]>
Commit | Line | Data |
---|---|---|
1 | OPENSSL INSTALLATION | |
2 | -------------------- | |
3 | ||
4 | This document describes installation on all supported operating | |
5 | systems (the Unix/Linux family (which includes Mac OS/X), OpenVMS, | |
6 | and Windows). | |
7 | ||
8 | To install OpenSSL, you will need: | |
9 | ||
10 | * A make implementation | |
11 | * Perl 5 with core modules (please read NOTES.PERL) | |
12 | * The perl module Text::Template (please read NOTES.PERL) | |
13 | * an ANSI C compiler | |
14 | * a development environment in the form of development libraries and C | |
15 | header files | |
16 | * a supported operating system | |
17 | ||
18 | For additional platform specific requirements, solutions to specific | |
19 | issues and other details, please read one of these: | |
20 | ||
21 | * NOTES.UNIX (any supported Unix like system) | |
22 | * NOTES.VMS (OpenVMS) | |
23 | * NOTES.WIN (any supported Windows) | |
24 | * NOTES.DJGPP (DOS platform with DJGPP) | |
25 | * NOTES.ANDROID (obviously Android [NDK]) | |
26 | * NOTES.VALGRIND (testing with Valgrind) | |
27 | ||
28 | Notational conventions in this document | |
29 | --------------------------------------- | |
30 | ||
31 | Throughout this document, we use the following conventions in command | |
32 | examples: | |
33 | ||
34 | $ command Any line starting with a dollar sign | |
35 | ($) is a command line. | |
36 | ||
37 | { word1 | word2 | word3 } This denotes a mandatory choice, to be | |
38 | replaced with one of the given words. | |
39 | A simple example would be this: | |
40 | ||
41 | $ echo { FOO | BAR | COOKIE } | |
42 | ||
43 | which is to be understood as one of | |
44 | these: | |
45 | ||
46 | $ echo FOO | |
47 | - or - | |
48 | $ echo BAR | |
49 | - or - | |
50 | $ echo COOKIE | |
51 | ||
52 | [ word1 | word2 | word3 ] Similar to { word1 | word2 | word3 } | |
53 | except it's optional to give any of | |
54 | those. In addition to the examples | |
55 | above, this would also be valid: | |
56 | ||
57 | $ echo | |
58 | ||
59 | {{ target }} This denotes a mandatory word or | |
60 | sequence of words of some sort. A | |
61 | simple example would be this: | |
62 | ||
63 | $ type {{ filename }} | |
64 | ||
65 | which is to be understood to use the | |
66 | command 'type' on some file name | |
67 | determined by the user. | |
68 | ||
69 | [[ options ]] Similar to {{ target }}, but is | |
70 | optional. | |
71 | ||
72 | Note that the notation assumes spaces around {, }, [, ], {{, }} and | |
73 | [[, ]]. This is to differentiate from OpenVMS directory | |
74 | specifications, which also use [ and ], but without spaces. | |
75 | ||
76 | Quick Start | |
77 | ----------- | |
78 | ||
79 | If you want to just get on with it, do: | |
80 | ||
81 | on Unix (again, this includes Mac OS/X): | |
82 | ||
83 | $ ./config | |
84 | $ make | |
85 | $ make test | |
86 | $ make install | |
87 | ||
88 | on OpenVMS: | |
89 | ||
90 | $ @config | |
91 | $ mms | |
92 | $ mms test | |
93 | $ mms install | |
94 | ||
95 | on Windows (only pick one of the targets for configuration): | |
96 | ||
97 | $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE } | |
98 | $ nmake | |
99 | $ nmake test | |
100 | $ nmake install | |
101 | ||
102 | Note that in order to perform the install step above you need to have | |
103 | appropriate permissions to write to the installation directory. | |
104 | ||
105 | If any of these steps fails, see section Installation in Detail below. | |
106 | ||
107 | This will build and install OpenSSL in the default location, which is: | |
108 | ||
109 | Unix: normal installation directories under /usr/local | |
110 | OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the | |
111 | OpenSSL version number with underscores instead of periods. | |
112 | Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL | |
113 | ||
114 | The installation directory should be appropriately protected to ensure | |
115 | unprivileged users cannot make changes to OpenSSL binaries or files, or install | |
116 | engines. If you already have a pre-installed version of OpenSSL as part of | |
117 | your Operating System it is recommended that you do not overwrite the system | |
118 | version and instead install to somewhere else. | |
119 | ||
120 | If you want to install it anywhere else, run config like this: | |
121 | ||
122 | On Unix: | |
123 | ||
124 | $ ./config --prefix=/opt/openssl --openssldir=/usr/local/ssl | |
125 | ||
126 | On OpenVMS: | |
127 | ||
128 | $ @config --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL] | |
129 | ||
130 | (Note: if you do add options to the configuration command, please make sure | |
131 | you've read more than just this Quick Start, such as relevant NOTES.* files, | |
132 | the options outline below, as configuration options may change the outcome | |
133 | in otherwise unexpected ways) | |
134 | ||
135 | ||
136 | Configuration Options | |
137 | --------------------- | |
138 | ||
139 | There are several options to ./config (or ./Configure) to customize | |
140 | the build (note that for Windows, the defaults for --prefix and | |
141 | --openssldir depend in what configuration is used and what Windows | |
142 | implementation OpenSSL is built on. More notes on this in NOTES.WIN): | |
143 | ||
144 | --api=x.y[.z] | |
145 | Build the OpenSSL libraries to support the API for | |
146 | the specified version. If "no-deprecated" is also | |
147 | given, don't build with support for deprecated APIs | |
148 | in or below the specified version number. For example | |
149 | "--api=1.1.0" with "no-deprecated" will remove | |
150 | support for all APIS that were deprecated in | |
151 | OpenSSL version 1.1.0 or below. | |
152 | This is a rather specialized option for developers. | |
153 | If you just intend to remove all deprecated APIs | |
154 | entirely (up to the current version), only specify | |
155 | "-no-deprecated" (see below). | |
156 | If "--api" isn't given, it defaults to the current | |
157 | OpenSSL minor version. | |
158 | ||
159 | --cross-compile-prefix=PREFIX | |
160 | The PREFIX to include in front of commands for your | |
161 | toolchain. It's likely to have to end with dash, e.g. | |
162 | a-b-c- would invoke GNU compiler as a-b-c-gcc, etc. | |
163 | Unfortunately cross-compiling is too case-specific to | |
164 | put together one-size-fits-all instructions. You might | |
165 | have to pass more flags or set up environment variables | |
166 | to actually make it work. Android and iOS cases are | |
167 | discussed in corresponding Configurations/15-*.conf | |
168 | files. But there are cases when this option alone is | |
169 | sufficient. For example to build the mingw64 target on | |
170 | Linux "--cross-compile-prefix=x86_64-w64-mingw32-" | |
171 | works. Naturally provided that mingw packages are | |
172 | installed. Today Debian and Ubuntu users have option to | |
173 | install a number of prepackaged cross-compilers along | |
174 | with corresponding run-time and development packages for | |
175 | "alien" hardware. To give another example | |
176 | "--cross-compile-prefix=mipsel-linux-gnu-" suffices | |
177 | in such case. Needless to mention that you have to | |
178 | invoke ./Configure, not ./config, and pass your target | |
179 | name explicitly. Also, note that --openssldir refers | |
180 | to target's file system, not one you are building on. | |
