mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-09 02:00:57 +01:00
- formatting corrected
parent
68ab11cc12
commit
5cd655eeaa
@ -9,8 +9,10 @@ from official OpenSSL git repo doesn't work correctly and is not supported
|
|||||||
(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html)
|
(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html)
|
||||||
|
|
||||||
|
|
||||||
|
>
|
||||||
> $ git clone https://github.com/PeterMosmans/openssl
|
> $ git clone https://github.com/PeterMosmans/openssl
|
||||||
> $ cd openssl
|
> $ cd openssl
|
||||||
|
>
|
||||||
|
|
||||||
General instructions
|
General instructions
|
||||||
--------------------
|
--------------------
|
||||||
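Review bot: the clone step in this hunk fetches https://github.com/PeterMosmans/openssl and changes into the directory without naming a branch, tag or commit, so the build instructions that follow apply to whatever the fork's default branch holds on the day of the clone. Since the README goes on to describe binaries built from this tree, consider stating the revision they were built from (a checkout line after `cd openssl`, with the id supplied by the author) so that a build can be reproduced and compared against the provided binaries. The `>` lines added above and below the two commands are fine as a formatting change.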
@ -19,19 +21,20 @@ General instructions
|
|||||||
* 32 bit version was compiled under Ubuntu 12.04 LTS
|
* 32 bit version was compiled under Ubuntu 12.04 LTS
|
||||||
|
|
||||||
In addition to the binaries statically linked binaries I provide -- except a few
|
In addition to the binaries statically linked binaries I provide -- except a few
|
||||||
libs which are nowadays sometimes hard to link -- I compiled a set of
|
libs which are nowadays sometimes hard to statically link in -- I compiled a set of
|
||||||
dynamic binaries. The catch here are the Kerberos libs: No Linux
|
dynamic binaries. The catch here are the Kerberos libs: No Linux
|
||||||
distributor privides static libs. As of now I feel to lazy to compile
|
distributor privides static libs. As of now I feel to lazy to compile
|
||||||
MIT or KTH from scratch to get statitic libs.
|
MIT or KTH from scratch to get statitic libs.
|
||||||
|
|
||||||
So for the kerberos binaries I provide you need a whopping bunch of libraries which
|
So for the kerberos binaries I provide (openssl??-1.0.2pm-krb5*) you need a whopping bunch of
|
||||||
you maybe need to install (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
|
kerberos libraries which you maybe need to install (libgssapi_krb5, libkrb5, libcom_err,
|
||||||
libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
|
libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
|
||||||
|
|
||||||
|
|
||||||
If you want to compile OpenSSL yourself, here are the instructions:
|
If you want to compile OpenSSL yourself, here are the instructions:
|
||||||
|
|
||||||
0.) apply experimental-features.patch (otherwise you miss the experimental features)
|
0.) apply experimental-features.patch (otherwise you miss the experimental features)
|
||||||
1.) apply openssl-telnet-starttls.patch and openssl-telnet-starttls.patch
|
1.) apply openssl-telnet-starttls.patch and openssl-xmpp-starttls-fix.patch
|
||||||
(provided by Stefan Zehl, thx!).
|
(provided by Stefan Zehl, thx!).
|
||||||
|
|
||||||
3.) configure the damned thing. Options I used:
|
3.) configure the damned thing. Options I used:
|
||||||
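Review bot: several wording errors survive on lines this formatting commit rewrites or carries as context: the rewritten last line of the Kerberos paragraph still ends "so that's is not needed", and the unchanged lines keep "the binaries statically linked binaries", "privides", "to lazy" and "statitic". The step list also runs 0.), 1.), 3.) with no 2.), so either renumber it or restore the missing step. The change in step 1.) from a duplicated openssl-telnet-starttls.patch to openssl-xmpp-starttls-fix.patch corrects which patches get applied, which is more than formatting and deserves a mention in the commit message.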
@ -39,23 +42,25 @@ If you want to compile OpenSSL yourself, here are the instructions:
|
|||||||
* for 64Bit:
|
* for 64Bit:
|
||||||
>./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
>./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
||||||
|
|
||||||
* for 32 Bit: >
|
* for 32 Bit:
|
||||||
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
> ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
|
||||||
|
|
||||||
Don't use -DTEMP_GOST_TLS, it breaks things!
|
Don't use -DTEMP_GOST_TLS, it breaks things!
|
||||||
|
|
||||||
If you don't have Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT".
|
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT".
|
||||||
If you have e.g. Heimdal --> figure out by yourself.
|
If you have other Kerberos flavors you need to figure out by yourself.
|
||||||
|
|
||||||
For real GOST cipher [1] support you need to built static libs as the crypto
|
For real GOST cipher [1] support you need to built static libs as the crypto
|
||||||
engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC").
|
engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). I didn't
|
||||||
If you aiming at this you rather should compile everything with another prefix
|
do that yet. If you aiming at this you rather should compile everything with another prefix
|
||||||
as you don't want your openssl binary to end up loading system libraries like libssl or
|
as you don't want your openssl binary to end up loading system libraries like libssl or
|
||||||
libcrypto. Alternatively you can hack the Makefile and include those
|
libcrypto. Alternatively you can hack the Makefile and include those
|
||||||
libs which you compiled statically as ".a".
|
libs which you compiled statically as ".a".
|
||||||
|
|
||||||
4.) make depend
|
4.) make depend
|
||||||
|
|
||||||
5.) make
|
5.) make
|
||||||
|
|
||||||
6.) make report (check whether it runs ok)
|
6.) make report (check whether it runs ok)
|
||||||
|
|
||||||
7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine
|
7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine
|
||||||
|
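Review bot: both ./config lines in this hunk keep `--prefix=/usr/ --openssldir=/etc/ssl` together with `enable-ssl2`, `enable-md2` and `enable-rc2`, while the GOST paragraph a few lines below advises compiling "with another prefix" so the binary does not end up loading the system libssl or libcrypto. The two statements pull in opposite directions; suggest either changing the documented prefix to a dedicated directory or adding a sentence that this build is meant to be run from the build tree for testing and not installed over the system OpenSSL. Two smaller points: the 64-bit line is still `>./config` without a space while the 32-bit line now reads `> ./config`, and "you need to built static libs as the crypto engine is a shared lib" reads as a contradiction next to the suggested `shared -fPIC` options, so it is worth rewording while this paragraph is being touched.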