4 This document describes installation on all supported operating
5 systems (the Unix/Linux family, including macOS), OpenVMS,
11 - [Prerequisites](#prerequisites)
12 - [Notational Conventions](#notational-conventions)
13 - [Quick Installation Guide](#quick-installation-guide)
14 - [Building OpenSSL](#building-openssl)
15 - [Installing OpenSSL](#installing-openssl)
16 - [Configuration Options](#configuration-options)
17 - [API Level](#api-level)
18 - [Cross Compile Prefix](#cross-compile-prefix)
19 - [Build Type](#build-type)
20 - [Directories](#directories)
21 - [Compiler Warnings](#compiler-warnings)
22 - [ZLib Flags](#zlib-flags)
23 - [Seeding the Random Generator](#seeding-the-random-generator)
24 - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key)
25 - [Enable and Disable Features](#enable-and-disable-features)
26 - [Displaying configuration data](#displaying-configuration-data)
27 - [Installation Steps in Detail](#installation-steps-in-detail)
28 - [Configure](#configure-openssl)
29 - [Build](#build-openssl)
30 - [Test](#test-openssl)
31 - [Install](#install-openssl)
32 - [Advanced Build Options](#advanced-build-options)
33 - [Environment Variables](#environment-variables)
34 - [Makefile Targets](#makefile-targets)
35 - [Running Selected Tests](#running-selected-tests)
36 - [Troubleshooting](#troubleshooting)
37 - [Configuration Problems](#configuration-problems)
38 - [Build Failures](#build-failures)
39 - [Test Failures](#test-failures)
41 - [Notes on multi-threading](#notes-on-multi-threading)
42 - [Notes on shared libraries](#notes-on-shared-libraries)
43 - [Notes on random number generation](#notes-on-random-number-generation)
48 To install OpenSSL, you will need:
50 * A "make" implementation
51 * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md))
52 * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md))
54 * a development environment in the form of development libraries and C
56 * a supported operating system
58 For additional platform specific requirements, solutions to specific
59 issues and other details, please read one of these:
61 * [Notes for UNIX-like platforms](NOTES-UNIX.md)
62 * [Notes for Android platforms](NOTES-ANDROID.md)
63 * [Notes for Windows platforms](NOTES-WINDOWS.md)
64 * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
65 * [Notes for the OpenVMS platform](NOTES-VMS.md)
66 * [Notes on Perl](NOTES-PERL.md)
67 * [Notes on Valgrind](NOTES-VALGRIND.md)
69 Notational conventions
70 ======================
72 Throughout this document, we use the following conventions.
77 Any line starting with a dollar sign is a command line.
81 The dollar sign indicates the shell prompt and is not to be entered as
87 Several words in curly braces separated by pipe characters indicate a
88 **mandatory choice**, to be replaced with one of the given words.
91 $ echo { WORD1 | WORD2 | WORD3 }
93 represents one of the following three commands
101 One or several words in square brackets separated by pipe characters
102 denote an **optional choice**. It is similar to the mandatory choice,
103 but it can also be omitted entirely.
107 $ echo [ WORD1 | WORD2 | WORD3 ]
109 represents one of the four commands
122 **Mandatory arguments** are enclosed in double curly braces.
123 A simple example would be
125 $ type {{ filename }}
127 which is to be understood to use the command `type` on some file name
128 determined by the user.
130 **Optional Arguments** are enclosed in double square brackets.
134 Note that the notation assumes spaces around `{`, `}`, `[`, `]`, `{{`, `}}` and
135 `[[`, `]]`. This is to differentiate from OpenVMS directory
136 specifications, which also use [ and ], but without spaces.
138 Quick Installation Guide
139 ========================
141 If you just want to get OpenSSL installed without bothering too much
142 about the details, here is the short version of how to build and install
143 OpenSSL. If any of the following steps fails, please consult the
144 [Installation in Detail](#installation-steps-in-detail) section below.
149 Use the following commands to configure, build and test OpenSSL.
150 The testing is optional, but recommended if you intend to install
151 OpenSSL for production use.
153 ### Unix / Linux / macOS
161 Use the following commands to build OpenSSL:
169 If you are using Visual Studio, open a Developer Command Prompt and
170 issue the following commands to build OpenSSL.
176 As mentioned in the [Choices](#choices) section, you need to pick one
177 of the four Configure targets in the first command.
179 Most likely you will be using the `VC-WIN64A` target for 64bit Windows
180 binaries (AMD64) or `VC-WIN32` for 32bit Windows binaries (X86).
181 The other two options are `VC-WIN64I` (Intel IA64, Itanium) and
182 `VC-CE` (Windows CE) are rather uncommon nowadays.
187 The following commands will install OpenSSL to a default system location.
189 **Danger Zone:** even if you are impatient, please read the following two
190 paragraphs carefully before you install OpenSSL.
192 For security reasons the default system location is by default not writable
193 for unprivileged users. So for the final installation step administrative
194 privileges are required. The default system location and the procedure to
195 obtain administrative privileges depends on the operating system.
196 It is recommended to compile and test OpenSSL with normal user privileges
197 and use administrative privileges only for the final installation step.
199 On some platforms OpenSSL is preinstalled as part of the Operating System.
200 In this case it is highly recommended not to overwrite the system versions,
201 because other applications or libraries might depend on it.
202 To avoid breaking other applications, install your copy of OpenSSL to a
203 [different location](#installing-to-a-different-location) which is not in
204 the global search path for system libraries.
206 Finally, if you plan on using the FIPS module, you need to read the
207 [Post-installation Notes](#post-installation-notes) further down.
209 ### Unix / Linux / macOS
211 Depending on your distribution, you need to run the following command as
212 root user or prepend `sudo` to the command:
216 By default, OpenSSL will be installed to
220 More precisely, the files will be installed into the subdirectories
227 depending on the file type, as it is custom on Unix-like operating systems.
231 Use the following command to install OpenSSL.
235 By default, OpenSSL will be installed to
241 If you are using Visual Studio, open the Developer Command Prompt _elevated_
242 and issue the following command.