181 | ||
182 | --debug | |
183 | Build OpenSSL with debugging symbols and zero optimization | |
184 | level. | |
185 | ||
186 | --libdir=DIR | |
187 | The name of the directory under the top of the installation | |
188 | directory tree (see the --prefix option) where libraries will | |
189 | be installed. By default this is "lib". Note that on Windows | |
190 | only ".lib" files will be stored in this location. dll files | |
191 | will always be installed to the "bin" directory. | |
192 | ||
193 | --openssldir=DIR | |
194 | Directory for OpenSSL configuration files, and also the | |
195 | default certificate and key store. Defaults are: | |
196 | ||
197 | Unix: /usr/local/ssl | |
198 | Windows: C:\Program Files\Common Files\SSL | |
199 | or C:\Program Files (x86)\Common Files\SSL | |
200 | OpenVMS: SYS$COMMON:[OPENSSL-COMMON] | |
201 | ||
202 | --prefix=DIR | |
203 | The top of the installation directory tree. Defaults are: | |
204 | ||
205 | Unix: /usr/local | |
206 | Windows: C:\Program Files\OpenSSL | |
207 | or C:\Program Files (x86)\OpenSSL | |
208 | OpenVMS: SYS$COMMON:[OPENSSL-'version'] | |
209 | ||
210 | --release | |
211 | Build OpenSSL without debugging symbols. This is the default. | |
212 | ||
213 | --strict-warnings | |
214 | This is a developer flag that switches on various compiler | |
215 | options recommended for OpenSSL development. It only works | |
216 | when using gcc or clang as the compiler. If you are | |
217 | developing a patch for OpenSSL then it is recommended that | |
218 | you use this option where possible. | |
219 | ||
220 | --with-zlib-include=DIR | |
221 | The directory for the location of the zlib include file. This | |
222 | option is only necessary if enable-zlib (see below) is used | |
223 | and the include file is not already on the system include | |
224 | path. | |
225 | ||
226 | --with-zlib-lib=LIB | |
227 | On Unix: this is the directory containing the zlib library. | |
228 | If not provided the system library path will be used. | |
229 | On Windows: this is the filename of the zlib library (with or | |
230 | without a path). This flag must be provided if the | |
231 | zlib-dynamic option is not also used. If zlib-dynamic is used | |
232 | then this flag is optional and a default value ("ZLIB1") is | |
233 | used if not provided. | |
234 | On VMS: this is the filename of the zlib library (with or | |
235 | without a path). This flag is optional and if not provided | |
236 | then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is | |
237 | used by default depending on the pointer size chosen. | |
238 | ||
239 | ||
240 | --with-rand-seed=seed1[,seed2,...] | |
241 | A comma separated list of seeding methods which will be tried | |
242 | by OpenSSL in order to obtain random input (a.k.a "entropy") | |
243 | for seeding its cryptographically secure random number | |
244 | generator (CSPRNG). The current seeding methods are: | |
245 | ||
246 | os: Use a trusted operating system entropy source. | |
247 | This is the default method if such an entropy | |
248 | source exists. | |
249 | getrandom: Use the L<getrandom(2)> or equivalent system | |
250 | call. | |
251 | devrandom: Use the first device from the DEVRANDOM list | |
252 | which can be opened to read random bytes. The | |
253 | DEVRANDOM preprocessor constant expands to | |
254 | "/dev/urandom","/dev/random","/dev/srandom" on | |
255 | most unix-ish operating systems. | |
256 | egd: Check for an entropy generating daemon. | |
257 | rdcpu: Use the RDSEED or RDRAND command if provided by | |
258 | the CPU. | |
259 | librandom: Use librandom (not implemented yet). | |
260 | none: Disable automatic seeding. This is the default | |
261 | on some operating systems where no suitable | |
262 | entropy source exists, or no support for it is | |
263 | implemented yet. | |
264 | ||
265 | For more information, see the section 'Note on random number | |
266 | generation' at the end of this document. | |
267 | ||
268 | no-afalgeng | |
269 | Don't build the AFALG engine. This option will be forced if | |
270 | on a platform that does not support AFALG. | |
271 | ||
272 | enable-ktls | |
273 | Build with Kernel TLS support. This option will enable the | |
274 | use of the Kernel TLS data-path, which can improve | |
275 | performance and allow for the use of sendfile and splice | |
276 | system calls on TLS sockets. The Kernel may use TLS | |
277 | accelerators if any are available on the system. | |
278 | This option will be forced off on systems that do not support | |
279 | the Kernel TLS data-path. | |
280 | ||
281 | enable-asan | |
282 | Build with the Address sanitiser. This is a developer option | |
283 | only. It may not work on all platforms and should never be | |
284 | used in production environments. It will only work when used | |
285 | with gcc or clang and should be used in conjunction with the | |
286 | no-shared option. | |
287 | ||
288 | no-asm | |
289 | Do not use assembler code. This should be viewed as | |
290 | debugging/trouble-shooting option rather than production. | |
291 | On some platforms a small amount of assembler code may | |
292 | still be used even with this option. | |
293 | ||
294 | no-async | |
295 | Do not build support for async operations. | |
296 | ||
297 | no-autoalginit | |
298 | Don't automatically load all supported ciphers and digests. | |
299 | Typically OpenSSL will make available all of its supported | |
300 | ciphers and digests. For a statically linked application this | |
301 | may be undesirable if small executable size is an objective. | |
302 | This only affects libcrypto. Ciphers and digests will have to | |
303 | be loaded manually using EVP_add_cipher() and | |
304 | EVP_add_digest() if this option is used. This option will | |
305 | force a non-shared build. | |
306 | ||
307 | no-autoerrinit | |
308 | Don't automatically load all libcrypto/libssl error strings. | |
309 | Typically OpenSSL will automatically load human readable | |
310 | error strings. For a statically linked application this may | |
311 | be undesirable if small executable size is an objective. | |
312 | ||
313 | no-autoload-config | |
314 | Don't automatically load the default openssl.cnf file. | |
315 | Typically OpenSSL will automatically load a system config | |
316 | file which configures default ssl options. | |
317 | ||
318 | enable-buildtest-c++ | |
319 | While testing, generate C++ buildtest files that | |
320 | simply check that the public OpenSSL header files | |
321 | are usable standalone with C++. | |
322 | ||
323 | Enabling this option demands extra care. For any | |
324 | compiler flag given directly as configuration | |
325 | option, you must ensure that it's valid for both | |
326 | the C and the C++ compiler. If not, the C++ build | |
327 | test will most likely break. As an alternative, | |
328 | you can use the language specific variables, CFLAGS | |
329 | and CXXFLAGS. | |
330 | ||
331 | no-capieng | |
332 | Don't build the CAPI engine. This option will be forced if | |
333 | on a platform that does not support CAPI. | |
334 | ||
335 | no-cmp | |
336 | Don't build support for CMP features | |
337 | ||
338 | no-cms | |
339 | Don't build support for CMS features | |
340 | ||
341 | no-comp | |
342 | Don't build support for SSL/TLS compression. If this option | |
343 | is left enabled (the default), then compression will only | |
