Document directory
- Copyright Notice
- Other works
- Bug report, discussion and discussion
- Global Options
- Algorithm options
- Compiler Options
Original Author:
Jin Bu Guo
Copyright Notice
The author of this article is a free software enthusiast, so although this article is not software, it is released in the spirit of GPL. No one can use, repost, copy, or re-distribute the statement freely. However, the author's signature must be retained and no clauses in the statement can be modified in any form or attached. You can freely link, download, and disseminate this document, provided that the full text is fully reproduced, including the complete copyright information and the translator's statement.
Other works
The author of this article is very willing to share the fruits of work with others. If you are interested in other translated works or technical articles, you can view the list of existing works in the following position:
Bug report, discussion and discussion
Due to the limited level of the author, the accuracy of the work cannot be ensured. Please identify the content yourself in reading. If you find any errors in your work, please send a letter stating that, even if it is a mistake, I will be willing to accept any suggestions to improve the quality of your work. If you are willing to further discuss the content in your work with me, you are also welcome to contact me. Contact: Email: csfrank@citiz.net; QQ: 70171448; MSN: csfrank122@hotmail.com
System Requirements
OpenSSL can be installed on multiple operating systems, but this article only discusses installation on Linux or BSD systems.
The system requirement for installing OpenSSL is very low, as long as there is an ansi c compiler (GCC recommended), Perl 5, make. However, the OpenSSL test program depends onGNU BCIf you need to run the test program, install it in advance.
Compilation options
Decompress the downloaded package and enter the decompressed directory. You can use the config or configure script to configure the package. The OpenSSL configuration script is different from most typical software packages. It has its own set of rules. Detailed installation information is located in the install configure (especially the "process_args" section) makefile. Shared makefile.org file under the source code tree. The usage and configuration information after installation are located in the doc directory. The FAQ file can also be used as a reference.
The Config script checks the system environment and calls configure to complete the configuration. Therefore, the configuration options are passed to configure through the config script. In fact, the config script is equivalent to config. guess, so if you want to directly call configure, you must specify the "Operating System-Target Platform" correctly (this is recommended ). You can use the./configure LIST command to obtain the list of all available target machines. In addition to generating makefile Based on makefile.org, the configure script also defines many macros (based on crypto/opensslconf. H. In) in crypto/opensslconf. H. In ).
You can use many options on the config or configure command line, which can be divided into three categories.
Global Options
The first category is Global Options:
-
-- Openssldir = openssldir
-
Installation directory. The default value is/usr/local/SSL.
-
-- Prefix = prefix
-
Set the prefix of the Lib include bin directory. The default value is the openssldir directory.
-
-- Install_prefix = destdir
-
Set this directory as the "root" directory during installation. It is usually used for packaging and is empty by default.
-
Zlib
Zlib-dynamic
No-zlib
-
Use static zlib compression libraries, dynamic zlib compression libraries, and the zlib compression function.
-
Threads
No-threads
-
Whether to compile a multi-threaded library. Supported by default.
-
Shared
No-shared
-
Whether to generate a dynamic Connection Library.
-
ASM
No-ASM
-
Whether to use assembly code during compilation to speed up the compilation process.
-
Enable-sse2
No-sse2
-
Enable/disable sse2 Instruction Set acceleration. If your CPU supports the sse2 instruction set, it can be enabled; otherwise, it will be disabled.
-
GMP
No-GMP
-
Enable/disable GMP Library
-
Rfc3779
No-rfc3779
-
Enable/disable IP address extension for x509v3 certificates
-
Krb5
No-krb5
-
Enable/disable Kerberos 5 support
-
SSL
No-SSL
Ssl2
Ssl3
No-ssl2
No-ssl3
TLS
No-TLS
-
Enable/disable SSL (including ssl2/ssl3) TLS protocol support.
-
DSO
No-DSO
-
Enable/disable the function of calling other dynamic link libraries. [Prompt] No-DSO is only available on the premise of No-shared.
[Note] SSLv2, SSLv3, and TLS must be enabled to successfully install Apache mod_ssl.
