1: 2: INSTALLATION ON THE UNIX PLATFORM 3: --------------------------------- 4: 5: [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X) 6: and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS, 7: INSTALL.MacOS and INSTALL.NW. 8: 9: This document describes installation on operating systems in the Unix 10: family.] 11: 12: To install OpenSSL, you will need: 13: 14: * make 15: * Perl 5 16: * an ANSI C compiler 17: * a development environment in form of development libraries and C 18: header files 19: * a supported Unix operating system 20: 21: Quick Start 22: ----------- 23: 24: If you want to just get on with it, do: 25: 26: $ ./config 27: $ make 28: $ make test 29: $ make install 30: 31: [If any of these steps fails, see section Installation in Detail below.] 32: 33: This will build and install OpenSSL in the default location, which is (for 34: historical reasons) /usr/local/ssl. If you want to install it anywhere else, 35: run config like this: 36: 37: $ ./config --prefix=/usr/local --openssldir=/usr/local/openssl 38: 39: 40: Configuration Options 41: --------------------- 42: 43: There are several options to ./config (or ./Configure) to customize 44: the build: 45: 46: --prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl. 47: Configuration files used by OpenSSL will be in DIR/ssl 48: or the directory specified by --openssldir. 49: 50: --openssldir=DIR Directory for OpenSSL files. If no prefix is specified, 51: the library files and binaries are also installed there. 52: 53: no-threads Don't try to build with support for multi-threaded 54: applications. 55: 56: threads Build with support for multi-threaded applications. 57: This will usually require additional system-dependent options! 58: See "Note on multi-threading" below. 59: 60: no-zlib Don't try to build with support for zlib compression and 61: decompression. 62: 63: zlib Build with support for zlib compression/decompression. 64: 65: zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically 66: when needed. This is only supported on systems where loading 67: of shared libraries is supported. This is the default choice. 68: 69: no-shared Don't try to create shared libraries. 70: 71: shared In addition to the usual static libraries, create shared 72: libraries on platforms where it's supported. See "Note on 73: shared libraries" below. 74: 75: no-asm Do not use assembler code. 76: 77: 386 Use the 80386 instruction set only (the default x86 code is 78: more efficient, but requires at least a 486). Note: Use 79: compiler flags for any other CPU specific configuration, 80: e.g. "-m32" to build x86 code on an x64 system. 81: 82: no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is 83: detected at run-time, but the decision whether or not the 84: machine code will be executed is taken solely on CPU 85: capability vector. This means that if you happen to run OS 86: kernel which does not support SSE2 extension on Intel P4 87: processor, then your application might be exposed to 88: "illegal instruction" exception. There might be a way 89: to enable support in kernel, e.g. FreeBSD kernel can be 90: compiled with CPU_ENABLE_SSE, and there is a way to 91: disengage SSE2 code pathes upon application start-up, 92: but if you aim for wider "audience" running such kernel, 93: consider no-sse2. Both 386 and no-asm options above imply 94: no-sse2. 95: 96: no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa, 97: hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). 98: The crypto/<cipher> directory can be removed after running 99: "make depend". 100: 101: -Dxxx, -lxxx, -Lxxx, -fxxx, -mxxx, -Kxxx These system specific options will 102: be passed through to the compiler to allow you to 103: define preprocessor symbols, specify additional libraries, 104: library directories or other compiler options. 105: 106: 107: Installation in Detail 108: ---------------------- 109: 110: 1a. Configure OpenSSL for your operation system automatically: 111: 112: $ ./config [options] 113: 114: This guesses at your operating system (and compiler, if necessary) and 115: configures OpenSSL based on this guess. Run ./config -t to see 116: if it guessed correctly. If you want to use a different compiler, you 117: are cross-compiling for another platform, or the ./config guess was 118: wrong for other reasons, go to step 1b. Otherwise go to step 2. 