- reflects the new tree from Peter Mosmans

Dirk Wetter 2014-07-16 18:35:42 +02:00
parent d03e8a2133
commit 818cd4b014


@ -2,42 +2,45 @@
Compilation instructions Compilation instructions
======================== ========================
The precompiled versions here are from OpenSSL 1.0.2, The precompiled versions here are from an OpenSSL 1.0.2 fork
they are a fork of OpenSSL from Peter Mosmans, from Peter Mosmans. He has patched the master git branch
just to get chacha20+poly1305 support (thx!). The one from to support chacha20+poly1305 and other ciphers (CAMELIA 256 Bit).
the official git repo didn't work for me work correctly,
it's also likely they'll disappear shortly CHACHA20+POLY1305 cipher suites from the official git repo didn't
work for me work correctly, it's also likely they'll disappear shortly
(https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html). (https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html).
$ git clone https://github.com/PeterMosmans/openssl
$ cd openssl General
-------
* 64 bit versions were compiled under Opensuse 12.3
* 32 bit versions were compiled under Ubuntu 12.04 LTS
Likely you cannot use older distributions, younger should work.
I provide for each distributions two sets of binaries:
* statically linked binaries (except a few libs which are nowadays difficult to statically link)
* dynamically linked binaries with MIT Kerberos support ("krb5" in the name)
For the latter you need a whopping bunch of kerberos libraries which you maybe need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
All binaries are signed with my gpg key (.asc files).
General instructions Compilation instructions
-------------------- ------------------------
* 64 bit version was compiled under Opensuse 12.3
* 32 bit version was compiled under Ubuntu 12.04 LTS
In addition to the statically linked binaries I provide -- except a few
libs which are nowadays difficult to statically link in -- I compiled a set of
dynamic binaries. The catch here are the Kerberos libs: No Linux
distributor provides static libs. As of now I feel too lazy ;-) to compile
MIT or KTH from scratch to get statitic libs.
So for the kerberos binaries I provide (openssl??-1.0.2pm-krb5*) you need a whopping bunch of
kerberos libraries which you maybe need to install (libgssapi_krb5, libkrb5, libcom_err,
libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.
If you want to compile OpenSSL yourself, here are the instructions: If you want to compile OpenSSL yourself, here are the instructions:
1.) apply experimental-features.patch (otherwise you miss the experimental features) 1.) get openssl from Peter Mosmans' repo:
2.) apply openssl-telnet-starttls.patch and openssl-xmpp-starttls-fix.patch git clone https://github.com/PeterMosmans/openssl
(provided by Stefan Zehl, thx!). cd openssl
3.) configure the damned thing. Options I used: 2.) configure the damned thing. Options I used:
**for 64Bit:** **for 64Bit:**
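Review bot: The added line "All binaries are signed with my gpg key (.asc files)." in the General section does not identify the key, so a reader has nothing to check the signatures against; add the key ID or fingerprint and where to obtain the key, plus a one-line hint on verifying a binary against its .asc file (for example with gpg --verify). In the new step 1, the clone of https://github.com/PeterMosmans/openssl names no branch, tag or commit, so a self-built binary cannot be tied to the source the precompiled ones came from; state the commit they were built from. Wording nits in the added text: "didn't work for me work correctly", "CAMELIA" (the configure option spells it camellia), "so that's is not needed", and "Compilation instructions" is now both the document title and a section heading.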
@ -51,33 +54,26 @@ If you want to compile OpenSSL yourself, here are the instructions:
enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \ enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \
enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake
Don't use -DTEMP_GOST_TLS, it breaks things! Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST support.
If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT".
If you have other Kerberos flavors you need to figure out by yourself. If you have other Kerberos flavors you need to figure out by yourself.
For real GOST cipher [1] support you need to built static libs as the crypto 3.) make depend
engine is a shared lib (additional options: "shared -fPIC -DOPENSSL_PIC"). I didn't
do that yet. If you aiming at this you rather should compile everything with another prefix
as you don't want your openssl binary to end up loading system libraries like libssl or
libcrypto. Alternatively you can hack the Makefile and include those
libs which you compiled statically as ".a".
4.) make depend 4.) make
5.) make 5.) make report (check whether it runs ok)
6.) make report (check whether it runs ok) 6.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me
* 187 + 4 russian GOST ciphers -- including kerberos
* 173 + 4 russian GOST ciphers without kerberos
7.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me w/ kerberos and w/o GOST cipher engine as opposed to 111/109 from Ubuntu or Opensuse.
167 ciphers as opposed to 111/109 from Ubuntu or Opensuse.
Enjoy, Dirk Enjoy, Dirk
PS: **Never use these binaries for anything else then for testing** PS: **Never use these binaries for anything else then for testing**
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29 [1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
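Review bot: The new step 6 reports counts of "+ 4 russian GOST ciphers", but this hunk deletes the only paragraph that explained how GOST support is obtained (the crypto engine being a shared lib, with the "shared -fPIC -DOPENSSL_PIC" options), so the reader can no longer tell how to reproduce those four ciphers; keep a short sentence on how the GOST engine is built or loaded in the new tree. The same deletion removes the only visible reference to footnote [1], which stays at the bottom of the file without a citation; either drop it or cite it from the remaining -DTEMP_GOST_TLS sentence, and fix its URL while there, since the first %29 encodes a closing parenthesis where %28 is needed. The trailing "as opposed to 111/109 from Ubuntu or Opensuse" would read more clearly if it said which of the two new counts it is being compared with.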