Algorithm options
The second type is used to disable the subdirectories (mainly algorithms) in the crypto directory ). Although theoretically these subdirectories can be disabled through the "no-*" syntax, in fact, to minimize the installation of libcrypto, libssl, and OpenSSL, most of the directories must be retained, the actual available directories only include the following:
-
No-md2, no-md4, no-mdc2, no-ripemd
-
These are abstract algorithms with clear meanings.
-
No-Des, no-rc2, no-rc4, no-rc5, no-idea, no-BF, no-cast, no-Camellia
-
These are symmetric encryption algorithms with clear meanings. "BF" means "Blowfish.
-
No-EC, no-DSA, no-ECDSA, no-DH, no-ecdh
-
These are asymmetric encryption algorithms with clear meanings.
-
No-comp
-
Data Compression Algorithm. Because there is no compression algorithm, some empty interfaces are defined.
-
No-store
-
Object Storage function. For more details, see the crypto/store/readme file.
[Note] OpenSSH only depends on the software package's encrypted Library (libcrypto), while Apache with HTTPS support depends on the software package's encrypted library and SSL/TLS Library (libssl ). Therefore, if you do not want to use https, you can only install the no-SSL no-TLS. For more information, see the "Overview" section of the README file. In fact, to ensure successful OpenSSH installation, the ripemd, Des, RC4, BF, cast, DSA, and DH directories cannot be disabled.
Compiler Options
The third type is compiler options. Most software packages define the cppflags cflags ldflags environment variable when running the configure script to set the compilation options, but OpenSSL does not. The OpenSSL configure script allows you to directly enter cppflags cflags on the command line. For example,-ddevrandom = '"/dev/urandom"' can be used to specify random devices.-dssl_forbid_enull can be used to disable null encryption algorithms. 'Echo $ cflags 'can be used to add the cflags variable. On the other hand, ldflags cannot be set through configure. Since configure forcibly clears ldflags in makefile, after running configure, you can use a sed to modify ldflags (used to connect OpenSSL) and shared_ldflags (used to connect libcrypto) in all makefiles, libssl library ).
For example, I often use configure for configuration as follows:
./Configure ... -DSSL_FORBID_ENULL -DDEVRANDOM='"/dev/urandom"' `echo $CFLAGS`find . -name "Makefile*" -exec sed -r -i -e"s|^(SHARED_)?LDFLAGS=|& $LDFLAGS |" {} \;
[Prompt] The quotation marks on both sides of "makefile *" in the "find" command cannot be omitted.
Compile, test, and install
After the configuration is complete, you need to use make depend to re-establish the dependency, especially after you use the "no-*" option, otherwise the compilation may fail.
Then use the make command to compile. If the compilation is successful, use make test to perform the test.
If the test passes, the installation will be followed. The installation is simple. Just run the make install command. You can also use make install install_prefix =/other/DIR to install/other/DIR as "root", which is usually used for packaging.
Configuration File
After the installation is complete, configure the settings. The OpenSSL configuration file is OpenSSL. CNF, which is located in the directory specified by -- openssldir.
In practice, an important use of OpenSSL is certificate issuance and management, which requires the cooperation of the configuration file. If you only use its encrypted library without using the certificate function, you do not need to know how to configure OpenSSL.
The following is a simple OpenSSL. CNF file that can be used for certificate issuance. Of course, it's okay to use this configuration to play it on your own. Nobody will trust you.