246 The easiest way to elevate the Command Prompt is to press and hold down
247 the both the `<CTRL>` and `<SHIFT>` key while clicking the menu item in the
250 The default installation location is
252 C:\Program Files\OpenSSL
254 for native binaries, or
256 C:\Program Files (x86)\OpenSSL
258 for 32bit binaries on 64bit Windows (WOW64).
260 #### Installing to a different location
262 To install OpenSSL to a different location (for example into your home
263 directory for testing purposes) run `Configure` as shown in the following
266 The options `--prefix` and `--openssldir` are explained in further detail in
267 [Directories](#directories) below, and the values used here are mere examples.
271 $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl
275 $ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
277 Note: if you do add options to the configuration command, please make sure
278 you've read more than just this Quick Start, such as relevant `NOTES-*` files,
279 the options outline below, as configuration options may change the outcome
280 in otherwise unexpected ways.
282 Configuration Options
283 =====================
285 There are several options to `./Configure` to customize the build (note that
286 for Windows, the defaults for `--prefix` and `--openssldir` depend on what
287 configuration is used and what Windows implementation OpenSSL is built on.
288 For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md).
295 Build the OpenSSL libraries to support the API for the specified version.
296 If [no-deprecated](#no-deprecated) is also given, don't build with support
297 for deprecated APIs in or below the specified version number. For example,
300 --api=1.1.0 no-deprecated
302 will remove support for all APIs that were deprecated in OpenSSL version
303 1.1.0 or below. This is a rather specialized option for developers.
304 If you just intend to remove all deprecated APIs up to the current version
305 entirely, just specify [no-deprecated](#no-deprecated).
306 If `--api` isn't given, it defaults to the current (minor) OpenSSL version.
311 --cross-compile-prefix=<PREFIX>
313 The `<PREFIX>` to include in front of commands for your toolchain.
315 It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler
316 as `a-b-c-gcc`, etc. Unfortunately cross-compiling is too case-specific to put
317 together one-size-fits-all instructions. You might have to pass more flags or
318 set up environment variables to actually make it work. Android and iOS cases
319 are discussed in corresponding `Configurations/15-*.conf` files. But there are
320 cases when this option alone is sufficient. For example to build the mingw64
321 target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works. Naturally
322 provided that mingw packages are installed. Today Debian and Ubuntu users
323 have option to install a number of prepackaged cross-compilers along with
324 corresponding run-time and development packages for "alien" hardware. To give
325 another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such
328 For cross compilation, you must [configure manually](#manual-configuration).
329 Also, note that `--openssldir` refers to target's file system, not one you are
337 Build OpenSSL with debugging symbols and zero optimization level.
341 Build OpenSSL without debugging symbols. This is the default.
350 The name of the directory under the top of the installation directory tree
351 (see the `--prefix` option) where libraries will be installed. By default
352 this is `lib/`. Note that on Windows only static libraries (`*.lib`) will
353 be stored in this location. Shared libraries (`*.dll`) will always be
354 installed to the `bin/` directory.
360 Directory for OpenSSL configuration files, and also the default certificate
361 and key store. Defaults are:
364 Windows: C:\Program Files\Common Files\SSL
365 OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
367 For 32bit Windows applications on Windows 64bit (WOW64), always replace
368 `C:\Program Files` by `C:\Program Files (x86)`.
374 The top of the installation directory tree. Defaults are:
377 Windows: C:\Program Files\OpenSSL
378 OpenVMS: SYS$COMMON:[OPENSSL]
385 This is a developer flag that switches on various compiler options recommended
386 for OpenSSL development. It only works when using gcc or clang as the compiler.
387 If you are developing a patch for OpenSSL then it is recommended that you use
388 this option where possible.
393 ### with-zlib-include
395 --with-zlib-include=DIR
397 The directory for the location of the zlib include file. This option is only
398 necessary if [zlib](#zlib) is used and the include file is not
399 already on the system include path.
405 **On Unix**: this is the directory containing the zlib library.
406 If not provided the system library path will be used.
408 **On Windows:** this is the filename of the zlib library (with or
409 without a path). This flag must be provided if the
410 [zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used
411 then this flag is optional and defaults to `ZLIB1` if not provided.
413 **On VMS:** this is the filename of the zlib library (with or without a path).
414 This flag is optional and if not provided then `GNV$LIBZSHR`, `GNV$LIBZSHR32`
415 or `GNV$LIBZSHR64` is used by default depending on the pointer size chosen.
417 Seeding the Random Generator
418 ----------------------------
420 --with-rand-seed=seed1[,seed2,...]
422 A comma separated list of seeding methods which will be tried by OpenSSL
423 in order to obtain random input (a.k.a "entropy") for seeding its
424 cryptographically secure random number generator (CSPRNG).
425 The current seeding methods are:
429 Use a trusted operating system entropy source.
430 This is the default method if such an entropy source exists.
434 Use the [getrandom(2)][man-getrandom] or equivalent system call.
436 [man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html
440 Use the first device from the `DEVRANDOM` list which can be opened to read
441 random bytes. The `DEVRANDOM` preprocessor constant expands to
443 "/dev/urandom","/dev/random","/dev/srandom"
445 on most unix-ish operating systems.
449 Check for an entropy generating daemon.
450 This source is ignored by the FIPS provider.
454 Use the `RDSEED` or `RDRAND` command if provided by the CPU.
458 Use librandom (not implemented yet).
459 This source is ignored by the FIPS provider.
463 Disable automatic seeding. This is the default on some operating systems where
464 no suitable entropy source exists, or no support for it is implemented yet.
465 This option is ignored by the FIPS provider.
467 For more information, see the section [Notes on random number generation][rng]
468 at the end of this document.
470 [rng]: #notes-on-random-number-generation
472 Setting the FIPS HMAC key
473 -------------------------
477 As part of its self-test validation, the FIPS module must verify itself
478 by performing a SHA-256 HMAC computation on itself. The default key is
479 the SHA256 value of "the holy handgrenade of antioch" and is sufficient
480 for meeting the FIPS requirements.
