===================== | |
275 | ||
9afbb681 DDO |
276 | There are several options to `./Configure` to customize the build (note that |
277 | for Windows, the defaults for `--prefix` and `--openssldir` depend on what | |
16b0e0fc | 278 | configuration is used and what Windows implementation OpenSSL is built on. |
9f1fe6a9 | 279 | For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md). |
6ede7d73 DMSP |
280 | |
281 | API Level | |
282 | --------- | |
283 | ||
284 | --api=x.y[.z] | |
285 | ||
286 | Build the OpenSSL libraries to support the API for the specified version. | |
287 | If [no-deprecated](#no-deprecated) is also given, don't build with support | |
288 | for deprecated APIs in or below the specified version number. For example, | |
473664aa | 289 | adding |
6ede7d73 DMSP |
290 | |
291 | --api=1.1.0 no-deprecated | |
292 | ||
293 | will remove support for all APIs that were deprecated in OpenSSL version | |
294 | 1.1.0 or below. This is a rather specialized option for developers. | |
295 | If you just intend to remove all deprecated APIs up to the current version | |
296 | entirely, just specify [no-deprecated](#no-deprecated). | |
297 | If `--api` isn't given, it defaults to the current (minor) OpenSSL version. | |
298 | ||
6ede7d73 DMSP |
299 | Cross Compile Prefix |
300 | -------------------- | |
301 | ||
9afbb681 | 302 | --cross-compile-prefix=<PREFIX> |
6ede7d73 | 303 | |
9afbb681 | 304 | The `<PREFIX>` to include in front of commands for your toolchain. |
6ede7d73 | 305 | |
9afbb681 DDO |
306 | It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler |
307 | as `a-b-c-gcc`, etc. Unfortunately cross-compiling is too case-specific to put | |
6ede7d73 | 308 | together one-size-fits-all instructions. You might have to pass more flags or |
16b0e0fc RL |
309 | set up environment variables to actually make it work. Android and iOS cases |
310 | are discussed in corresponding `Configurations/15-*.conf` files. But there are | |
311 | cases when this option alone is sufficient. For example to build the mingw64 | |
312 | target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works. Naturally | |
313 | provided that mingw packages are installed. Today Debian and Ubuntu users | |
314 | have option to install a number of prepackaged cross-compilers along with | |
315 | corresponding run-time and development packages for "alien" hardware. To give | |
316 | another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such | |
317 | case. | |
318 | ||
319 | For cross compilation, you must [configure manually](#manual-configuration). | |
320 | Also, note that `--openssldir` refers to target's file system, not one you are | |
321 | building on. | |
6ede7d73 | 322 | |
6ede7d73 DMSP |
323 | Build Type |
324 | ---------- | |
325 | ||
326 | --debug | |
327 | ||
328 | Build OpenSSL with debugging symbols and zero optimization level. | |
329 | ||
330 | --release | |
331 | ||
332 | Build OpenSSL without debugging symbols. This is the default. | |
333 | ||
6ede7d73 DMSP |
334 | Directories |
335 | ----------- | |
336 | ||
257e9d03 | 337 | ### libdir |
6ede7d73 DMSP |
338 | |
339 | --libdir=DIR | |
340 | ||
341 | The name of the directory under the top of the installation directory tree | |
342 | (see the `--prefix` option) where libraries will be installed. By default | |
bd32bdb8 | 343 | this is `lib`. Note that on Windows only static libraries (`*.lib`) will |
6ede7d73 | 344 | be stored in this location. Shared libraries (`*.dll`) will always be |
bd32bdb8 TM |
345 | installed to the `bin` directory. |
346 | ||
347 | Some build targets have a multilib postfix set in the build configuration. | |
348 | For these targets the default libdir is `lib<multilib-postfix>`. Please use | |
349 | `--libdir=lib` to override the libdir if adding the postfix is undesirable. | |
6ede7d73 | 350 | |
257e9d03 | 351 | ### openssldir |
6ede7d73 DMSP |
352 | |
353 | --openssldir=DIR | |
354 | ||
355 | Directory for OpenSSL configuration files, and also the default certificate | |
356 | and key store. Defaults are: | |
357 | ||
358 | Unix: /usr/local/ssl | |
359 | Windows: C:\Program Files\Common Files\SSL | |
360 | OpenVMS: SYS$COMMON:[OPENSSL-COMMON] | |
361 | ||
362 | For 32bit Windows applications on Windows 64bit (WOW64), always replace | |
363 | `C:\Program Files` by `C:\Program Files (x86)`. | |
364 | ||
257e9d03 | 365 | ### prefix |
6ede7d73 DMSP |
366 | |
367 | --prefix=DIR | |
368 | ||
369 | The top of the installation directory tree. Defaults are: | |
370 | ||
371 | Unix: /usr/local | |
372 | Windows: C:\Program Files\OpenSSL | |
d8c1cafb | 373 | OpenVMS: SYS$COMMON:[OPENSSL] |
6ede7d73 | 374 | |
6ede7d73 DMSP |
375 | Compiler Warnings |
376 | ----------------- | |
377 | ||
378 | --strict-warnings | |
379 | ||
380 | This is a developer flag that switches on various compiler options recommended | |
381 | for OpenSSL development. It only works when using gcc or clang as the compiler. | |
382 | If you are developing a patch for OpenSSL then it is recommended that you use | |
383 | this option where possible. | |
384 | ||
12e96a23 TS |
385 | Compression Algorithm Flags |
386 | --------------------------- | |
387 | ||
388 | ### with-brotli-include | |
389 | ||
390 | --with-brotli-include=DIR | |
391 | ||
392 | The directory for the location of the brotli include files (i.e. the location | |
393 | of the **brotli** include directory). This option is only necessary if | |
394 | [enable-brotli](#enable-brotli) is used and the include files are not already | |
395 | on the system include path. | |
396 | ||
397 | ### with-brotli-lib | |
398 | ||
399 | --with-brotli-lib=LIB | |
400 | ||
401 | **On Unix**: this is the directory containing the brotli libraries. | |
402 | If not provided, the system library path will be used. | |
403 | ||
404 | The names of the libraries are: | |
405 | ||
406 | * libbrotlicommon.a or libbrotlicommon.so | |
407 | * libbrotlidec.a or libbrotlidec.so | |
408 | * libbrotlienc.a or libbrotlienc.so | |
409 | ||
410 | **On Windows:** this is the directory containing the brotli libraries. | |
411 | If not provided, the system library path will be used. | |
412 | ||
413 | The names of the libraries are: | |
414 | ||
415 | * brotlicommon.lib | |
416 | * brotlidec.lib | |
417 | * brotlienc.lib | |
6ede7d73 | 418 | |
257e9d03 | 419 | ### with-zlib-include |
6ede7d73 DMSP |
420 | |
421 | --with-zlib-include=DIR | |
422 | ||
423 | The directory for the location of the zlib include file. This option is only | |
bf4cdd4a | 424 | necessary if [zlib](#zlib) is used and the include file is not |
6ede7d73 DMSP |
425 | already on the system include path. |
426 | ||
257e9d03 | 427 | ### with-zlib-lib |
6ede7d73 DMSP |
428 | |
429 | --with-zlib-lib=LIB | |
430 | ||
431 | **On Unix**: this is the directory containing the zlib library. | |
432 | If not provided the system library path will be used. | |
433 | ||
434 | **On Windows:** this is the filename of the zlib library (with or | |
435 | without a path). This flag must be provided if the | |
9afbb681 DDO |
436 | [zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used |
437 | then this flag is optional and defaults to `ZLIB1` if not provided. | |
6ede7d73 DMSP |
438 | |
439 | **On VMS:** this is the filename of the zlib library (with or without a path). | |
9afbb681 DDO |
440 | This flag is optional and if not provided then `GNV$LIBZSHR`, `GNV$LIBZSHR32` |
441 | or `GNV$LIBZSHR64` is used by default depending on the pointer size chosen. | |
6ede7d73 | 442 | |
caf9317d TS |
443 | ### with-zstd-include |
444 | ||
445 | --with-zstd-include=DIR | |
446 | ||
447 | The directory for the location of the Zstd include file. This option is only | |
448 | necessary if [enable-std](#enable-zstd) is used and the include file is not | |
449 | already on the system include path. | |
450 | ||
451 | OpenSSL requires Zstd 1.4 or greater. The Linux kernel source contains a | |
452 | *zstd.h* file that is not compatible with the 1.4.x Zstd distribution, the | |
453 | compilation will generate an error if the Linux *zstd.h* is included before | |
454 | (or instead of) the Zstd distribution header. | |
455 | ||
456 | ### with-zstd-lib | |
457 | ||
458 | --with-zstd-lib=LIB | |
459 | ||
460 | **On Unix**: this is the directory containing the Zstd library. | |
461 | If not provided the system library path will be used. | |
462 | ||
463 | **On Windows:** this is the filename of the Zstd library (with or | |
464 | without a path). This flag must be provided if the | |
465 | [enable-zstd-dynamic](#enable-zstd-dynamic) option is not also used. | |
466 | If `zstd-dynamic` is used then this flag is optional and defaults | |
467 | to `LIBZSTD` if not provided. | |
468 | ||
6ede7d73 DMSP |
469 | Seeding the Random Generator |
470 | ---------------------------- | |
471 | ||
472 | --with-rand-seed=seed1[,seed2,...] | |
473 | ||
474 | A comma separated list of seeding methods which will be tried by OpenSSL | |
475 | in order to obtain random input (a.k.a "entropy") for seeding its | |
476 | cryptographically secure random number generator (CSPRNG). | |
477 | The current seeding methods are: | |
478 | ||
257e9d03 | 479 | ### os |
6ede7d73 DMSP |
480 | |
481 | Use a trusted operating system entropy source. | |
482 | This is the default method if such an entropy source exists. | |
483 | ||
257e9d03 | 484 | ### getrandom |
6ede7d73 DMSP |
485 | |
486 | Use the [getrandom(2)][man-getrandom] or equivalent system call. | |
487 | ||
488 | [man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html | |
489 | ||
257e9d03 | 490 | ### devrandom |
6ede7d73 | 491 | |
9afbb681 DDO |
492 | Use the first device from the `DEVRANDOM` list which can be opened to read |
