Difference between revisions of "OpenSSL"

From CBLFS
Jump to navigationJump to search
 
(Makes more sense to have x86 instead of x86_64 with the other 32bit target names like sparc, powerpc...)
 
(62 intermediate revisions by 16 users not shown)
Line 2: Line 2:
 
|-
 
|-
 
!Download Source:
 
!Download Source:
| http://www.openssl.org/source/openssl-0.9.8b.tar.gz
+
| http://www.openssl.org/source/openssl-{{OpenSSL-Version}}.tar.gz
 
|-
 
|-
!Download Source:
+
!Required Patch:
| ftp://ftp.openssl.org/source/openssl-0.9.8b.tar.gz
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-fix_manpages-1.patch
 
|-
 
|-
!Required Patch:
+
!Required Patch (x86_64 Multilib):
| http://www.linuxfromscratch.org/patches/blfs/svn/openssl-0.9.8b-fix_manpages-1.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-32bit_x86_64-1.patch
 
|-
 
|-
!Required Patch (Multilib):
+
!Required Patch (MIPS):
| http://www.linuxfromscratch.org/patches/downloads/openssl/openssl-0.9.8b-allow_lib64-2.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-mips_support-1.patch
 
|-
 
|-
!Required Patch (x86_64 Multilib):
+
|Optional Patch:
| http://cross-lfs.org/~jciccone/openssl-0.9.8b-32bit_x86_64.patch
+
| http://svn.clfs.org/svn/repos/patches/openssl/openssl-{{OpenSSL-Version}}-fix_parallel_build-1.patch
 
|}
 
|}
  
 
----
 
----
 +
 +
{{Package-Introduction|The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.|http://www.openssl.org/ }}
  
 
== Dependencies ==
 
== Dependencies ==
  
 
=== Optional ===
 
=== Optional ===
* [[bc]]
+
* [[bc]] (used by the testsuite)
 +
* [[CVS]] (used by the certificate bundle script)
 +
 
 +
{{Note|Kerberos support is currently BROKEN, DO NOT USE}}
 +
 
 +
{{Note|Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error. Apply the parallel build patch:
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_parallel_build-1.patch}}
  
 
== Non-Multilib ==
 
== Non-Multilib ==
 +
 +
{{Note|When building on Sparc in Pure 64bit, use the configure command from the multilib section, then proceed as normal}}
  
 
Compile the package:
 
Compile the package:
  
  patch -Np1 -i ../openssl-0.9.8b-fix_manpages-1.patch &&
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch &&
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./config --openssldir=/etc/ssl --prefix=/usr shared &&
 
  ./config --openssldir=/etc/ssl --prefix=/usr shared &&
 
  make MANDIR=/usr/share/man
 
  make MANDIR=/usr/share/man
Line 35: Line 46:
  
 
  make MANDIR=/usr/share/man install &&
 
  make MANDIR=/usr/share/man install &&
 +
ln -sv ../../etc/ssl /usr/share &&
 
  cp -v -r certs /etc/ssl &&
 
  cp -v -r certs /etc/ssl &&
  install -v -d -m755 /usr/share/doc/openssl-0.9.8b &&
+
  install -v -d -m755 /usr/share/doc/openssl-{{OpenSSL-Version}} &&
 
  cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
 
  cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
     /usr/share/doc/openssl-0.9.8b
+
     /usr/share/doc/openssl-{{OpenSSL-Version}}
  
 
== Multilib ==
 
== Multilib ==
  
 
=== 32Bit ===
 
=== 32Bit ===
 +
 +
Apply Patches:
 +
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
  
==== x86_64 ====
+
==== x86 ====
  
  patch -Np1 -i ../openssl-0.9.8b-32bit_x86_64.patch &&
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-32bit_x86_64-1.patch &&
 
  ./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared
  
Line 57: Line 73:
 
==== Mips (Little-Endian) ====
 
==== Mips (Little-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared
  
 
==== Mips (Big-Endian) ====
 
==== Mips (Big-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared
 +
 +
==== PowerPC ====
 +
 +
./Configure linux-ppc --openssldir=/etc/ssl --prefix=/usr shared
  
 
Compile the package:
 
Compile the package:
  
  make CC="gcc ${BUILD32}" PERL=/usr/bin/perl
+
  USE_ARCH=32 make CC="gcc ${BUILD32}" PERL=/usr/bin/perl
  
 
Install the package:
 
Install the package:
  
  make PERL=/usr/bin/perl MANDIR=/usr/share/man install
+
  USE_ARCH=32 make PERL=/usr/bin/perl MANDIR=/usr/share/man install
  
 
=== N32 ===
 
=== N32 ===
  
This patch allows OpenSSL to be installed a dir other then lib.
+
Apply Patches:
  
  patch -Np1 -i ../openssl-0.9.8b-allow_lib64-2.patch
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch &&
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
Line 89: Line 112:
 
