mirror of
https://github.com/drwetter/testssl.sh.git
synced 2024-12-29 12:59:44 +01:00
135 lines
5.8 KiB
Markdown
135 lines
5.8 KiB
Markdown
|
|
Binaries
|
|
========
|
|
|
|
All the precompiled binaries provided here have extended support for
|
|
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
|
|
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
|
|
features needed for testing. OTOH they also come with extended support
|
|
for new / advanced cipher suites and/or features which are not in the
|
|
official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
|
|
They also have IPv6 support, see below.
|
|
|
|
The (stripped) binaries this directory are all compiled from my openssl
|
|
snapshot (https://github.com/drwetter/openssl) from Peter Mosman's openssl
|
|
fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!
|
|
|
|
Compiled Linux and FreeBSD binaries so far come from Dirk, other
|
|
contributors see ../CREDITS.md .
|
|
|
|
**I discontinued to upload the not commonly used binaries at GitHub ** (ARM7l, Darwin.i386 and all except one kerberos compiles) **as it is not very appropriate to use GitHub especially for those. The main site for all
|
|
binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball @
|
|
https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz**
|
|
|
|
The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
|
|
and will be picked up from testssl.sh if you run testssl.sh directly
|
|
off the git directory. Otherwise you need ``testssl.sh`` to point to it
|
|
via the argument (``--openssl=<here>``) or as an environment variable
|
|
(``OPENSSL=<here> testssl.sh <yourargs>``).
|
|
|
|
The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support,
|
|
they won't be picked up automatically as you need to make sure first they
|
|
run (see libraries below).
|
|
|
|
|
|
Compiling and Usage Instructions
|
|
================================
|
|
|
|
General
|
|
-------
|
|
|
|
Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS. Likely you
|
|
cannot use them for older distributions, younger worked in all my test environments.
|
|
I provide for each distributions two sets of binaries (no IPv6 here):
|
|
|
|
* completely statically linked binaries
|
|
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
|
|
They provide also KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).
|
|
|
|
For the latter you need a whopping bunch of kerberos runtime libraries which you maybe need to
|
|
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
|
|
libkeyutils). The 'static' binaries do not have MIT kerberos support as there are no
|
|
static kerberos libs and I did not bother to compile them from the sources.
|
|
|
|
|
|
Compilation instructions
|
|
------------------------
|
|
|
|
If you want to compile OpenSSL yourself, here are the instructions:
|
|
|
|
1.) get openssl from Peter Mosmans' repo:
|
|
|
|
git clone https://github.com/PeterMosmans/openssl
|
|
cd openssl
|
|
|
|
or use my repo:
|
|
|
|
git clone https://github.com/drwetter/openssl
|
|
cd openssl
|
|
|
|
|
|
2.) configure the damned thing. Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh)
|
|
|
|
**for 64Bit including Kerberos ciphers:**
|
|
|
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
|
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
|
|
--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
|
|
|
**for 64Bit, static binaries:**
|
|
|
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
|
enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
|
|
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
|
|
|
**for 32 Bit including Kerberos ciphers:**
|
|
|
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
|
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
|
--with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
|
|
|
**for 32 Bit, static binaries:**
|
|
|
|
./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
|
|
enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
|
|
enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
|
|
-static experimental-jpake -DOPENSSL_USE_BUILD_DATE
|
|
|
|
IPv6 support would need additionally the patch from ``fedora-dirk-ipv6.diff`` (included already
|
|
in my branch). This doesn't give you the option of an IPv6 enabled proxy yet.
|
|
It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as
|
|
later on you can tell them apart by``openssl version -a``.
|
|
|
|
Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
|
|
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they make
|
|
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
|
|
``-DTEMP_GOST_TLS``.
|
|
|
|
If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
|
|
(see examples). If you have another Kerberos flavor you would need to figure out by yourself.
|
|
|
|
3.) make depend
|
|
|
|
4.) make
|
|
|
|
5.) make report (check whether it runs ok!)
|
|
|
|
6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me
|
|
* 193(+4 GOST) ciphers including kerberos
|
|
* 179(+4 GOST) ciphers without kerberos
|
|
|
|
as opposed to ~110 from Ubuntu or Opensuse.
|
|
|
|
**Never use these binaries for anything other than testing**
|
|
|
|
Enjoy, Dirk
|
|
|
|
[1] https://en.wikipedia.org/wiki/GOST_%29block_cipher%29
|
|
|
|
[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
|
|
|
|
|