493 | random bytes. The `DEVRANDOM` preprocessor constant expands to | |
6ede7d73 DMSP |
494 | |
495 | "/dev/urandom","/dev/random","/dev/srandom" | |
496 | ||
497 | on most unix-ish operating systems. | |
498 | ||
257e9d03 | 499 | ### egd |
6ede7d73 DMSP |
500 | |
501 | Check for an entropy generating daemon. | |
b99c463d | 502 | This source is ignored by the FIPS provider. |
6ede7d73 | 503 | |
257e9d03 | 504 | ### rdcpu |
6ede7d73 | 505 | |
e8b597f3 OT |
506 | Use the `RDSEED` or `RDRAND` command on x86 or `RNDRRS` command on aarch64 |
507 | if provided by the CPU. | |
6ede7d73 | 508 | |
257e9d03 | 509 | ### librandom |
6ede7d73 DMSP |
510 | |
511 | Use librandom (not implemented yet). | |
b99c463d | 512 | This source is ignored by the FIPS provider. |
6ede7d73 | 513 | |
257e9d03 | 514 | ### none |
6ede7d73 DMSP |
515 | |
516 | Disable automatic seeding. This is the default on some operating systems where | |
517 | no suitable entropy source exists, or no support for it is implemented yet. | |
b99c463d | 518 | This option is ignored by the FIPS provider. |
6ede7d73 DMSP |
519 | |
520 | For more information, see the section [Notes on random number generation][rng] | |
521 | at the end of this document. | |
522 | ||
523 | [rng]: #notes-on-random-number-generation | |
524 | ||
31214258 RS |
525 | Setting the FIPS HMAC key |
526 | ------------------------- | |
527 | ||
528 | --fips-key=value | |
529 | ||
530 | As part of its self-test validation, the FIPS module must verify itself | |
531 | by performing a SHA-256 HMAC computation on itself. The default key is | |
532 | the SHA256 value of "the holy handgrenade of antioch" and is sufficient | |
533 | for meeting the FIPS requirements. | |
534 | ||
535 | To change the key to a different value, use this flag. The value should | |
536 | be a hex string no more than 64 characters. | |
537 | ||
6ede7d73 DMSP |
538 | Enable and Disable Features |
539 | --------------------------- | |
540 | ||
8c1cbc72 GN |
541 | Feature options always come in pairs, an option to enable feature |
542 | `xxxx`, and an option to disable it: | |
6ede7d73 DMSP |
543 | |
544 | [ enable-xxxx | no-xxxx ] | |
545 | ||
546 | Whether a feature is enabled or disabled by default, depends on the feature. | |
547 | In the following list, always the non-default variant is documented: if | |
9afbb681 DDO |
548 | feature `xxxx` is disabled by default then `enable-xxxx` is documented and |
549 | if feature `xxxx` is enabled by default then `no-xxxx` is documented. | |
6ede7d73 | 550 | |
257e9d03 | 551 | ### no-afalgeng |
6ede7d73 DMSP |
552 | |
553 | Don't build the AFALG engine. | |
554 | ||
555 | This option will be forced on a platform that does not support AFALG. | |
556 | ||
257e9d03 | 557 | ### enable-ktls |
6ede7d73 DMSP |
558 | |
559 | Build with Kernel TLS support. | |
560 | ||
561 | This option will enable the use of the Kernel TLS data-path, which can improve | |
562 | performance and allow for the use of sendfile and splice system calls on | |
563 | TLS sockets. The Kernel may use TLS accelerators if any are available on the | |
564 | system. This option will be forced off on systems that do not support the | |
565 | Kernel TLS data-path. | |
566 | ||
257e9d03 | 567 | ### enable-asan |
6ede7d73 DMSP |
568 | |
569 | Build with the Address sanitiser. | |
570 | ||
571 | This is a developer option only. It may not work on all platforms and should | |
572 | never be used in production environments. It will only work when used with | |
573 | gcc or clang and should be used in conjunction with the [no-shared](#no-shared) | |
574 | option. | |
575 | ||
d1a77041 | 576 | ### enable-acvp-tests |
4f2271d5 | 577 | |
d1a77041 | 578 | Build support for Automated Cryptographic Validation Protocol (ACVP) |
4f2271d5 SL |
579 | tests. |
580 | ||
581 | This is required for FIPS validation purposes. Certain ACVP tests require | |
582 | access to algorithm internals that are not normally accessible. | |
583 | Additional information related to ACVP can be found at | |
584 | <https://github.com/usnistgov/ACVP>. | |
585 | ||
ff88545e VK |
586 | ### no-apps |
587 | ||
588 | Do not build apps, e.g. the openssl program. This is handy for minimization. | |
589 | This option also disables tests. | |
590 | ||
257e9d03 | 591 | ### no-asm |
6ede7d73 DMSP |
592 | |
593 | Do not use assembler code. | |
594 | ||
595 | This should be viewed as debugging/troubleshooting option rather than for | |
596 | production use. On some platforms a small amount of assembler code may still | |
597 | be used even with this option. | |
598 | ||
257e9d03 | 599 | ### no-async |
6ede7d73 DMSP |
600 | |
601 | Do not build support for async operations. | |
602 | ||
257e9d03 | 603 | ### no-autoalginit |
6ede7d73 DMSP |
604 | |
605 | Don't automatically load all supported ciphers and digests. | |
606 | ||
607 | Typically OpenSSL will make available all of its supported ciphers and digests. | |
608 | For a statically linked application this may be undesirable if small executable | |
609 | size is an objective. This only affects libcrypto. Ciphers and digests will | |
9afbb681 DDO |
610 | have to be loaded manually using `EVP_add_cipher()` and `EVP_add_digest()` |
611 | if this option is used. This option will force a non-shared build. | |
6ede7d73 | 612 | |
257e9d03 | 613 | ### no-autoerrinit |
6ede7d73 DMSP |
614 | |
615 | Don't automatically load all libcrypto/libssl error strings. | |
616 | ||
617 | Typically OpenSSL will automatically load human readable error strings. For a | |
618 | statically linked application this may be undesirable if small executable size | |
619 | is an objective. | |
620 | ||
12e96a23 TS |
621 | ### enable-brotli |
622 | ||
623 | Build with support for brotli compression/decompression. | |
624 | ||
625 | ### enable-brotli-dynamic | |
626 | ||
627 | Like the enable-brotli option, but has OpenSSL load the brotli library dynamically | |
628 | when needed. | |
629 | ||
630 | This is only supported on systems where loading of shared libraries is supported. | |
631 | ||
257e9d03 | 632 | ### no-autoload-config |
6ede7d73 | 633 | |
9afbb681 | 634 | Don't automatically load the default `openssl.cnf` file. |
6ede7d73 DMSP |
635 | |
636 | Typically OpenSSL will automatically load a system config file which configures | |
637 | default SSL options. | |
638 | ||
257e9d03 | 639 | ### enable-buildtest-c++ |
6ede7d73 DMSP |
640 | |
641 | While testing, generate C++ buildtest files that simply check that the public | |
642 | OpenSSL header files are usable standalone with C++. | |
643 | ||
644 | Enabling this option demands extra care. For any compiler flag given directly | |
645 | as configuration option, you must ensure that it's valid for both the C and | |
646 | the C++ compiler. If not, the C++ build test will most likely break. As an | |
9afbb681 | 647 | alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS`. |
6ede7d73 | 648 | |
d0364dcc RS |
649 | ### --banner=text |
650 | ||
651 | Use the specified text instead of the default banner at the end of | |
652 | configuration. | |
653 | ||
ecb09baf RS |
654 | ### --w |
655 | ||
656 | On platforms where the choice of 32-bit or 64-bit architecture | |
657 | is not explicitly specified, `Configure` will print a warning | |
658 | message and wait for a few seconds to let you interrupt the | |
659 | configuration. Using this flag skips the wait. | |
660 | ||
06f81af8 DDO |
661 | ### no-bulk |
662 | ||
663 | Build only some minimal set of features. | |
664 | This is a developer option used internally for CI build tests of the project. | |
665 | ||
1eaf1fc3 P |
666 | ### no-cached-fetch |
667 | ||
668 | Never cache algorithms when they are fetched from a provider. Normally, a | |
669 | provider indicates if the algorithms it supplies can be cached or not. Using | |
670 | this option will reduce run-time memory usage but it also introduces a | |
671 | significant performance penalty. This option is primarily designed to help | |
672 | with detecting incorrect reference counting. | |
673 | ||
257e9d03 | 674 | ### no-capieng |
6ede7d73 DMSP |
675 | |
676 | Don't build the CAPI engine. | |
677 | ||
678 | This option will be forced if on a platform that does not support CAPI. | |
679 | ||
257e9d03 | 680 | ### no-cmp |
6ede7d73 | 681 | |
9afbb681 DDO |
682 | Don't build support for Certificate Management Protocol (CMP) |
683 | and Certificate Request Message Format (CRMF). | |
6ede7d73 | 684 | |
257e9d03 | 685 | ### no-cms |
6ede7d73 DMSP |
686 | |
687 | Don't build support for Cryptographic Message Syntax (CMS). | |
688 | ||
257e9d03 | 689 | ### no-comp |
6ede7d73 DMSP |
690 | |
691 | Don't build support for SSL/TLS compression. | |
692 | ||
693 | If this option is enabled (the default), then compression will only work if | |
9afbb681 | 694 | the zlib or `zlib-dynamic` options are also chosen. |
6ede7d73 | 695 | |
257e9d03 | 696 | ### enable-crypto-mdebug |
6ede7d73 | 697 | |
9afbb681 | 698 | This now only enables the `failed-malloc` feature. |
6ede7d73 | 699 | |
257e9d03 | 700 | ### enable-crypto-mdebug-backtrace |
6ede7d73 DMSP |
701 | |
702 | This is a no-op; the project uses the compiler's address/leak sanitizer instead. | |
703 | ||
257e9d03 | 704 | ### no-ct |
6ede7d73 DMSP |
705 | |
706 | Don't build support for Certificate Transparency (CT). | |
707 | ||
257e9d03 | 708 | ### no-deprecated |
6ede7d73 DMSP |
709 | |
710 | Don't build with support for deprecated APIs up until and including the version | |
711 | given with `--api` (or the current version, if `--api` wasn't specified). | |
712 | ||
257e9d03 | 713 | ### no-dgram |
6ede7d73 DMSP |
714 | |
715 | Don't build support for datagram based BIOs. | |
716 | ||