482 To change the key to a different value, use this flag. The value should
483 be a hex string no more than 64 characters.
485 Enable and Disable Features
486 ---------------------------
488 Feature options always come in pairs, an option to enable feature
489 `xxxx`, and an option to disable it:
491 [ enable-xxxx | no-xxxx ]
493 Whether a feature is enabled or disabled by default, depends on the feature.
494 In the following list, always the non-default variant is documented: if
495 feature `xxxx` is disabled by default then `enable-xxxx` is documented and
496 if feature `xxxx` is enabled by default then `no-xxxx` is documented.
500 Don't build the AFALG engine.
502 This option will be forced on a platform that does not support AFALG.
506 Build with Kernel TLS support.
508 This option will enable the use of the Kernel TLS data-path, which can improve
509 performance and allow for the use of sendfile and splice system calls on
510 TLS sockets. The Kernel may use TLS accelerators if any are available on the
511 system. This option will be forced off on systems that do not support the
512 Kernel TLS data-path.
516 Build with the Address sanitiser.
518 This is a developer option only. It may not work on all platforms and should
519 never be used in production environments. It will only work when used with
520 gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
525 Do not build support for Automated Cryptographic Validation Protocol (ACVP)
528 This is required for FIPS validation purposes. Certain ACVP tests require
529 access to algorithm internals that are not normally accessible.
530 Additional information related to ACVP can be found at
531 <https://github.com/usnistgov/ACVP>.
535 Do not use assembler code.
537 This should be viewed as debugging/troubleshooting option rather than for
538 production use. On some platforms a small amount of assembler code may still
539 be used even with this option.
543 Do not build support for async operations.
547 Don't automatically load all supported ciphers and digests.
549 Typically OpenSSL will make available all of its supported ciphers and digests.
550 For a statically linked application this may be undesirable if small executable
551 size is an objective. This only affects libcrypto. Ciphers and digests will
552 have to be loaded manually using `EVP_add_cipher()` and `EVP_add_digest()`
553 if this option is used. This option will force a non-shared build.
557 Don't automatically load all libcrypto/libssl error strings.
559 Typically OpenSSL will automatically load human readable error strings. For a
560 statically linked application this may be undesirable if small executable size
563 ### no-autoload-config
565 Don't automatically load the default `openssl.cnf` file.
567 Typically OpenSSL will automatically load a system config file which configures
570 ### enable-buildtest-c++
572 While testing, generate C++ buildtest files that simply check that the public
573 OpenSSL header files are usable standalone with C++.
575 Enabling this option demands extra care. For any compiler flag given directly
576 as configuration option, you must ensure that it's valid for both the C and
577 the C++ compiler. If not, the C++ build test will most likely break. As an
578 alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS`.
582 Build only some minimal set of features.
583 This is a developer option used internally for CI build tests of the project.
587 Never cache algorithms when they are fetched from a provider. Normally, a
588 provider indicates if the algorithms it supplies can be cached or not. Using
589 this option will reduce run-time memory usage but it also introduces a
590 significant performance penalty. This option is primarily designed to help
591 with detecting incorrect reference counting.
595 Don't build the CAPI engine.
597 This option will be forced if on a platform that does not support CAPI.
601 Don't build support for Certificate Management Protocol (CMP)
602 and Certificate Request Message Format (CRMF).
606 Don't build support for Cryptographic Message Syntax (CMS).
610 Don't build support for SSL/TLS compression.
612 If this option is enabled (the default), then compression will only work if
613 the zlib or `zlib-dynamic` options are also chosen.
615 ### enable-crypto-mdebug
617 This now only enables the `failed-malloc` feature.
619 ### enable-crypto-mdebug-backtrace
621 This is a no-op; the project uses the compiler's address/leak sanitizer instead.
625 Don't build support for Certificate Transparency (CT).
629 Don't build with support for deprecated APIs up until and including the version
630 given with `--api` (or the current version, if `--api` wasn't specified).
634 Don't build support for datagram based BIOs.
636 Selecting this option will also force the disabling of DTLS.
640 Don't build support for loading Dynamic Shared Objects (DSO)
642 ### enable-devcryptoeng
644 Build the `/dev/crypto` engine.
646 This option is automatically selected on the BSD platform, in which case it can
647 be disabled with `no-devcryptoeng`.
649 ### no-dynamic-engine
651 Don't build the dynamically loaded engines.
653 This only has an effect in a shared build.
657 Don't build support for Elliptic Curves.
661 Don't build support for binary Elliptic Curves
663 ### enable-ec_nistp_64_gcc_128
665 Enable support for optimised implementations of some commonly used NIST
668 This option is only supported on platforms:
670 - with little-endian storage of non-byte types
671 - that tolerate misaligned memory references
672 - where the compiler:
673 - supports the non-standard type `__uint128_t`
674 - defines the built-in macro `__SIZEOF_INT128__`
678 Build support for gathering entropy from the Entropy Gathering Daemon (EGD).
682 Don't build support for loading engines.
686 Don't compile in any error strings.
688 ### enable-external-tests
690 Enable building of integration with external test suites.
692 This is a developer option and may not work on all platforms. The following
693 external test suites are currently supported:
695 - BoringSSL test suite
696 - Python PYCA/Cryptography test suite
699 See the file [test/README-external.md](test/README-external.md)
704 Don't compile in filename and line number information (e.g. for errors and
709 Don't compile the FIPS provider
711 ### no-fips-securitychecks
713 Don't perform FIPS module run-time checks related to enforcement of security
714 parameters such as minimum security strength of keys.
716 ### enable-fuzz-libfuzzer, enable-fuzz-afl
718 Build with support for fuzzing using either libfuzzer or AFL.
720 These are developer options only. They may not work on all platforms and
721 should never be used in production environments.