119: 120: On some systems, you can include debugging information as follows: 121: 122: $ ./config -d [options] 123: 124: 1b. Configure OpenSSL for your operating system manually 125: 126: OpenSSL knows about a range of different operating system, hardware and 127: compiler combinations. To see the ones it knows about, run 128: 129: $ ./Configure 130: 131: Pick a suitable name from the list that matches your system. For most 132: operating systems there is a choice between using "cc" or "gcc". When 133: you have identified your system (and if necessary compiler) use this name 134: as the argument to ./Configure. For example, a "linux-elf" user would 135: run: 136: 137: $ ./Configure linux-elf [options] 138: 139: If your system is not available, you will have to edit the Configure 140: program and add the correct configuration for your system. The 141: generic configurations "cc" or "gcc" should usually work on 32 bit 142: systems. 143: 144: Configure creates the file Makefile.ssl from Makefile.org and 145: defines various macros in crypto/opensslconf.h (generated from 146: crypto/opensslconf.h.in). 147: 148: 2. Build OpenSSL by running: 149: 150: $ make 151: 152: This will build the OpenSSL libraries (libcrypto.a and libssl.a) and the 153: OpenSSL binary ("openssl"). The libraries will be built in the top-level 154: directory, and the binary will be in the "apps" directory. 155: 156: If "make" fails, look at the output. There may be reasons for 157: the failure that aren't problems in OpenSSL itself (like missing 158: standard headers). If it is a problem with OpenSSL itself, please 159: report the problem to <openssl-bugs@openssl.org> (note that your 160: message will be recorded in the request tracker publicly readable 161: via http://www.openssl.org/support/rt2.html and will be forwarded to a 162: public mailing list). Include the output of "make report" in your message. 163: Please check out the request tracker. Maybe the bug was already 164: reported or has already been fixed. 165: 166: [If you encounter assembler error messages, try the "no-asm" 167: configuration option as an immediate fix.] 168: 169: Compiling parts of OpenSSL with gcc and others with the system 170: compiler will result in unresolved symbols on some systems. 171: 172: 3. After a successful build, the libraries should be tested. Run: 173: 174: $ make test 175: 176: If a test fails, look at the output. There may be reasons for 177: the failure that isn't a problem in OpenSSL itself (like a missing 178: or malfunctioning bc). If it is a problem with OpenSSL itself, 179: try removing any compiler optimization flags from the CFLAG line 180: in Makefile.ssl and run "make clean; make". Please send a bug 181: report to <openssl-bugs@openssl.org>, including the output of 182: "make report" in order to be added to the request tracker at 183: http://www.openssl.org/support/rt2.html. 184: 185: 4. If everything tests ok, install OpenSSL with 186: 187: $ make install 188: 189: This will create the installation directory (if it does not exist) and 190: then the following subdirectories: 191: 192: certs Initially empty, this is the default location 193: for certificate files. 194: man/man1 Manual pages for the 'openssl' command line tool 195: man/man3 Manual pages for the libraries (very incomplete) 196: misc Various scripts. 197: private Initially empty, this is the default location 198: for private key files. 199: 200: If you didn't choose a different installation prefix, the 201: following additional subdirectories will be created: 202: 203: bin Contains the openssl binary and a few other 204: utility programs. 205: include/openssl Contains the header files needed if you want to 206: compile programs with libcrypto or libssl. 207: lib Contains the OpenSSL library files themselves. 208: 209: Package builders who want to configure the library for standard 210: locations, but have the package installed somewhere else so that 211: it can easily be packaged, can use 212: 213: $ make INSTALL_PREFIX=/tmp/package-root install 214: 215: (or specify "--install_prefix=/tmp/package-root" as a configure 216: option). The specified prefix will be prepended to all 217: installation target filenames. 218: 219: 220: NOTE: The header files used to reside directly in the include 221: directory, but have now been moved to include/openssl so that 222: OpenSSL can co-exist with other libraries which use some of the 223: same filenames. This means that applications that use OpenSSL 224: should now use C preprocessor directives of the form 225: 226: #include <openssl/ssl.h> 227: 228: instead of "#include <ssl.h>", which was used with library versions 229: up to OpenSSL 0.9.2b. 230: 231: If you install a new version of OpenSSL over an old library version, 232: you should delete the old header files in the include directory. 233: 234: Compatibility issues: 235: 236: * COMPILING existing applications 237: 238: To compile an application that uses old filenames -- e.g. 239: "#include <ssl.h>" --, it will usually be enough to find 240: the CFLAGS definition in the application's Makefile and 241: add a C option such as 242: 243: -I/usr/local/ssl/include/openssl 244: 245: to it. 246: 247: But don't delete the existing -I option that points to 248: the ..../include directory! Otherwise, OpenSSL header files 249: could not #include each other. 