1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
4 | <!ENTITY % general-entities SYSTEM "../general.ent">
|
---|
5 | %general-entities;
|
---|
6 | ]>
|
---|
7 |
|
---|
8 | <sect1 id="ch-system-openssl" role="wrap">
|
---|
9 | <?dbhtml filename="openssl.html"?>
|
---|
10 |
|
---|
11 | <sect1info condition="script">
|
---|
12 | <productname>openssl</productname>
|
---|
13 | <productnumber>&openssl-version;</productnumber>
|
---|
14 | <address>&openssl-url;</address>
|
---|
15 | </sect1info>
|
---|
16 |
|
---|
17 | <title>OpenSSL-&openssl-version;</title>
|
---|
18 |
|
---|
19 | <indexterm zone="ch-system-openssl">
|
---|
20 | <primary sortas="a-OpenSSL">OpenSSL</primary>
|
---|
21 | </indexterm>
|
---|
22 |
|
---|
23 | <sect2 role="package">
|
---|
24 | <title/>
|
---|
25 |
|
---|
26 | <para>The OpenSSL package contains management tools and libraries relating
|
---|
27 | to cryptography. These are useful for providing cryptographic functions
|
---|
28 | to other packages, such as OpenSSH, email applications, and web browsers
|
---|
29 | (for accessing HTTPS sites). </para>
|
---|
30 |
|
---|
31 | <segmentedlist>
|
---|
32 | <segtitle>&buildtime;</segtitle>
|
---|
33 | <segtitle>&diskspace;</segtitle>
|
---|
34 |
|
---|
35 | <seglistitem>
|
---|
36 | <seg>&openssl-fin-sbu;</seg>
|
---|
37 | <seg>&openssl-fin-du;</seg>
|
---|
38 | </seglistitem>
|
---|
39 | </segmentedlist>
|
---|
40 |
|
---|
41 | </sect2>
|
---|
42 |
|
---|
43 | <sect2 role="installation">
|
---|
44 | <title>Installation of OpenSSL</title>
|
---|
45 | <!--
|
---|
46 | <para>First fix a problem with some advanced architectures with avx512
|
---|
47 | capability:</para>
|
---|
48 |
|
---|
49 | <screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \
|
---|
50 | -i crypto/bn/rsaz_exp_x2.c</userinput></screen>
|
---|
51 | -->
|
---|
52 | <para>Prepare OpenSSL for compilation:</para>
|
---|
53 |
|
---|
54 | <screen><userinput remap="configure">./config --prefix=/usr \
|
---|
55 | --openssldir=/etc/ssl \
|
---|
56 | --libdir=lib \
|
---|
57 | shared \
|
---|
58 | zlib-dynamic</userinput></screen>
|
---|
59 |
|
---|
60 | <para>Compile the package:</para>
|
---|
61 |
|
---|
62 | <screen><userinput remap="make">make</userinput></screen>
|
---|
63 |
|
---|
64 | <para>To test the results, issue:</para>
|
---|
65 |
|
---|
66 | <screen><userinput remap="test">make test</userinput></screen>
|
---|
67 |
|
---|
68 | <para>One test, 30-test_afalg.t, is known to fail on some kernel
|
---|
69 | configurations (depending on inconsistent values of
|
---|
70 | CONFIG_CRYPTO_USER_API* settings.) If it fails, it can safely be
|
---|
71 | ignored.</para>
|
---|
72 |
|
---|
73 | <para>Install the package:</para>
|
---|
74 |
|
---|
75 | <screen><userinput remap="install">sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
|
---|
76 | make MANSUFFIX=ssl install</userinput></screen>
|
---|
77 |
|
---|
78 | <para>Add the version to the documentation directory name, to be
|
---|
79 | consistent with other packages:</para>
|
---|
80 |
|
---|
81 | <screen><userinput remap="install">mv -v /usr/share/doc/openssl /usr/share/doc/openssl-&openssl-version;</userinput></screen>
|
---|
82 |
|
---|
83 | <para>If desired, install some additional documentation:</para>
|
---|
84 |
|
---|
85 | <screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>
|
---|
86 |
|
---|
87 | <note>
|
---|
88 | <para>
|
---|
89 | You should update OpenSSL when a new version which fixes vulnerabilities
|
---|
90 | is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme
|
---|
91 | follows the MAJOR.MINOR.PATCH format. API/ABI compatibility
|
---|
92 | is guaranteed for the same MAJOR version number. Because LFS
|
---|
93 | installs only the shared libraries, there is no need to recompile
|
---|
94 | packages which link to
|
---|
95 | <filename class="libraryfile">libcrypto.so</filename> or
|
---|
96 | <filename class="libraryfile">libssl.so</filename>
|
---|
97 | <emphasis>when upgrading to a version with the same MAJOR version
|
---|
98 | number</emphasis>.
|
---|
99 | </para>
|
---|
100 |
|
---|
101 | <!-- https://bugzilla.mindrot.org/show_bug.cgi?id=3548 -->
|
---|
102 | <para>
|
---|
103 | If <application>OpenSSH</application> is installed, it will be an
|
---|
104 | exception of the general rule above. It contains an
|
---|
105 | over-restrictive OpenSSL version check, so both SSH client and SSH
|
---|
106 | server will refuse to start if OpenSSL
|
---|
107 | is updated with MAJOR version number unchanged but MINOR version
|
---|
108 | number changed. You need to rebuild
|
---|
109 | <application>OpenSSH</application> after such an upgrade.