723 See the file [fuzz/README.md](fuzz/README.md) for further details.
727 Don't build support for GOST based ciphersuites.
729 Note that if this feature is enabled then GOST ciphersuites are only available
730 if the GOST algorithms are also available through loading an externally supplied
735 Don't build the legacy provider.
737 Disabling this also disables the legacy algorithms: MD2 (already disabled by default).
741 Don't generate dependencies.
745 Don't build any dynamically loadable engines.
747 This also implies `no-dynamic-engine`.
751 Don't build support for writing multiple records in one go in libssl
753 Note: this is a different capability to the pipelining functionality.
757 Don't build support for the Next Protocol Negotiation (NPN) TLS extension.
761 Don't build support for Online Certificate Status Protocol (OCSP).
765 Don't build the padlock engine.
769 As synonym for `no-padlockeng`. Deprecated and should not be used.
773 Don't build with support for Position Independent Code.
777 Don't pin the shared libraries.
779 By default OpenSSL will attempt to stay in memory until the process exits.
780 This is so that libcrypto and libssl can be properly cleaned up automatically
781 via an `atexit()` handler. The handler is registered by libcrypto and cleans
782 up both libraries. On some platforms the `atexit()` handler will run on unload of
783 libcrypto (if it has been dynamically loaded) rather than at process exit. This
784 option can be used to stop OpenSSL from attempting to stay in memory until the
785 process exits. This could lead to crashes if either libcrypto or libssl have
786 already been unloaded at the point that the atexit handler is invoked, e.g. on a
787 platform which calls `atexit()` on unload of the library, and libssl is unloaded
788 before libcrypto then a crash is likely to happen. Applications can suppress
789 running of the `atexit()` handler at run time by using the
790 `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
791 See the man page for it for further details.
795 Don't use POSIX IO capabilities.
799 Don't build support for Pre-Shared Key based ciphersuites.
803 Don't use hardware RDRAND capabilities.
807 Don't build support for RFC3779, "X.509 Extensions for IP Addresses and
812 Build support for Stream Control Transmission Protocol (SCTP).
816 Do not create shared libraries, only static ones.
818 See [Notes on shared libraries](#notes-on-shared-libraries) below.
822 Don't build support for socket BIOs.
826 Don't build support for Secure Remote Password (SRP) protocol or
827 SRP based ciphersuites.
831 Don't build Secure Real-Time Transport Protocol (SRTP) support.
835 Exclude SSE2 code paths from 32-bit x86 assembly modules.
837 Normally SSE2 extension is detected at run-time, but the decision whether or not
838 the machine code will be executed is taken solely on CPU capability vector. This
839 means that if you happen to run OS kernel which does not support SSE2 extension
840 on Intel P4 processor, then your application might be exposed to "illegal
841 instruction" exception. There might be a way to enable support in kernel, e.g.
842 FreeBSD kernel can be compiled with `CPU_ENABLE_SSE`, and there is a way to
843 disengage SSE2 code paths upon application start-up, but if you aim for wider
844 "audience" running such kernel, consider `no-sse2`. Both the `386` and `no-asm`
845 options imply `no-sse2`.
849 Build with the SSL Trace capabilities.
851 This adds the `-trace` option to `s_client` and `s_server`.
855 Don't build the statically linked engines.
857 This only has an impact when not built "shared".
861 Don't use anything from the C header file `stdio.h` that makes use of the `FILE`
862 type. Only libcrypto and libssl can be built in this way. Using this option will
863 suppress building the command line applications. Additionally, since the OpenSSL
864 tests also use the command line applications, the tests will also be skipped.
868 Don't build test programs or run any tests.
872 Don't build with support for multi-threaded applications.
876 Build with support for multi-threaded applications. Most platforms will enable
877 this by default. However, if on a platform where this is not the case then this
878 will usually require additional system-dependent options!
880 See [Notes on multi-threading](#notes-on-multi-threading) below.
884 Build with support for the integrated tracing api.
886 See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.
890 Don't build Time Stamping (TS) Authority support.
894 Build with the Undefined Behaviour sanitiser (UBSAN).
896 This is a developer option only. It may not work on all platforms and should
897 never be used in production environments. It will only work when used with
898 gcc or clang and should be used in conjunction with the `-DPEDANTIC` option
899 (or the `--strict-warnings` option).
903 Don't build with the User Interface (UI) console method
905 The User Interface console method enables text based console prompts.
909 Enable additional unit test APIs.
911 This should not typically be used in production deployments.
915 Don't build support for UPLINK interface.
917 ### enable-weak-ssl-ciphers
919 Build support for SSL/TLS ciphers that are considered "weak"
921 Enabling this includes for example the RC4 based ciphersuites.
925 Build with support for zlib compression/decompression.
929 Like the zlib option, but has OpenSSL load the zlib library dynamically
932 This is only supported on systems where loading of shared libraries is supported.
936 In 32-bit x86 builds, use the 80386 instruction set only in assembly modules
938 The default x86 code is more efficient, but requires at least an 486 processor.
939 Note: This doesn't affect compiler generated code, so this option needs to be
940 accompanied by a corresponding compiler-specific option.
944 no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}
946 Don't build support for negotiating the specified SSL/TLS protocol.
948 If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3`
950 Similarly `no-dtls` will disable `dtls1` and `dtls1_2`. The `no-ssl` option is
951 synonymous with `no-ssl3`. Note this only affects version negotiation.
952 OpenSSL will still provide the methods for applications to explicitly select
953 the individual protocol versions.
955 ### no-{protocol}-method
957 no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}-method
959 Analogous to `no-{protocol}` but in addition do not build the methods for
960 applications to explicitly select individual protocol versions. Note that there
961 is no `no-tls1_3-method` option because there is no application method for
964 Using individual protocol methods directly is deprecated. Applications should
965 use `TLS_method()` instead.
967 ### enable-{algorithm}
971 Build with support for the specified algorithm.
975 no-{aria|bf|blake2|camellia|cast|chacha|cmac|
976 des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
977 poly1305|rc2|rc4|rmd160|scrypt|seed|
978 siphash|siv|sm2|sm3|sm4|whirlpool}
980 Build without support for the specified algorithm.
982 The `ripemd` algorithm is deprecated and if used is synonymous with `rmd160`.
984 ### Compiler-specific options
986 -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
988 These system specific options will be recognised and passed through to the
989 compiler to allow you to define preprocessor symbols, specify additional
990 libraries, library directories or other compiler options. It might be worth
991 noting that some compilers generate code specifically for processor the
992 compiler currently executes on. This is not necessarily what you might have
993 in mind, since it might be unsuitable for execution on other, typically older,
994 processor. Consult your compiler documentation.
