2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
Compilation instructions
|
|
|
|
========================
|
|
|
|
|
2014-07-04 12:24:27 +02:00
|
|
|
Currrent precompiled versions are are from OpenSSL 1.0.2.
|
|
|
|
The ones I were using is a fork of OpenSSL from Peter Mosmans,
|
|
|
|
just to get chacha20+poly1305 support (thx!). The one from
|
|
|
|
the official git repo didn't work for me work correctly,
|
|
|
|
it's also likely to disappear shortly.
|
2014-07-04 11:59:01 +02:00
|
|
|
(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html)
|
|
|
|
|
2014-07-04 12:24:27 +02:00
|
|
|
$ git clone https://github.com/PeterMosmans/openssl
|
|
|
|
$ cd openssl
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
|
|
|
|
General instructions
|
|
|
|
--------------------
|
|
|
|
|
|
|
|
* 64 bit version was compiled under Opensuse 12.3
|
|
|
|
* 32 bit version was compiled under Ubuntu 12.04 LTS
|
|
|
|
|
|
|
|
In addition to the binaries statically linked binaries I provide -- except a few
|
2014-07-04 12:15:13 +02:00
|
|
|
libs which are nowadays sometimes hard to statically link in -- I compiled a set of
|
2014-07-04 11:59:01 +02:00
|
|
|
dynamic binaries. The catch here are the Kerberos libs: No Linux
|
|
|
|
distributor privides static libs. As of now I feel to lazy to compile
|
|
|
|
MIT or KTH from scratch to get statitic libs.
|
|
|
|
|
2014-07-04 12:15:13 +02:00
|
|
|
So for the kerberos binaries I provide (openssl??-1.0.2pm-krb5*) you need a whopping bunch of
|
|
|
|
kerberos libraries which you maybe need to install (libgssapi_krb5, libkrb5, libcom_err,
|
|
|
|
libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
|
|
|
|
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
If you want to compile OpenSSL yourself, here are the instructions:
|
|
|
|
|
|
|
|
0.) apply experimental-features.patch (otherwise you miss the experimental features)
|
2014-07-04 12:15:13 +02:00
|
|
|
1.) apply openssl-telnet-starttls.patch and openssl-xmpp-starttls-fix.patch
|
2014-07-04 11:59:01 +02:00
|
|
|
(provided by Stefan Zehl, thx!).
|
|
|
|
|
|
|
|
3.) configure the damned thing. Options I used:
|
|
|
|
|
|
|
|
* for 64Bit:
|
|
|
|
>./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
|
|
|
|
2014-07-04 12:15:13 +02:00
|
|
|
* for 32 Bit:
|
|
|
|
> ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
Don't use -DTEMP_GOST_TLS, it breaks things!
|
|
|
|
|
2014-07-04 12:15:13 +02:00
|
|
|
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT".
|
|
|
|
If you have other Kerberos flavors you need to figure out by yourself.
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
For real GOST cipher [1] support you need to built static libs as the crypto
|
2014-07-04 12:15:13 +02:00
|
|
|
engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). I didn't
|
|
|
|
do that yet. If you aiming at this you rather should compile everything with another prefix
|
2014-07-04 11:59:01 +02:00
|
|
|
as you don't want your openssl binary to end up loading system libraries like libssl or
|
|
|
|
libcrypto. Alternatively you can hack the Makefile and include those
|
|
|
|
libs which you compiled statically as ".a".
|
|
|
|
|
|
|
|
4.) make depend
|
2014-07-04 12:15:13 +02:00
|
|
|
|
2014-07-04 11:59:01 +02:00
|
|
|
5.) make
|
2014-07-04 12:15:13 +02:00
|
|
|
|
2014-07-04 11:59:01 +02:00
|
|
|
6.) make report (check whether it runs ok)
|
|
|
|
|
|
|
|
7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine
|
|
|
|
167 ciphers as opposed to 111/109 from Ubuntu or Opensuse.
|
|
|
|
|
2014-07-04 12:24:27 +02:00
|
|
|
**Never use these binaries for anything else then for testing**
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
|
2014-07-04 12:24:27 +02:00
|
|
|
Enjoy! Dirk
|
2014-07-04 11:59:01 +02:00
|
|
|
|
|
|
|
|
|
|
|
[1] https://en.wikipedia.org/wiki/GOST_%28block_cipher%29
|