Difference between revisions of "OpenSSL"

From CBLFS
Jump to navigationJump to search
(I added the package description from BLFS.)
(Makes more sense to have x86 instead of x86_64 with the other 32bit target names like sparc, powerpc...)
 
(50 intermediate revisions by 13 users not shown)
Line 2: Line 2:
 
|-
 
|-
 
!Download Source:
 
!Download Source:
| http://www.openssl.org/source/openssl-0.9.8d.tar.gz
+
| http://www.openssl.org/source/openssl-{{OpenSSL-Version}}.tar.gz
|-
 
!Download Source:
 
| ftp://ftp.openssl.org/source/openssl-0.9.8d.tar.gz
 
 
|-
 
|-
 
!Required Patch:
 
!Required Patch:
| http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8d-fix_manpages-1.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-fix_manpages-1.patch
|-
 
!Required Patch (Multilib):
 
| http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8d-allow_lib64-1.patch
 
 
|-
 
|-
 
!Required Patch (x86_64 Multilib):
 
!Required Patch (x86_64 Multilib):
| http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8d-32bit_x86_64-1.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-32bit_x86_64-1.patch
 
|-
 
|-
 
!Required Patch (MIPS):
 
!Required Patch (MIPS):
| http://svn.cross-lfs.org/svn/repos/patches/openssl/openssl-0.9.8d-mips_support-1.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-mips_support-1.patch
 +
|-
 +
|Optional Patch:
 +
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-fix_parallel_build-1.patch
 
|}
 
|}
  
 
----
 
----
  
== Introduction to OpenSSL ==
+
{{Package-Introduction|The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.|http://www.openssl.org/ }}
 
 
The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).
 
  
 
== Dependencies ==
 
== Dependencies ==
Line 30: Line 25:
 
=== Optional ===
 
=== Optional ===
 
* [[bc]] (used by the testsuite)
 
* [[bc]] (used by the testsuite)
 +
* [[CVS]] (used by the certificate bundle script)
 +
 +
{{Note|Kerberos support is currently BROKEN, DO NOT USE}}
 +
 +
{{Note|Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error. Apply the parallel build patch:
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_parallel_build-1.patch}}
  
 
== Non-Multilib ==
 
== Non-Multilib ==
 +
 +
{{Note|When building on Sparc in Pure 64bit, use the configure command from the multilib section, then proceed as normal}}
  
 
Compile the package:
 
Compile the package:
  
  patch -Np1 -i ../openssl-0.9.8d-fix_manpages-1.patch &&
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch &&
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./config --openssldir=/etc/ssl --prefix=/usr shared &&
 
  ./config --openssldir=/etc/ssl --prefix=/usr shared &&
 
  make MANDIR=/usr/share/man
 
  make MANDIR=/usr/share/man
Line 42: Line 46:
  
 
  make MANDIR=/usr/share/man install &&
 
  make MANDIR=/usr/share/man install &&
 +
ln -sv ../../etc/ssl /usr/share &&
 
  cp -v -r certs /etc/ssl &&
 
  cp -v -r certs /etc/ssl &&
  install -v -d -m755 /usr/share/doc/openssl-0.9.8d &&
+
  install -v -d -m755 /usr/share/doc/openssl-{{OpenSSL-Version}} &&
 
  cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
 
  cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
     /usr/share/doc/openssl-0.9.8d
+
     /usr/share/doc/openssl-{{OpenSSL-Version}}
  
 
== Multilib ==
 
== Multilib ==
  
 
=== 32Bit ===
 
=== 32Bit ===
 +
 +
Apply Patches:
 +
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
  
==== x86_64 ====
+
==== x86 ====
  
  patch -Np1 -i ../openssl-0.9.8d-32bit_x86_64-1.patch &&
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-32bit_x86_64-1.patch &&
 
  ./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared
  
Line 64: Line 73:
 
