source: chapter08/openssl.xml@ adcaa44d

multilib
Last change on this file since adcaa44d was adcaa44d, checked in by Thomas Trepl <thomas@…>, 12 months ago

Simplify instructions for m32 and mx32
  • Property mode set to 100644
File size: 9.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../general.ent">
5 %general-entities;
6]>
7
8<sect1 id="ch-system-openssl" role="wrap">
9 <?dbhtml filename="openssl.html"?>
10
11 <sect1info condition="script">
12 <productname>openssl</productname>
13 <productnumber>&openssl-version;</productnumber>
14 <address>&openssl-url;</address>
15 </sect1info>
16
17 <title>OpenSSL-&openssl-version;</title>
18
19 <indexterm zone="ch-system-openssl">
20 <primary sortas="a-OpenSSL">OpenSSL</primary>
21 </indexterm>
22
23 <sect2 role="package">
24 <title/>
25
26 <para>The OpenSSL package contains management tools and libraries relating
27 to cryptography. These are useful for providing cryptographic functions
28 to other packages, such as OpenSSH, email applications, and web browsers
29 (for accessing HTTPS sites). </para>
30
31 <segmentedlist>
32 <segtitle>&buildtime;</segtitle>
33 <segtitle>&diskspace;</segtitle>
34
35 <seglistitem>
36 <seg>&openssl-fin-sbu;</seg>
37 <seg>&openssl-fin-du;</seg>
38 </seglistitem>
39 </segmentedlist>
40
41 </sect2>
42
43 <sect2 role="installation">
44 <title>Installation of OpenSSL</title>
45<!--
46 <para>First fix a problem with some advanced architectures with avx512
47 capability:</para>
48
49 <screen><userinput remap="pre">sed -e '/bn_reduce.*m1/i\ factor_size /= sizeof(BN_ULONG) * 8;' \
50 -i crypto/bn/rsaz_exp_x2.c</userinput></screen>
51-->
52 <para>Prepare OpenSSL for compilation:</para>
53
54<screen><userinput remap="configure">./config --prefix=/usr \
55 --openssldir=/etc/ssl \
56 --libdir=lib \
57 shared \
58 zlib-dynamic</userinput></screen>
59
60 <para>Compile the package:</para>
61
62<screen><userinput remap="make">make</userinput></screen>
63
64 <para>To test the results, issue:</para>
65
66<screen><userinput remap="test">make test</userinput></screen>
67
68 <para>One test, 30-test_afalg.t, is known to fail if the host kernel
69 does not have <option>CONFIG_CRYPTO_USER_API_SKCIPHER</option> enabled,
70 or does not have any options providing an AES with CBC implementation
71 (for example, the combination of <option>CONFIG_CRYPTO_AES</option>
72 and <option>CONFIG_CRYPTO_CBC</option>, or
73 <option>CONFIG_CRYPTO_AES_NI_INTEL</option> if the CPU supports AES-NI)
74 enabled. If it fails, it can safely be ignored.</para>
75
76 <para>Install the package:</para>
77
78<screen><userinput remap="install">sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
79make MANSUFFIX=ssl install</userinput></screen>
80
81 <para>Add the version to the documentation directory name, to be
82 consistent with other packages:</para>
83
84<screen><userinput remap="install">mv -v /usr/share/doc/openssl /usr/share/doc/openssl-&openssl-version;</userinput></screen>
85
86 <para>If desired, install some additional documentation:</para>
87
88<screen><userinput remap="install">cp -vfr doc/* /usr/share/doc/openssl-&openssl-version;</userinput></screen>
89
90 <note>
91 <para>
92 You should update OpenSSL when a new version which fixes vulnerabilities
93 is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme
94 follows the MAJOR.MINOR.PATCH format. API/ABI compatibility
95 is guaranteed for the same MAJOR version number. Because LFS
96 installs only the shared libraries, there is no need to recompile
97 packages which link to
98 <filename class="libraryfile">libcrypto.so</filename> or
99 <filename class="libraryfile">libssl.so</filename>
100 <emphasis>when upgrading to a version with the same MAJOR version
101 number</emphasis>.
102 </para>
103
104 <!-- https://bugzilla.mindrot.org/show_bug.cgi?id=3548 -->
105 <para>
106 If <application>OpenSSH</application> is installed, it will be an
107 exception of the general rule above. It contains an
108 over-restrictive OpenSSL version check, so both SSH client and SSH
109 server will refuse to start if OpenSSL
110 is updated with MAJOR version number unchanged but MINOR version
111 number changed. You need to rebuild
112 <application>OpenSSH</application> after such an upgrade.
113 <emphasis role='bold'>If <application>OpenSSH</application> is being
114 used to access the system, you must rebuild and reinstall it
115 after upgrading OpenSSL to a new MINOR version number before logout
116 or you won't be able to login via SSH anymore.</emphasis>
117 </para>
118
119 <para>
120 However, any running programs linked to those libraries need to be stopped
121 and restarted. Read the related entries in
122 <xref linkend='pkgmgmt-upgrade-issues'/> for details.