996 Take note of the [Environment Variables](#environment-variables) documentation
997 below and how these flags interact with those variables.
1001 Additional options that are not otherwise recognised are passed through as
1002 they are to the compiler as well. Unix-style options beginning with a
1003 `-` or `+` and Windows-style options beginning with a `/` are recognized.
1004 Again, consult your compiler documentation.
1006 If the option contains arguments separated by spaces, then the URL-style
1007 notation `%20` can be used for the space character in order to avoid having
1008 to quote the option. For example, `-opt%20arg` gets expanded to `-opt arg`.
1009 In fact, any ASCII character can be encoded as %xx using its hexadecimal
1012 Take note of the [Environment Variables](#environment-variables) documentation
1013 below and how these flags interact with those variables.
1015 ### Environment Variables
1019 Assign the given value to the environment variable `VAR` for `Configure`.
1021 These work just like normal environment variable assignments, but are supported
1022 on all platforms and are confined to the configuration scripts only.
1023 These assignments override the corresponding value in the inherited environment,
1026 The following variables are used as "`make` variables" and can be used as an
1027 alternative to giving preprocessor, compiler and linker options directly as
1028 configuration. The following variables are supported:
1030 AR The static library archiver.
1031 ARFLAGS Flags for the static library archiver.
1032 AS The assembler compiler.
1033 ASFLAGS Flags for the assembler compiler.
1035 CFLAGS Flags for the C compiler.
1036 CXX The C++ compiler.
1037 CXXFLAGS Flags for the C++ compiler.
1038 CPP The C/C++ preprocessor.
1039 CPPFLAGS Flags for the C/C++ preprocessor.
1040 CPPDEFINES List of CPP macro definitions, separated
1041 by a platform specific character (':' or
1042 space for Unix, ';' for Windows, ',' for
1043 VMS). This can be used instead of using
1044 -D (or what corresponds to that on your
1045 compiler) in CPPFLAGS.
1046 CPPINCLUDES List of CPP inclusion directories, separated
1047 the same way as for CPPDEFINES. This can
1048 be used instead of -I (or what corresponds
1049 to that on your compiler) in CPPFLAGS.
1050 HASHBANGPERL Perl invocation to be inserted after '#!'
1051 in public perl scripts (only relevant on
1053 LD The program linker (not used on Unix, $(CC)
1055 LDFLAGS Flags for the shared library, DSO and
1057 LDLIBS Extra libraries to use when linking.
1058 Takes the form of a space separated list
1059 of library specifications on Unix and
1060 Windows, and as a comma separated list of
1062 RANLIB The library archive indexer.
1063 RC The Windows resource compiler.
1064 RCFLAGS Flags for the Windows resource compiler.
1065 RM The command to remove files and directories.
1067 These cannot be mixed with compiling/linking flags given on the command line.
1068 In other words, something like this isn't permitted.
1070 $ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE
1072 Backward compatibility note:
1074 To be compatible with older configuration scripts, the environment variables
1075 are ignored if compiling/linking flags are given on the command line, except
1078 AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC, and WINDRES
1080 For example, the following command will not see `-DBAR`:
1082 $ CPPFLAGS=-DBAR ./Configure -DCOOKIE
1084 However, the following will see both set variables:
1086 $ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE
1088 If `CC` is set, it is advisable to also set `CXX` to ensure both the C and C++
1089 compiler are in the same "family". This becomes relevant with
1090 `enable-external-tests` and `enable-buildtest-c++`.
1097 Reconfigure from earlier data.
1099 This fetches the previous command line options and environment from data
1100 saved in `configdata.pm` and runs the configuration process again, using
1101 these options and environment. Note: NO other option is permitted together
1102 with `reconf`. Note: The original configuration saves away values for ALL
1103 environment variables that were used, and if they weren't defined, they are
1104 still saved away with information that they weren't originally defined.
1105 This information takes precedence over environment variables that are
1106 defined when reconfiguring.
1108 Displaying configuration data
1109 -----------------------------
1111 The configuration script itself will say very little, and finishes by
1112 creating `configdata.pm`. This perl module can be loaded by other scripts
1113 to find all the configuration data, and it can also be used as a script to
1114 display all sorts of configuration data in a human readable form.
1116 For more information, please do:
1118 $ ./configdata.pm --help # Unix
1122 $ perl configdata.pm --help # Windows and VMS
1124 Installation Steps in Detail
1125 ============================
1130 ### Automatic Configuration
1132 On some platform a `config` script is available which attempts to guess
1133 your operating system (and compiler, if necessary) and calls the `Configure`
1134 Perl script with appropriate target based on its guess. Further options can
1135 be supplied to the `config` script, which will be passed on to the `Configure`
1138 #### Unix / Linux / macOS
1140 $ ./Configure [[ options ]]
1144 $ perl Configure [[ options ]]
1148 $ perl Configure [[ options ]]
1150 ### Manual Configuration
1152 OpenSSL knows about a range of different operating system, hardware and
1153 compiler combinations. To see the ones it knows about, run
1155 $ ./Configure LIST # Unix
1159 $ perl Configure LIST # All other platforms
1161 For the remainder of this text, the Unix form will be used in all examples.
1162 Please use the appropriate form for your platform.
1164 Pick a suitable name from the list that matches your system. For most
1165 operating systems there is a choice between using cc or gcc.
1166 When you have identified your system (and if necessary compiler) use this
1167 name as the argument to `Configure`. For example, a `linux-elf` user would
1170 $ ./Configure linux-elf [[ options ]]
1172 ### Creating your own Configuration
1174 If your system isn't listed, you will have to create a configuration
1175 file named `Configurations/{{ something }}.conf` and add the correct
1176 configuration for your system. See the available configs as examples
1177 and read [Configurations/README.md](Configurations/README.md) and
1178 [Configurations/README-design.md](Configurations/README-design.md)
1179 for more information.