344 | work if the zlib or zlib-dynamic options are also chosen. | |
345 | ||
346 | enable-crypto-mdebug | |
347 | This now only enables the failed-malloc feature. | |
348 | ||
349 | enable-crypto-mdebug-backtrace | |
350 | This is a no-op; the project uses the compiler's | |
351 | address/leak sanitizer instead. | |
352 | ||
353 | no-ct | |
354 | Don't build support for Certificate Transparency. | |
355 | ||
356 | no-deprecated | |
357 | Don't build with support for deprecated APIs up | |
358 | until and including the version given with | |
359 | "--api" (or the current version of "--api" wasn't | |
360 | given). | |
361 | ||
362 | no-dgram | |
363 | Don't build support for datagram based BIOs. Selecting this | |
364 | option will also force the disabling of DTLS. | |
365 | ||
366 | no-dso | |
367 | Don't build support for loading Dynamic Shared Objects. | |
368 | ||
369 | enable-devcryptoeng | |
370 | Build the /dev/crypto engine. It is automatically selected | |
371 | on BSD implementations, in which case it can be disabled with | |
372 | no-devcryptoeng. | |
373 | ||
374 | no-dynamic-engine | |
375 | Don't build the dynamically loaded engines. This only has an | |
376 | effect in a "shared" build | |
377 | ||
378 | no-ec | |
379 | Don't build support for Elliptic Curves. | |
380 | ||
381 | no-ec2m | |
382 | Don't build support for binary Elliptic Curves | |
383 | ||
384 | enable-ec_nistp_64_gcc_128 | |
385 | Enable support for optimised implementations of some commonly | |
386 | used NIST elliptic curves. | |
387 | This is only supported on platforms: | |
388 | - with little-endian storage of non-byte types | |
389 | - that tolerate misaligned memory references | |
390 | - where the compiler: | |
391 | - supports the non-standard type __uint128_t | |
392 | - defines the built-in macro __SIZEOF_INT128__ | |
393 | ||
394 | enable-egd | |
395 | Build support for gathering entropy from EGD (Entropy | |
396 | Gathering Daemon). | |
397 | ||
398 | no-engine | |
399 | Don't build support for loading engines. | |
400 | ||
401 | no-err | |
402 | Don't compile in any error strings. | |
403 | ||
404 | enable-external-tests | |
405 | Enable building of integration with external test suites. | |
406 | This is a developer option and may not work on all platforms. | |
407 | The only supported external test suite at the current time is | |
408 | the BoringSSL test suite. See the file test/README.external | |
409 | for further details. | |
410 | ||
411 | no-filenames | |
412 | Don't compile in filename and line number information (e.g. | |
413 | for errors and memory allocation). | |
414 | ||
415 | no-fips | |
416 | Don't compile the FIPS module | |
417 | ||
418 | enable-fuzz-libfuzzer, enable-fuzz-afl | |
419 | Build with support for fuzzing using either libfuzzer or AFL. | |
420 | These are developer options only. They may not work on all | |
421 | platforms and should never be used in production environments. | |
422 | See the file fuzz/README.md for further details. | |
423 | ||
424 | no-gost | |
425 | Don't build support for GOST based ciphersuites. Note that | |
426 | if this feature is enabled then GOST ciphersuites are only | |
427 | available if the GOST algorithms are also available through | |
428 | loading an externally supplied engine. | |
429 | ||
430 | no-legacy | |
431 | Don't build the legacy provider. Disabling this also disables | |
432 | the legacy algorithms: MD2 (already disabled by default). | |
433 | ||
434 | no-makedepend | |
435 | Don't generate dependencies. | |
436 | ||
437 | no-module | |
438 | Don't build any dynamically loadable engines. This also | |
439 | implies 'no-dynamic-engine'. | |
440 | ||
441 | no-multiblock | |
442 | Don't build support for writing multiple records in one | |
443 | go in libssl (Note: this is a different capability to the | |
444 | pipelining functionality). | |
445 | ||
446 | no-nextprotoneg | |
447 | Don't build support for the NPN TLS extension. | |
448 | ||
449 | no-ocsp | |
450 | Don't build support for OCSP. | |
451 | ||
452 | no-padlockeng | |
453 | no-hw-padlock | |
454 | Don't build the padlock engine. | |
455 | ('no-hw-padlock' is deprecated and should not be used) | |
456 | ||
457 | no-pic | |
458 | Don't build with support for Position Independent Code. | |
459 | ||
460 | no-pinshared By default OpenSSL will attempt to stay in memory until the | |
461 | process exits. This is so that libcrypto and libssl can be | |
462 | properly cleaned up automatically via an "atexit()" handler. | |
463 | The handler is registered by libcrypto and cleans up both | |
464 | libraries. On some platforms the atexit() handler will run on | |
465 | unload of libcrypto (if it has been dynamically loaded) | |
466 | rather than at process exit. This option can be used to stop | |
467 | OpenSSL from attempting to stay in memory until the process | |
468 | exits. This could lead to crashes if either libcrypto or | |
469 | libssl have already been unloaded at the point | |
470 | that the atexit handler is invoked, e.g. on a platform which | |
471 | calls atexit() on unload of the library, and libssl is | |
472 | unloaded before libcrypto then a crash is likely to happen. | |
473 | Applications can suppress running of the atexit() handler at | |
474 | run time by using the OPENSSL_INIT_NO_ATEXIT option to | |
475 | OPENSSL_init_crypto(). See the man page for it for further | |
476 | details. | |
477 | ||
478 | no-posix-io | |
479 | Don't use POSIX IO capabilities. | |
480 | ||
481 | no-psk | |
482 | Don't build support for Pre-Shared Key based ciphersuites. | |
483 | ||
484 | no-rdrand | |
485 | Don't use hardware RDRAND capabilities. | |
486 | ||
487 | no-rfc3779 | |
488 | Don't build support for RFC3779 ("X.509 Extensions for IP | |
489 | Addresses and AS Identifiers") | |
490 | ||
491 | sctp | |
492 | Build support for SCTP | |
493 | ||
494 | no-shared | |
495 | Do not create shared libraries, only static ones. See "Note | |
496 | on shared libraries" below. | |
497 | ||
498 | no-sock | |
499 | Don't build support for socket BIOs | |
500 | ||
501 | no-srp | |
502 | Don't build support for SRP or SRP based ciphersuites. | |
503 | ||
504 | no-srtp | |
505 | Don't build SRTP support | |
506 | ||
507 | no-sse2 | |
508 | Exclude SSE2 code paths from 32-bit x86 assembly modules. | |
509 | Normally SSE2 extension is detected at run-time, but the | |
510 | decision whether or not the machine code will be executed | |
511 | is taken solely on CPU capability vector. This means that | |
512 | if you happen to run OS kernel which does not support SSE2 | |
513 | extension on Intel P4 processor, then your application | |
514 | might be exposed to "illegal instruction" exception. | |
515 | There might be a way to enable support in kernel, e.g. | |
516 | FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and | |
517 | there is a way to disengage SSE2 code paths upon application | |
518 | start-up, but if you aim for wider "audience" running | |
519 | such kernel, consider no-sse2. Both the 386 and | |
520 | no-asm options imply no-sse2. | |
521 | ||
522 | enable-ssl-trace | |
523 | Build with the SSL Trace capabilities (adds the "-trace" | |
524 | option to s_client and s_server). | |
525 | ||
526 | no-static-engine | |
527 | Don't build the statically linked engines. This only | |
