testssl.sh/bin/Readme.md

119 lines
5.1 KiB
Markdown
Raw Normal View History

2015-07-17 11:04:01 +02:00
Binaries
========
2015-07-21 10:34:08 +02:00
The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
and will be picked up from testssl.sh if you run testssl.sh directly
2015-09-03 13:20:52 +02:00
off the git directory. Otherwise you need ``testssl.sh`` to point to it
via the argument (``--openssl=<here>``) or as an environment variable
2015-09-03 12:47:40 +02:00
(``OPENSSL=<here> testssl.sh <yourargs>``).
2015-07-17 11:04:01 +02:00
2015-09-03 13:20:52 +02:00
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
they won't be automatically picked up as you need to make sure first they
run (see libraries below).
All the precompiled binaries provided here have extended support for
2015-09-03 12:47:40 +02:00
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
export/ANON ciphers, weak DH ciphers, SSLv2 etc. -- all the dirty
2015-09-03 13:20:52 +02:00
features needed for testing. OTOH they also come with extended support
for new / advanced cipher suites and/or features which are not in the
official branch like CHACHA20+POLY1305 and CAMELIA 256 bit ciphers.
2015-09-03 12:47:40 +02:00
2015-10-05 09:19:11 +02:00
The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
2015-09-03 13:20:52 +02:00
from Peter Mosmans (https://github.com/PeterMosmans/openssl). Thx a bunch,
Peter!
2015-09-03 12:47:40 +02:00
2015-09-03 13:20:52 +02:00
Compiled Linux binaries so far come from Dirk, other contributors see ../CREDITS.md .
2015-09-03 12:47:40 +02:00
Compiling and Usage Instructions
================================
General
-------
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
cannot use them for older distributions, younger worked in all my test environments.
I provide for each distributions two sets of binaries:
* completely statically linked binaries
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
static kerberos libs and I did not bother to compile them from the sources.
Compilation instructions
------------------------
If you want to compile OpenSSL yourself, here are the instructions:
1.) get openssl from Peter Mosmans' repo:
git clone https://github.com/PeterMosmans/openssl
cd openssl
2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
**for 64Bit including Kerberos ciphers:**
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
**for 64Bit, static binaries:**
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
**for 32 Bit including Kerberos ciphers:**
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
**for 32 Bit, static binaries:**
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
2016-03-29 19:46:44 +02:00
(IPv6 would need additionally ``-DOPENSSL_USE_IPV6`` and the patch from ``fedora-dirk-ipv6.diff``
-- this doesn't give you the option of an IPv6 enabled proxy -- yet.)
2015-09-03 12:47:40 +02:00
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
2015-10-05 09:22:02 +02:00
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make problems under rare circumstances, so unless you desperately need those ciphers I would stay away from ``-DTEMP_GOST_TLS``.
2015-09-03 12:47:40 +02:00
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
(see examples). If you have another Kerberos flavor you would need to figure out by yourself.
3.) make depend
4.) make
5.) make report (check whether it runs ok!)
2015-09-03 13:20:52 +02:00
6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me
2015-09-03 12:47:40 +02:00
* 191(+4 GOST) ciphers -- including kerberos
* 177(+4 GOST) ciphers without kerberos
as opposed to 111/109 from Ubuntu or Opensuse.
**Never use these binaries for anything other than testing**
Enjoy, Dirk
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
2015-07-17 11:04:01 +02:00