Compile the package:
 
Compile the package:
  
  make CC="gcc ${BUILDN32}" PERL=/usr/bin/perl LIBDIR=lib32
+
  USE_ARCH=n32 make CC="gcc ${BUILDN32}" PERL=/usr/bin/perl LIBDIR=lib32
  
 
Install the package:
 
Install the package:
  
  make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib32 install
+
  USE_ARCH=n32 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib32 install
  
 
=== 64Bit ===
 
=== 64Bit ===
  
This patch allows OpenSSL to be installed a dir other then lib.
+
Apply Patches:
  
  patch -Np1 -i ../openssl-0.9.8b-allow_lib64-2.patch
+
  patch -Np1 -i ../openssl-{{OpenSSL-Version}}-fix_manpages-1.patch  
  
 
Configure the Package (Use the appropriate command):
 
Configure the Package (Use the appropriate command):
Line 113: Line 136:
 
==== Mips (Little-Endian) ====
 
==== Mips (Little-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared
  
 
==== Mips (Big-Endian) ====
 
==== Mips (Big-Endian) ====
  
 +
patch -Np1 -i ../openssl-{{OpenSSL-Version}}-mips_support-1.patch &&
 
  ./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared
 
  ./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared
 +
 +
==== PowerPC ====
 +
 +
./Configure linux-ppc64 --openssldir=/etc/ssl --prefix=/usr shared
  
 
Compile the package:
 
Compile the package:
  
  make CC="gcc ${BUILD64}" PERL=/usr/bin/perl LIBDIR=lib64
+
  USE_ARCH=64 make CC="gcc ${BUILD64}" PERL=/usr/bin/perl LIBDIR=lib64
  
 
Install the package:
 
Install the package:
  
  make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install
+
  USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install &&
 +
ln -sv ../../etc/ssl /usr/share &&
 +
cp -v -r certs /etc/ssl &&
 +
install -v -d -m755 /usr/share/doc/openssl-{{OpenSSL-Version}} &&
 +
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
 +
    /usr/share/doc/openssl-{{OpenSSL-Version}}
 +
 
 +
== Configuring ==
 +
 
 +
You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html
 +
 
 +
cat > mkcabundle.pl << "EOF"
 +
#!/usr/bin/perl -w                                                                                                         
 +
#                                                                                                                         
 +
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.                                                         
 +
# Run as ./mkcabundle.pl > ca-bundle.crt                                                                                   
 +
#                                                                                                                         
 +
 +
my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
 +
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';
 +
 +
open(IN, "cvs -d $cvsroot co -p $certdata|")
 +
    || die "could not check out certdata.txt";
 +
 +
my $incert = 0;
 +
 +
print<<EOH;
 +
# This is a bundle of X.509 certificates of public Certificate
 +
# Authorities.  It was generated from the Mozilla root CA list.
 +
#
 +
# Source: $certdata
 +
#
 +
EOH
 +
 +
while (<IN>) {
 +
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
 +
        $incert = 1;
 +
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
 +
            || die "could not pipe to openssl x509";
 +
    } elsif (/^END/ && $incert) {
 +
        close(OUT);
 +
        $incert = 0;
 +
        print "\n\n";
 +
    } elsif ($incert) {
 +
        my @bs = split(/\\/);
 +
        foreach my $b (@bs) {
 +
            chomp $b;
 +
            printf(OUT "%c", oct($b)) unless $b eq <nowiki>''</nowiki>;
 +
        }
 +
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
 +
        print "# Generated from certdata.txt RCS revision $1\n#\n";
 +
    }
 +
}
 +
EOF
 +
 
 +
This command requires that you have Perl and [[CVS]] installed:
 +
 
 +
./mkcabundle.pl > ca-bundle.crt &&
 +
install -Dv -m644 ca-bundle.crt /etc/ssl/certs
 +
 
 +
= Contents =
 +
 
 +
{| style="text-align: left;"
 +
|-
 +
! Installed Programs:
 +
| c_rehash, openssl
 +
|-
 +
! Installed Libraries:
 +
| libcrypto.{so,a}, libssl.{so,a}
 +
|-
 +
! Installed Directories:
 +
| /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-{{OpenSSL-Version}}
 +
|}
 +
 
 +
=== Short Descriptions ===
 +
 
 +
{| style="text-align: left;"
 +
|-
 +
! c_rehash
 +
| is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
 +
|-valign="top"
 +
! openssl
 +
| is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
 +
|-
 +
! libcrypto.{so,a}
 +
| implements a wide range of cryptographic algorithms used in various Internet standards.
 +
|-
 +
!libssl.{so,a}
 +
| implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
 +
|}
 +
 
 +
[[Category:Security]]