717 | Selecting this option will also force the disabling of DTLS. | |
718 | ||
257e9d03 | 719 | ### no-dso |
6ede7d73 DMSP |
720 | |
721 | Don't build support for loading Dynamic Shared Objects (DSO) | |
722 | ||
257e9d03 | 723 | ### enable-devcryptoeng |
6ede7d73 DMSP |
724 | |
725 | Build the `/dev/crypto` engine. | |
726 | ||
727 | This option is automatically selected on the BSD platform, in which case it can | |
9afbb681 | 728 | be disabled with `no-devcryptoeng`. |
6ede7d73 | 729 | |
257e9d03 | 730 | ### no-dynamic-engine |
6ede7d73 DMSP |
731 | |
732 | Don't build the dynamically loaded engines. | |
733 | ||
734 | This only has an effect in a shared build. | |
735 | ||
257e9d03 | 736 | ### no-ec |
6ede7d73 DMSP |
737 | |
738 | Don't build support for Elliptic Curves. | |
739 | ||
257e9d03 | 740 | ### no-ec2m |
6ede7d73 DMSP |
741 | |
742 | Don't build support for binary Elliptic Curves | |
743 | ||
257e9d03 | 744 | ### enable-ec_nistp_64_gcc_128 |
6ede7d73 DMSP |
745 | |
746 | Enable support for optimised implementations of some commonly used NIST | |
747 | elliptic curves. | |
748 | ||
749 | This option is only supported on platforms: | |
750 | ||
751 | - with little-endian storage of non-byte types | |
752 | - that tolerate misaligned memory references | |
753 | - where the compiler: | |
754 | - supports the non-standard type `__uint128_t` | |
755 | - defines the built-in macro `__SIZEOF_INT128__` | |
756 | ||
257e9d03 | 757 | ### enable-egd |
6ede7d73 DMSP |
758 | |
759 | Build support for gathering entropy from the Entropy Gathering Daemon (EGD). | |
760 | ||
257e9d03 | 761 | ### no-engine |
6ede7d73 DMSP |
762 | |
763 | Don't build support for loading engines. | |
764 | ||
257e9d03 | 765 | ### no-err |
6ede7d73 DMSP |
766 | |
767 | Don't compile in any error strings. | |
768 | ||
257e9d03 | 769 | ### enable-external-tests |
6ede7d73 DMSP |
770 | |
771 | Enable building of integration with external test suites. | |
772 | ||
773 | This is a developer option and may not work on all platforms. The following | |
774 | external test suites are currently supported: | |
775 | ||
cede07dc | 776 | - GOST engine test suite |
6ede7d73 DMSP |
777 | - Python PYCA/Cryptography test suite |
778 | - krb5 test suite | |
779 | ||
036cbb6b DDO |
780 | See the file [test/README-external.md](test/README-external.md) |
781 | for further details. | |
6ede7d73 | 782 | |
257e9d03 | 783 | ### no-filenames |
6ede7d73 DMSP |
784 | |
785 | Don't compile in filename and line number information (e.g. for errors and | |
786 | memory allocation). | |
787 | ||
f2ea01d9 | 788 | ### enable-fips |
6ede7d73 | 789 | |
f2ea01d9 | 790 | Build (and install) the FIPS provider |
6ede7d73 | 791 | |
991a6bb5 SL |
792 | ### no-fips-securitychecks |
793 | ||
794 | Don't perform FIPS module run-time checks related to enforcement of security | |
795 | parameters such as minimum security strength of keys. | |
796 | ||
257e9d03 | 797 | ### enable-fuzz-libfuzzer, enable-fuzz-afl |
6ede7d73 DMSP |
798 | |
799 | Build with support for fuzzing using either libfuzzer or AFL. | |
800 | ||
801 | These are developer options only. They may not work on all platforms and | |
802 | should never be used in production environments. | |
803 | ||
804 | See the file [fuzz/README.md](fuzz/README.md) for further details. | |
805 | ||
257e9d03 | 806 | ### no-gost |
6ede7d73 DMSP |
807 | |
808 | Don't build support for GOST based ciphersuites. | |
809 | ||
810 | Note that if this feature is enabled then GOST ciphersuites are only available | |
811 | if the GOST algorithms are also available through loading an externally supplied | |
812 | engine. | |
813 | ||
6b1f763c VK |
814 | ### no-http |
815 | ||
816 | Disable HTTP support. | |
817 | ||
257e9d03 | 818 | ### no-legacy |
6ede7d73 DMSP |
819 | |
820 | Don't build the legacy provider. | |
821 | ||
822 | Disabling this also disables the legacy algorithms: MD2 (already disabled by default). | |
823 | ||
257e9d03 | 824 | ### no-makedepend |
6ede7d73 DMSP |
825 | |
826 | Don't generate dependencies. | |
827 | ||
257e9d03 | 828 | ### no-module |
79e259e3 | 829 | |
6ede7d73 | 830 | Don't build any dynamically loadable engines. |
917a1b2e | 831 | |
9afbb681 | 832 | This also implies `no-dynamic-engine`. |
917a1b2e | 833 | |
257e9d03 | 834 | ### no-multiblock |
917a1b2e | 835 | |
6ede7d73 | 836 | Don't build support for writing multiple records in one go in libssl |
917a1b2e | 837 | |
6ede7d73 | 838 | Note: this is a different capability to the pipelining functionality. |
917a1b2e | 839 | |
257e9d03 | 840 | ### no-nextprotoneg |
917a1b2e | 841 | |
6ede7d73 | 842 | Don't build support for the Next Protocol Negotiation (NPN) TLS extension. |
c9f06e7f | 843 | |
257e9d03 | 844 | ### no-ocsp |
c9f06e7f | 845 | |
6ede7d73 | 846 | Don't build support for Online Certificate Status Protocol (OCSP). |
b32b8961 | 847 | |
257e9d03 | 848 | ### no-padlockeng |
2acd8ec7 | 849 | |
6ede7d73 | 850 | Don't build the padlock engine. |
2acd8ec7 | 851 | |
257e9d03 | 852 | ### no-hw-padlock |
c9f06e7f | 853 | |
9afbb681 | 854 | As synonym for `no-padlockeng`. Deprecated and should not be used. |
c9f06e7f | 855 | |
257e9d03 | 856 | ### no-pic |
b1fe6b43 | 857 | |
6ede7d73 | 858 | Don't build with support for Position Independent Code. |
b1fe6b43 | 859 | |
257e9d03 | 860 | ### no-pinshared |
79e259e3 | 861 | |
6ede7d73 | 862 | Don't pin the shared libraries. |
79e259e3 | 863 | |
6ede7d73 DMSP |
864 | By default OpenSSL will attempt to stay in memory until the process exits. |
865 | This is so that libcrypto and libssl can be properly cleaned up automatically | |
9afbb681 DDO |
866 | via an `atexit()` handler. The handler is registered by libcrypto and cleans |
867 | up both libraries. On some platforms the `atexit()` handler will run on unload of | |
ce451fb8 MSP |
868 | libcrypto (if it has been dynamically loaded) rather than at process exit. |
869 | ||
870 | This option can be used to stop OpenSSL from attempting to stay in memory until the | |
6ede7d73 DMSP |
871 | process exits. This could lead to crashes if either libcrypto or libssl have |
872 | already been unloaded at the point that the atexit handler is invoked, e.g. on a | |
9afbb681 | 873 | platform which calls `atexit()` on unload of the library, and libssl is unloaded |
ce451fb8 MSP |
874 | before libcrypto then a crash is likely to happen. |
875 | ||
876 | Note that shared library pinning is not automatically disabled for static builds, | |
877 | i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when | |
878 | linking libcrypto statically into a shared third-party library, because in this | |
879 | case the shared library will be pinned. To prevent this behaviour, you need to | |
880 | configure the static build using `no-shared` and `no-pinshared` together. | |
881 | ||
882 | Applications can suppress running of the `atexit()` handler at run time by | |
883 | using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`. | |
9afbb681 | 884 | See the man page for it for further details. |
2acd8ec7 | 885 | |
257e9d03 | 886 | ### no-posix-io |
2acd8ec7 | 887 | |
6ede7d73 | 888 | Don't use POSIX IO capabilities. |
2acd8ec7 | 889 | |
257e9d03 | 890 | ### no-psk |
79e259e3 | 891 | |
6ede7d73 | 892 | Don't build support for Pre-Shared Key based ciphersuites. |
79e259e3 | 893 | |
257e9d03 | 894 | ### no-rdrand |
79e259e3 | 895 | |
6ede7d73 | 896 | Don't use hardware RDRAND capabilities. |
79e259e3 | 897 | |
257e9d03 | 898 | ### no-rfc3779 |
5bb9e2b4 | 899 | |
6ede7d73 DMSP |
900 | Don't build support for RFC3779, "X.509 Extensions for IP Addresses and |
901 | AS Identifiers". | |
79e259e3 | 902 | |
257e9d03 | 903 | ### sctp |
2acd8ec7 | 904 | |
6ede7d73 | 905 | Build support for Stream Control Transmission Protocol (SCTP). |
2acd8ec7 | 906 | |
257e9d03 | 907 | ### no-shared |
2acd8ec7 | 908 | |
6ede7d73 | 909 | Do not create shared libraries, only static ones. |
2acd8ec7 | 910 | |
6ede7d73 | 911 | See [Notes on shared libraries](#notes-on-shared-libraries) below. |
2acd8ec7 | 912 | |
257e9d03 | 913 | ### no-sock |
2acd8ec7 | 914 | |
6ede7d73 | 915 | Don't build support for socket BIOs. |
2acd8ec7 | 916 | |
257e9d03 | 917 | ### no-srp |
2acd8ec7 | 918 | |
6ede7d73 DMSP |
919 | Don't build support for Secure Remote Password (SRP) protocol or |
920 | SRP based ciphersuites. | |
2acd8ec7 | 921 | |
257e9d03 | 922 | ### no-srtp |
b32b8961 | 923 | |
6ede7d73 | 924 | Don't build Secure Real-Time Transport Protocol (SRTP) support. |
b32b8961 | 925 | |
257e9d03 | 926 | ### no-sse2 |
2acd8ec7 | 927 | |
6ede7d73 | 928 | Exclude SSE2 code paths from 32-bit x86 assembly modules. |
79e259e3 | 929 | |
6ede7d73 DMSP |
930 | Normally SSE2 extension is detected at run-time, but the decision whether or not |
931 | the machine code will be executed is taken solely on CPU capability vector. This | |
932 | means that if you happen to run OS kernel which does not support SSE2 extension | |
933 | on Intel P4 processor, then your application might be exposed to "illegal | |
934 | instruction" exception. There might be a way to enable support in kernel, e.g. | |
9afbb681 | 935 | FreeBSD kernel can be compiled with `CPU_ENABLE_SSE`, and there is a way to |
6ede7d73 | 936 | disengage SSE2 code paths upon application start-up, but if you aim for wider |
9afbb681 DDO |
937 | "audience" running such kernel, consider `no-sse2`. Both the `386` and `no-asm` |
938 | options imply `no-sse2`. | |
79e259e3 | 939 | |
726f92e0 | 940 | ### no-ssl-trace |
79e259e3 | 941 | |
726f92e0 | 942 | Don't build with SSL Trace capabilities. |
1af66bb7 | 943 | |
726f92e0 ACB |
944 | This removes the `-trace` option from `s_client` and `s_server`, and omits the |
945 | `SSL_trace()` function from libssl. | |