528 | has an impact when not built "shared". | |
529 | ||
530 | no-stdio | |
531 | Don't use anything from the C header file "stdio.h" that | |
532 | makes use of the "FILE" type. Only libcrypto and libssl can | |
533 | be built in this way. Using this option will suppress | |
534 | building the command line applications. Additionally since | |
535 | the OpenSSL tests also use the command line applications the | |
536 | tests will also be skipped. | |
537 | ||
538 | no-tests | |
539 | Don't build test programs or run any test. | |
540 | ||
541 | no-threads | |
542 | Don't try to build with support for multi-threaded | |
543 | applications. | |
544 | ||
545 | threads | |
546 | Build with support for multi-threaded applications. Most | |
547 | platforms will enable this by default. However if on a | |
548 | platform where this is not the case then this will usually | |
549 | require additional system-dependent options! See "Note on | |
550 | multi-threading" below. | |
551 | ||
552 | enable-trace | |
553 | Build with support for the integrated tracing api. See manual pages | |
554 | OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details. | |
555 | ||
556 | no-ts | |
557 | Don't build Time Stamping Authority support. | |
558 | ||
559 | enable-ubsan | |
560 | Build with the Undefined Behaviour sanitiser. This is a | |
561 | developer option only. It may not work on all platforms and | |
562 | should never be used in production environments. It will only | |
563 | work when used with gcc or clang and should be used in | |
564 | conjunction with the "-DPEDANTIC" option (or the | |
565 | --strict-warnings option). | |
566 | ||
567 | no-ui | |
568 | Don't build with the "UI" capability (i.e. the set of | |
569 | features enabling text based prompts). | |
570 | ||
571 | enable-unit-test | |
572 | Enable additional unit test APIs. This should not typically | |
573 | be used in production deployments. | |
574 | ||
575 | no-uplink | |
576 | Don't build support for UPLINK interface. | |
577 | ||
578 | enable-weak-ssl-ciphers | |
579 | Build support for SSL/TLS ciphers that are considered "weak" | |
580 | (e.g. RC4 based ciphersuites). | |
581 | ||
582 | zlib | |
583 | Build with support for zlib compression/decompression. | |
584 | ||
585 | zlib-dynamic | |
586 | Like "zlib", but has OpenSSL load the zlib library | |
587 | dynamically when needed. This is only supported on systems | |
588 | where loading of shared libraries is supported. | |
589 | ||
590 | 386 | |
591 | In 32-bit x86 builds, when generating assembly modules, | |
592 | use the 80386 instruction set only (the default x86 code | |
593 | is more efficient, but requires at least a 486). Note: | |
594 | This doesn't affect code generated by compiler, you're | |
595 | likely to complement configuration command line with | |
596 | suitable compiler-specific option. | |
597 | ||
598 | no-<prot> | |
599 | Don't build support for negotiating the specified SSL/TLS | |
600 | protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, | |
601 | tls1_3, dtls, dtls1 or dtls1_2). If "no-tls" is selected then | |
602 | all of tls1, tls1_1, tls1_2 and tls1_3 are disabled. | |
603 | Similarly "no-dtls" will disable dtls1 and dtls1_2. The | |
604 | "no-ssl" option is synonymous with "no-ssl3". Note this only | |
605 | affects version negotiation. OpenSSL will still provide the | |
606 | methods for applications to explicitly select the individual | |
607 | protocol versions. | |
608 | ||
609 | no-<prot>-method | |
610 | As for no-<prot> but in addition do not build the methods for | |
611 | applications to explicitly select individual protocol | |
612 | versions. Note that there is no "no-tls1_3-method" option | |
613 | because there is no application method for TLSv1.3. Using | |
614 | individual protocol methods directly is deprecated. | |
615 | Applications should use TLS_method() instead. | |
616 | ||
617 | enable-<alg> | |
618 | Build with support for the specified algorithm, where <alg> | |
619 | is one of: md2 or rc5. | |
620 | ||
621 | no-<alg> | |
622 | Build without support for the specified algorithm, where | |
623 | <alg> is one of: aria, bf, blake2, camellia, cast, chacha, | |
624 | cmac, des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, | |
625 | poly1305, rc2, rc4, rmd160, scrypt, seed, siphash, siv, sm2, | |
626 | sm3, sm4 or whirlpool. The "ripemd" algorithm is deprecated | |
627 | and if used is synonymous with rmd160. | |
628 | ||
629 | -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static | |
630 | These system specific options will be recognised and | |
631 | passed through to the compiler to allow you to define | |
632 | preprocessor symbols, specify additional libraries, library | |
633 | directories or other compiler options. It might be worth | |
634 | noting that some compilers generate code specifically for | |
635 | processor the compiler currently executes on. This is not | |
636 | necessarily what you might have in mind, since it might be | |
637 | unsuitable for execution on other, typically older, | |
638 | processor. Consult your compiler documentation. | |
639 | ||
640 | Take note of the VAR=value documentation below and how | |
641 | these flags interact with those variables. | |
642 | ||
643 | -xxx, +xxx, /xxx | |
644 | Additional options that are not otherwise recognised are | |
645 | passed through as they are to the compiler as well. | |
646 | Unix-style options beginning with a '-' or '+' and | |
647 | Windows-style options beginning with a '/' are recognized. | |
648 | Again, consult your compiler documentation. | |
649 | ||
650 | If the option contains arguments separated by spaces, | |
651 | then the URL-style notation %20 can be used for the space | |
652 | character in order to avoid having to quote the option. | |
653 | For example, -opt%20arg gets expanded to -opt arg. | |
654 | In fact, any ASCII character can be encoded as %xx using its | |
655 | hexadecimal encoding. | |
656 | ||
657 | Take note of the VAR=value documentation below and how | |
658 | these flags interact with those variables. | |
659 | ||
660 | VAR=value | |
661 | Assignment of environment variable for Configure. These | |
662 | work just like normal environment variable assignments, | |
663 | but are supported on all platforms and are confined to | |
664 | the configuration scripts only. These assignments override | |
665 | the corresponding value in the inherited environment, if | |
666 | there is one. | |
667 | ||
668 | The following variables are used as "make variables" and | |
669 | can be used as an alternative to giving preprocessor, | |
670 | compiler and linker options directly as configuration. | |
671 | The following variables are supported: | |
672 | ||
673 | AR The static library archiver. | |
674 | ARFLAGS Flags for the static library archiver. | |
675 | AS The assembler compiler. | |
676 | ASFLAGS Flags for the assembler compiler. | |
677 | CC The C compiler. | |
678 | CFLAGS Flags for the C compiler. | |
679 | CXX The C++ compiler. | |
680 | CXXFLAGS Flags for the C++ compiler. | |
681 | CPP The C/C++ preprocessor. | |
682 | CPPFLAGS Flags for the C/C++ preprocessor. | |
683 | CPPDEFINES List of CPP macro definitions, separated | |
684 | by a platform specific character (':' or | |
685 | space for Unix, ';' for Windows, ',' for | |
686 | VMS). This can be used instead of using | |
