From 556d6370699af3c20206c80f95795f7f87e98890 Mon Sep 17 00:00:00 2001 From: Dirk Wetter Date: Mon, 26 Sep 2016 23:47:39 +0200 Subject: [PATCH] updated --- bin/Readme.md | 52 ++++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/bin/Readme.md b/bin/Readme.md index bfb755c..0d33813 100644 --- a/bin/Readme.md +++ b/bin/Readme.md 
@@ -1,13 +1,27 @@ - -**Note: Further new improved binaries (1.0.2i, compiled from a snapshot from Peter Mosman's fork: https://github.com/drwetter/openssl) will be uploaded soon.** - -**Probably we discontinue the rarely used ones at github as it is not very approrpriate. Main site for binaries see https://testssl.sh/** - - Binaries ======== +All the precompiled binaries provided here have extended support for +everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit, +export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty +features needed for testing. OTOH they also come with extended support +for new / advanced cipher suites and/or features which are not in the +official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers. +They also have IPv6 support, see below. + +The (stripped) binaries this directory are all compiled from my openssl +snapshot (https://github.com/drwetter/openssl) from Peter Mosman's openssl +fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter! + +Compiled Linux and FreeBSD binaries so far come from Dirk, other +contributors see ../CREDITS.md . + +**We discontinued the not commonly used binaries** (ARM7l, Darwin.i386) **at github as it +is not very approrpriate to use github especially for those. Main site for +binaries see https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/ and +https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz** + The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)`` and will be picked up from testssl.sh if you run testssl.sh directly off the git directory. Otherwise you need ``testssl.sh`` to point to it 
@@ -18,19 +32,6 @@ The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support, they won't be picked up automatically as you need to make sure first they run (see libraries below). -All the precompiled binaries provided here have extended support for -everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit, -export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty -features needed for testing. OTOH they also come with extended support -for new / advanced cipher suites and/or features which are not in the -official branch like (old version of the) CHACHA20+POLY1305 and CAMELIA 256 bit ciphers. - -The binaries in this directory are all compiled from an OpenSSL 1.0.2 fork -from Peter Mosmans (https://github.com/PeterMosmans/openssl). Thx a bunch, -Peter! - -Compiled Linux and FreeBSD binaries so far come from Dirk, other contributors see ../CREDITS.md . - Compiling and Usage Instructions ================================ @@ -62,6 +63,12 @@ If you want to compile OpenSSL yourself, here are the instructions: git clone https://github.com/PeterMosmans/openssl cd openssl +or use my repo: + + git clone https://github.com/drwetter/openssl + cd openssl + + 2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh) **for 64Bit including Kerberos ciphers:** 
@@ -92,7 +99,10 @@ If you want to compile OpenSSL yourself, here are the instructions: enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \ -static experimental-jpake -DOPENSSL_USE_BUILD_DATE -IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff``. This doesn't give you the option of an IPv6 enabled proxy yet. It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as later on you can tell them apart by``openssl version -a``. +IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already +in my branch). This doesn't give you the option of an IPv6 enabled proxy yet. +It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as +later on you can tell them apart by``openssl version -a``. Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make @@ -110,7 +120,7 @@ If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit 6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me * 193(+4 GOST) ciphers including kerberos -* 177(+4 GOST) ciphers without kerberos +* 179(+4 GOST) ciphers without kerberos as opposed to ~110 from Ubuntu or Opensuse.
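Review bot: The bold notice added in the @@ -1,13 +1,27 @@ hunk sends readers to https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz and the contributed directory, but gives no checksum or signature to verify the download against. Since these are stripped, prebuilt binaries that people will run as-is, consider listing a SHA-256 or a detached signature next to the links. The same hunk carries the typo "approrpriate" over from the removed note, drops "in" from "The (stripped) binaries this directory", and writes "Peter Mosman's" where the linked repository and the paragraph removed further down use "Mosmans".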
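Review bot: The added "git clone https://github.com/drwetter/openssl" step in the @@ -62,6 +63,12 @@ hunk does not say which branch or commit to build, although the new README header calls that repository a snapshot. Naming the branch or commit the 1.0.2i binaries were built from would let readers reproduce them and compare their result with the published files. The hunk also adds two blank lines before step 2 where one is enough.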
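Review bot: In the rewrapped IPv6 paragraph of the @@ -92,7 +99,10 @@ hunk, "(included already in my branch)" does not name the branch or repository it means; if it is https://github.com/drwetter/openssl, say so, so readers know when the ``fedora-dirk-ipv6.diff`` patch still has to be applied by hand. The missing space in "tell them apart by``openssl version -a``" is also carried over unchanged from the old line and could be fixed while the paragraph is being touched.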
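Review bot: Only the "without kerberos" figure changes in the @@ -110,7 +120,7 @@ hunk (177 to 179), while "193(+4 GOST) ciphers including kerberos" stays as it was. If the Kerberos count was re-measured on the 1.0.2i build and happened not to move, a word in the commit message would help; otherwise re-run step 6 for the Kerberos build so that both numbers come from the same source tree.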