forked from ntpsec/ntpsec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
HOWTO-OpenSSL
110 lines (91 loc) · 3.67 KB
/
HOWTO-OpenSSL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
NTS needs TLS 1.3 or newer.
That was first supported in OpenSSL 1.1.1
(1.1.1a is broken)
Some OSes/Distros don't support a new enough version of OpenSSL
This file contains notes on how to download, build, and install 3.2.0
It should be close for other 3.x.y versions
It's rough. Don't be surprised by bugs/oversights.
Corrections, clarifications and feedback encouraged.
In 2023-Nov, FreeBSD 13.2 has 1.1.1t as the main version.
It also has 3 newer versions available as packages.
You can just install one and ignore the rest of this note.
waf will find the pkg version and use it.
sudo pkg update
sudo pkg search openssl
openssl30-3.0.12_1 TLSv1.3 capable SSL and crypto library
openssl31-3.1.4_1 TLSv1.3 capable SSL and crypto library
openssl32-3.2.0.a2 TLSv1.3 capable SSL and crypto library
sudo pkg install openssl32
Note: the "a2" is for "Alpha 2", not for production etc.
The rest of this recipe works if you want to try a newer version from
an OpenSSL tarball.
Download OpenSSL source from here:
https://www.openssl.org/source/
You should be able to cut/paste many of these lines.
But check for the latest versions first.
cd xxx
mkdir OpenSSL
cd OpenSSL
for OpenSSL 3.2.0
wget https://www.openssl.org/source/openssl-3.2.0.tar.gz
tar -xzf openssl-3.2.0.tar.gz
cd openssl-3.2.0
# Check NOTES.PERL
# for CentOS, you need
sudo yum install perl-core
# Fedora 35 for 3.0.1
# ./config needs
sudo dnf install perl-FindBin 'perl(IPC::Cmd)' 'perl(File::Compare)'
# make needs
# make test needs
sudo dnf install 'perl(Test::Harness)' 'perl(Test::More)' 'perl(File::Copy)'
# make install also needs:
sudo dnf install 'perl(Pod::Html)'
# On FreeBSD for 3.0.1
sudo pkg install perl5
By default, this recipe will install
libcrypto.so.3 and libssl.so.3
in /usr/local/ssl/lib64/
and they will be used by all software, not just ntpd.
If you don't want that, edit VERSION.dat and change SHLIB_VERSION
to something like 6. That will install the libraries as
libcrypto.so.6 and libssl.so.6
and waf will setup ntpd to use them.
openssl-3.2-beta breaks sudo on Fedora, so this is a good idea. <======
On Linux
openssl version -d
OPENSSLDIR=`openssl version -d | sed "s/OPENSSLDIR: //"`
OPENSSLDIR=`echo $OPENSSLDIR | sed s/\"//g`
echo $OPENSSLDIR
./Configure --prefix=/usr/local/ssl --openssldir=$OPENSSLDIR shared
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
time make -j4 |& tee make.log
# Check that we got it right. These should match.
openssl version -d
./util/shlib_wrap.sh ./apps/openssl version -d
# ./apps/openssl without the wrapper will use the installed libraries
The above check is broken for openssl-3.2.0 on Fedora
It works on Ubuntu and FreeBSD.
time make test |& tee test.log
time make build_docs |& tee docs.log
sudo make install |& tee install.log
sudo su
cd /etc/ld.so.conf.d
echo "/usr/local/ssl/lib" > openssl.conf # 32 bit systems
echo "/usr/local/ssl/lib64" > openssl.conf # 64 bit systems
# running ldconfig before install doesn't work
ldconfig
On FreeBSD:
ldconfig -m /usr/local/ssl/lib/
NetBSD:
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
(no ldconfig on my search path. Doesn't seem to be needed.)
# check with
/usr/local/ssl/bin/openssl version
# Note that the directories in the above config line need to
# match where wscript looks for your OS.
# The above works for CentOS 7