==== Mips (Little-Endian) ====
 
==== Mips (Little-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared
  
 
==== Mips (Big-Endian) ====
 
==== Mips (Big-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared
 +
 +
==== PowerPC ====
 +
 +
./Configure linux-ppc --openssldir=/etc/ssl --prefix=/usr shared
  
 
Compile the package:
 
Compile the package:
Line 80: Line 95:
 
=== N32 ===
 
=== N32 ===
  
This patch allows OpenSSL to be installed a dir other then lib.
+
Apply Patches:
  
  patch -Np1 -i ../openssl-0.9.8d-allow_lib64-1.patch
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch &&
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
Line 104: Line 120:
 
=== 64Bit ===
 
=== 64Bit ===
  
This patch allows OpenSSL to be installed into a dir other then lib:
+
Apply Patches:
  
  patch -Np1 -i ../openssl-0.9.8d-allow_lib64-1.patch
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch  
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
Line 120: Line 136:
 
==== Mips (Little-Endian) ====
 
==== Mips (Little-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared
  
 
==== Mips (Big-Endian) ====
 
==== Mips (Big-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared
 +
 +
==== PowerPC ====
 +
 +
./Configure linux-ppc64 --openssldir=/etc/ssl --prefix=/usr shared
  
 
Compile the package:
 
Compile the package:
Line 132: Line 154:
 
Install the package:
 
Install the package:
  
  USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install
+
  USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install &&
 +
ln -sv ../../etc/ssl /usr/share &&
 +
cp -v -r certs /etc/ssl &&
 +
install -v -d -m755 /usr/share/doc/openssl-{{OpenSSL-Version}} &&
 +
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
 +
    /usr/share/doc/openssl-{{OpenSSL-Version}}
 +
 
 +
== Configuring ==
  
 +
You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
  
= Contents =
+
cat > mkcabundle.pl << "EOF"
 +
#!/usr/bin/perl -w                                                                                                         
 +
#                                                                                                                         
 +
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.                                                         
 +
# Run as ./mkcabundle.pl > ca-bundle.crt                                                                                   
 +
#                                                                                                                         
 +
 +
my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
 +
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';
 +
 +
open(IN, "cvs -d $cvsroot co -p $certdata|")
 +
    || die "could not check out certdata.txt";
 +
 +
my $incert = 0;
 +
 +
print<<EOH;
 +
# This is a bundle of X.509 certificates of public Certificate
 +
# Authorities.  It was generated from the Mozilla root CA list.
 +
#
 +
# Source: $certdata
 +
#
 +
EOH
 +
 +
while (<IN>) {
 +
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
 +
        $incert = 1;
 +
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
 +
            || die "could not pipe to openssl x509";
 +
    } elsif (/^END/ && $incert) {
 +
        close(OUT);
 +
        $incert = 0;
 +
        print "\n\n";
 +
    } elsif ($incert) {
 +
        my @bs = split(/\\/);
 +
        foreach my $b (@bs) {
 +
            chomp $b;
 +
            printf(OUT "%c", oct($b)) unless $b eq <nowiki>''</nowiki>;
 +
        }
 +
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
 +
        print "# Generated from certdata.txt RCS revision $1\n#\n";
 +
    }
 +
}
 +
EOF
  
The OpenSSL package contains management tools and libraries relating to cryptography.
+
This command requires that you have Perl and [[CVS]] installed:
  
Installed Programs: c_rehash, openssl
+
./mkcabundle.pl > ca-bundle.crt &&
 +
install -Dv -m644 ca-bundle.crt /etc/ssl/certs
  
Installed Libraries: libcrypto.{so,a}, libssl.{so,a}
+
= Contents =
  
Installed Directories: /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-0.9.8c
+
{| style="text-align: left;"
 +
|-
 +
! Installed Programs:
 +
| c_rehash, openssl
 +
|-
 +
! Installed Libraries:
 +
| libcrypto.{so,a}, libssl.{so,a}
 +
|-
 +
! Installed Directories:
 +
| /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-{{OpenSSL-Version}}
 +
|}
  
