Difference between revisions of "OpenSSL"

From CBLFS
Jump to navigationJump to search
(Configuring)
Line 184: Line 184:
 
You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
 
You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
  
  cat > mkcabundle.pl << "EOF"
+
  <nowiki>cat > mkcabundle.pl << "EOF"
 
  #!/usr/bin/perl -w                                                                                                           
 
  #!/usr/bin/perl -w                                                                                                           
 
  #                                                                                                                           
 
  #                                                                                                                           
Line 226: Line 226:
 
     }
 
     }
 
  }
 
  }
  EOF
+
  EOF</nowiki>
  
 
This command requires that you have Perl and [[CVS]] installed:
 
This command requires that you have Perl and [[CVS]] installed:

Revision as of 10:49, 4 October 2009

Download Source: http://www.openssl.org/source/openssl-1.0.1e.tar.gz
Required Patch: http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-1.0.1e-fix_manpages-1.patch
Required Patch: http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-1.0.1e-build_fix-1.patch
Required Patch (Multilib): http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-1.0.1e-allow_lib64-1.patch
Required Patch (x86_64 Multilib): http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-1.0.1e-32bit_x86_64-1.patch
Required Patch (MIPS): http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-1.0.1e-mips_support-1.patch

Introduction to OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Project Homepage: http://www.openssl.org/

Dependencies

Optional

  • bc (used by the testsuite)
Caution.png

Note

Kerberos support is currently BROKEN, DO NOT USE

Non-Multilib

Caution.png

Note

When building on Sparc in Pure 64bit, use the configure command from the multilib section, then proceed as normal
Caution.png

Note

Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error.
Caution.png

Note

Some patches may fail (order dependent?). I suggest manually editing patch files to remove unnecessary patches to Configure~ (note the "~"). Some patches may still fail, in which case you may easily examine the ".rej" file and make the change manually. Developer may want to fix this, remove Configure~ (and any other ~ files) from the build directory, and re-diff.

Compile the package:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-build_fix-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

Install the package

make MANDIR=/usr/share/man install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Multilib

Caution.png

Note

Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error.
Caution.png

Note

Some patches may fail (order dependent?). I suggest manually editing patch files to remove unnecessary patches to Configure~ (note the "~"). Some patches may still fail, in which case you may easily examine the ".rej" file and make the change manually. Developer may want to fix this, remove Configure~ (and any other ~ files) from the build directory, and re-diff.

32Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-build_fix-1.patch

Configure the Package (Use the appropriate command):

x86_64

patch -Np1 -i ../openssl-1.0.1e-32bit_x86_64-1.patch &&
./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=32 make CC="gcc ${BUILD32}" PERL=/usr/bin/perl

Install the package:

USE_ARCH=32 make PERL=/usr/bin/perl MANDIR=/usr/share/man install

N32

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-build_fix-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch

This patch allows OpenSSL to be installed a dir other than lib.

patch -Np1 -i ../openssl-1.0.1e-allow_lib64-1.patch

Configure the Package (Use the appropriate command):

Mips (Little-Endian)

./Configure linux-mipsel-n32 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

./Configure linux-mips-n32 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=n32 make CC="gcc ${BUILDN32}" PERL=/usr/bin/perl LIBDIR=lib32

Install the package:

USE_ARCH=n32 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib32 install

64Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-build_fix-1.patch

This patch allows OpenSSL to be installed into a dir other than lib:

patch -Np1 -i ../openssl-1.0.1e-allow_lib64-1.patch

Configure the Package (Use the appropriate command):

x86_64

./Configure linux-x86_64 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux64-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc64 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=64 make CC="gcc ${BUILD64}" PERL=/usr/bin/perl LIBDIR=lib64

Install the package:

USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Configuring

You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

cat > mkcabundle.pl << "EOF"
 #!/usr/bin/perl -w                                                                                                          
 #                                                                                                                           
 # Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.                                                           
 # Run as ./mkcabundle.pl > ca-bundle.crt                                                                                    
 #                                                                                                                           
 
 my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
 my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';
 
 open(IN, "cvs -d $cvsroot co -p $certdata|")
     || die "could not check out certdata.txt";
 
 my $incert = 0;
 
 print<<EOH;
 # This is a bundle of X.509 certificates of public Certificate
 # Authorities.  It was generated from the Mozilla root CA list.
 #
 # Source: $certdata
 #
 EOH
 
 while (<IN>) {
     if (/^CKA_VALUE MULTILINE_OCTAL/) {
         $incert = 1;
         open(OUT, "|openssl x509 -text -inform DER -fingerprint")
             || die "could not pipe to openssl x509";
     } elsif (/^END/ && $incert) {
         close(OUT);
         $incert = 0;
         print "\n\n";
     } elsif ($incert) {
         my @bs = split(/\\/);
         foreach my $b (@bs) {
             chomp $b;
             printf(OUT "%c", oct($b)) unless $b eq '';
         }
     } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
         print "# Generated from certdata.txt RCS revision $1\n#\n";
     }
 }
 EOF

This command requires that you have Perl and CVS installed:

./mkcabundle.pl > ca-bundle.crt &&
install -Dv -m644 ca-bundle.crt /etc/ssl/certs

Contents

Installed Programs: c_rehash, openssl
Installed Libraries: libcrypto.{so,a}, libssl.{so,a}
Installed Directories: /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-1.0.1e

Short Descriptions

c_rehash is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
openssl is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
libcrypto.{so,a} implements a wide range of cryptographic algorithms used in various Internet standards.
libssl.{so,a} implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
Retrieved from "?title=OpenSSL&oldid=19535"