- cleanup bin mess, part 2

bin/Readme.md

@@ -6,13 +6,110 @@ The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
 and will be picked up from testssl.sh if you run testssl.sh directly
 off the git directory.
 
-They are compiled from Peter Mosmans openssl fork to support more advanced
-ciphers as well as broken stuff which is either missing in most OS and
-even in OpenSSL or LibreSSL.
+If you expect Kerberos ciphers: The Linux binaries with the trailing -krb5 
+need to be renamed accordingly or you need to supply the path either
+as an argument (``--openssl=<here>``) or as an environment variable
+(``OPENSSL=<here> testssl.sh <yourargs>``).
 
-More see ../openssl-bins/openssl-1.0.2-chacha.pm/
+The precompiled binaries provided here have extended support for
+everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
+export/ANON ciphers, weak DH ciphers, SSLv2 etc. -- all the dirty
+features needed for testing. OTOH the binaries also come with extended
+support for new / advanced cipher suites and/or features which are not
+in the official branch like CHACHA20+POLY1305 and other ciphers like 
+CAMELIA 256 Bit.
+
+The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork
+from Peter Mosmans. Thx a bunch, Peter!
+
+Linux binaries so far come from Dirk, other contributors see ../CREDITS.md .
+
+
+Compiling and Usage Instructions
+================================
+
+General
+-------
+
+Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
+cannot use them for older distributions, younger worked in all my test environments. 
+I provide for each distributions two sets of binaries:
+
+* completely statically linked binaries
+* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
+  They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt). 
+
+For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to 
+install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, 
+libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
+static kerberos libs and I did not bother to compile them from the sources.
+
+
+Compilation instructions
+------------------------
+
+If you want to compile OpenSSL yourself, here are the instructions:
+
+1.) get openssl from Peter Mosmans' repo:
+
+     git clone https://github.com/PeterMosmans/openssl
+     cd openssl
+
+2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
+
+**for 64Bit including Kerberos ciphers:**
+
+    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
+    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
+    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
+    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
+
+**for 64Bit, static binaries:**
+
+    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
+    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
+    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
+    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE
+
+**for 32 Bit including Kerberos ciphers:**
+
+    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
+    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
+    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
+    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
+
+ **for 32 Bit, static binaries:**
+
+    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
+    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
+    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
+    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE 
+
+Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST 
+ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS``. The binaries 
+seem to work so far -- it has not been thouroughly tested though and ``make report`` bails out.
+
+If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
+(see examples).  If you have another Kerberos flavor you would need to figure out by yourself.
+
+3.) make depend
+
+4.) make
+
+5.) make report (check whether it runs ok!)
+
+6.) "./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l" lists now for me
+* 191(+4 GOST) ciphers -- including kerberos 
+* 177(+4 GOST) ciphers without kerberos
+
+as opposed to 111/109 from Ubuntu or Opensuse. 
+
+**Never use these binaries for anything other than testing**
+
+Enjoy, Dirk
+
+[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
+
+[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
 
-(Here you find the static binaries. If you want test Kerberos ciphers you
-need to copy the binary hereto)
 
-For contributors see ../CREDITS.md.