testssl.sh/openssl-bins/openssl-1.0.2-chacha.pm
2014-07-16 18:35:42 +02:00
..
experimental-features.patch - new binaries with: 2014-07-04 11:59:01 +02:00
new-ciphers.txt - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl32-1.0.2pm-krb5.chacha+poly - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl32-1.0.2pm-krb5.chacha+poly.asc - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl32-1.0.2pm.chacha+poly - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl32-1.0.2pm.chacha+poly.asc - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl64-1.0.2pm-krb5.chacha+poly - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl64-1.0.2pm-krb5.chacha+poly.asc - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl64-1.0.2pm.chacha+poly - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl64-1.0.2pm.chacha+poly.asc - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl-telnet-starttls.patch - new binaries with: 2014-07-04 11:59:01 +02:00
openssl-Vall.txt - whopping 191 ciphers now (inckl. Kerberos and GOST) 2014-07-16 18:34:31 +02:00
openssl-xmpp-starttls-fix.patch - new binaries with: 2014-07-04 11:59:01 +02:00
Readme.md - reflects the new tree from Peter Mosmans 2014-07-16 18:35:42 +02:00

Compilation instructions

The precompiled versions here are from an OpenSSL 1.0.2 fork from Peter Mosmans. He has patched the master git branch to support chacha20+poly1305 and other ciphers (CAMELIA 256 Bit).

CHACHA20+POLY1305 cipher suites from the official git repo didn't work for me work correctly, it's also likely they'll disappear shortly (https://www.mail-archive.com/openssl-dev@openssl.org/msg34756.html).

General

  • 64 bit versions were compiled under Opensuse 12.3
  • 32 bit versions were compiled under Ubuntu 12.04 LTS

Likely you cannot use older distributions, younger should work. I provide for each distributions two sets of binaries:

  • statically linked binaries (except a few libs which are nowadays difficult to statically link)
  • dynamically linked binaries with MIT Kerberos support ("krb5" in the name)

For the latter you need a whopping bunch of kerberos libraries which you maybe need to install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support, libkeyutils). For the 'static' binaries kerberos is not compiled in, so that's is not needed.

All binaries are signed with my gpg key (.asc files).

Compilation instructions

If you want to compile OpenSSL yourself, here are the instructions:

1.) get openssl from Peter Mosmans' repo:

 git clone https://github.com/PeterMosmans/openssl
 cd openssl

2.) configure the damned thing. Options I used:

for 64Bit:

./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST \
enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \   
enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake  

for 32 Bit:

./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 enable-GOST \
enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa enable-seed enable-camellia \
enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 --with-krb5-flavor=MIT experimental-jpake 

Don't use -DTEMP_GOST_TLS, it currently breaks things and it is not needed for general GOST support.

If you don't have / don't want Kerberos libraries and devel rpms/debs, omit "--with-krb5-flavor=MIT". If you have other Kerberos flavors you need to figure out by yourself.

3.) make depend

4.) make

5.) make report (check whether it runs ok)

6.) "openssl ciphers -V ALL:COMPLEMENTOFALL | wc -l" lists for me * 187 + 4 russian GOST ciphers -- including kerberos * 173 + 4 russian GOST ciphers without kerberos

as opposed to 111/109 from Ubuntu or Opensuse.

Enjoy, Dirk

PS: Never use these binaries for anything else then for testing

[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29