The purpose of the OpenSSL Project is to develop a robust, full-featured, open-source toolkit implementing SSL v2/v3 (Secure Sockets Layer) and TLS v1 (Transport Layer Security), in the spirit of open-source cooperation. The project is maintained by volunteers worldwide who communicate, plan, and develop the OpenSSL toolkit and its documentation over the Internet.
Download link: http://down.51cto.com/data/155531
System Requirements
OpenSSL can be installed on multiple operating systems, but this article only discusses installation on Linux or BSD systems.
The system requirements for installing OpenSSL are very low: an ANSI C compiler (GCC recommended), Perl 5, and make are enough. However, the OpenSSL test suite depends on GNU bc, so install it in advance if you intend to run the tests.
Compilation options
Decompress the downloaded package and enter the extracted directory. You can use the config or Configure script to configure the package. The OpenSSL configuration script differs from that of most typical software packages; it has its own set of rules. Detailed installation information is in the INSTALL file, the Configure script itself (especially the "PROCESS_ARGS" section), and the Makefile.shared and Makefile.org files in the source tree. Usage and post-installation configuration information is in the doc directory. The FAQ file is also a useful reference.
The config script inspects the system environment and then calls Configure to complete the configuration, so any configuration options given to config are passed through to Configure. In effect, config plays the role of config.guess: if you want to call Configure directly, you must specify the "operating system-target platform" string correctly yourself (this is recommended). The ./Configure LIST command prints the list of all available targets. Besides generating the Makefile from Makefile.org, Configure also generates crypto/opensslconf.h from crypto/opensslconf.h.in, which defines many macros.
You can use many options on the config or Configure command line, which can be divided into three categories.
Global Options
The first category is Global Options:
--openssldir=OPENSSLDIR
Installation directory. The default is /usr/local/ssl.
--prefix=PREFIX
Prefix for the lib, include, and bin directories. The default is the OPENSSLDIR directory.
--install_prefix=DESTDIR
Directory used as the "root" during installation. Usually used for packaging; empty by default.
zlib
zlib-dynamic
no-zlib
Use the static zlib compression library, use the dynamic zlib library, or disable zlib compression, respectively.
threads
no-threads
Whether to build a thread-safe (multi-threaded) library. Enabled by default.
shared
no-shared
Whether to build shared (dynamic link) libraries.
asm
no-asm
Whether to use the hand-written assembly implementations when compiling (faster code).
enable-sse2
no-sse2
Enable/disable SSE2 instruction set acceleration. Enable it if your CPU supports SSE2; otherwise it is disabled.
gmp
no-gmp
Enable/disable the GMP library.
rfc3779
no-rfc3779
Enable/disable the RFC 3779 IP address extensions for X.509v3 certificates.
krb5
no-krb5
Enable/disable Kerberos 5 support.
ssl
no-ssl
ssl2
ssl3
no-ssl2
no-ssl3
tls
no-tls
Enable/disable support for the SSL (SSLv2/SSLv3) and TLS protocols.
dso
no-dso
Enable/disable support for loading other dynamic link libraries at run time. [Prompt] no-dso can only be used together with no-shared.
[Note] SSLv2, SSLv3, and TLS must all be enabled for Apache mod_ssl to install successfully.
Algorithm options
The second category disables subdirectories (mostly algorithms) under the crypto directory. Although in theory any of these subdirectories can be disabled with the "no-*" syntax, in practice most of them must be kept for even a minimal build of libcrypto, libssl, and openssl to succeed; the ones that can actually be disabled are the following:
no-md2, no-md4, no-mdc2, no-ripemd
These are message digest algorithms; the names are self-explanatory.
no-des, no-rc2, no-rc4, no-rc5, no-idea, no-bf, no-cast, no-camellia
These are symmetric encryption algorithms; the names are self-explanatory. "bf" means Blowfish.
no-ec, no-dsa, no-ecdsa, no-dh, no-ecdh
These are asymmetric (public-key) algorithms; the names are self-explanatory.
no-comp
Data compression. With no compression algorithm compiled in, only empty interface stubs are defined.
no-store
The object store function. See the crypto/store/README file for details.
[Note] OpenSSH depends only on the package's cryptographic library (libcrypto), whereas Apache with HTTPS support depends on both the cryptographic library and the SSL/TLS library (libssl). So if you do not need HTTPS, you can build with no-ssl no-tls. See the "OVERVIEW" section of the README file for more information. In practice, to be sure OpenSSH builds successfully, the ripemd, des, rc4, bf, cast, dsa, and dh directories must not be disabled.
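The constraints collected in these notes (no-dso only together with no-shared; SSLv2, SSLv3 and TLS kept for Apache mod_ssl; the ripemd, des, rc4, bf, cast, dsa and dh directories kept for OpenSSH) are easy to violate by hand when assembling a long Configure command line. The following POSIX shell function, added here as an example and not part of the article or of OpenSSL, checks a proposed option list against exactly those rules before you run ./config or ./Configure. The profile names generic, apache and openssh are this example's own invention.

```shell
#!/bin/sh
# Added example (not from the article or from OpenSSL): sanity-check a set of
# OpenSSL Configure options against the constraints the article lists.
# Usage: check_configure_opts PROFILE OPTION...   where PROFILE is one of
#   generic  - only the no-dso/no-shared rule
#   apache   - additionally require SSLv2, SSLv3 and TLS to stay enabled
#   openssh  - additionally require the directories OpenSSH needs to stay enabled
# (the profile names are this example's own). Exit status 0 = consistent,
# 1 = a rule was violated (each violation is reported on stderr), 2 = bad profile.

# has_opt NEEDLE OPTION... : succeed if NEEDLE is one of the OPTIONs.
has_opt() {
    needle=$1; shift
    for o in "$@"; do
        [ "$o" = "$needle" ] && return 0
    done
    return 1
}

check_configure_opts() {
    profile=$1; shift
    rc=0
    # no-dso is only available on the premise of no-shared.
    if has_opt no-dso "$@" && ! has_opt no-shared "$@"; then
        echo "no-dso requires no-shared" >&2
        rc=1
    fi
    case $profile in
    generic) ;;
    apache)
        # Apache mod_ssl needs SSLv2, SSLv3 and TLS all enabled.
        for p in no-ssl no-ssl2 no-ssl3 no-tls; do
            if has_opt "$p" "$@"; then
                echo "$p: Apache mod_ssl needs SSLv2, SSLv3 and TLS enabled" >&2
                rc=1
            fi
        done ;;
    openssh)
        # OpenSSH only links libcrypto, but these crypto/ subdirectories must stay.
        for a in ripemd des rc4 bf cast dsa dh; do
            if has_opt "no-$a" "$@"; then
                echo "no-$a: OpenSSH needs the $a directory" >&2
                rc=1
            fi
        done ;;
    *)
        echo "unknown profile: $profile (use generic, apache or openssh)" >&2
        return 2 ;;
    esac
    return $rc
}

# Stand-alone use: sh check_opts.sh PROFILE OPTION... ; prints the command
# line to run when the option set passes the checks.
if [ $# -gt 0 ]; then
    if check_configure_opts "$@"; then
        shift
        echo "./config $*"
    fi
fi
```

Run it as `sh check_opts.sh openssh no-ssl no-tls no-md2` to confirm that a libcrypto-only build for OpenSSH is consistent, or `sh check_opts.sh apache no-ssl2` to see the mod_ssl rule reject the option set.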
Compiler Options
The third category is compiler options. Most software packages read the CPPFLAGS, CFLAGS, and LDFLAGS environment variables when the configure script runs to set compilation options, but OpenSSL does not. Instead, the OpenSSL Configure script accepts CPPFLAGS/CFLAGS-style options directly on its command line. For example, -DDEVRANDOM='"/dev/urandom"' specifies the random device, -DSSL_FORBID_ENULL disables the NULL encryption ciphers, and `echo $CFLAGS` appends the contents of the CFLAGS variable. LDFLAGS, on the other hand, cannot be set through Configure: Configure forcibly clears LDFLAGS in the Makefiles, so after running Configure you can use sed to modify LDFLAGS (used to link the openssl program) and SHARED_LDFLAGS (used to link the libcrypto and libssl libraries) in all the Makefiles.
For example, I often configure with Configure as follows:
./Configure ... -DSSL_FORBID_ENULL -DDEVRANDOM='"/dev/urandom"' `echo $CFLAGS`
find . -name "Makefile*" -exec sed -r -i -e "s|^(SHARED_)?LDFLAGS=|&$LDFLAGS |" {} \;
[Prompt] The quotation marks around "Makefile*" in the find command must not be omitted; otherwise the shell expands the pattern in the current directory before find sees it.
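To see what the sed line actually does before running it on a real source tree, here is an added example (not from the article or from OpenSSL) that applies the same find/sed command to a constructed, throwaway copy of the Makefile layout Configure leaves behind. It assumes GNU sed, as the article's -r and -i flags do; the flags it injects (-Wl,-z,relro -Wl,-z,now) are illustrative values only and nothing is linked.

```shell
#!/bin/sh
# Added example (not from the article or from OpenSSL): the article's find/sed
# fix for LDFLAGS, applied to a constructed, throwaway Makefile tree so its
# effect can be checked before it is run on a real source tree. Assumes GNU sed
# (the -r and -i flags come from the article's own command).

# inject_ldflags DIR FLAGS: in every Makefile* below DIR, prepend FLAGS to the
# value of the LDFLAGS= (links the openssl binary) and SHARED_LDFLAGS= (links
# libcrypto/libssl) lines. FLAGS is the article's $LDFLAGS passed explicitly;
# it must not contain '|', '&' or '\', which are special in the sed replacement.
inject_ldflags() {
    find "$1" -name "Makefile*" -exec sed -r -i -e "s|^(SHARED_)?LDFLAGS=|&$2 |" {} \;
}

# var_of FILE NAME: print the value of the NAME= line in FILE, whitespace-trimmed.
var_of() {
    sed -n "/^$2=/{s/^$2=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1"
}

# make_demo_tree: build a constructed tree mimicking what Configure leaves
# (LDFLAGS cleared in every Makefile) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/crypto"
    printf 'CC= gcc\nLDFLAGS=\nSHARED_LDFLAGS=\nEX_LIBS= -ldl\n' > "$d/Makefile"
    printf 'LDFLAGS=\n' > "$d/crypto/Makefile"
    printf 'LDFLAGS=\n' > "$d/notes.txt"      # not a Makefile: must stay untouched
    printf '%s\n' "$d"
}

# Stand-alone demonstration with illustrative hardening flags (nothing is linked).
demo=$(make_demo_tree)
inject_ldflags "$demo" "-Wl,-z,relro -Wl,-z,now"
echo "Makefile LDFLAGS:        $(var_of "$demo/Makefile" LDFLAGS)"
echo "Makefile SHARED_LDFLAGS: $(var_of "$demo/Makefile" SHARED_LDFLAGS)"
echo "crypto/Makefile LDFLAGS: $(var_of "$demo/crypto/Makefile" LDFLAGS)"
echo "notes.txt LDFLAGS:       '$(var_of "$demo/notes.txt" LDFLAGS)' (unchanged)"
rm -rf "$demo"
```

The replacement `&$2 ` keeps the matched `LDFLAGS=` or `SHARED_LDFLAGS=` prefix (`&`) and puts the flags in front of whatever value follows, which is why the same sed expression serves both variables; only files whose names match `Makefile*` are touched, so notes.txt keeps its empty LDFLAGS line.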
Compile, test, and install
After configuration, run make depend to rebuild the dependencies, especially if you used any "no-*" options; otherwise compilation may fail.
Then compile with make. If compilation succeeds, run make test to execute the test suite.
If the tests pass, install. Installation is simple: just run make install. You can also run make install INSTALL_PREFIX=/other/dir to install with /other/dir as the "root", which is usually done for packaging.
Configuration File
After installation, configure the settings. The OpenSSL configuration file is openssl.cnf, located in the directory specified by --openssldir.
In practice, an important use of OpenSSL is certificate issuance and management, which depends on the configuration file. If you only use its cryptographic library and not the certificate functions, you do not need to learn how to configure OpenSSL.
The following is a simple openssl.cnf that can be used for certificate issuance. It is fine to use this configuration to play with on your own, but don't expect it to make you a real certificate authority; no one will trust you :)
############################################
# OpenSSL configuration file demonstration #
############################################
# [Note] This demo file is not the one installed by default.


##########
# Syntax #
##########
#
# variable = value
#
# The syntax is simple and readable at a glance, but a few points need explaining:
# 1. It is best to define string values in double quotation marks; escape sequences such as "\n", "\r", and "\t" can be used inside them.
# 2. Variables in the same section can be referenced as ${variable_name}; variables in other sections can be referenced as ${section_name::variable_name}.
# 3. ${ENV::VARIABLE} references an environment variable defined in the operating system. If the variable does not exist, errors may occur.
# 4. To avoid errors caused by a missing environment variable, define a variable with the same name in the default section; it serves as the default value.
# 5. If several variables with the same name exist in the same section, later values overwrite earlier ones.
#


###################
# Default section #
###################
# This part is the default section and must come before all named sections.
# When configuration data is read, the section matching the requested name is searched first; if the value is not found there, the default section is used.

# Define a default value for HOME in case the operating system does not provide a HOME environment variable.
HOME = .

# Random seed file. The default random source is /dev/random or /dev/urandom.
RANDFILE = $ENV::HOME/.rnd

# Extension object definitions
# For example, if OpenSSL does not define a particular X.509 certificate extension, the definition is taken from the extension objects defined below.
# There are two ways to define them. The first stores them in an external file, the one named by the "oid_file" variable.
#oid_file = $ENV::HOME/.oid
# The second stores them in a section of the configuration file, the one named by the value of the "oid_section" variable.
oid_section = new_oids

[ new_oids ]
# Extension object definitions can be added here; they can be used by 'ca' and 'req', for example.
# Format:
# object_short_name = object_numeric_id
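The reference rules listed in the syntax section above (${name}, ${section::name}, $ENV::NAME with the default-section fallback, and later values overwriting earlier ones) can be exercised without a certificate authority in sight. The following shell script, added as an example and not part of the article or of OpenSSL, implements just that subset of the configuration syntax in awk and runs it over a constructed sample file. It uses a made-up DEMO_HOME variable instead of HOME so the environment-variable fallback is observable in any environment. It is not OpenSSL's own CONF parser and handles nothing beyond the rules listed above.

```shell
#!/bin/sh
# Added example (not from the article or from OpenSSL): a resolver for the
# openssl.cnf reference syntax the article describes, implemented in awk so it
# runs without the openssl binary. Supported: "name = value" lines, [section]
# headers, "#" comments, double-quoted values with \n \r \t escapes, ${name},
# ${section::name}, $ENV::NAME (falling back to the default section), and
# later duplicates overwriting earlier ones. Everything else is out of scope.

# cnf_get FILE SECTION NAME: print the expanded value of NAME in SECTION,
# falling back to the default section, or an empty line if it is undefined.
cnf_get() {
    awk -v want_sect="$2" -v want_name="$3" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # lookup(sect, name): value from sect, else from the default section.
    function lookup(s, n) {
        if ((s, n) in val) return val[s, n]
        if (("default", n) in val) return val["default", n]
        return ""
    }
    # expand(v, cur): replace ${name}, ${sect::name} and $ENV::NAME in v,
    # resolving bare names against the current section cur.
    function expand(v, cur,   i, ref, s, n, r, pre, post) {
        for (i = 0; i < 100 && match(v, /\$[{][^}]*[}]|\$[A-Za-z_][A-Za-z0-9_]*::[A-Za-z_][A-Za-z0-9_]*/); i++) {
            ref = substr(v, RSTART, RLENGTH)
            pre = substr(v, 1, RSTART - 1)
            post = substr(v, RSTART + RLENGTH)
            if (substr(ref, 2, 1) == "{") ref = substr(ref, 3, length(ref) - 3)
            else ref = substr(ref, 2)
            if (index(ref, "::") > 0) {
                s = substr(ref, 1, index(ref, "::") - 1)
                n = substr(ref, index(ref, "::") + 2)
            } else { s = cur; n = ref }
            # ENV is the environment; a missing variable falls back to the default section.
            if (s == "ENV") r = (n in ENVIRON) ? ENVIRON[n] : lookup("default", n)
            else r = lookup(s, n)
            v = pre r post
        }
        return v
    }
    BEGIN { sect = "default" }                 # lines before any [section] belong here
    /^[ \t]*#/ { next }                        # comment
    NF == 0 { next }                           # blank line
    /^[ \t]*\[/ {                              # [ section ] header
        hdr = $0; sub(/^[ \t]*\[/, "", hdr); sub(/\].*$/, "", hdr)
        sect = trim(hdr); next
    }
    {
        eq = index($0, "="); if (eq == 0) next
        name = trim(substr($0, 1, eq - 1)); v = trim(substr($0, eq + 1))
        if (length(v) >= 2 && substr(v, 1, 1) == "\"" && substr(v, length(v), 1) == "\"") {
            v = substr(v, 2, length(v) - 2)
            gsub(/\\n/, "\n", v); gsub(/\\r/, "\r", v); gsub(/\\t/, "\t", v)
        }
        val[sect, name] = expand(v, sect)      # rule 5: a later definition overwrites
    }
    END { print lookup(want_sect, want_name) }
    ' "$1"
}

# write_sample_cnf FILE: a constructed configuration exercising each rule.
write_sample_cnf() {
    cat > "$1" <<'EOF'
# default section: everything before the first [section]
DEMO_HOME = .
RANDFILE = $ENV::DEMO_HOME/.rnd
greeting = "hello\tworld"

[ paths ]
base  = /var/lib/demo
certs = ${base}/certs
rnd   = ${RANDFILE}

[ ca_demo ]
dir = ${paths::certs}
dir = ${paths::base}/ca
EOF
}

# Stand-alone demonstration.
sample=$(mktemp)
write_sample_cnf "$sample"
echo "paths::certs  = $(cnf_get "$sample" paths certs)"
echo "paths::rnd    = $(cnf_get "$sample" paths rnd)"
echo "ca_demo::dir  = $(cnf_get "$sample" ca_demo dir)"
rm -f "$sample"
```

Values are expanded when their line is read, as OpenSSL does, so `${RANDFILE}` inside [ paths ] resolves through the default section to `./.rnd` when DEMO_HOME is unset, and to `/home/alice/.rnd` when `DEMO_HOME=/home/alice` is exported before the file is read; the second `dir` line in [ ca_demo ] wins, illustrating rule 5.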