1181 The generic configurations `cc` or `gcc` should usually work on 32 bit
1184 `Configure` creates a build file (`Makefile` on Unix, `makefile` on Windows
1185 and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`,
1186 and defines various macros in `include/openssl/configuration.h` (generated
1187 from `include/openssl/configuration.h.in`.
1189 ### Out of Tree Builds
1191 OpenSSL can be configured to build in a build directory separate from the
1192 source code directory. It's done by placing yourself in some other
1193 directory and invoking the configuration commands from there.
1197 $ mkdir /var/tmp/openssl-build
1198 $ cd /var/tmp/openssl-build
1199 $ /PATH/TO/OPENSSL/SOURCE/Configure [[ options ]]
1201 #### OpenVMS example
1203 $ set default sys$login:
1204 $ create/dir [.tmp.openssl-build]
1205 $ set default [.tmp.openssl-build]
1206 $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [[ options ]]
1208 #### Windows example
1211 $ mkdir \temp-openssl
1213 $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [[ options ]]
1215 Paths can be relative just as well as absolute. `Configure` will do its best
1216 to translate them to relative paths whenever possible.
1221 Build OpenSSL by running:
1224 $ mms ! (or mmk) OpenVMS
1227 This will build the OpenSSL libraries (`libcrypto.a` and `libssl.a` on
1228 Unix, corresponding on other platforms) and the OpenSSL binary
1229 (`openssl`). The libraries will be built in the top-level directory,
1230 and the binary will be in the `apps/` subdirectory.
1232 If the build fails, take a look at the [Build Failures](#build-failures)
1233 subsection of the [Troubleshooting](#troubleshooting) section.
1238 After a successful build, and before installing, the libraries should
1242 $ mms test ! OpenVMS
1243 $ nmake test # Windows
1245 **Warning:** you MUST run the tests from an unprivileged account (or disable
1246 your privileges temporarily if your platform allows it).
1248 See [test/README.md](test/README.md) for further details how run tests.
1250 See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests.
1255 If everything tests ok, install OpenSSL with
1257 $ make install # Unix
1258 $ mms install ! OpenVMS
1259 $ nmake install # Windows
1261 Note that in order to perform the install step above you need to have
1262 appropriate permissions to write to the installation directory.
1264 The above commands will install all the software components in this
1265 directory tree under `<PREFIX>` (the directory given with `--prefix` or
1268 ### Unix / Linux / macOS
1270 bin/ Contains the openssl binary and a few other
1273 Contains the header files needed if you want
1274 to build your own programs that use libcrypto
1276 lib Contains the OpenSSL library files.
1277 lib/engines Contains the OpenSSL dynamically loadable engines.
1279 share/man/man1 Contains the OpenSSL command line man-pages.
1280 share/man/man3 Contains the OpenSSL library calls man-pages.
1281 share/man/man5 Contains the OpenSSL configuration format man-pages.
1282 share/man/man7 Contains the OpenSSL other misc man-pages.
1284 share/doc/openssl/html/man1
1285 share/doc/openssl/html/man3
1286 share/doc/openssl/html/man5
1287 share/doc/openssl/html/man7
1288 Contains the HTML rendition of the man-pages.
1292 'arch' is replaced with the architecture name, `ALPHA` or `IA64`,
1293 'sover' is replaced with the shared library version (`0101` for 1.1), and
1294 'pz' is replaced with the pointer size OpenSSL was built with:
1296 [.EXE.'arch'] Contains the openssl binary.
1297 [.EXE] Contains a few utility scripts.
1299 Contains the header files needed if you want
1300 to build your own programs that use libcrypto
1302 [.LIB.'arch'] Contains the OpenSSL library files.
1303 [.ENGINES'sover''pz'.'arch']
1304 Contains the OpenSSL dynamically loadable engines.
1305 [.SYS$STARTUP] Contains startup, login and shutdown scripts.
1306 These define appropriate logical names and
1308 [.SYSTEST] Contains the installation verification procedure.
1309 [.HTML] Contains the HTML rendition of the manual pages.
1311 ### Additional Directories
1313 Additionally, install will add the following directories under
1314 OPENSSLDIR (the directory given with `--openssldir` or its default)
1315 for you convenience:
1317 certs Initially empty, this is the default location
1318 for certificate files.
1319 private Initially empty, this is the default location
1320 for private key files.
1321 misc Various scripts.
1323 The installation directory should be appropriately protected to ensure
1324 unprivileged users cannot make changes to OpenSSL binaries or files, or
1325 install engines. If you already have a pre-installed version of OpenSSL as
1326 part of your Operating System it is recommended that you do not overwrite
1327 the system version and instead install to somewhere else.
1329 Package builders who want to configure the library for standard locations,
1330 but have the package installed somewhere else so that it can easily be
1333 $ make DESTDIR=/tmp/package-root install # Unix
1334 $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
1336 The specified destination directory will be prepended to all installation
1339 Compatibility issues with previous OpenSSL versions
1340 ---------------------------------------------------
1342 ### COMPILING existing applications
1344 Starting with version 1.1.0, OpenSSL hides a number of structures that were
1345 previously open. This includes all internal libssl structures and a number
1346 of EVP types. Accessor functions have been added to allow controlled access
1347 to the structures' data.
1349 This means that some software needs to be rewritten to adapt to the new ways
1350 of doing things. This often amounts to allocating an instance of a structure
1351 explicitly where you could previously allocate them on the stack as automatic
1352 variables, and using the provided accessor functions where you would previously
1353 access a structure's field directly.
1355 Some APIs have changed as well. However, older APIs have been preserved when
1358 Post-installation Notes
1359 -----------------------
1361 With the default OpenSSL installation comes a FIPS provider module, which
1362 needs some post-installation attention, without which it will not be usable.
1363 This involves using the following command:
1365 $ openssl fipsinstall
1367 See the openssl-fipsinstall(1) manual for details and examples.
1369 Advanced Build Options
1370 ======================
1372 Environment Variables
1373 ---------------------
1375 A number of environment variables can be used to provide additional control
1376 over the build process. Typically these should be defined prior to running
1377 `Configure`. Not all environment variables are relevant to all platforms.