687 | -D (or what corresponds to that on your | |
688 | compiler) in CPPFLAGS. | |
689 | CPPINCLUDES List of CPP inclusion directories, separated | |
690 | the same way as for CPPDEFINES. This can | |
691 | be used instead of -I (or what corresponds | |
692 | to that on your compiler) in CPPFLAGS. | |
693 | HASHBANGPERL Perl invocation to be inserted after '#!' | |
694 | in public perl scripts (only relevant on | |
695 | Unix). | |
696 | LD The program linker (not used on Unix, $(CC) | |
697 | is used there). | |
698 | LDFLAGS Flags for the shared library, DSO and | |
699 | program linker. | |
700 | LDLIBS Extra libraries to use when linking. | |
701 | Takes the form of a space separated list | |
702 | of library specifications on Unix and | |
703 | Windows, and as a comma separated list of | |
704 | libraries on VMS. | |
705 | RANLIB The library archive indexer. | |
706 | RC The Windows resource compiler. | |
707 | RCFLAGS Flags for the Windows resource compiler. | |
708 | RM The command to remove files and directories. | |
709 | ||
710 | These cannot be mixed with compiling / linking flags given | |
711 | on the command line. In other words, something like this | |
712 | isn't permitted. | |
713 | ||
714 | ./config -DFOO CPPFLAGS=-DBAR -DCOOKIE | |
715 | ||
716 | Backward compatibility note: | |
717 | ||
718 | To be compatible with older configuration scripts, the | |
719 | environment variables are ignored if compiling / linking | |
720 | flags are given on the command line, except for these: | |
721 | ||
722 | AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC | |
723 | and WINDRES | |
724 | ||
725 | For example, the following command will not see -DBAR: | |
726 | ||
727 | CPPFLAGS=-DBAR ./config -DCOOKIE | |
728 | ||
729 | However, the following will see both set variables: | |
730 | ||
731 | CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- \ | |
732 | ./config -DCOOKIE | |
733 | ||
734 | If CC is set, it is advisable to also set CXX to ensure | |
735 | both C and C++ compilers are in the same "family". This | |
736 | becomes relevant with 'enable-external-tests' and | |
737 | 'enable-buildtest-c++'. | |
738 | ||
739 | reconf | |
740 | reconfigure | |
741 | Reconfigure from earlier data. This fetches the previous | |
742 | command line options and environment from data saved in | |
743 | "configdata.pm", and runs the configuration process again, | |
744 | using these options and environment. | |
745 | Note: NO other option is permitted together with "reconf". | |
746 | This means that you also MUST use "./Configure" (or | |
747 | what corresponds to that on non-Unix platforms) directly | |
748 | to invoke this option. | |
749 | Note: The original configuration saves away values for ALL | |
750 | environment variables that were used, and if they weren't | |
751 | defined, they are still saved away with information that | |
752 | they weren't originally defined. This information takes | |
753 | precedence over environment variables that are defined | |
754 | when reconfiguring. | |
755 | ||
756 | Displaying configuration data | |
757 | ----------------------------- | |
758 | ||
759 | The configuration script itself will say very little, and finishes by | |
760 | creating "configdata.pm". This perl module can be loaded by other scripts | |
761 | to find all the configuration data, and it can also be used as a script to | |
762 | display all sorts of configuration data in a human readable form. | |
763 | ||
764 | For more information, please do: | |
765 | ||
766 | $ ./configdata.pm --help # Unix | |
767 | ||
768 | or | |
769 | ||
770 | $ perl configdata.pm --help # Windows and VMS | |
771 | ||
772 | Installation in Detail | |
773 | ---------------------- | |
774 | ||
775 | 1a. Configure OpenSSL for your operation system automatically: | |
776 | ||
777 | NOTE: This is not available on Windows. | |
778 | ||
779 | $ ./config [[ options ]] # Unix | |
780 | ||
781 | or | |
782 | ||
783 | $ @config [[ options ]] ! OpenVMS | |
784 | ||
785 | For the remainder of this text, the Unix form will be used in all | |
786 | examples, please use the appropriate form for your platform. | |
787 | ||
788 | This guesses at your operating system (and compiler, if necessary) and | |
789 | configures OpenSSL based on this guess. Run ./config -t to see | |
790 | if it guessed correctly. If you want to use a different compiler, you | |
791 | are cross-compiling for another platform, or the ./config guess was | |
792 | wrong for other reasons, go to step 1b. Otherwise go to step 2. | |
793 | ||
794 | On some systems, you can include debugging information as follows: | |
795 | ||
796 | $ ./config -d [[ options ]] | |
797 | ||
798 | 1b. Configure OpenSSL for your operating system manually | |
799 | ||
800 | OpenSSL knows about a range of different operating system, hardware and | |
801 | compiler combinations. To see the ones it knows about, run | |
802 | ||
803 | $ ./Configure # Unix | |
804 | ||
805 | or | |
806 | ||
807 | $ perl Configure # All other platforms | |
808 | ||
809 | For the remainder of this text, the Unix form will be used in all | |
810 | examples, please use the appropriate form for your platform. | |
811 | ||
812 | Pick a suitable name from the list that matches your system. For most | |
813 | operating systems there is a choice between using "cc" or "gcc". When | |
814 | you have identified your system (and if necessary compiler) use this name | |
815 | as the argument to Configure. For example, a "linux-elf" user would | |
816 | run: | |
817 | ||
818 | $ ./Configure linux-elf [[ options ]] | |
819 | ||
820 | If your system isn't listed, you will have to create a configuration | |
821 | file named Configurations/{{ something }}.conf and add the correct | |
822 | configuration for your system. See the available configs as examples | |
823 | and read Configurations/README and Configurations/README.design for | |
824 | more information. | |
825 | ||
826 | The generic configurations "cc" or "gcc" should usually work on 32 bit | |
827 | Unix-like systems. | |
828 | ||
829 | Configure creates a build file ("Makefile" on Unix, "makefile" on Windows | |
830 | and "descrip.mms" on OpenVMS) from a suitable template in Configurations, | |
831 | and defines various macros in include/openssl/configuration.h (generated | |
832 | from include/openssl/configuration.h.in). | |
833 | ||
834 | 1c. Configure OpenSSL for building outside of the source tree. | |
835 | ||
836 | OpenSSL can be configured to build in a build directory separate from | |
837 | the directory with the source code. It's done by placing yourself in | |
838 | some other directory and invoking the configuration commands from | |
839 | there. | |
840 | ||
841 | Unix example: | |
842 | ||
843 | $ mkdir /var/tmp/openssl-build | |
844 | $ cd /var/tmp/openssl-build | |
845 | $ /PATH/TO/OPENSSL/SOURCE/config [[ options ]] | |
846 | ||
847 | or | |
848 | ||
849 | $ /PATH/TO/OPENSSL/SOURCE/Configure {{ target }} [[ options ]] | |
850 | ||
851 | OpenVMS example: | |
852 | ||
853 | $ set default sys$login: | |
854 | $ create/dir [.tmp.openssl-build] | |
855 | $ set default [.tmp.openssl-build] | |
856 | $ @[PATH.TO.OPENSSL.SOURCE]config [[ options ]] | |
857 | ||
858 | or | |
859 | ||
860 | $ @[PATH.TO.OPENSSL.SOURCE]Configure {{ target }} [[ options ]] | |
861 | ||
