2014-07-04 11:59:01 +02:00
2015-02-05 10:06:27 +01:00
2014-07-16 18:49:46 +02:00
Instructions
============
2014-07-18 22:48:46 +02:00
The precompiled binaries provided here have extended support for everything
2015-02-10 12:39:02 +01:00
which is normally not configured to be compiled (56 Bit, export/ANOn ciphers, SSLv2 etc.)
The bninraies come also with extended support for new cipher suites and/or
2014-07-16 18:49:46 +02:00
features which are not yet in the official branch.
2014-07-04 11:59:01 +02:00
2015-02-10 12:39:02 +01:00
The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
2014-07-16 18:35:42 +02:00
from Peter Mosmans. He has patched the master git branch
2014-07-16 18:49:46 +02:00
to support CHACHA20 + POLY1305 and other ciphers (like CAMELIA 256 Bit).
2014-07-16 18:35:42 +02:00
2014-07-16 18:49:46 +02:00
CHACHA20 + POLY1305 cipher suites from the official git repo didn't
2014-07-16 18:35:42 +02:00
work for me work correctly, it's also likely they'll disappear shortly
2014-07-04 12:27:17 +02:00
(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html).
2014-07-04 11:59:01 +02:00
2015-02-10 12:39:20 +01:00
*Pls note bug [#38 ](https://github.com/drwetter/testssl.sh/issues/38 ) = bug [#6 ](https://github.com/PeterMosmans/openssl/issues/5 ): False negatives for 40Bit and export ciphers.*
2015-02-10 12:39:02 +01:00
Workaround: use the vanilla tree, see https://github.com/drwetter/testssl.sh/openssl-bins/openssl-1.0.2-vanilla.
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
General
-------
2015-02-05 10:06:27 +01:00
Both 64+32 bit versions were compiled under Ubuntu 12.04 LTS. Likely you cannot use older distributions, younger should work. I provide for each distributions two sets of binaries:
2014-07-04 11:59:01 +02:00
2015-02-10 12:20:59 +01:00
* statically linked binaries
2014-07-16 18:35:42 +02:00
* dynamically linked binaries with MIT Kerberos support ("krb5" in the name)
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
For the latter you need a whopping bunch of kerberos libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
Compilation instructions
------------------------
2014-07-04 11:59:01 +02:00
If you want to compile OpenSSL yourself, here are the instructions:
2014-07-16 18:35:42 +02:00
1.) get openssl from Peter Mosmans' repo:
2014-07-04 12:27:17 +02:00
2014-07-16 18:35:42 +02:00
git clone https://github.com/PeterMosmans/openssl
cd openssl
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
2.) configure the damned thing. Options I used:
2014-07-04 11:59:01 +02:00
2015-02-05 09:22:01 +01:00
**for 64Bit including Kerberos ciphers:**
2014-07-04 11:59:01 +02:00
2014-10-16 16:46:01 +02:00
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
2014-10-16 16:47:54 +02:00
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
2014-10-16 16:46:01 +02:00
--with-krb5-flavor=MIT experimental-jpake
2015-02-05 09:22:01 +01:00
**for 64Bit, static binaries:**
2014-07-04 14:37:15 +02:00
2015-02-05 09:22:01 +01:00
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
-static experimental-jpake
**for 32 Bit including Kerberos ciphers:**
2014-07-04 14:37:15 +02:00
2014-10-16 16:46:01 +02:00
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
2014-10-16 16:47:54 +02:00
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
2014-10-16 16:46:01 +02:00
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
--with-krb5-flavor=MIT experimental-jpake
2015-02-05 09:22:01 +01:00
**for 32 Bit, static binaries:**
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
-static experimental-jpake
2014-07-04 11:59:01 +02:00
2014-07-16 18:49:46 +02:00
Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST [1] support.
2014-07-04 11:59:01 +02:00
2015-02-05 09:22:01 +01:00
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples). If you have other Kerberos flavors you need to figure out by yourself.
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
3.) make depend
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
4.) make
2014-07-04 12:15:13 +02:00
2014-07-16 18:35:42 +02:00
5.) make report (check whether it runs ok)
2014-07-04 12:15:13 +02:00
2014-11-24 16:43:11 +01:00
6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l" lists now for me
2015-02-05 09:22:01 +01:00
* 191(+4 GOST) ciphers -- including kerberos
* 177(+4 GOST) ciphers without kerberos
2014-07-04 11:59:01 +02:00
2014-07-16 18:35:42 +02:00
as opposed to 111/109 from Ubuntu or Opensuse.
2014-07-04 11:59:01 +02:00
2014-07-14 20:19:03 +02:00
Enjoy, Dirk
PS: **Never use these binaries for anything else then for testing**
2014-07-04 14:15:45 +02:00
2014-07-04 11:59:01 +02:00
2014-07-04 14:37:15 +02:00
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29