946 | ||
947 | Disabling `ssl-trace` may provide a small reduction in libssl binary size. | |
1af66bb7 | 948 | |
257e9d03 | 949 | ### no-static-engine |
1af66bb7 | 950 | |
6ede7d73 | 951 | Don't build the statically linked engines. |
1af66bb7 | 952 | |
6ede7d73 | 953 | This only has an impact when not built "shared". |
1af66bb7 | 954 | |
257e9d03 | 955 | ### no-stdio |
1af66bb7 | 956 | |
3a0b3cc9 | 957 | Don't use anything from the C header file `stdio.h` that makes use of the `FILE` |
6ede7d73 DMSP |
958 | type. Only libcrypto and libssl can be built in this way. Using this option will |
959 | suppress building the command line applications. Additionally, since the OpenSSL | |
960 | tests also use the command line applications, the tests will also be skipped. | |
b1fe6b43 | 961 | |
257e9d03 | 962 | ### no-tests |
79e259e3 | 963 | |
6ede7d73 | 964 | Don't build test programs or run any tests. |
79e259e3 | 965 | |
a3e53d56 TS |
966 | ### enable-tfo |
967 | ||
968 | Build with support for TCP Fast Open (RFC7413). Supported on Linux, macOS and FreeBSD. | |
969 | ||
30b01329 TM |
970 | ### enable-quic |
971 | ||
972 | Build with QUIC support. This is currently just for developers as the | |
973 | implementation is by no means complete and usable. | |
974 | ||
257e9d03 | 975 | ### no-threads |
6616429d | 976 | |
6ede7d73 | 977 | Don't build with support for multi-threaded applications. |
2e996acf | 978 | |
257e9d03 | 979 | ### threads |
2acd8ec7 | 980 | |
6ede7d73 | 981 | Build with support for multi-threaded applications. Most platforms will enable |
8c1cbc72 | 982 | this by default. However, if on a platform where this is not the case then this |
6ede7d73 | 983 | will usually require additional system-dependent options! |
2e996acf | 984 | |
6ede7d73 | 985 | See [Notes on multi-threading](#notes-on-multi-threading) below. |
e3d9a6b5 | 986 | |
4574a7fd ÄŒK |
987 | ### no-thread-pool |
988 | ||
989 | Don't build with support for thread pool functionality. | |
990 | ||
991 | ### thread-pool | |
992 | ||
993 | Build with thread pool functionality. If enabled, OpenSSL algorithms may | |
994 | use the thread pool to perform parallel computation. This option in itself | |
995 | does not enable OpenSSL to spawn new threads. Currently the only supported | |
996 | thread pool mechanism is the default thread pool. | |
997 | ||
998 | ### no-default-thread-pool | |
999 | ||
1000 | Don't build with support for default thread pool functionality. | |
1001 | ||
1002 | ### default-thread-pool | |
1003 | ||
1004 | Build with default thread pool functionality. If enabled, OpenSSL may create | |
1005 | and manage threads up to a maximum number of threads authorized by the | |
1006 | application. Supported on POSIX compliant platforms and Windows. | |
1007 | ||
257e9d03 | 1008 | ### enable-trace |
b32b8961 | 1009 | |
6ede7d73 | 1010 | Build with support for the integrated tracing api. |
2e996acf | 1011 | |
6ede7d73 | 1012 | See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details. |
2e996acf | 1013 | |
257e9d03 | 1014 | ### no-ts |
a73d990e | 1015 | |
6ede7d73 | 1016 | Don't build Time Stamping (TS) Authority support. |
2e996acf | 1017 | |
257e9d03 | 1018 | ### enable-ubsan |
2e996acf | 1019 | |
6ede7d73 | 1020 | Build with the Undefined Behaviour sanitiser (UBSAN). |
2e996acf | 1021 | |
6ede7d73 | 1022 | This is a developer option only. It may not work on all platforms and should |
9afbb681 DDO |
1023 | never be used in production environments. It will only work when used with |
1024 | gcc or clang and should be used in conjunction with the `-DPEDANTIC` option | |
6ede7d73 | 1025 | (or the `--strict-warnings` option). |
d40b0622 | 1026 | |
257e9d03 | 1027 | ### no-ui-console |
2e996acf | 1028 | |
301ea192 | 1029 | Don't build with the User Interface (UI) console method |
b1fe6b43 | 1030 | |
301ea192 | 1031 | The User Interface console method enables text based console prompts. |
b3e718e2 | 1032 | |
257e9d03 | 1033 | ### enable-unit-test |
79e259e3 | 1034 | |
6ede7d73 | 1035 | Enable additional unit test APIs. |
2acd8ec7 | 1036 | |
6ede7d73 | 1037 | This should not typically be used in production deployments. |
7c03bb9f | 1038 | |
257e9d03 | 1039 | ### no-uplink |
2acd8ec7 | 1040 | |
6ede7d73 | 1041 | Don't build support for UPLINK interface. |
2acd8ec7 | 1042 | |
257e9d03 | 1043 | ### enable-weak-ssl-ciphers |
b0940b33 | 1044 | |
6ede7d73 | 1045 | Build support for SSL/TLS ciphers that are considered "weak" |
fa28bfd6 | 1046 | |
6ede7d73 | 1047 | Enabling this includes for example the RC4 based ciphersuites. |
fa28bfd6 | 1048 | |
257e9d03 | 1049 | ### zlib |
fa28bfd6 | 1050 | |
6ede7d73 | 1051 | Build with support for zlib compression/decompression. |
fa28bfd6 | 1052 | |
257e9d03 | 1053 | ### zlib-dynamic |
fa28bfd6 | 1054 | |
6ede7d73 DMSP |
1055 | Like the zlib option, but has OpenSSL load the zlib library dynamically |
1056 | when needed. | |
fa28bfd6 | 1057 | |
6ede7d73 | 1058 | This is only supported on systems where loading of shared libraries is supported. |
fa28bfd6 | 1059 | |
caf9317d TS |
1060 | ### enable-zstd |
1061 | ||
1062 | Build with support for Zstd compression/decompression. | |
1063 | ||
1064 | ### enable-zstd-dynamic | |
1065 | ||
1066 | Like the enable-zstd option, but has OpenSSL load the Zstd library dynamically | |
1067 | when needed. | |
1068 | ||
1069 | This is only supported on systems where loading of shared libraries is supported. | |
1070 | ||
257e9d03 | 1071 | ### 386 |
fa28bfd6 | 1072 | |
6ede7d73 | 1073 | In 32-bit x86 builds, use the 80386 instruction set only in assembly modules |
fa28bfd6 | 1074 | |
6ede7d73 DMSP |
1075 | The default x86 code is more efficient, but requires at least an 486 processor. |
1076 | Note: This doesn't affect compiler generated code, so this option needs to be | |
1077 | accompanied by a corresponding compiler-specific option. | |
fa28bfd6 | 1078 | |
257e9d03 | 1079 | ### no-{protocol} |
bf01fbbf | 1080 | |
6ede7d73 | 1081 | no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2} |
4fd53220 | 1082 | |
6ede7d73 | 1083 | Don't build support for negotiating the specified SSL/TLS protocol. |
b3e718e2 | 1084 | |
9afbb681 DDO |
1085 | If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3` |
1086 | are disabled. | |
1087 | Similarly `no-dtls` will disable `dtls1` and `dtls1_2`. The `no-ssl` option is | |
1088 | synonymous with `no-ssl3`. Note this only affects version negotiation. | |
6ede7d73 DMSP |
1089 | OpenSSL will still provide the methods for applications to explicitly select |
1090 | the individual protocol versions. | |
b3e718e2 | 1091 | |
257e9d03 | 1092 | ### no-{protocol}-method |
b3e718e2 | 1093 | |
5f18dc7f | 1094 | no-{ssl3|tls1|tls1_1|tls1_2|dtls1|dtls1_2}-method |
b3e718e2 | 1095 | |
9afbb681 | 1096 | Analogous to `no-{protocol}` but in addition do not build the methods for |
6ede7d73 | 1097 | applications to explicitly select individual protocol versions. Note that there |
9afbb681 | 1098 | is no `no-tls1_3-method` option because there is no application method for |
6ede7d73 | 1099 | TLSv1.3. |
b3e718e2 | 1100 | |
6ede7d73 | 1101 | Using individual protocol methods directly is deprecated. Applications should |
9afbb681 | 1102 | use `TLS_method()` instead. |
b3e718e2 | 1103 | |
257e9d03 | 1104 | ### enable-{algorithm} |
b3e718e2 | 1105 | |
6ede7d73 | 1106 | enable-{md2|rc5} |
b3e718e2 | 1107 | |
6ede7d73 | 1108 | Build with support for the specified algorithm. |
b3e718e2 | 1109 | |
257e9d03 | 1110 | ### no-{algorithm} |
b3e718e2 | 1111 | |
6ede7d73 DMSP |
1112 | no-{aria|bf|blake2|camellia|cast|chacha|cmac| |
1113 | des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb| | |
1114 | poly1305|rc2|rc4|rmd160|scrypt|seed| | |
1115 | siphash|siv|sm2|sm3|sm4|whirlpool} | |
d0631327 | 1116 | |
6ede7d73 | 1117 | Build without support for the specified algorithm. |
d0631327 | 1118 | |
9afbb681 | 1119 | The `ripemd` algorithm is deprecated and if used is synonymous with `rmd160`. |
d0631327 | 1120 | |
257e9d03 | 1121 | ### Compiler-specific options |
d0631327 | 1122 | |
6ede7d73 | 1123 | -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static |
d0631327 | 1124 | |
6ede7d73 DMSP |
1125 | These system specific options will be recognised and passed through to the |
1126 | compiler to allow you to define preprocessor symbols, specify additional | |
1127 | libraries, library directories or other compiler options. It might be worth | |
1128 | noting that some compilers generate code specifically for processor the | |
1129 | compiler currently executes on. This is not necessarily what you might have | |
1130 | in mind, since it might be unsuitable for execution on other, typically older, | |
1131 | processor. Consult your compiler documentation. | |
1132 | ||
1133 | Take note of the [Environment Variables](#environment-variables) documentation | |
1134 | below and how these flags interact with those variables. | |
1135 | ||
1136 | -xxx, +xxx, /xxx | |
1137 | ||
1138 | Additional options that are not otherwise recognised are passed through as | |
1139 | they are to the compiler as well. Unix-style options beginning with a | |
af33b200 | 1140 | `-` or `+` and Windows-style options beginning with a `/` are recognised. |
6ede7d73 DMSP |
1141 | Again, consult your compiler documentation. |
1142 | ||
1143 | If the option contains arguments separated by spaces, then the URL-style | |
9afbb681 DDO |
1144 | notation `%20` can be used for the space character in order to avoid having |
1145 | to quote the option. For example, `-opt%20arg` gets expanded to `-opt arg`. | |
6ede7d73 DMSP |
1146 | In fact, any ASCII character can be encoded as %xx using its hexadecimal |
1147 | encoding. | |
1148 | ||