862 | Windows example: | |
863 | ||
864 | $ C: | |
865 | $ mkdir \temp-openssl | |
866 | $ cd \temp-openssl | |
867 | $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure {{ target }} [[ options ]] | |
868 | ||
869 | Paths can be relative just as well as absolute. Configure will | |
870 | do its best to translate them to relative paths whenever possible. | |
871 | ||
872 | 2. Build OpenSSL by running: | |
873 | ||
874 | $ make # Unix | |
875 | $ mms ! (or mmk) OpenVMS | |
876 | $ nmake # Windows | |
877 | ||
878 | This will build the OpenSSL libraries (libcrypto.a and libssl.a on | |
879 | Unix, corresponding on other platforms) and the OpenSSL binary | |
880 | ("openssl"). The libraries will be built in the top-level directory, | |
881 | and the binary will be in the "apps" subdirectory. | |
882 | ||
883 | Troubleshooting: | |
884 | ||
885 | If the build fails, look at the output. There may be reasons | |
886 | for the failure that aren't problems in OpenSSL itself (like | |
887 | missing standard headers). | |
888 | ||
889 | If the build succeeded previously, but fails after a source or | |
890 | configuration change, it might be helpful to clean the build tree | |
891 | before attempting another build. Use this command: | |
892 | ||
893 | $ make clean # Unix | |
894 | $ mms clean ! (or mmk) OpenVMS | |
895 | $ nmake clean # Windows | |
896 | ||
897 | Assembler error messages can sometimes be sidestepped by using the | |
898 | "no-asm" configuration option. | |
899 | ||
900 | Compiling parts of OpenSSL with gcc and others with the system | |
901 | compiler will result in unresolved symbols on some systems. | |
902 | ||
903 | If you are still having problems you can get help by sending an email | |
904 | to the openssl-users email list (see | |
905 | https://www.openssl.org/community/mailinglists.html for details). If | |
906 | it is a bug with OpenSSL itself, please open an issue on GitHub, at | |
907 | https://github.com/openssl/openssl/issues. Please review the existing | |
908 | ones first; maybe the bug was already reported or has already been | |
909 | fixed. | |
910 | ||
911 | 3. After a successful build, the libraries should be tested. Run: | |
912 | ||
913 | $ make test # Unix | |
914 | $ mms test ! OpenVMS | |
915 | $ nmake test # Windows | |
916 | ||
917 | NOTE: you MUST run the tests from an unprivileged account (or | |
918 | disable your privileges temporarily if your platform allows it). | |
919 | ||
920 | If some tests fail, look at the output. There may be reasons for | |
921 | the failure that isn't a problem in OpenSSL itself (like a | |
922 | malfunction with Perl). You may want increased verbosity, that | |
923 | can be accomplished like this: | |
924 | ||
925 | Verbosity on failure only (make macro VERBOSE_FAILURE or VF): | |
926 | ||
927 | $ make VF=1 test # Unix | |
928 | $ mms /macro=(VF=1) test ! OpenVMS | |
929 | $ nmake VF=1 test # Windows | |
930 | ||
931 | Full verbosity (make macro VERBOSE or V): | |
932 | ||
933 | $ make V=1 test # Unix | |
934 | $ mms /macro=(V=1) test ! OpenVMS | |
935 | $ nmake V=1 test # Windows | |
936 | ||
937 | If you want to run just one or a few specific tests, you can use | |
938 | the make variable TESTS to specify them, like this: | |
939 | ||
940 | $ make TESTS='test_rsa test_dsa' test # Unix | |
941 | $ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS | |
942 | $ nmake TESTS='test_rsa test_dsa' test # Windows | |
943 | ||
944 | And of course, you can combine (Unix example shown): | |
945 | ||
946 | $ make VF=1 TESTS='test_rsa test_dsa' test | |
947 | ||
948 | You can find the list of available tests like this: | |
949 | ||
950 | $ make list-tests # Unix | |
951 | $ mms list-tests ! OpenVMS | |
952 | $ nmake list-tests # Windows | |
953 | ||
954 | Have a look at the manual for the perl module Test::Harness to | |
955 | see what other HARNESS_* variables there are. | |
956 | ||
957 | If you find a problem with OpenSSL itself, try removing any | |
958 | compiler optimization flags from the CFLAGS line in Makefile and | |
959 | run "make clean; make" or corresponding. | |
960 | ||
961 | To report a bug please open an issue on GitHub, at | |
962 | https://github.com/openssl/openssl/issues. | |
963 | ||
964 | For more details on how the make variables TESTS can be used, | |
965 | see section TESTS in Detail below. | |
966 | ||
967 | 4. If everything tests ok, install OpenSSL with | |
968 | ||
969 | $ make install # Unix | |
970 | $ mms install ! OpenVMS | |
971 | $ nmake install # Windows | |
972 | ||
973 | Note that in order to perform the install step above you need to have | |
974 | appropriate permissions to write to the installation directory. | |
975 | ||
976 | The above commands will install all the software components in this | |
977 | directory tree under PREFIX (the directory given with --prefix or its | |
978 | default): | |
979 | ||
980 | Unix: | |
981 | ||
982 | bin/ Contains the openssl binary and a few other | |
983 | utility scripts. | |
984 | include/openssl | |
985 | Contains the header files needed if you want | |
986 | to build your own programs that use libcrypto | |
987 | or libssl. | |
988 | lib Contains the OpenSSL library files. | |
989 | lib/engines Contains the OpenSSL dynamically loadable engines. | |
990 | ||
991 | share/man/man1 Contains the OpenSSL command line man-pages. | |
992 | share/man/man3 Contains the OpenSSL library calls man-pages. | |
993 | share/man/man5 Contains the OpenSSL configuration format man-pages. | |
994 | share/man/man7 Contains the OpenSSL other misc man-pages. | |
995 | ||
996 | share/doc/openssl/html/man1 | |
997 | share/doc/openssl/html/man3 | |
998 | share/doc/openssl/html/man5 | |
999 | share/doc/openssl/html/man7 | |
1000 | Contains the HTML rendition of the man-pages. | |
1001 | ||
1002 | OpenVMS ('arch' is replaced with the architecture name, "Alpha" | |
1003 | or "ia64", 'sover' is replaced with the shared library version | |
1004 | (0101 for 1.1), and 'pz' is replaced with the pointer size | |
1005 | OpenSSL was built with): | |
1006 | ||
1007 | [.EXE.'arch'] Contains the openssl binary. | |
1008 | [.EXE] Contains a few utility scripts. | |
1009 | [.include.openssl] | |
1010 | Contains the header files needed if you want | |
1011 | to build your own programs that use libcrypto | |
1012 | or libssl. | |
1013 | [.LIB.'arch'] Contains the OpenSSL library files. | |
1014 | [.ENGINES'sover''pz'.'arch'] | |
1015 | Contains the OpenSSL dynamically loadable engines. | |
1016 | [.SYS$STARTUP] Contains startup, login and shutdown scripts. | |
1017 | These define appropriate logical names and | |
1018 | command symbols. | |
1019 | [.SYSTEST] Contains the installation verification procedure. | |
1020 | [.HTML] Contains the HTML rendition of the manual pages. | |
1021 | ||
1022 | ||
1023 | Additionally, install will add the following directories under | |
1024 | OPENSSLDIR (the directory given with --openssldir or its default) | |
1025 | for you convenience: | |
1026 | ||
1027 | certs Initially empty, this is the default location | |
1028 | for certificate files. | |
1029 | private Initially empty, this is the default location | |
1030 | for private key files. | |
1031 | misc Various scripts. | |
1032 | ||
1033 | The installation directory should be appropriately protected to ensure | |
