testssl.sh/openssl-bins/openssl-1.0.2-chacha.pm/Readme.md


Compiling and Usage Instructions
================================

The precompiled binaries provided here have extended support for everything
which is normally not configured to be compiled (40+56 Bit, export/ANON ciphers, weak DH ciphers, 
SSLv2 etc.). The binaries also come with extended support for new cipher suites 
and/or features which are not (yet?) in the official branch.

The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
from Peter Mosmans. He has patched the master git branch
to support CHACHA20 + POLY1305 and other ciphers like CAMELIA 256 Bit.

The binary ``openssl-1.0.2pm.darwin.64``, based on Peter Mosmans 1.0.2b-dev, was borrowed with permission from Julien Vehent's cipherscan.


General
-------

Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
cannot use them for older distributions, younger worked in my test environments. I provide 
for each distributions two sets of binaries:

* completely statically linked binaries
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
  They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt). 

For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to 
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, 
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
static kerberos libs and I did not bother to compile them from the sources.


Compilation instructions
------------------------

If you want to compile OpenSSL yourself, here are the instructions:

1.) get openssl from Peter Mosmans' repo:

     git clone https://github.com/PeterMosmans/openssl
     cd openssl

2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/make-openssl.sh)

**for 64Bit including Kerberos ciphers:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS
    
**for 64Bit, static binaries:**    

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS

**for 32 Bit including Kerberos ciphers:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS
    
 **for 32 Bit, static binaries:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS

Two GOST [1][2] ciphers (``GOST-GOST94``, ``GOST-MD5``) come with ``-DTEMP_GOST_TLS``, four additional come via openssl engine. ``-DTEMP_GOST_TLS`` on earlier versions of openssl broke things.

So the difference you maybe spotted: If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples). 
If you have another Kerberos flavor you would need to figure out by yourself.

3.) make depend

4.) make

5.) make report (check whether it runs ok!)

6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l" lists now for me 
* 193(+4 GOST) ciphers -- including kerberos
* 179(+4 GOST) ciphers without kerberos

as opposed to 111/109 from Ubuntu or Opensuse. 

**Never use these binaries for anything other than testing**

Enjoy, Dirk

[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
Update Readme.md 2015-05-12 10:21:31 +02:00			`Compiling and Usage Instructions`
			`================================`
Update Readme.md typos 2014-07-16 18:49:46 +02:00
Update Readme.md 2014-07-18 22:48:46 +02:00			`The precompiled binaries provided here have extended support for everything`
Update Readme.md 2015-07-17 10:55:15 +02:00			`which is normally not configured to be compiled (40+56 Bit, export/ANON ciphers, weak DH ciphers,`
Update Readme.md 2015-05-12 10:21:31 +02:00			`SSLv2 etc.). The binaries also come with extended support for new cipher suites`
			`and/or features which are not (yet?) in the official branch.`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
Update Readme.md 2015-02-10 12:39:02 +01:00			`The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork`
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`from Peter Mosmans. He has patched the master git branch`
Update Readme.md 2015-05-12 10:21:31 +02:00			`to support CHACHA20 + POLY1305 and other ciphers like CAMELIA 256 Bit.`
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00
Update Readme.md 2015-07-17 10:51:28 +02:00			The binary ``openssl-1.0.2pm.darwin.64``, based on Peter Mosmans 1.0.2b-dev, was borrowed with permission from Julien Vehent's cipherscan.
- Darwin binary 2015-07-17 10:48:26 +02:00
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00

- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`General`
			`-------`

Update Readme.md 2015-07-17 10:55:15 +02:00			`Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you`
			`cannot use them for older distributions, younger worked in my test environments. I provide`
Update Readme.md 2015-05-12 10:21:31 +02:00			`for each distributions two sets of binaries:`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- FIXED: #38, new openssl from Peter Mosmans makes the workaround unneccessary 2015-02-21 10:46:30 +01:00			`* completely statically linked binaries`
Update Readme.md 2015-05-12 10:21:31 +02:00			`* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).`
			`They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- FIXED: #38, new openssl from Peter Mosmans makes the workaround unneccessary 2015-02-21 10:46:30 +01:00			`For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to`
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,`
- FIXED: #38, new openssl from Peter Mosmans makes the workaround unneccessary 2015-02-21 10:46:30 +01:00			`libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no`
			`static kerberos libs and I did not bother to compile them from the sources.`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00

- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`Compilation instructions`
			`------------------------`

- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00			`If you want to compile OpenSSL yourself, here are the instructions:`

- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`1.) get openssl from Peter Mosmans' repo:`
- typos 2014-07-04 12:27:17 +02:00
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`git clone https://github.com/PeterMosmans/openssl`
			`cd openssl`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
GOST additions 2015-07-20 15:28:55 +02:00			`2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/openssl-bins/make-openssl.sh)`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
Update Readme.md new stable 1.0.2 branch, also with 4 more ciphers 2015-02-05 09:22:01 +01:00			`for 64Bit including Kerberos ciphers:`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
better c&p 2014-10-16 16:46:01 +02:00			`./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \`
			`enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \`
better+ c&p 2014-10-16 16:47:54 +02:00			`enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \`
GOST additions 2015-07-20 15:28:55 +02:00			`--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS`
Update Readme.md new stable 1.0.2 branch, also with 4 more ciphers 2015-02-05 09:22:01 +01:00
			`for 64Bit, static binaries:`
- typos 2014-07-04 14:37:15 +02:00
Update Readme.md new stable 1.0.2 branch, also with 4 more ciphers 2015-02-05 09:22:01 +01:00			`./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \`
			`enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \`
			`enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \`
GOST additions 2015-07-20 15:28:55 +02:00			`-static experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS`
Update Readme.md new stable 1.0.2 branch, also with 4 more ciphers 2015-02-05 09:22:01 +01:00
			`for 32 Bit including Kerberos ciphers:`
- typos 2014-07-04 14:37:15 +02:00
better c&p 2014-10-16 16:46:01 +02:00			`./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \`
better+ c&p 2014-10-16 16:47:54 +02:00			`enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \`
better c&p 2014-10-16 16:46:01 +02:00			`enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \`
GOST additions 2015-07-20 15:28:55 +02:00			`--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS`
Update Readme.md new stable 1.0.2 branch, also with 4 more ciphers 2015-02-05 09:22:01 +01:00
			`for 32 Bit, static binaries:`

			`./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \`
			`enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \`
			`enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \`
GOST additions 2015-07-20 15:28:55 +02:00			`-static experimental-jpake -DOPENSSL_USE_BUILD_DATE -DTEMP_GOST_TLS`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
addiotnal citation for GOST 2015-07-20 19:06:53 +02:00			Two GOST [1][2] ciphers (``GOST-GOST94``, ``GOST-MD5``) come with ``-DTEMP_GOST_TLS``, four additional come via openssl engine. ``-DTEMP_GOST_TLS`` on earlier versions of openssl broke things.
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
GOST additions 2015-07-20 15:28:55 +02:00			`So the difference you maybe spotted: If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT" (see examples).`
Update Readme.md 2015-07-17 10:55:15 +02:00			`If you have another Kerberos flavor you would need to figure out by yourself.`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`3.) make depend`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`4.) make`
- formatting corrected 2014-07-04 12:15:13 +02:00
- FIXED: #38, new openssl from Peter Mosmans makes the workaround unneccessary 2015-02-21 10:46:30 +01:00			`5.) make report (check whether it runs ok!)`
- formatting corrected 2014-07-04 12:15:13 +02:00
Update Readme.md 2014-11-24 16:43:11 +01:00			`6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' \| wc -l" lists now for me`
GOST additions 2015-07-20 15:28:55 +02:00			`* 193(+4 GOST) ciphers -- including kerberos`
			`* 179(+4 GOST) ciphers without kerberos`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00			`as opposed to 111/109 from Ubuntu or Opensuse.`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
Update Readme.md Improve phrasing on important warning. 2015-07-17 11:08:10 +02:00			`Never use these binaries for anything other than testing`
- typos 2014-07-04 14:15:45 +02:00
Update Readme.md 2015-07-17 10:55:15 +02:00			`Enjoy, Dirk`
- new binaries with: - chaha20+ploy1305, thx to Peter Mosmans - openssl starttls krb-telnet support (thx to Stefan Zehl) - openssl starttls xmpp starttls/sni patch (thx to Stefan Zehl) - record breaking 167 ciphers (including kerberos) 2014-07-04 11:59:01 +02:00
- typos 2014-07-04 14:37:15 +02:00			`[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29`
addiotnal citation for GOST 2015-07-20 19:06:53 +02:00			`[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost`