source: chapter08/openssl.xml@ 796b226a

multilib
Last change on this file since 796b226a was 796b226a, checked in by Thomas Trepl <thomas@…>, 13 months ago

Automatic merge of trunk into multilib

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../general.ent">
  %general-entities;
]>

<sect1 id="ch-system-openssl" role="wrap">
  <?dbhtml filename="openssl.html"?>

  <sect1info condition="script">
    <productname>openssl</productname>
    <productnumber>&openssl-version;</productnumber>
    <address>&openssl-url;</address>
  </sect1info>

  <title>OpenSSL-&openssl-version;</title>

  <indexterm zone="ch-system-openssl">
    <primary sortas="a-OpenSSL">OpenSSL</primary>
  </indexterm>

  <sect2 role="package">
    <title/>

    <para>The OpenSSL package contains management tools and libraries relating
    to cryptography. These are useful for providing cryptographic functions
    to other packages, such as OpenSSH, email applications, and web browsers
    (for accessing HTTPS sites).</para>

    <segmentedlist>
      <segtitle>&buildtime;</segtitle>
      <segtitle>&diskspace;</segtitle>

      <seglistitem>
        <seg>&openssl-fin-sbu;</seg>
        <seg>&openssl-fin-du;</seg>
      </seglistitem>
    </segmentedlist>

  </sect2>

  <sect2 role="installation">
    <title>Installation of OpenSSL</title>
<!--
    <para>First fix a problem with some advanced architectures with avx512
    capability:</para>

<screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \
    -i crypto/bn/rsaz_exp_x2.c</userinput></screen>
-->
    <para>Prepare OpenSSL for compilation:</para>

<screen><userinput remap="configure">./config --prefix=/usr \
         --openssldir=/etc/ssl \
         --libdir=lib \
         shared \
         zlib-dynamic</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>To test the results, issue:</para>

<screen><userinput remap="test">make test</userinput></screen>

    <para>One test, 30-test_afalg.t, is known to fail if the host kernel
    does not have <option>CONFIG_CRYPTO_USER_API_SKCIPHER</option> enabled,
    or does not have any options providing an AES with CBC implementation
    (for example, the combination of <option>CONFIG_CRYPTO_AES</option>
    and <option>CONFIG_CRYPTO_CBC</option>, or
    <option>CONFIG_CRYPTO_AES_NI_INTEL</option> if the CPU supports AES-NI)
    enabled. If it fails, it can safely be ignored.</para>

    <para>Install the package:</para>

<screen><userinput remap="install">sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
make MANSUFFIX=ssl install</userinput></screen>

    <para>Add the version to the documentation directory name, to be
    consistent with other packages:</para>

<screen><userinput remap="install">mv -v /usr/share/doc/openssl /usr/share/doc/openssl-&openssl-version;</userinput></screen>

    <para>If desired, install some additional documentation:</para>

<screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>

    <note>
      <para>
        You should update OpenSSL when a new version which fixes vulnerabilities
        is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme
        follows the MAJOR.MINOR.PATCH format. API/ABI compatibility
        is guaranteed for the same MAJOR version number. Because LFS
        installs only the shared libraries, there is no need to recompile
        packages which link to
        <filename class="libraryfile">libcrypto.so</filename> or
        <filename class="libraryfile">libssl.so</filename>
        <emphasis>when upgrading to a version with the same MAJOR version
        number</emphasis>.
      </para>

      <!-- https://bugzilla.mindrot.org/show_bug.cgi?id=3548 -->
      <para>
        If <application>OpenSSH</application> is installed, it is an
        exception to the general rule above. It contains an
        over-restrictive OpenSSL version check, so both the SSH client and
        the SSH server will refuse to start if OpenSSL is updated to a
        version with the same MAJOR version number but a different MINOR
        version number. You need to rebuild
        <application>OpenSSH</application> after such an upgrade.
        <emphasis role='bold'>If <application>OpenSSH</application> is being
        used to access the system, you must rebuild and reinstall it
        after upgrading OpenSSL to a new MINOR version number before logging
        out, or you won't be able to log in via SSH anymore.</emphasis>
      </para>

      <para>
        Even when no recompilation is needed, any running programs linked to
        those libraries need to be stopped and restarted. Read the related
        entries in <xref linkend='pkgmgmt-upgrade-issues'/> for details.
      </para>

    </note>

  </sect2>

  <!-- - - - - - - - - - -->
  <!-- Multilib - 32bit -->
  <!-- - - - - - - - - - -->

  <sect2 arch="ml_32,ml_all" role="installation">
    <title>Installation of OpenSSL - 32bit</title>

    <para>Clean the previous build:</para>

<screen><userinput remap="pre">make distclean</userinput></screen>

    <para>Prepare OpenSSL for compilation:</para>

<screen><userinput remap="configure">CFLAGS="-m32 -march=i686 -Wall -O3" CXXFLAGS="$CFLAGS" \
./config --prefix=/usr \
         --openssldir=/etc/ssl \
         --libdir=lib32 \
         shared \
         zlib-dynamic \
         linux-generic32</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>Install the package:</para>

<screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
cp -Rv DESTDIR/usr/lib32/* /usr/lib32
rm -rf DESTDIR</userinput></screen>

  </sect2><!-- m32 -->

  <!-- - - - - - - - - - -->
  <!-- Multilib - x32bit -->
  <!-- - - - - - - - - - -->

  <sect2 arch="ml_x32,ml_all" role="installation">
    <title>Installation of OpenSSL - x32bit</title>

    <para>Clean the previous build:</para>

<screen><userinput remap="pre">make distclean</userinput></screen>

    <para>Prepare OpenSSL for compilation:</para>

<screen><userinput remap="configure">CFLAGS="-mx32 -march=x86-64 -Wall -O3" CXXFLAGS="$CFLAGS" \
./config --prefix=/usr \
         --openssldir=/etc/ssl \
         --libdir=libx32 \
         shared \
         zlib-dynamic \
         linux-x32</userinput></screen>

    <para>Compile the package:</para>

<screen><userinput remap="make">make</userinput></screen>

    <para>Install the package:</para>

<screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
cp -Rv DESTDIR/usr/libx32/* /usr/libx32
rm -rf DESTDIR</userinput></screen>

  </sect2><!-- mx32 -->

  <sect2 id="contents-openssl" role="content">
    <title>Contents of OpenSSL</title>

    <segmentedlist>
      <segtitle>Installed programs</segtitle>
      <segtitle>Installed libraries</segtitle>
      <segtitle>Installed directories</segtitle>

      <seglistitem>
        <seg>
          c_rehash and openssl
        </seg>
        <seg>
          libcrypto.so and libssl.so
        </seg>
        <seg>
          /etc/ssl,
          /usr/include/openssl,
          /usr/lib/engines and
          /usr/share/doc/openssl-&openssl-version;
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="c_rehash">
        <term><command>c_rehash</command></term>
        <listitem>
          <para>
            is a <application>Perl</application> script that
            scans all files in a directory and adds symbolic links to their
            hash values. Use of <command>c_rehash</command> is considered
            obsolete and should be replaced by the
            <command>openssl rehash</command> command
          </para>
          <indexterm zone="ch-system-openssl c_rehash">
            <primary sortas="b-c_rehash">c_rehash</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="openssl-prog">
        <term><command>openssl</command></term>
        <listitem>
          <para>
            is a command-line tool for using the various cryptography functions
            of <application>OpenSSL</application>'s crypto library from the
            shell. It can be used for various functions which are documented in
            <command>man 1 openssl</command>
          </para>
          <indexterm zone="ch-system-openssl openssl-prog">
            <primary sortas="b-openssl">openssl</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libcrypto">
        <term><filename class="libraryfile">libcrypto.so</filename></term>
        <listitem>
          <para>
            implements a wide range of cryptographic algorithms used in various
            Internet standards. The services provided by this library are used
            by the <application>OpenSSL</application> implementations of SSL,
            TLS and S/MIME, and they have also been used to implement
            <application>OpenSSH</application>,
            <application>OpenPGP</application>, and other cryptographic
            standards
          </para>
          <indexterm zone="ch-system-openssl libcrypto">
            <primary sortas="c-libcrypto">libcrypto.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libssl">
        <term><filename class="libraryfile">libssl.so</filename></term>
        <listitem>
          <para>
            implements the Transport Layer Security (TLS v1) protocol.
            It provides a rich API, documentation
            on which can be found by running <command>man 7 ssl</command>
          </para>
          <indexterm zone="ch-system-openssl libssl">
            <primary sortas="c-libssl">libssl.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>
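The upgrade rules from the note in the installation section (same MAJOR: no recompile; new MINOR: rebuild OpenSSH; running programs must be restarted), written as a shell check. This is an added example, not part of the LFS book: the function names and sample maps lines are constructed, and it assumes the install replaced the library files so the kernel marks old mappings `(deleted)` in `/proc/PID/maps`.

```shell
#!/bin/sh
# Added example, not part of the LFS book. Function names are hypothetical.

# classify_upgrade OLD NEW: apply the note's MAJOR.MINOR.PATCH rules
# (OpenSSL 3.0.0 and later) to an upgrade from version OLD to version NEW.
classify_upgrade() (
    old_major=${1%%.*}; rest=${1#*.}; old_minor=${rest%%.*}
    new_major=${2%%.*}; rest=${2#*.}; new_minor=${rest%%.*}
    if [ "$old_major" != "$new_major" ]; then
        echo "major-changed"     # ABI guarantee does not span MAJOR versions
    elif [ "$old_minor" != "$new_minor" ]; then
        echo "rebuild-openssh"   # ABI kept, but OpenSSH's version check fails
    else
        echo "restart-only"      # PATCH update: restart running programs
    fi
)

# has_stale_openssl: read a /proc/PID/maps listing on stdin and succeed if
# it still maps a libcrypto or libssl file that has since been replaced.
# Assumption: the install replaced the file (new inode), so the kernel
# appends " (deleted)" to the old mapping's path.
has_stale_openssl() {
    grep -Eq '/lib(crypto|ssl)\.so[^ ]* \(deleted\)$'
}

# stale_pids: print the PID of every process with such a mapping.
# Run as root; maps files that cannot be read are skipped.
stale_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        if has_stale_openssl 2>/dev/null < "$maps"; then
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample of two maps lines, for trying has_stale_openssl offline.
SAMPLE_MAPS='7f1c2a000000-7f1c2a0b3000 r--p 00000000 08:02 131090 /usr/lib/libcrypto.so.3 (deleted)
7f1c2a400000-7f1c2a41f000 r--p 00000000 08:02 131077 /usr/lib/libz.so.1'

# Usage: sh check-openssl-upgrade.sh OLD_VERSION NEW_VERSION
if [ "$#" -eq 2 ]; then
    echo "upgrade $1 -> $2: $(classify_upgrade "$1" "$2")"
    echo "PIDs still mapping the replaced libraries:"
    stale_pids
fi
```

If the `sshd` PID appears in the output after a MINOR upgrade, rebuild and reinstall OpenSSH before restarting it or logging out.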