1034 | unprivileged users cannot make changes to OpenSSL binaries or files, or | |
1035 | install engines. If you already have a pre-installed version of OpenSSL as | |
1036 | part of your Operating System it is recommended that you do not overwrite | |
1037 | the system version and instead install to somewhere else. | |
1038 | ||
1039 | Package builders who want to configure the library for standard | |
1040 | locations, but have the package installed somewhere else so that | |
1041 | it can easily be packaged, can use | |
1042 | ||
1043 | $ make DESTDIR=/tmp/package-root install # Unix | |
1044 | $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS | |
1045 | ||
1046 | The specified destination directory will be prepended to all | |
1047 | installation target paths. | |
1048 | ||
1049 | Compatibility issues with previous OpenSSL versions: | |
1050 | ||
1051 | * COMPILING existing applications | |
1052 | ||
1053 | Starting with version 1.1.0, OpenSSL hides a number of structures | |
1054 | that were previously open. This includes all internal libssl | |
1055 | structures and a number of EVP types. Accessor functions have | |
1056 | been added to allow controlled access to the structures' data. | |
1057 | ||
1058 | This means that some software needs to be rewritten to adapt to | |
1059 | the new ways of doing things. This often amounts to allocating | |
1060 | an instance of a structure explicitly where you could previously | |
1061 | allocate them on the stack as automatic variables, and using the | |
1062 | provided accessor functions where you would previously access a | |
1063 | structure's field directly. | |
1064 | ||
1065 | Some APIs have changed as well. However, older APIs have been | |
1066 | preserved when possible. | |
1067 | ||
1068 | Environment Variables | |
1069 | --------------------- | |
1070 | ||
1071 | A number of environment variables can be used to provide additional control | |
1072 | over the build process. Typically these should be defined prior to running | |
1073 | config or Configure. Not all environment variables are relevant to all | |
1074 | platforms. | |
1075 | ||
1076 | AR | |
1077 | The name of the ar executable to use. | |
1078 | ||
1079 | BUILDFILE | |
1080 | Use a different build file name than the platform default | |
1081 | ("Makefile" on Unix-like platforms, "makefile" on native Windows, | |
1082 | "descrip.mms" on OpenVMS). This requires that there is a | |
1083 | corresponding build file template. See Configurations/README | |
1084 | for further information. | |
1085 | ||
1086 | CC | |
1087 | The compiler to use. Configure will attempt to pick a default | |
1088 | compiler for your platform but this choice can be overridden | |
1089 | using this variable. Set it to the compiler executable you wish | |
1090 | to use, e.g. "gcc" or "clang". | |
1091 | ||
1092 | CROSS_COMPILE | |
1093 | This environment variable has the same meaning as for the | |
1094 | "--cross-compile-prefix" Configure flag described above. If both | |
1095 | are set then the Configure flag takes precedence. | |
1096 | ||
1097 | NM | |
1098 | The name of the nm executable to use. | |
1099 | ||
1100 | OPENSSL_LOCAL_CONFIG_DIR | |
1101 | OpenSSL comes with a database of information about how it | |
1102 | should be built on different platforms as well as build file | |
1103 | templates for those platforms. The database is comprised of | |
1104 | ".conf" files in the Configurations directory. The build | |
1105 | file templates reside there as well as ".tmpl" files. See the | |
1106 | file Configurations/README for further information about the | |
1107 | format of ".conf" files as well as information on the ".tmpl" | |
1108 | files. | |
1109 | In addition to the standard ".conf" and ".tmpl" files, it is | |
1110 | possible to create your own ".conf" and ".tmpl" files and store | |
1111 | them locally, outside the OpenSSL source tree. This environment | |
1112 | variable can be set to the directory where these files are held | |
1113 | and will be considered by Configure before it looks in the | |
1114 | standard directories. | |
1115 | ||
1116 | PERL | |
1117 | The name of the Perl executable to use when building OpenSSL. | |
1118 | This variable is used in config script only. Configure on the | |
1119 | other hand imposes the interpreter by which it itself was | |
1120 | executed on the whole build procedure. | |
1121 | ||
1122 | HASHBANGPERL | |
1123 | The command string for the Perl executable to insert in the | |
1124 | #! line of perl scripts that will be publicly installed. | |
1125 | Default: /usr/bin/env perl | |
1126 | Note: the value of this variable is added to the same scripts | |
1127 | on all platforms, but it's only relevant on Unix-like platforms. | |
1128 | ||
1129 | RC | |
1130 | The name of the rc executable to use. The default will be as | |
1131 | defined for the target platform in the ".conf" file. If not | |
1132 | defined then "windres" will be used. The WINDRES environment | |
1133 | variable is synonymous to this. If both are defined then RC | |
1134 | takes precedence. | |
1135 | ||
1136 | RANLIB | |
1137 | The name of the ranlib executable to use. | |
1138 | ||
1139 | WINDRES | |
1140 | See RC. | |
1141 | ||
1142 | Makefile targets | |
1143 | ---------------- | |
1144 | ||
1145 | The Configure script generates a Makefile in a format relevant to the specific | |
1146 | platform. The Makefiles provide a number of targets that can be used. Not all | |
1147 | targets may be available on all platforms. Only the most common targets are | |
1148 | described here. Examine the Makefiles themselves for the full list. | |
1149 | ||
1150 | all | |
1151 | The target to build all the software components and | |
1152 | documentation. | |
1153 | ||
1154 | build_sw | |
1155 | Build all the software components. | |
1156 | THIS IS THE DEFAULT TARGET. | |
1157 | ||
1158 | build_docs | |
1159 | Build all documentation components. | |
1160 | ||
1161 | clean | |
1162 | Remove all build artefacts and return the directory to a "clean" | |
1163 | state. | |
1164 | ||
1165 | depend | |
1166 | Rebuild the dependencies in the Makefiles. This is a legacy | |
1167 | option that no longer needs to be used since OpenSSL 1.1.0. | |
1168 | ||
1169 | install | |
1170 | Install all OpenSSL components. | |
1171 | ||
1172 | install_sw | |
1173 | Only install the OpenSSL software components. | |
1174 | ||
1175 | install_docs | |
1176 | Only install the OpenSSL documentation components. | |
1177 | ||
1178 | install_man_docs | |
1179 | Only install the OpenSSL man pages (Unix only). | |
1180 | ||
1181 | install_html_docs | |
1182 | Only install the OpenSSL html documentation. | |
1183 | ||
1184 | list-tests | |
1185 | Prints a list of all the self test names. | |
1186 | ||
1187 | test | |
1188 | Build and run the OpenSSL self tests. | |
1189 | ||
1190 | uninstall | |
1191 | Uninstall all OpenSSL components. | |
1192 | ||
1193 | reconfigure | |
1194 | reconf | |
1195 | Re-run the configuration process, as exactly as the last time | |
1196 | as possible. | |
1197 | ||
1198 | update | |
1199 | This is a developer option. If you are developing a patch for | |
1200 | OpenSSL you may need to use this if you want to update | |
1201 | automatically generated files; add new error codes or add new | |
1202 | (or change the visibility of) public API functions. (Unix only). | |
1203 | ||