Latest revision as of 17:08, 7 April 2017

Download Source: http://www.openssl.org/source/openssl-1.0.1e.tar.gz
Required Patch: http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-fix_manpages-1.patch
Required Patch (x86_64 Multilib): http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-32bit_x86_64-1.patch
Required Patch (MIPS): http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-mips_support-1.patch
Optional Patch: http://svn.clfs.org/svn/repos/patches/openssl/openssl-1.0.1e-fix_parallel_build-1.patch

Introduction to OpenSSL

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

Project Homepage: http://www.openssl.org/

Dependencies

Optional

  • bc (used by the testsuite)
  • CVS (used by the certificate bundle script)
Caution.png

Note

Kerberos support is currently BROKEN, DO NOT USE
Caution.png

Note

Parallel build (make -j ...) may fail to install openssl but still appear to complete "successfully," without stopping at the error. Apply the parallel build patch: patch -Np1 -i ../openssl-1.0.1e-fix_parallel_build-1.patch

Non-Multilib

Caution.png

Note

When building on Sparc in Pure 64bit, use the configure command from the multilib section, then proceed as normal

Compile the package:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

Install the package

make MANDIR=/usr/share/man install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Multilib

32Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch 

Configure the Package (Use the appropriate command):

x86

patch -Np1 -i ../openssl-1.0.1e-32bit_x86_64-1.patch &&
./Configure linux-x86_64-32 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mipsel --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=32 make CC="gcc ${BUILD32}" PERL=/usr/bin/perl

Install the package:

USE_ARCH=32 make PERL=/usr/bin/perl MANDIR=/usr/share/man install

N32

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch &&
patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch

Configure the Package (Use the appropriate command):

Mips (Little-Endian)

./Configure linux-mipsel-n32 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

./Configure linux-mips-n32 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=n32 make CC="gcc ${BUILDN32}" PERL=/usr/bin/perl LIBDIR=lib32

Install the package:

USE_ARCH=n32 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib32 install

64Bit

Apply Patches:

patch -Np1 -i ../openssl-1.0.1e-fix_manpages-1.patch 

Configure the Package (Use the appropriate command):

x86_64

./Configure linux-x86_64 --openssldir=/etc/ssl --prefix=/usr shared

Sparc

./Configure linux64-sparcv9 --openssldir=/etc/ssl --prefix=/usr shared

Mips (Little-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64el --openssldir=/etc/ssl --prefix=/usr shared

Mips (Big-Endian)

patch -Np1 -i ../openssl-1.0.1e-mips_support-1.patch &&
./Configure linux-mips64 --openssldir=/etc/ssl --prefix=/usr shared

PowerPC

./Configure linux-ppc64 --openssldir=/etc/ssl --prefix=/usr shared

Compile the package:

USE_ARCH=64 make CC="gcc ${BUILD64}" PERL=/usr/bin/perl LIBDIR=lib64

Install the package:

USE_ARCH=64 make PERL=/usr/bin/perl MANDIR=/usr/share/man LIBDIR=lib64 install &&
ln -sv ../../etc/ssl /usr/share &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-1.0.1e &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-1.0.1e

Configuring

You can create a ca-bundle with the following script, it is from: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html

cat > mkcabundle.pl << "EOF"
#!/usr/bin/perl -w                                                                                                          
#                                                                                                                           
# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.                                                           
# Run as ./mkcabundle.pl > ca-bundle.crt                                                                                    
#                                                                                                                           

my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';

open(IN, "cvs -d $cvsroot co -p $certdata|")
    || die "could not check out certdata.txt";

my $incert = 0;

print<<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while (<IN>) {
    if (/^CKA_VALUE MULTILINE_OCTAL/) {
        $incert = 1;
        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
            || die "could not pipe to openssl x509";
    } elsif (/^END/ && $incert) {
        close(OUT);
        $incert = 0;
        print "\n\n";
    } elsif ($incert) {
        my @bs = split(/\\/);
        foreach my $b (@bs) {
            chomp $b;
            printf(OUT "%c", oct($b)) unless $b eq '';
        }
    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
        print "# Generated from certdata.txt RCS revision $1\n#\n";
    }
}
EOF

This command requires that you have Perl and CVS installed:

./mkcabundle.pl > ca-bundle.crt &&
install -Dv -m644 ca-bundle.crt /etc/ssl/certs

Contents

Installed Programs: c_rehash, openssl
Installed Libraries: libcrypto.{so,a}, libssl.{so,a}
Installed Directories: /etc/ssl, /usr/include/ssl, /usr/lib/engines, /usr/share/doc/openssl-1.0.1e

Short Descriptions

c_rehash is a Perl script that scans all files in a directory and adds symbolic links to their hash values.
openssl is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell.
libcrypto.{so,a} implements a wide range of cryptographic algorithms used in various Internet standards.
libssl.{so,a} implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols
Retrieved from "?title=OpenSSL&oldid=21662"