 
=== Short Descriptions ===
 
=== Short Descriptions ===
  
c_rehash: is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
+
{| style="text-align: left;"
 
+
|-
openssl: is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell
+
! c_rehash
 
+
| is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
libcrypto.{so,a}: implements a wide range of cryptographic algorithms used in various Internet standards.
+
|-valign="top"
 +
! openssl
 +
| is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
 +
|-
 +
! libcrypto.{so,a}
 +
| implements a wide range of cryptographic algorithms used in various Internet standards.
 +
|-
 +
!libssl.{so,a}
 +
| implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
 +
|}
  
libssl.{so,a}: implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.
+
[[Category:Security]]

Latest revision as of 17:08, 7 April 2017

Download Source: http://www.openssl.org/source/openssl-1.0.1e.tar.gz
Required Patch: http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-fix_manpages-1.patch
Required Patch (x86_64 Multilib): http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-32bit_x86_64-1.patch
Required Patch (MIPS): http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-mips_support-1.patch
Optional Patch: http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-fix_parallel_build-1.patch

Introduction to OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Project Homepage: http://www.openssl.org/

Dependencies

Optional

  • bc (used by the testsuite)
  • CVS (used by the certificate bundle script)
Caution.png

Note

Kerberos support is currently BROKEN, DO NOT USE
Caution.png

Note

Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error. Apply the parallel build patch: patch -Np1 -i ../openssl-1.0.1e-fix_parallel_build-1.patch

Non-Multilib

Caution.png

Note

When building on Sparc in Pure 64bit, use the configure command from the multilib section, then proceed as normal

Compile the package:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

Install the package

make MANDIR=/usr/share/man install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Multilib

32Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch 

Configure the Package (Use the appropriate command):

x86

patch -Np1 -i ../openssl-1.0.1e-32bit_x86_64-1.patch &&
./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=32 make CC="gcc ${BUILD32}" PERL=/usr/bin/perl

Install the package:

USE_ARCH=32 make PERL=/usr/bin/perl MANDIR=/usr/share/man install

N32

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch

Configure the Package (Use the appropriate command):

Mips (Little-Endian)

./Configure linux-mipsel-n32 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

./Configure linux-mips-n32 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=n32 make CC="gcc ${BUILDN32}" PERL=/usr/bin/perl LIBDIR=lib32

Install the package:

USE_ARCH=n32 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib32 install

64Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch 

Configure the Package (Use the appropriate command):

x86_64

./Configure linux-x86_64 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux64-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc64 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=64 make CC="gcc ${BUILD64}" PERL=/usr/bin/perl LIBDIR=lib64

Install the package:

USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Configuring

You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

cat > mkcabundle.pl << "EOF"
#!/usr/bin/perl -w                                                                                                          
#                                                                                                                           
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.                                                           
# Run as ./mkcabundle.pl > ca-bundle.crt                                                                                    
#                                                                                                                           

my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

open(IN, "cvs -d $cvsroot co -p $certdata|")
    || die "could not check out certdata.txt";

my $incert = 0;

print<<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        my @bs = split(/\\/);
        foreach my $b (@bs) {
            chomp $b;
            printf(OUT "%c", oct($b)) unless $b eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}
EOF

This command requires that you have Perl and CVS installed:

./mkcabundle.pl > ca-bundle.crt &&
install -Dv -m644 ca-bundle.crt /etc/ssl/certs

Contents

Installed Programs: c_rehash, openssl
Installed Libraries: libcrypto.{so,a}, libssl.{so,a}
Installed Directories: /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-1.0.1e

Short Descriptions

c_rehash is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
openssl is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
libcrypto.{so,a} implements a wide range of cryptographic algorithms used in various Internet standards.
libssl.{so,a} implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
Retrieved from "?title=OpenSSL&oldid=21662"