1204 | TESTS in Detail | |
1205 | --------------- | |
1206 | ||
1207 | The make variable TESTS supports a versatile set of space separated tokens | |
1208 | with which you can specify a set of tests to be performed. With a "current | |
1209 | set of tests" in mind, initially being empty, here are the possible tokens: | |
1210 | ||
1211 | alltests The current set of tests becomes the whole set of available | |
1212 | tests (as listed when you do 'make list-tests' or similar). | |
1213 | xxx Adds the test 'xxx' to the current set of tests. | |
1214 | -xxx Removes 'xxx' from the current set of tests. If this is the | |
1215 | first token in the list, the current set of tests is first | |
1216 | assigned the whole set of available tests, effectively making | |
1217 | this token equivalent to TESTS="alltests -xxx". | |
1218 | nn Adds the test group 'nn' (which is a number) to the current | |
1219 | set of tests. | |
1220 | -nn Removes the test group 'nn' from the current set of tests. | |
1221 | If this is the first token in the list, the current set of | |
1222 | tests is first assigned the whole set of available tests, | |
1223 | effectively making this token equivalent to | |
1224 | TESTS="alltests -xxx". | |
1225 | ||
1226 | Also, all tokens except for "alltests" may have wildcards, such as *. | |
1227 | (on Unix and Windows, BSD style wildcards are supported, while on VMS, | |
1228 | it's VMS style wildcards) | |
1229 | ||
1230 | Example: All tests except for the fuzz tests: | |
1231 | ||
1232 | $ make TESTS=-test_fuzz test | |
1233 | ||
1234 | or (if you want to be explicit) | |
1235 | ||
1236 | $ make TESTS='alltests -test_fuzz' test | |
1237 | ||
1238 | Example: All tests that have a name starting with "test_ssl" but not those | |
1239 | starting with "test_ssl_": | |
1240 | ||
1241 | $ make TESTS='test_ssl* -test_ssl_*' test | |
1242 | ||
1243 | Example: Only test group 10: | |
1244 | ||
1245 | $ make TESTS='10' | |
1246 | ||
1247 | Example: All tests except the slow group (group 99): | |
1248 | ||
1249 | $ make TESTS='-99' | |
1250 | ||
1251 | Example: All tests in test groups 80 to 99 except for tests in group 90: | |
1252 | ||
1253 | $ make TESTS='[89]? -90' | |
1254 | ||
1255 | To stochastically verify that the algorithm that produces uniformly distributed | |
1256 | random numbers is operating correctly (with a false positive rate of 0.01%): | |
1257 | ||
1258 | $ ./util/shlib_wrap.sh test/bntest -stochastic | |
1259 | ||
1260 | Note on multi-threading | |
1261 | ----------------------- | |
1262 | ||
1263 | For some systems, the OpenSSL Configure script knows what compiler options | |
1264 | are needed to generate a library that is suitable for multi-threaded | |
1265 | applications. On these systems, support for multi-threading is enabled | |
1266 | by default; use the "no-threads" option to disable (this should never be | |
1267 | necessary). | |
1268 | ||
1269 | On other systems, to enable support for multi-threading, you will have | |
1270 | to specify at least two options: "threads", and a system-dependent option. | |
1271 | (The latter is "-D_REENTRANT" on various systems.) The default in this | |
1272 | case, obviously, is not to include support for multi-threading (but | |
1273 | you can still use "no-threads" to suppress an annoying warning message | |
1274 | from the Configure script.) | |
1275 | ||
1276 | OpenSSL provides built-in support for two threading models: pthreads (found on | |
1277 | most UNIX/Linux systems), and Windows threads. No other threading models are | |
1278 | supported. If your platform does not provide pthreads or Windows threads then | |
1279 | you should Configure with the "no-threads" option. | |
1280 | ||
1281 | Notes on shared libraries | |
1282 | ------------------------- | |
1283 | ||
1284 | For most systems the OpenSSL Configure script knows what is needed to | |
1285 | build shared libraries for libcrypto and libssl. On these systems | |
1286 | the shared libraries will be created by default. This can be suppressed and | |
1287 | only static libraries created by using the "no-shared" option. On systems | |
1288 | where OpenSSL does not know how to build shared libraries the "no-shared" | |
1289 | option will be forced and only static libraries will be created. | |
1290 | ||
1291 | Shared libraries are named a little differently on different platforms. | |
1292 | One way or another, they all have the major OpenSSL version number as | |
1293 | part of the file name, i.e. for OpenSSL 1.1.x, 1.1 is somehow part of | |
1294 | the name. | |
1295 | ||
1296 | On most POSIX platforms, shared libraries are named libcrypto.so.1.1 | |
1297 | and libssl.so.1.1. | |
1298 | ||
1299 | on Cygwin, shared libraries are named cygcrypto-1.1.dll and cygssl-1.1.dll | |
1300 | with import libraries libcrypto.dll.a and libssl.dll.a. | |
1301 | ||
1302 | On Windows build with MSVC or using MingW, shared libraries are named | |
1303 | libcrypto-1_1.dll and libssl-1_1.dll for 32-bit Windows, libcrypto-1_1-x64.dll | |
1304 | and libssl-1_1-x64.dll for 64-bit x86_64 Windows, and libcrypto-1_1-ia64.dll | |
1305 | and libssl-1_1-ia64.dll for IA64 Windows. With MSVC, the import libraries | |
1306 | are named libcrypto.lib and libssl.lib, while with MingW, they are named | |
1307 | libcrypto.dll.a and libssl.dll.a. | |
1308 | ||
1309 | On VMS, shareable images (VMS speak for shared libraries) are named | |
1310 | ossl$libcrypto0101_shr.exe and ossl$libssl0101_shr.exe. However, when | |
1311 | OpenSSL is specifically built for 32-bit pointers, the shareable images | |
1312 | are named ossl$libcrypto0101_shr32.exe and ossl$libssl0101_shr32.exe | |
1313 | instead, and when built for 64-bit pointers, they are named | |
1314 | ossl$libcrypto0101_shr64.exe and ossl$libssl0101_shr64.exe. | |
1315 | ||
1316 | Note on random number generation | |
1317 | -------------------------------- | |
1318 | ||
1319 | Availability of cryptographically secure random numbers is required for | |
1320 | secret key generation. OpenSSL provides several options to seed the | |
1321 | internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse | |
1322 | to deliver random bytes and a "PRNG not seeded error" will occur. | |
1323 | ||
1324 | The seeding method can be configured using the --with-rand-seed option, | |
1325 | which can be used to specify a comma separated list of seed methods. | |
1326 | However in most cases OpenSSL will choose a suitable default method, | |
1327 | so it is not necessary to explicitly provide this option. Note also | |
1328 | that not all methods are available on all platforms. | |
1329 | ||
1330 | I) On operating systems which provide a suitable randomness source (in | |
1331 | form of a system call or system device), OpenSSL will use the optimal | |
1332 | available method to seed the CSPRNG from the operating system's | |
1333 | randomness sources. This corresponds to the option --with-rand-seed=os. | |
1334 | ||
1335 | II) On systems without such a suitable randomness source, automatic seeding | |
1336 | and reseeding is disabled (--with-rand-seed=none) and it may be necessary | |
1337 | to install additional support software to obtain a random seed and reseed | |
1338 | the CSPRNG manually. Please check out the manual pages for RAND_add(), | |
1339 | RAND_bytes(), RAND_egd(), and the FAQ for more information. |