1380 The name of the ar executable to use.
1383 Use a different build file name than the platform default
1384 ("Makefile" on Unix-like platforms, "makefile" on native Windows,
1385 "descrip.mms" on OpenVMS). This requires that there is a
1386 corresponding build file template.
1387 See [Configurations/README.md](Configurations/README.md)
1388 for further information.
1391 The compiler to use. Configure will attempt to pick a default
1392 compiler for your platform but this choice can be overridden
1393 using this variable. Set it to the compiler executable you wish
1394 to use, e.g. gcc or clang.
1397 This environment variable has the same meaning as for the
1398 "--cross-compile-prefix" Configure flag described above. If both
1399 are set then the Configure flag takes precedence.
1402 The name of the nm executable to use.
1404 OPENSSL_LOCAL_CONFIG_DIR
1405 OpenSSL comes with a database of information about how it
1406 should be built on different platforms as well as build file
1407 templates for those platforms. The database is comprised of
1408 ".conf" files in the Configurations directory. The build
1409 file templates reside there as well as ".tmpl" files. See the
1410 file [Configurations/README.md](Configurations/README.md)
1411 for further information about the format of ".conf" files
1412 as well as information on the ".tmpl" files.
1413 In addition to the standard ".conf" and ".tmpl" files, it is
1414 possible to create your own ".conf" and ".tmpl" files and
1415 store them locally, outside the OpenSSL source tree.
1416 This environment variable can be set to the directory where
1417 these files are held and will be considered by Configure
1418 before it looks in the standard directories.
1421 The name of the Perl executable to use when building OpenSSL.
1422 Only needed if builing should use a different Perl executable
1423 than what is used to run the Configure script.
1426 The command string for the Perl executable to insert in the
1427 #! line of perl scripts that will be publicly installed.
1428 Default: /usr/bin/env perl
1429 Note: the value of this variable is added to the same scripts
1430 on all platforms, but it's only relevant on Unix-like platforms.
1433 The name of the rc executable to use. The default will be as
1434 defined for the target platform in the ".conf" file. If not
1435 defined then "windres" will be used. The WINDRES environment
1436 variable is synonymous to this. If both are defined then RC
1440 The name of the ranlib executable to use.
1448 The `Configure` script generates a Makefile in a format relevant to the specific
1449 platform. The Makefiles provide a number of targets that can be used. Not all
1450 targets may be available on all platforms. Only the most common targets are
1451 described here. Examine the Makefiles themselves for the full list.
1454 The target to build all the software components and
1458 Build all the software components.
1459 THIS IS THE DEFAULT TARGET.
1462 Build all documentation components.
1465 Remove all build artefacts and return the directory to a "clean"
1469 Rebuild the dependencies in the Makefiles. This is a legacy
1470 option that no longer needs to be used since OpenSSL 1.1.0.
1473 Install all OpenSSL components.
1476 Only install the OpenSSL software components.
1479 Only install the OpenSSL documentation components.
1482 Only install the OpenSSL man pages (Unix only).
1485 Only install the OpenSSL HTML documentation.
1488 Install the FIPS provider module configuration file.
1491 Prints a list of all the self test names.
1494 Build and run the OpenSSL self tests.
1497 Uninstall all OpenSSL components.
1501 Re-run the configuration process, as exactly as the last time
1505 This is a developer option. If you are developing a patch for
1506 OpenSSL you may need to use this if you want to update
1507 automatically generated files; add new error codes or add new
1508 (or change the visibility of) public API functions. (Unix only).
1510 Running Selected Tests
1511 ----------------------
1513 You can specify a set of tests to be performed
1514 using the `make` variable `TESTS`.
1516 See the section [Running Selected Tests of
1517 test/README.md](test/README.md#running-selected-tests).
1522 Configuration Problems
1523 ----------------------
1525 ### Selecting the correct target
1527 The `./Configure` script tries hard to guess your operating system, but in some
1528 cases it does not succeed. You will see a message like the following:
1531 Operating system: x86-whatever-minix
1532 This system (minix) is not supported. See file INSTALL.md for details.
1534 Even if the automatic target selection by the `./Configure` script fails,
1535 chances are that you still might find a suitable target in the `Configurations`
1536 directory, which you can supply to the `./Configure` command,
1537 possibly after some adjustment.
1539 The `Configurations/` directory contains a lot of examples of such targets.
1540 The main configuration file is [10-main.conf], which contains all targets that
1541 are officially supported by the OpenSSL team. Other configuration files contain
1542 targets contributed by other OpenSSL users. The list of targets can be found in
1543 a Perl list `my %targets = ( ... )`.
1548 inherit_from => [ "base-target" ],
1550 cflags => add("..."),
1552 perlasm_scheme => "...",
1557 If you call `./Configure` without arguments, it will give you a list of all
1558 known targets. Using `grep`, you can lookup the target definition in the
1559 `Configurations/` directory. For example the `android-x86_64` can be found in
1560 [Configurations/15-android.conf](Configurations/15-android.conf).
1562 The directory contains two README files, which explain the general syntax and
1563 design of the configuration files.
1565 - [Configurations/README.md](Configurations/README.md)
1566 - [Configurations/README-design.md](Configurations/README-design.md)
1568 If you need further help, try to search the [openssl-users] mailing list
1569 or the [GitHub Issues] for existing solutions. If you don't find anything,
1570 you can [raise an issue] to ask a question yourself.
1572 More about our support resources can be found in the [SUPPORT] file.
1574 ### Configuration Errors
1576 If the `./Configure` or `./Configure` command fails with an error message,
1577 read the error message carefully and try to figure out whether you made
1578 a mistake (e.g., by providing a wrong option), or whether the script is
1579 working incorrectly. If you think you encountered a bug, please
1580 [raise an issue] on GitHub to file a bug report.
1582 Along with a short description of the bug, please provide the complete
1583 configure command line and the relevant output including the error message.