|
---|
110 | <emphasis role='bold'>If <application>OpenSSH</application> is being
|
---|
111 | used to access the system, you must rebuild and reinstall it
|
---|
112 | after upgrading OpenSSL to a new MINOR version number before logout
|
---|
113 | or you won't be able to login via SSH anymore.</emphasis>
|
---|
114 | </para>
|
---|
115 |
|
---|
116 | <para>
|
---|
117 | However, any running programs linked to those libraries need to be stopped
|
---|
118 | and restarted. Read the related entries in
|
---|
119 | <xref linkend='pkgmgmt-upgrade-issues'/> for details.
|
---|
120 | </para>
|
---|
121 |
|
---|
122 | </note>
|
---|
123 |
|
---|
124 | </sect2>
|
---|
125 |
|
---|
126 | <sect2 id="contents-openssl" role="content">
|
---|
127 | <title>Contents of OpenSSL</title>
|
---|
128 |
|
---|
129 | <segmentedlist>
|
---|
130 | <segtitle>Installed programs</segtitle>
|
---|
131 | <segtitle>Installed libraries</segtitle>
|
---|
132 | <segtitle>Installed directories</segtitle>
|
---|
133 |
|
---|
134 | <seglistitem>
|
---|
135 | <seg>
|
---|
136 | c_rehash and openssl
|
---|
137 | </seg>
|
---|
138 | <seg>
|
---|
139 | libcrypto.so and libssl.so
|
---|
140 | </seg>
|
---|
141 | <seg>
|
---|
142 | /etc/ssl,
|
---|
143 | /usr/include/openssl,
|
---|
144 | /usr/lib/engines and
|
---|
145 | /usr/share/doc/openssl-&openssl-version;
|
---|
146 | </seg>
|
---|
147 | </seglistitem>
|
---|
148 | </segmentedlist>
|
---|
149 |
|
---|
150 | <variablelist>
|
---|
151 | <bridgehead renderas="sect3">Short Descriptions</bridgehead>
|
---|
152 | <?dbfo list-presentation="list"?>
|
---|
153 | <?dbhtml list-presentation="table"?>
|
---|
154 |
|
---|
155 | <varlistentry id="c_rehash">
|
---|
156 | <term><command>c_rehash</command></term>
|
---|
157 | <listitem>
|
---|
158 | <para>
|
---|
159 | is a <application>Perl</application> script that
|
---|
160 | scans all files in a directory and adds symbolic links to their
|
---|
161 | hash values. Use of <command>c_rehash</command> is considered
|
---|
162 | obsolete and should be replaced by
|
---|
163 | <command>openssl rehash</command> command
|
---|
164 | </para>
|
---|
165 | <indexterm zone="ch-system-openssl c_rehash">
|
---|
166 | <primary sortas="b-c_rehash">c_rehash</primary>
|
---|
167 | </indexterm>
|
---|
168 | </listitem>
|
---|
169 | </varlistentry>
|
---|
170 |
|
---|
171 | <varlistentry id="openssl-prog">
|
---|
172 | <term><command>openssl</command></term>
|
---|
173 | <listitem>
|
---|
174 | <para>
|
---|
175 | is a command-line tool for using the various cryptography functions
|
---|
176 | of <application>OpenSSL</application>'s crypto library from the
|
---|
177 | shell. It can be used for various functions which are documented in
|
---|
178 | <command>man 1 openssl</command>
|
---|
179 | </para>
|
---|
180 | <indexterm zone="ch-system-openssl openssl-prog">
|
---|
181 | <primary sortas="b-openssl">openssl</primary>
|
---|
182 | </indexterm>
|
---|
183 | </listitem>
|
---|
184 | </varlistentry>
|
---|
185 |
|
---|
186 | <varlistentry id="libcrypto">
|
---|
187 | <term><filename class="libraryfile">libcrypto.so</filename></term>
|
---|
188 | <listitem>
|
---|
189 | <para>
|
---|
190 | implements a wide range of cryptographic algorithms used in various
|
---|
191 | Internet standards. The services provided by this library are used
|
---|
192 | by the <application>OpenSSL</application> implementations of SSL,
|
---|
193 | TLS and S/MIME, and they have also been used to implement
|
---|
194 | <application>OpenSSH</application>,
|
---|
195 | <application>OpenPGP</application>, and other cryptographic
|
---|
196 | standards
|
---|
197 | </para>
|
---|
198 | <indexterm zone="ch-system-openssl libcrypto">
|
---|
199 | <primary sortas="c-libcrypto">libcrypto.so</primary>
|
---|
200 | </indexterm>
|
---|
201 | </listitem>
|
---|
202 | </varlistentry>
|
---|
203 |
|
---|
204 | <varlistentry id="libssl">
|
---|
205 | <term><filename class="libraryfile">libssl.so</filename></term>
|
---|
206 | <listitem>
|
---|
207 | <para>
|
---|
208 | implements the Transport Layer Security (TLS v1) protocol.
|
---|
209 | It provides a rich API, documentation
|
---|
210 | on which can be found by running <command>man 7 ssl</command>
|
---|
211 | </para>
|
---|
212 | <indexterm zone="ch-system-openssl libssl">
|
---|
213 | <primary sortas="c-libssl">libssl.so</primary>
|
---|
214 | </indexterm>
|
---|
215 | </listitem>
|
---|
216 | </varlistentry>
|
---|
217 |
|
---|
218 | </variablelist>
|
---|
219 |
|
---|
220 | </sect2>
|
---|
221 |
|
---|
222 | </sect1>
|
---|