123 </para>
124
125 </note>
126
127 </sect2>
128
129 <!-- - - - - - - - - - -->
130 <!-- Multilib - 32bit -->
131 <!-- - - - - - - - - - -->
132
133 <sect2 arch="ml_32,ml_all" role="installation">
134 <title>Installation of OpenSSL - 32bit</title>
135
136 <para>Clean previous build:</para>
137
138<screen><userinput remap="pre">make distclean</userinput></screen>
139
140 <para>Prepare OpenSSL for compilation:</para>
141
142<screen><userinput remap="configure">./config --prefix=/usr \
143 --openssldir=/etc/ssl \
144 --libdir=lib32 \
145 shared \
146 zlib-dynamic \
147 linux-x86</userinput></screen>
148
149 <para>Compile the package:</para>
150
151<screen><userinput remap="make">make</userinput></screen>
152
153 <para>Install the package:</para>
154
155<screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
156cp -Rv DESTDIR/usr/lib32/* /usr/lib32
157rm -rf DESTDIR</userinput></screen>
158
159 </sect2><!-- m32 -->
160
161 <!-- - - - - - - - - - -->
162 <!-- Multilib - x32bit -->
163 <!-- - - - - - - - - - -->
164
165 <sect2 arch="ml_x32,ml_all" role="installation">
166 <title>Installation of OpenSSL - x32bit</title>
167
168 <para>Clean previous build:</para>
169
170<screen><userinput remap="pre">make distclean</userinput></screen>
171
172 <para>Prepare OpenSSL for compilation:</para>
173
174<screen><userinput remap="configure">./config --prefix=/usr \
175 --openssldir=/etc/ssl \
176 --libdir=libx32 \
177 shared \
178 zlib-dynamic \
179 linux-x32</userinput></screen>
180
181 <para>Compile the package:</para>
182
183<screen><userinput remap="make">make</userinput></screen>
184
185 <para>Install the package:</para>
186
187<screen><userinput remap="install">make DESTDIR=$PWD/DESTDIR install
188cp -Rv DESTDIR/usr/libx32/* /usr/libx32
189rm -rf DESTDIR</userinput></screen>
190
191 </sect2><!-- mx32 -->
192
193 <sect2 id="contents-openssl" role="content">
194 <title>Contents of OpenSSL</title>
195
196 <segmentedlist>
197 <segtitle>Installed programs</segtitle>
198 <segtitle>Installed libraries</segtitle>
199 <segtitle>Installed directories</segtitle>
200
201 <seglistitem>
202 <seg>
203 c_rehash and openssl
204 </seg>
205 <seg>
206 libcrypto.so and libssl.so
207 </seg>
208 <seg>
209 /etc/ssl,
210 /usr/include/openssl,
211 /usr/lib/engines and
212 /usr/share/doc/openssl-&openssl-version;
213 </seg>
214 </seglistitem>
215 </segmentedlist>
216
217 <variablelist>
218 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
219 <?dbfo list-presentation="list"?>
220 <?dbhtml list-presentation="table"?>
221
222 <varlistentry id="c_rehash">
223 <term><command>c_rehash</command></term>
224 <listitem>
225 <para>
226 is a <application>Perl</application> script that
227 scans all files in a directory and adds symbolic links to their
228 hash values. Use of <command>c_rehash</command> is considered
229 obsolete and should be replaced by
230 <command>openssl rehash</command> command
231 </para>
232 <indexterm zone="ch-system-openssl c_rehash">
233 <primary sortas="b-c_rehash">c_rehash</primary>
234 </indexterm>
235 </listitem>
236 </varlistentry>
237
238 <varlistentry id="openssl-prog">
239 <term><command>openssl</command></term>
240 <listitem>
241 <para>
242 is a command-line tool for using the various cryptography functions
243 of <application>OpenSSL</application>'s crypto library from the
244 shell. It can be used for various functions which are documented in
245 <command>man 1 openssl</command>
246 </para>
247 <indexterm zone="ch-system-openssl openssl-prog">
248 <primary sortas="b-openssl">openssl</primary>
249 </indexterm>
250 </listitem>
251 </varlistentry>
252
253 <varlistentry id="libcrypto">
254 <term><filename class="libraryfile">libcrypto.so</filename></term>
255 <listitem>
256 <para>
257 implements a wide range of cryptographic algorithms used in various
258 Internet standards. The services provided by this library are used
259 by the <application>OpenSSL</application> implementations of SSL,
260 TLS and S/MIME, and they have also been used to implement
261 <application>OpenSSH</application>,
262 <application>OpenPGP</application>, and other cryptographic
263 standards
264 </para>
265 <indexterm zone="ch-system-openssl libcrypto">
266 <primary sortas="c-libcrypto">libcrypto.so</primary>
267 </indexterm>
268 </listitem>
269 </varlistentry>
270
271 <varlistentry id="libssl">
272 <term><filename class="libraryfile">libssl.so</filename></term>
273 <listitem>
274 <para>
275 implements the Transport Layer Security (TLS v1) protocol.
276 It provides a rich API, documentation
277 on which can be found by running <command>man 7 ssl</command>
278 </para>
279 <indexterm zone="ch-system-openssl libssl">
280 <primary sortas="c-libssl">libssl.so</primary>
281 </indexterm>
282 </listitem>
283 </varlistentry>
284
285 </variablelist>
286
287 </sect2>
288
289</sect1>
Note: See TracBrowser for help on using the repository browser.