250: 251: * WRITING applications 252: 253: To write an application that is able to handle both the new 254: and the old directory layout, so that it can still be compiled 255: with library versions up to OpenSSL 0.9.2b without bothering 256: the user, you can proceed as follows: 257: 258: - Always use the new filename of OpenSSL header files, 259: e.g. #include <openssl/ssl.h>. 260: 261: - Create a directory "incl" that contains only a symbolic 262: link named "openssl", which points to the "include" directory 263: of OpenSSL. 264: For example, your application's Makefile might contain the 265: following rule, if OPENSSLDIR is a pathname (absolute or 266: relative) of the directory where OpenSSL resides: 267: 268: incl/openssl: 269: -mkdir incl 270: cd $(OPENSSLDIR) # Check whether the directory really exists 271: -ln -s `cd $(OPENSSLDIR); pwd`/include incl/openssl 272: 273: You will have to add "incl/openssl" to the dependencies 274: of those C files that include some OpenSSL header file. 275: 276: - Add "-Iincl" to your CFLAGS. 277: 278: With these additions, the OpenSSL header files will be available 279: under both name variants if an old library version is used: 280: Your application can reach them under names like <openssl/foo.h>, 281: while the header files still are able to #include each other 282: with names of the form <foo.h>. 283: 284: 285: Note on multi-threading 286: ----------------------- 287: 288: For some systems, the OpenSSL Configure script knows what compiler options 289: are needed to generate a library that is suitable for multi-threaded 290: applications. On these systems, support for multi-threading is enabled 291: by default; use the "no-threads" option to disable (this should never be 292: necessary). 293: 294: On other systems, to enable support for multi-threading, you will have 295: to specify at least two options: "threads", and a system-dependent option. 296: (The latter is "-D_REENTRANT" on various systems.) The default in this 297: case, obviously, is not to include support for multi-threading (but 298: you can still use "no-threads" to suppress an annoying warning message 299: from the Configure script.) 300: 301: 302: Note on shared libraries 303: ------------------------ 304: 305: Shared libraries have certain caveats. Binary backward compatibility 306: can't be guaranteed before OpenSSL version 1.0. The only reason to 307: use them would be to conserve memory on systems where several programs 308: are using OpenSSL. 309: 310: For some systems, the OpenSSL Configure script knows what is needed to 311: build shared libraries for libcrypto and libssl. On these systems, 312: the shared libraries are currently not created by default, but giving 313: the option "shared" will get them created. This method supports Makefile 314: targets for shared library creation, like linux-shared. Those targets 315: can currently be used on their own just as well, but this is expected 316: to change in future versions of OpenSSL. 317: 318: Note on random number generation 319: -------------------------------- 320: 321: Availability of cryptographically secure random numbers is required for 322: secret key generation. OpenSSL provides several options to seed the 323: internal PRNG. If not properly seeded, the internal PRNG will refuse 324: to deliver random bytes and a "PRNG not seeded error" will occur. 325: On systems without /dev/urandom (or similar) device, it may be necessary 326: to install additional support software to obtain random seed. 327: Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(), 328: and the FAQ for more information. 329: 330: Note on support for multiple builds 331: ----------------------------------- 332: 333: OpenSSL is usually built in its source tree. Unfortunately, this doesn't 334: support building for multiple platforms from the same source tree very well. 335: It is however possible to build in a separate tree through the use of lots 336: of symbolic links, which should be prepared like this: 337: 338: mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`" 339: cd objtree/"`uname -s`-`uname -r`-`uname -m`" 340: (cd $OPENSSL_SOURCE; find . -type f) | while read F; do 341: mkdir -p `dirname $F` 342: rm -f $F; ln -s $OPENSSL_SOURCE/$F $F 343: echo $F '->' $OPENSSL_SOURCE/$F 344: done 345: make -f Makefile.org clean 346: 347: OPENSSL_SOURCE is an environment variable that contains the absolute (this 348: is important!) path to the OpenSSL source tree. 349: 350: Also, operations like 'make update' should still be made in the source tree.