1149 | Take note of the [Environment Variables](#environment-variables) documentation | |
1150 | below and how these flags interact with those variables. | |
1151 | ||
257e9d03 | 1152 | ### Environment Variables |
6ede7d73 DMSP |
1153 | |
1154 | VAR=value | |
1155 | ||
9afbb681 | 1156 | Assign the given value to the environment variable `VAR` for `Configure`. |
6ede7d73 DMSP |
1157 | |
1158 | These work just like normal environment variable assignments, but are supported | |
1159 | on all platforms and are confined to the configuration scripts only. | |
1160 | These assignments override the corresponding value in the inherited environment, | |
1161 | if there is one. | |
1162 | ||
3a0b3cc9 | 1163 | The following variables are used as "`make` variables" and can be used as an |
6ede7d73 DMSP |
1164 | alternative to giving preprocessor, compiler and linker options directly as |
1165 | configuration. The following variables are supported: | |
1166 | ||
1167 | AR The static library archiver. | |
1168 | ARFLAGS Flags for the static library archiver. | |
1169 | AS The assembler compiler. | |
1170 | ASFLAGS Flags for the assembler compiler. | |
1171 | CC The C compiler. | |
1172 | CFLAGS Flags for the C compiler. | |
1173 | CXX The C++ compiler. | |
1174 | CXXFLAGS Flags for the C++ compiler. | |
1175 | CPP The C/C++ preprocessor. | |
1176 | CPPFLAGS Flags for the C/C++ preprocessor. | |
1177 | CPPDEFINES List of CPP macro definitions, separated | |
1178 | by a platform specific character (':' or | |
1179 | space for Unix, ';' for Windows, ',' for | |
1180 | VMS). This can be used instead of using | |
1181 | -D (or what corresponds to that on your | |
1182 | compiler) in CPPFLAGS. | |
1183 | CPPINCLUDES List of CPP inclusion directories, separated | |
1184 | the same way as for CPPDEFINES. This can | |
1185 | be used instead of -I (or what corresponds | |
1186 | to that on your compiler) in CPPFLAGS. | |
1187 | HASHBANGPERL Perl invocation to be inserted after '#!' | |
1188 | in public perl scripts (only relevant on | |
1189 | Unix). | |
1190 | LD The program linker (not used on Unix, $(CC) | |
1191 | is used there). | |
1192 | LDFLAGS Flags for the shared library, DSO and | |
1193 | program linker. | |
1194 | LDLIBS Extra libraries to use when linking. | |
1195 | Takes the form of a space separated list | |
1196 | of library specifications on Unix and | |
1197 | Windows, and as a comma separated list of | |
1198 | libraries on VMS. | |
1199 | RANLIB The library archive indexer. | |
1200 | RC The Windows resource compiler. | |
1201 | RCFLAGS Flags for the Windows resource compiler. | |
1202 | RM The command to remove files and directories. | |
1203 | ||
1204 | These cannot be mixed with compiling/linking flags given on the command line. | |
1205 | In other words, something like this isn't permitted. | |
1206 | ||
16b0e0fc | 1207 | $ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE |
6ede7d73 DMSP |
1208 | |
1209 | Backward compatibility note: | |
1210 | ||
1211 | To be compatible with older configuration scripts, the environment variables | |
1212 | are ignored if compiling/linking flags are given on the command line, except | |
1213 | for the following: | |
1214 | ||
1215 | AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC, and WINDRES | |
1216 | ||
9afbb681 | 1217 | For example, the following command will not see `-DBAR`: |
6ede7d73 | 1218 | |
16b0e0fc | 1219 | $ CPPFLAGS=-DBAR ./Configure -DCOOKIE |
6ede7d73 DMSP |
1220 | |
1221 | However, the following will see both set variables: | |
1222 | ||
16b0e0fc | 1223 | $ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE |
6ede7d73 | 1224 | |
9afbb681 | 1225 | If `CC` is set, it is advisable to also set `CXX` to ensure both the C and C++ |
6ede7d73 | 1226 | compiler are in the same "family". This becomes relevant with |
9afbb681 | 1227 | `enable-external-tests` and `enable-buildtest-c++`. |
6ede7d73 | 1228 | |
257e9d03 | 1229 | ### Reconfigure |
6ede7d73 DMSP |
1230 | |
1231 | reconf | |
1232 | reconfigure | |
1233 | ||
1234 | Reconfigure from earlier data. | |
1235 | ||
16b0e0fc | 1236 | This fetches the previous command line options and environment from data |
9afbb681 | 1237 | saved in `configdata.pm` and runs the configuration process again, using |
16b0e0fc | 1238 | these options and environment. Note: NO other option is permitted together |
9afbb681 | 1239 | with `reconf`. Note: The original configuration saves away values for ALL |
16b0e0fc RL |
1240 | environment variables that were used, and if they weren't defined, they are |
1241 | still saved away with information that they weren't originally defined. | |
1242 | This information takes precedence over environment variables that are | |
1243 | defined when reconfiguring. | |
6ede7d73 DMSP |
1244 | |
1245 | Displaying configuration data | |
1246 | ----------------------------- | |
1247 | ||
1248 | The configuration script itself will say very little, and finishes by | |
9afbb681 | 1249 | creating `configdata.pm`. This perl module can be loaded by other scripts |
6ede7d73 DMSP |
1250 | to find all the configuration data, and it can also be used as a script to |
1251 | display all sorts of configuration data in a human readable form. | |
1252 | ||
1253 | For more information, please do: | |
1254 | ||
1255 | $ ./configdata.pm --help # Unix | |
1256 | ||
1257 | or | |
1258 | ||
1259 | $ perl configdata.pm --help # Windows and VMS | |
1260 | ||
1261 | Installation Steps in Detail | |
1262 | ============================ | |
1263 | ||
1264 | Configure OpenSSL | |
1265 | ----------------- | |
1266 | ||
257e9d03 | 1267 | ### Automatic Configuration |
6ede7d73 | 1268 | |
92115096 RS |
1269 | In previous version, the `config` script determined the platform type and |
1270 | compiler and then called `Configure`. Starting with this release, they are | |
1271 | the same. | |
6ede7d73 | 1272 | |
257e9d03 | 1273 | #### Unix / Linux / macOS |
6ede7d73 | 1274 | |
a4ffb33e | 1275 | $ ./Configure [options...] |
6ede7d73 | 1276 | |
257e9d03 | 1277 | #### OpenVMS |
6ede7d73 | 1278 | |
a4ffb33e | 1279 | $ perl Configure [options...] |
6ede7d73 | 1280 | |
257e9d03 | 1281 | #### Windows |
6ede7d73 | 1282 | |
a4ffb33e | 1283 | $ perl Configure [options...] |
6ede7d73 | 1284 | |
257e9d03 | 1285 | ### Manual Configuration |
6ede7d73 DMSP |
1286 | |
1287 | OpenSSL knows about a range of different operating system, hardware and | |
1288 | compiler combinations. To see the ones it knows about, run | |
1289 | ||
16b0e0fc | 1290 | $ ./Configure LIST # Unix |
6ede7d73 DMSP |
1291 | |
1292 | or | |
1293 | ||
16b0e0fc | 1294 | $ perl Configure LIST # All other platforms |
6ede7d73 DMSP |
1295 | |
1296 | For the remainder of this text, the Unix form will be used in all examples. | |
1297 | Please use the appropriate form for your platform. | |
1298 | ||
1299 | Pick a suitable name from the list that matches your system. For most | |
9afbb681 | 1300 | operating systems there is a choice between using cc or gcc. |
6ede7d73 | 1301 | When you have identified your system (and if necessary compiler) use this |
9afbb681 | 1302 | name as the argument to `Configure`. For example, a `linux-elf` user would |
6ede7d73 DMSP |
1303 | run: |
1304 | ||
a4ffb33e | 1305 | $ ./Configure linux-elf [options...] |
6ede7d73 | 1306 | |
257e9d03 | 1307 | ### Creating your own Configuration |
6ede7d73 DMSP |
1308 | |
1309 | If your system isn't listed, you will have to create a configuration | |
a4ffb33e RS |
1310 | file named `Configurations/YOURFILENAME.conf` (replace `YOURFILENAME` |
1311 | with a filename of your choosing) and add the correct | |
6ede7d73 | 1312 | configuration for your system. See the available configs as examples |
036cbb6b DDO |
1313 | and read [Configurations/README.md](Configurations/README.md) and |
1314 | [Configurations/README-design.md](Configurations/README-design.md) | |
3a0b3cc9 | 1315 | for more information. |
6ede7d73 | 1316 | |
9afbb681 | 1317 | The generic configurations `cc` or `gcc` should usually work on 32 bit |
6ede7d73 DMSP |
1318 | Unix-like systems. |
1319 | ||
9afbb681 DDO |
1320 | `Configure` creates a build file (`Makefile` on Unix, `makefile` on Windows |
1321 | and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`, | |
1322 | and defines various macros in `include/openssl/configuration.h` (generated | |
1323 | from `include/openssl/configuration.h.in`. | |
6ede7d73 | 1324 | |
aa2d7e0e RL |
1325 | If none of the generated build files suit your purpose, it's possible to |
1326 | write your own build file template and give its name through the environment | |
1327 | variable `BUILDFILE`. For example, Ninja build files could be supported by | |
1328 | writing `Configurations/build.ninja.tmpl` and then configure with `BUILDFILE` | |
1329 | set like this (Unix syntax shown, you'll have to adapt for other platforms): | |
1330 | ||
1331 | $ BUILDFILE=build.ninja perl Configure [options...] | |
1332 | ||
257e9d03 | 1333 | ### Out of Tree Builds |
6ede7d73 DMSP |
1334 | |
1335 | OpenSSL can be configured to build in a build directory separate from the | |
1336 | source code directory. It's done by placing yourself in some other | |
1337 | directory and invoking the configuration commands from there. | |
1338 | ||
257e9d03 | 1339 | #### Unix example |
6ede7d73 DMSP |
1340 | |
1341 | $ mkdir /var/tmp/openssl-build | |
1342 | $ cd /var/tmp/openssl-build | |
a4ffb33e | 1343 | $ /PATH/TO/OPENSSL/SOURCE/Configure [options...] |
6ede7d73 | 1344 | |
257e9d03 | 1345 | #### OpenVMS example |
6ede7d73 DMSP |
1346 | |
1347 | $ set default sys$login: | |
1348 | $ create/dir [.tmp.openssl-build] | |
1349 | $ set default [.tmp.openssl-build] | |
a4ffb33e | 1350 | $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [options...] |