1585 Note: To make the output readable, pleace add a 'code fence' (three backquotes
1586 ` ``` ` on a separate line) before and after your output:
1589 ./Configure [your arguments...]
1598 If the build fails, look carefully at the output. Try to locate and understand
1599 the error message. It might be that the compiler is already telling you
1600 exactly what you need to do to fix your problem.
1602 There may be reasons for the failure that aren't problems in OpenSSL itself,
1603 for example if the compiler reports missing standard or third party headers.
1605 If the build succeeded previously, but fails after a source or configuration
1606 change, it might be helpful to clean the build tree before attempting another
1607 build. Use this command:
1610 $ mms clean ! (or mmk) OpenVMS
1611 $ nmake clean # Windows
1613 Assembler error messages can sometimes be sidestepped by using the
1614 `no-asm` configuration option.
1616 Compiling parts of OpenSSL with gcc and others with the system compiler will
1617 result in unresolved symbols on some systems.
1619 If you are still having problems, try to search the [openssl-users] mailing
1620 list or the [GitHub Issues] for existing solutions. If you think you
1621 encountered an OpenSSL bug, please [raise an issue] to file a bug report.
1622 Please take the time to review the existing issues first; maybe the bug was
1623 already reported or has already been fixed.
1628 If some tests fail, look at the output. There may be reasons for the failure
1629 that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue).
1631 You may want increased verbosity, that can be accomplished as described in
1632 section [Test Failures of test/README.md](test/README.md#test-failures).
1634 You may also want to selectively specify which test(s) to perform. This can be
1635 done using the `make` variable `TESTS` as described in section [Running
1636 Selected Tests of test/README.md](test/README.md#running-selected-tests).
1638 If you find a problem with OpenSSL itself, try removing any
1639 compiler optimization flags from the `CFLAGS` line in the Makefile and
1640 run `make clean; make` or corresponding.
1642 To report a bug please open an issue on GitHub, at
1643 <https://github.com/openssl/openssl/issues>.
1648 Notes on multi-threading
1649 ------------------------
1651 For some systems, the OpenSSL `Configure` script knows what compiler options
1652 are needed to generate a library that is suitable for multi-threaded
1653 applications. On these systems, support for multi-threading is enabled
1654 by default; use the `no-threads` option to disable (this should never be
1657 On other systems, to enable support for multi-threading, you will have
1658 to specify at least two options: `threads`, and a system-dependent option.
1659 (The latter is `-D_REENTRANT` on various systems.) The default in this
1660 case, obviously, is not to include support for multi-threading (but
1661 you can still use `no-threads` to suppress an annoying warning message
1662 from the `Configure` script.)
1664 OpenSSL provides built-in support for two threading models: pthreads (found on
1665 most UNIX/Linux systems), and Windows threads. No other threading models are
1666 supported. If your platform does not provide pthreads or Windows threads then
1667 you should use `Configure` with the `no-threads` option.
1669 Notes on shared libraries
1670 -------------------------
1672 For most systems the OpenSSL `Configure` script knows what is needed to
1673 build shared libraries for libcrypto and libssl. On these systems
1674 the shared libraries will be created by default. This can be suppressed and
1675 only static libraries created by using the `no-shared` option. On systems
1676 where OpenSSL does not know how to build shared libraries the `no-shared`
1677 option will be forced and only static libraries will be created.
1679 Shared libraries are named a little differently on different platforms.
1680 One way or another, they all have the major OpenSSL version number as
1681 part of the file name, i.e. for OpenSSL 1.1.x, `1.1` is somehow part of
1684 On most POSIX platforms, shared libraries are named `libcrypto.so.1.1`
1685 and `libssl.so.1.1`.
1687 on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll`
1688 with import libraries `libcrypto.dll.a` and `libssl.dll.a`.
1690 On Windows build with MSVC or using MingW, shared libraries are named
1691 `libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows,
1692 `libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows,
1693 and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows.
1694 With MSVC, the import libraries are named `libcrypto.lib` and `libssl.lib`,
1695 while with MingW, they are named `libcrypto.dll.a` and `libssl.dll.a`.
1697 On VMS, shareable images (VMS speak for shared libraries) are named
1698 `ossl$libcrypto0101_shr.exe` and `ossl$libssl0101_shr.exe`. However, when
1699 OpenSSL is specifically built for 32-bit pointers, the shareable images
1700 are named `ossl$libcrypto0101_shr32.exe` and `ossl$libssl0101_shr32.exe`
1701 instead, and when built for 64-bit pointers, they are named
1702 `ossl$libcrypto0101_shr64.exe` and `ossl$libssl0101_shr64.exe`.
1704 Notes on random number generation
1705 ---------------------------------
1707 Availability of cryptographically secure random numbers is required for
1708 secret key generation. OpenSSL provides several options to seed the
1709 internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse
1710 to deliver random bytes and a "PRNG not seeded error" will occur.
1712 The seeding method can be configured using the `--with-rand-seed` option,
1713 which can be used to specify a comma separated list of seed methods.
1714 However, in most cases OpenSSL will choose a suitable default method,
1715 so it is not necessary to explicitly provide this option. Note also
1716 that not all methods are available on all platforms. The FIPS provider will
1717 silently ignore seed sources that were not validated.
1719 I) On operating systems which provide a suitable randomness source (in
1720 form of a system call or system device), OpenSSL will use the optimal
1721 available method to seed the CSPRNG from the operating system's
1722 randomness sources. This corresponds to the option `--with-rand-seed=os`.
1724 II) On systems without such a suitable randomness source, automatic seeding
1725 and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary
1726 to install additional support software to obtain a random seed and reseed
1727 the CSPRNG manually. Please check out the manual pages for `RAND_add()`,
1728 `RAND_bytes()`, `RAND_egd()`, and the FAQ for more information.
1733 <https://mta.openssl.org/mailman/listinfo/openssl-users>
1739 <https://github.com/openssl/openssl/issues>
1742 <https://github.com/openssl/openssl/issues/new/choose>
1745 Configurations/10-main.conf