6ede7d73 | 1351 | |
257e9d03 | 1352 | #### Windows example |
6ede7d73 DMSP |
1353 | |
1354 | $ C: | |
1355 | $ mkdir \temp-openssl | |
1356 | $ cd \temp-openssl | |
a4ffb33e | 1357 | $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [options...] |
6ede7d73 | 1358 | |
9afbb681 | 1359 | Paths can be relative just as well as absolute. `Configure` will do its best |
6ede7d73 DMSP |
1360 | to translate them to relative paths whenever possible. |
1361 | ||
6ede7d73 DMSP |
1362 | Build OpenSSL |
1363 | ------------- | |
1364 | ||
1365 | Build OpenSSL by running: | |
1366 | ||
1367 | $ make # Unix | |
1368 | $ mms ! (or mmk) OpenVMS | |
1369 | $ nmake # Windows | |
1370 | ||
9afbb681 | 1371 | This will build the OpenSSL libraries (`libcrypto.a` and `libssl.a` on |
6ede7d73 | 1372 | Unix, corresponding on other platforms) and the OpenSSL binary |
9afbb681 DDO |
1373 | (`openssl`). The libraries will be built in the top-level directory, |
1374 | and the binary will be in the `apps/` subdirectory. | |
6ede7d73 DMSP |
1375 | |
1376 | If the build fails, take a look at the [Build Failures](#build-failures) | |
1377 | subsection of the [Troubleshooting](#troubleshooting) section. | |
1378 | ||
1379 | Test OpenSSL | |
1380 | ------------ | |
1381 | ||
1382 | After a successful build, and before installing, the libraries should | |
1383 | be tested. Run: | |
1384 | ||
1385 | $ make test # Unix | |
1386 | $ mms test ! OpenVMS | |
1387 | $ nmake test # Windows | |
1388 | ||
1389 | **Warning:** you MUST run the tests from an unprivileged account (or disable | |
1390 | your privileges temporarily if your platform allows it). | |
1391 | ||
036cbb6b DDO |
1392 | See [test/README.md](test/README.md) for further details how run tests. |
1393 | ||
1394 | See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests. | |
6ede7d73 | 1395 | |
6ede7d73 DMSP |
1396 | Install OpenSSL |
1397 | --------------- | |
1398 | ||
1399 | If everything tests ok, install OpenSSL with | |
1400 | ||
1401 | $ make install # Unix | |
1402 | $ mms install ! OpenVMS | |
1403 | $ nmake install # Windows | |
1404 | ||
1405 | Note that in order to perform the install step above you need to have | |
1406 | appropriate permissions to write to the installation directory. | |
1407 | ||
1408 | The above commands will install all the software components in this | |
9afbb681 | 1409 | directory tree under `<PREFIX>` (the directory given with `--prefix` or |
6ede7d73 DMSP |
1410 | its default): |
1411 | ||
257e9d03 | 1412 | ### Unix / Linux / macOS |
6ede7d73 DMSP |
1413 | |
1414 | bin/ Contains the openssl binary and a few other | |
1415 | utility scripts. | |
1416 | include/openssl | |
1417 | Contains the header files needed if you want | |
1418 | to build your own programs that use libcrypto | |
1419 | or libssl. | |
1420 | lib Contains the OpenSSL library files. | |
1421 | lib/engines Contains the OpenSSL dynamically loadable engines. | |
1422 | ||
1423 | share/man/man1 Contains the OpenSSL command line man-pages. | |
1424 | share/man/man3 Contains the OpenSSL library calls man-pages. | |
1425 | share/man/man5 Contains the OpenSSL configuration format man-pages. | |
1426 | share/man/man7 Contains the OpenSSL other misc man-pages. | |
1427 | ||
1428 | share/doc/openssl/html/man1 | |
1429 | share/doc/openssl/html/man3 | |
1430 | share/doc/openssl/html/man5 | |
1431 | share/doc/openssl/html/man7 | |
1432 | Contains the HTML rendition of the man-pages. | |
1433 | ||
257e9d03 | 1434 | ### OpenVMS |
6ede7d73 | 1435 | |
d8c1cafb | 1436 | 'arch' is replaced with the architecture name, `ALPHA` or `IA64`, |
9afbb681 | 1437 | 'sover' is replaced with the shared library version (`0101` for 1.1), and |
6ede7d73 DMSP |
1438 | 'pz' is replaced with the pointer size OpenSSL was built with: |
1439 | ||
1440 | [.EXE.'arch'] Contains the openssl binary. | |
1441 | [.EXE] Contains a few utility scripts. | |
1442 | [.include.openssl] | |
1443 | Contains the header files needed if you want | |
1444 | to build your own programs that use libcrypto | |
1445 | or libssl. | |
1446 | [.LIB.'arch'] Contains the OpenSSL library files. | |
1447 | [.ENGINES'sover''pz'.'arch'] | |
1448 | Contains the OpenSSL dynamically loadable engines. | |
1449 | [.SYS$STARTUP] Contains startup, login and shutdown scripts. | |
1450 | These define appropriate logical names and | |
1451 | command symbols. | |
1452 | [.SYSTEST] Contains the installation verification procedure. | |
1453 | [.HTML] Contains the HTML rendition of the manual pages. | |
1454 | ||
257e9d03 | 1455 | ### Additional Directories |
6ede7d73 DMSP |
1456 | |
1457 | Additionally, install will add the following directories under | |
1458 | OPENSSLDIR (the directory given with `--openssldir` or its default) | |
1459 | for you convenience: | |
1460 | ||
1461 | certs Initially empty, this is the default location | |
1462 | for certificate files. | |
1463 | private Initially empty, this is the default location | |
1464 | for private key files. | |
1465 | misc Various scripts. | |
1466 | ||
1467 | The installation directory should be appropriately protected to ensure | |
1468 | unprivileged users cannot make changes to OpenSSL binaries or files, or | |
1469 | install engines. If you already have a pre-installed version of OpenSSL as | |
1470 | part of your Operating System it is recommended that you do not overwrite | |
1471 | the system version and instead install to somewhere else. | |
1472 | ||
1473 | Package builders who want to configure the library for standard locations, | |
1474 | but have the package installed somewhere else so that it can easily be | |
1475 | packaged, can use | |
1476 | ||
3a0b3cc9 DDO |
1477 | $ make DESTDIR=/tmp/package-root install # Unix |
1478 | $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS | |
6ede7d73 DMSP |
1479 | |
1480 | The specified destination directory will be prepended to all installation | |
1481 | target paths. | |
1482 | ||
257e9d03 RS |
1483 | Compatibility issues with previous OpenSSL versions |
1484 | --------------------------------------------------- | |
6ede7d73 | 1485 | |
257e9d03 | 1486 | ### COMPILING existing applications |
6ede7d73 DMSP |
1487 | |
1488 | Starting with version 1.1.0, OpenSSL hides a number of structures that were | |
1489 | previously open. This includes all internal libssl structures and a number | |
1490 | of EVP types. Accessor functions have been added to allow controlled access | |
1491 | to the structures' data. | |
1492 | ||
1493 | This means that some software needs to be rewritten to adapt to the new ways | |
1494 | of doing things. This often amounts to allocating an instance of a structure | |
1495 | explicitly where you could previously allocate them on the stack as automatic | |
1496 | variables, and using the provided accessor functions where you would previously | |
1497 | access a structure's field directly. | |
1498 | ||
1499 | Some APIs have changed as well. However, older APIs have been preserved when | |
1500 | possible. | |
1501 | ||
41149648 RL |
1502 | Post-installation Notes |
1503 | ----------------------- | |
1504 | ||
1505 | With the default OpenSSL installation comes a FIPS provider module, which | |
1506 | needs some post-installation attention, without which it will not be usable. | |
1507 | This involves using the following command: | |
1508 | ||
270540fd | 1509 | $ openssl fipsinstall |
41149648 RL |
1510 | |
1511 | See the openssl-fipsinstall(1) manual for details and examples. | |
1512 | ||
6ede7d73 DMSP |
1513 | Advanced Build Options |
1514 | ====================== | |
1515 | ||
6ede7d73 DMSP |
1516 | Environment Variables |
1517 | --------------------- | |
1518 | ||
1519 | A number of environment variables can be used to provide additional control | |
1520 | over the build process. Typically these should be defined prior to running | |
9afbb681 | 1521 | `Configure`. Not all environment variables are relevant to all platforms. |
6ede7d73 DMSP |
1522 | |
1523 | AR | |
1524 | The name of the ar executable to use. | |
1525 | ||
1526 | BUILDFILE | |
1527 | Use a different build file name than the platform default | |
1528 | ("Makefile" on Unix-like platforms, "makefile" on native Windows, | |
1529 | "descrip.mms" on OpenVMS). This requires that there is a | |
036cbb6b DDO |
1530 | corresponding build file template. |
1531 | See [Configurations/README.md](Configurations/README.md) | |
6ede7d73 DMSP |
1532 | for further information. |
1533 | ||
1534 | CC | |
1535 | The compiler to use. Configure will attempt to pick a default | |
1536 | compiler for your platform but this choice can be overridden | |
1537 | using this variable. Set it to the compiler executable you wish | |
9afbb681 | 1538 | to use, e.g. gcc or clang. |
6ede7d73 DMSP |
1539 | |
1540 | CROSS_COMPILE | |
1541 | This environment variable has the same meaning as for the | |
1542 | "--cross-compile-prefix" Configure flag described above. If both | |
1543 | are set then the Configure flag takes precedence. | |
1544 | ||
92115096 RS |
1545 | HASHBANGPERL |
1546 | The command string for the Perl executable to insert in the | |
1547 | #! line of perl scripts that will be publicly installed. | |
1548 | Default: /usr/bin/env perl | |
1549 | Note: the value of this variable is added to the same scripts | |
1550 | on all platforms, but it's only relevant on Unix-like platforms. | |
1551 | ||
1552 | KERNEL_BITS | |
1553 | This can be the value `32` or `64` to specify the architecture | |
1554 | when it is not "obvious" to the configuration. It should generally | |
1555 | not be necessary to specify this environment variable. | |
1556 | ||
6ede7d73 DMSP |
1557 | NM |
1558 | The name of the nm executable to use. | |
1559 | ||
1560 | OPENSSL_LOCAL_CONFIG_DIR | |
1561 | OpenSSL comes with a database of information about how it | |
1562 | should be built on different platforms as well as build file | |
1563 | templates for those platforms. The database is comprised of | |
1564 | ".conf" files in the Configurations directory. The build | |
1565 | file templates reside there as well as ".tmpl" files. See the | |
036cbb6b DDO |
1566 | file [Configurations/README.md](Configurations/README.md) |
1567 | for further information about the format of ".conf" files | |
1568 | as well as information on the ".tmpl" files. | |
6ede7d73 | 1569 | In addition to the standard ".conf" and ".tmpl" files, it is |
036cbb6b DDO |
1570 | possible to create your own ".conf" and ".tmpl" files and |
1571 | store them locally, outside the OpenSSL source tree. | |
1572 | This environment variable can be set to the directory where | |
1573 | these files are held and will be considered by Configure | |
1574 | before it looks in the standard directories. | |
6ede7d73 DMSP |
1575 | |
1576 | PERL | |
1577 | The name of the Perl executable to use when building OpenSSL. | |
eb4129e1 | 1578 | Only needed if building should use a different Perl executable |
16b0e0fc | 1579 | than what is used to run the Configure script. |
6ede7d73 | 1580 | |
92115096 RS |
1581 | RANLIB |
1582 | The name of the ranlib executable to use. | |
6ede7d73 DMSP |
1583 | |
1584 | RC | |
1585 | The name of the rc executable to use. The default will be as | |
1586 | defined for the target platform in the ".conf" file. If not | |
1587 | defined then "windres" will be used. The WINDRES environment | |
1588 | variable is synonymous to this. If both are defined then RC | |
1589 | takes precedence. | |
1590 | ||
6ede7d73 DMSP |
1591 | WINDRES |
1592 | See RC. | |
1593 | ||
6ede7d73 DMSP |
1594 | Makefile Targets |
1595 | ---------------- | |
1596 | ||
9afbb681 | 1597 | The `Configure` script generates a Makefile in a format relevant to the specific |
6ede7d73 DMSP |
1598 | platform. The Makefiles provide a number of targets that can be used. Not all |
1599 | targets may be available on all platforms. Only the most common targets are | |
1600 | described here. Examine the Makefiles themselves for the full list. | |
1601 | ||
1602 | all | |
1603 | The target to build all the software components and | |
1604 | documentation. | |
1605 | ||
1606 | build_sw | |
1607 | Build all the software components. | |
1608 | THIS IS THE DEFAULT TARGET. | |
1609 | ||
1610 | build_docs | |
1611 | Build all documentation components. | |
1612 | ||
1613 | clean | |
1614 | Remove all build artefacts and return the directory to a "clean" | |
1615 | state. | |
1616 | ||
1617 | depend | |
1618 | Rebuild the dependencies in the Makefiles. This is a legacy | |
1619 | option that no longer needs to be used since OpenSSL 1.1.0. | |
1620 | ||
1621 | install | |
1622 | Install all OpenSSL components. | |
1623 | ||
1624 | install_sw | |
1625 | Only install the OpenSSL software components. | |
1626 | ||
1627 | install_docs | |
1628 | Only install the OpenSSL documentation components. | |
1629 | ||
1630 | install_man_docs | |
1631 | Only install the OpenSSL man pages (Unix only). | |
1632 | ||
1633 | install_html_docs | |
8c1cbc72 | 1634 | Only install the OpenSSL HTML documentation. |
cad80959 | 1635 | |
b19b9830 RL |
1636 | install_fips |
1637 | Install the FIPS provider module configuration file. | |
6ede7d73 DMSP |
1638 | |
1639 | list-tests | |
1640 | Prints a list of all the self test names. | |
1641 | ||
1642 | test | |
1643 | Build and run the OpenSSL self tests. | |
1644 | ||
1645 | uninstall | |
1646 | Uninstall all OpenSSL components. | |
1647 | ||
1648 | reconfigure | |
1649 | reconf | |
1650 | Re-run the configuration process, as exactly as the last time | |
1651 | as possible. | |
1652 | ||
1653 | update | |
1654 | This is a developer option. If you are developing a patch for | |
1655 | OpenSSL you may need to use this if you want to update | |
1656 | automatically generated files; add new error codes or add new | |
1657 | (or change the visibility of) public API functions. (Unix only). | |
1658 | ||
1659 | Running Selected Tests | |
1660 | ---------------------- | |
1661 | ||
3a0b3cc9 DDO |
1662 | You can specify a set of tests to be performed |
1663 | using the `make` variable `TESTS`. | |
6ede7d73 | 1664 | |
3a0b3cc9 DDO |
1665 | See the section [Running Selected Tests of |
1666 | test/README.md](test/README.md#running-selected-tests). | |
6ede7d73 DMSP |
1667 | |
1668 | Troubleshooting | |
1669 | =============== | |
1670 | ||
1671 | Configuration Problems | |
1672 | ---------------------- | |
1673 | ||
257e9d03 | 1674 | ### Selecting the correct target |
6ede7d73 | 1675 | |
16b0e0fc | 1676 | The `./Configure` script tries hard to guess your operating system, but in some |
6ede7d73 DMSP |
1677 | cases it does not succeed. You will see a message like the following: |
1678 | ||
16b0e0fc | 1679 | $ ./Configure |
6ede7d73 | 1680 | Operating system: x86-whatever-minix |
1dc1ea18 | 1681 | This system (minix) is not supported. See file INSTALL.md for details. |
6ede7d73 | 1682 | |
9afbb681 DDO |
1683 | Even if the automatic target selection by the `./Configure` script fails, |
1684 | chances are that you still might find a suitable target in the `Configurations` | |
1685 | directory, which you can supply to the `./Configure` command, | |
1686 | possibly after some adjustment. | |
6ede7d73 | 1687 | |
9afbb681 | 1688 | The `Configurations/` directory contains a lot of examples of such targets. |
6c8149df | 1689 | The main configuration file is [10-main.conf], which contains all targets that |
6ede7d73 DMSP |
1690 | are officially supported by the OpenSSL team. Other configuration files contain |
1691 | targets contributed by other OpenSSL users. The list of targets can be found in | |
1692 | a Perl list `my %targets = ( ... )`. | |
1693 | ||
1694 | my %targets = ( | |
1695 | ... | |
1696 | "target-name" => { | |
1697 | inherit_from => [ "base-target" ], | |
1698 | CC => "...", | |
1699 | cflags => add("..."), | |
1700 | asm_arch => '...', | |
1701 | perlasm_scheme => "...", | |
1702 | }, | |
1703 | ... | |
1704 | ) | |
1705 | ||
16b0e0fc | 1706 | If you call `./Configure` without arguments, it will give you a list of all |
6ede7d73 | 1707 | known targets. Using `grep`, you can lookup the target definition in the |
9afbb681 DDO |
1708 | `Configurations/` directory. For example the `android-x86_64` can be found in |
1709 | [Configurations/15-android.conf](Configurations/15-android.conf). | |
6ede7d73 DMSP |
1710 | |
1711 | The directory contains two README files, which explain the general syntax and | |
9afbb681 | 1712 | design of the configuration files. |
6ede7d73 | 1713 | |
036cbb6b DDO |
1714 | - [Configurations/README.md](Configurations/README.md) |
1715 | - [Configurations/README-design.md](Configurations/README-design.md) | |
6ede7d73 | 1716 | |
6c8149df DMSP |
1717 | If you need further help, try to search the [openssl-users] mailing list |
1718 | or the [GitHub Issues] for existing solutions. If you don't find anything, | |
1719 | you can [raise an issue] to ask a question yourself. | |
6ede7d73 | 1720 | |
6c8149df | 1721 | More about our support resources can be found in the [SUPPORT] file. |
6ede7d73 | 1722 | |
257e9d03 | 1723 | ### Configuration Errors |
6ede7d73 | 1724 | |
16b0e0fc | 1725 | If the `./Configure` or `./Configure` command fails with an error message, |
6ede7d73 DMSP |
1726 | read the error message carefully and try to figure out whether you made |
1727 | a mistake (e.g., by providing a wrong option), or whether the script is | |
1728 | working incorrectly. If you think you encountered a bug, please | |
6c8149df | 1729 | [raise an issue] on GitHub to file a bug report. |
6ede7d73 DMSP |
1730 | |
1731 | Along with a short description of the bug, please provide the complete | |
1732 | configure command line and the relevant output including the error message. | |
1733 | ||
e304aa87 | 1734 | Note: To make the output readable, please add a 'code fence' (three backquotes |
6ede7d73 DMSP |
1735 | ` ``` ` on a separate line) before and after your output: |
1736 | ||
1737 | ``` | |
b0d5c1cb | 1738 | ./Configure [your arguments...] |
6ede7d73 DMSP |
1739 | |
1740 | [output...] | |
1741 | ||
1742 | ``` | |
1743 | ||
6ede7d73 DMSP |
1744 | Build Failures |
1745 | -------------- | |
1746 | ||
1747 | If the build fails, look carefully at the output. Try to locate and understand | |
1748 | the error message. It might be that the compiler is already telling you | |
1749 | exactly what you need to do to fix your problem. | |
1750 | ||
1751 | There may be reasons for the failure that aren't problems in OpenSSL itself, | |
1752 | for example if the compiler reports missing standard or third party headers. | |
1753 | ||
1754 | If the build succeeded previously, but fails after a source or configuration | |
1755 | change, it might be helpful to clean the build tree before attempting another | |
1756 | build. Use this command: | |
1757 | ||
270540fd RL |
1758 | $ make clean # Unix |
1759 | $ mms clean ! (or mmk) OpenVMS | |
1760 | $ nmake clean # Windows | |
6ede7d73 | 1761 | |
203c18f1 AM |
1762 | Assembler error messages can sometimes be sidestepped by using the `no-asm` |
1763 | configuration option. See also [notes](#notes-on-assembler-modules-compilation). | |
6ede7d73 DMSP |
1764 | |
1765 | Compiling parts of OpenSSL with gcc and others with the system compiler will | |
1766 | result in unresolved symbols on some systems. | |
1767 | ||
6c8149df DMSP |
1768 | If you are still having problems, try to search the [openssl-users] mailing |
1769 | list or the [GitHub Issues] for existing solutions. If you think you | |
1770 | encountered an OpenSSL bug, please [raise an issue] to file a bug report. | |
6ede7d73 DMSP |
1771 | Please take the time to review the existing issues first; maybe the bug was |
1772 | already reported or has already been fixed. | |
1773 | ||
6ede7d73 DMSP |
1774 | Test Failures |
1775 | ------------- | |
1776 | ||
1777 | If some tests fail, look at the output. There may be reasons for the failure | |
b0d5c1cb | 1778 | that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue). |
6ede7d73 | 1779 | |
3a0b3cc9 DDO |
1780 | You may want increased verbosity, that can be accomplished as described in |
1781 | section [Test Failures of test/README.md](test/README.md#test-failures). | |
6ede7d73 | 1782 | |
e4522e10 DDO |
1783 | You may also want to selectively specify which test(s) to perform. This can be |
1784 | done using the `make` variable `TESTS` as described in section [Running | |
1785 | Selected Tests of test/README.md](test/README.md#running-selected-tests). | |
6ede7d73 DMSP |
1786 | |
1787 | If you find a problem with OpenSSL itself, try removing any | |
3a0b3cc9 DDO |
1788 | compiler optimization flags from the `CFLAGS` line in the Makefile and |
1789 | run `make clean; make` or corresponding. | |
6ede7d73 DMSP |
1790 | |
1791 | To report a bug please open an issue on GitHub, at | |
257e9d03 | 1792 | <https://github.com/openssl/openssl/issues>. |
6ede7d73 | 1793 | |
6ede7d73 DMSP |
1794 | Notes |
1795 | ===== | |
1796 | ||
1797 | Notes on multi-threading | |
1798 | ------------------------ | |
1799 | ||
9afbb681 | 1800 | For some systems, the OpenSSL `Configure` script knows what compiler options |
6ede7d73 DMSP |
1801 | are needed to generate a library that is suitable for multi-threaded |
1802 | applications. On these systems, support for multi-threading is enabled | |
9afbb681 | 1803 | by default; use the `no-threads` option to disable (this should never be |
6ede7d73 DMSP |
1804 | necessary). |
1805 | ||
1806 | On other systems, to enable support for multi-threading, you will have | |
9afbb681 DDO |
1807 | to specify at least two options: `threads`, and a system-dependent option. |
1808 | (The latter is `-D_REENTRANT` on various systems.) The default in this | |
6ede7d73 | 1809 | case, obviously, is not to include support for multi-threading (but |
9afbb681 DDO |
1810 | you can still use `no-threads` to suppress an annoying warning message |
1811 | from the `Configure` script.) | |
6ede7d73 DMSP |
1812 | |
1813 | OpenSSL provides built-in support for two threading models: pthreads (found on | |
1814 | most UNIX/Linux systems), and Windows threads. No other threading models are | |
1815 | supported. If your platform does not provide pthreads or Windows threads then | |
9afbb681 | 1816 | you should use `Configure` with the `no-threads` option. |
6ede7d73 | 1817 | |
3d8905f8 RS |
1818 | For pthreads, all locks are non-recursive. In addition, in a debug build, |
1819 | the mutex attribute `PTHREAD_MUTEX_ERRORCHECK` is used. If this is not | |
1820 | available on your platform, you might have to add | |
1821 | `-DOPENSSL_NO_MUTEX_ERRORCHECK` to your `Configure` invocation. | |
1822 | (On Linux `PTHREAD_MUTEX_ERRORCHECK` is an enum value, so a built-in | |
1823 | ifdef test cannot be used.) | |
1824 | ||
6ede7d73 DMSP |
1825 | Notes on shared libraries |
1826 | ------------------------- | |
1827 | ||
9afbb681 | 1828 | For most systems the OpenSSL `Configure` script knows what is needed to |
6ede7d73 DMSP |
1829 | build shared libraries for libcrypto and libssl. On these systems |
1830 | the shared libraries will be created by default. This can be suppressed and | |
9afbb681 DDO |
1831 | only static libraries created by using the `no-shared` option. On systems |
1832 | where OpenSSL does not know how to build shared libraries the `no-shared` | |
6ede7d73 DMSP |
1833 | option will be forced and only static libraries will be created. |
1834 | ||
1835 | Shared libraries are named a little differently on different platforms. | |
1836 | One way or another, they all have the major OpenSSL version number as | |
9afbb681 | 1837 | part of the file name, i.e. for OpenSSL 1.1.x, `1.1` is somehow part of |
6ede7d73 DMSP |
1838 | the name. |
1839 | ||
9afbb681 DDO |
1840 | On most POSIX platforms, shared libraries are named `libcrypto.so.1.1` |
1841 | and `libssl.so.1.1`. | |
6ede7d73 | 1842 | |
9afbb681 DDO |
1843 | on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll` |
1844 | with import libraries `libcrypto.dll.a` and `libssl.dll.a`. | |
6ede7d73 DMSP |
1845 | |
1846 | On Windows build with MSVC or using MingW, shared libraries are named | |
9afbb681 DDO |
1847 | `libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows, |
1848 | `libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows, | |
1849 | and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows. | |
1850 | With MSVC, the import libraries are named `libcrypto.lib` and `libssl.lib`, | |
1851 | while with MingW, they are named `libcrypto.dll.a` and `libssl.dll.a`. | |
6ede7d73 DMSP |
1852 | |
1853 | On VMS, shareable images (VMS speak for shared libraries) are named | |
9afbb681 | 1854 | `ossl$libcrypto0101_shr.exe` and `ossl$libssl0101_shr.exe`. However, when |
6ede7d73 | 1855 | OpenSSL is specifically built for 32-bit pointers, the shareable images |
9afbb681 | 1856 | are named `ossl$libcrypto0101_shr32.exe` and `ossl$libssl0101_shr32.exe` |
6ede7d73 | 1857 | instead, and when built for 64-bit pointers, they are named |
9afbb681 | 1858 | `ossl$libcrypto0101_shr64.exe` and `ossl$libssl0101_shr64.exe`. |
6ede7d73 DMSP |
1859 | |
1860 | Notes on random number generation | |
1861 | --------------------------------- | |
1862 | ||
1863 | Availability of cryptographically secure random numbers is required for | |
1864 | secret key generation. OpenSSL provides several options to seed the | |
1865 | internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse | |
1866 | to deliver random bytes and a "PRNG not seeded error" will occur. | |
1867 | ||
1868 | The seeding method can be configured using the `--with-rand-seed` option, | |
1869 | which can be used to specify a comma separated list of seed methods. | |
8c1cbc72 | 1870 | However, in most cases OpenSSL will choose a suitable default method, |
6ede7d73 | 1871 | so it is not necessary to explicitly provide this option. Note also |
b99c463d P |
1872 | that not all methods are available on all platforms. The FIPS provider will |
1873 | silently ignore seed sources that were not validated. | |
6ede7d73 DMSP |
1874 | |
1875 | I) On operating systems which provide a suitable randomness source (in | |
1876 | form of a system call or system device), OpenSSL will use the optimal | |
1877 | available method to seed the CSPRNG from the operating system's | |
1878 | randomness sources. This corresponds to the option `--with-rand-seed=os`. | |
1879 | ||
1880 | II) On systems without such a suitable randomness source, automatic seeding | |
9afbb681 | 1881 | and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary |
6ede7d73 | 1882 | to install additional support software to obtain a random seed and reseed |
9afbb681 DDO |
1883 | the CSPRNG manually. Please check out the manual pages for `RAND_add()`, |
1884 | `RAND_bytes()`, `RAND_egd()`, and the FAQ for more information. | |
6ede7d73 | 1885 | |
203c18f1 AM |
1886 | Notes on assembler modules compilation |
1887 | -------------------------------------- | |
1888 | ||
1889 | Compilation of some code paths in assembler modules might depend on whether the | |
1890 | current assembler version supports certain ISA extensions or not. Code paths | |
1891 | that use the AES-NI, PCLMULQDQ, SSSE3, and SHA extensions are always assembled. | |
1892 | Apart from that, the minimum requirements for the assembler versions are shown | |
1893 | in the table below: | |
1894 | ||
1895 | | ISA extension | GNU as | nasm | llvm | | |
1896 | |---------------|--------|--------|---------| | |
1897 | | AVX | 2.19 | 2.09 | 3.0 | | |
1898 | | AVX2 | 2.22 | 2.10 | 3.1 | | |
1899 | | ADCX/ADOX | 2.23 | 2.10 | 3.3 | | |
1900 | | AVX512 | 2.25 | 2.11.8 | 3.6 (*) | | |
1901 | | AVX512IFMA | 2.26 | 2.11.8 | 6.0 (*) | | |
1902 | | VAES | 2.30 | 2.13.3 | 6.0 (*) | | |
1903 | ||
1904 | --- | |
1905 | ||
1906 | (*) Even though AVX512 support was implemented in llvm 3.6, prior to version 7.0 | |
1907 | an explicit -march flag was apparently required to compile assembly modules. But | |
1908 | then the compiler generates processor-specific code, which in turn contradicts | |
1909 | the idea of performing dispatch at run-time, which is facilitated by the special | |
1910 | variable `OPENSSL_ia32cap`. For versions older than 7.0, it is possible to work | |
1911 | around the problem by forcing the build procedure to use the following script: | |
1912 | ||
1913 | #!/bin/sh | |
1914 | exec clang -no-integrated-as "$@" | |
1915 | ||
1916 | instead of the real clang. In which case it doesn't matter what clang version | |
1917 | is used, as it is the version of the GNU assembler that will be checked. | |
1918 | ||
1919 | --- | |
1920 | ||
6ede7d73 DMSP |
1921 | <!-- Links --> |
1922 | ||
1923 | [openssl-users]: | |
257e9d03 | 1924 | <https://mta.openssl.org/mailman/listinfo/openssl-users> |
6ede7d73 DMSP |
1925 | |
1926 | [SUPPORT]: | |
1927 | ./SUPPORT.md | |
1928 | ||
1929 | [GitHub Issues]: | |
257e9d03 | 1930 | <https://github.com/openssl/openssl/issues> |
6ede7d73 DMSP |
1931 | |
1932 | [raise an issue]: | |
257e9d03 | 1933 | <https://github.com/openssl/openssl/issues/new/choose> |
6ede7d73 DMSP |
1934 | |
1935 | [10-main.conf]: | |
1936 | Configurations/10-main.conf |