######################### OpenSSL configuration file demonstration ########### ############## [note] This demo file is not set by default. ######### Syntax ########## variable = value ## the syntax is simple and easy to understand at a glance, but there are several points to explain: #1. it is best to use double quotation marks to define string values, and escape sequences such as "\ n", "\ r", and "\ t" ("\") can be used ?). #2. variables in the same field can be referenced in the form of $ {variable name}, and variables in other fields can be referenced in the form of $ {field name: variable name. #3. You can use $ {EVP: Environment Variable} to reference the environment variables defined in the operating system. If the variables do not exist, errors may occur. #4. You can define a variable with the same name as the operating system environment variable in the default field as the default value to avoid errors caused by the absence of environment variables. #5. If multiple variables with the same name exist in the same field, the subsequent values overwrite the previous values. ############# Default field ############# this part is the default field [configuration segment]. it must be placed before all fields. # When reading the configuration file data, the corresponding configuration segment is first searched based on the field name. If no configuration segment is found, the default field is used. # Define the default value of home to prevent the operating system from having the home environment variable. Home =. # The default Random Seed file is/dev/random or/dev/urandomrandfile = $ ENV: Home /. RND # extended object definition # For example, OpenSSL does not define the extended item of the X.509 certificate, which is obtained from the definition of the extended object. # There are two methods to be defined. The first method (against) is stored in an external file, that is, the file defined by the "oid_file" variable. # Oid_file = $ ENV: Home/. OID # The second type is stored in a field in the configuration file, that is, the field specified by the variable value "oid_section. Oid_section = new_oids [new_oids] # You can add extension object definitions here. For example, they can be used by 'CA' and 'req. # Format: # object abbreviation = Object digital ID ################################# ######################################## ######################################## ################# certificate request configuration #################### ### before applying for a certificate, you must first generate a certificate request Encapsulation Format that complies with the PKCS #10 standard. # The req command of OpenSSL enables certificate generation. The default values of related options are from the settings here. # The configuration of the certificate request is divided into several fields, including a basic field and several ancillary fields. ##### "Basic fields" configured for the certificate request ", all other ancillary Fields use it as the entry #### [req] # The default length of the RSA key pair in the generated certificate. The value is the integer power of 2. We recommend that you use more than 4096. Default_bits = 1024 # Save the default file name of the generated private key file default_keyfile = privkey. pem # Whether the generated private key file uses password encryption protection, which can be set to yes or no. Encrypt_key = yes # password used to read the private key file. If not set, a prompt is displayed. # Input_password = Secret # password used to save the output private key file. If not set, a prompt is displayed. # Output_password = Secret # information digest algorithm used by default for signature, which can be MD5, sha1, mdc2, md2default_md = MD5 # Set the default string type for some fields, for example, the name of the city and organization in the certificate request. Possible values and explanations are as follows: # default: includes three types: printablestring, t61string, and BMP string # pkix: Includes printablestring and BMP string # utf8only: Only utf8 string is used. We recommend that you use this to perfectly include any character. # Nombstr: contains two types: printablestring and t61string (do not use BMP or utf8string multi-byte character types) string_mask = nombstr # If set to yes, the strings in both the command line and configuration file are viewed in UTF-8 encoding. The default value "no" indicates that only ASCII encoding is used. Utf8 = No # if it is set to no, the req command will directly read the certificate field information from the configuration file without prompting the user to enter it. Prompt = yes # define the "feature name" field name for the input user information option. This extension field defines multiple user information. Distinguished_name = req_distinguished_name # defines the field name of the certificate request attribute. This extension field defines some attributes of the certificate request, but the OpenSSL Certificate issuing tool does not use them. Attributes = req_attributes # field name of the certificate request extension, which defines a series of extensions to be added to the certificate request. # Req_extensions = v3_req # Name of the certificate Extension field used to generate a self-signed certificate. This extension field defines a series of extension items to be added to the certificate. X509_extensions = v3_ca ##### the "feature name" field contains the user's identification information ##### [req_distinguished_name] countryname = cn # Country Code stateorprovincename = beijinorganizationname = Organization Name CommonName = company name #### the certificate request attribute field defines some attributes of the certificate request (none of them are required) ##### [req_attributes] ##### a series of extension items to be added to the certificate request ##### [v3_req] basicconstraints = Ca: falsekeyusage = nonrepudiation, digitalsignature, keyencipherment #### certificate Extension used to generate a self-signed certificate ####### because this part is not mandatory You can delete this part of [v3_ca] # pkix recommendation. subjectkeyidentifier = hashauthoritykeyidentifier = keyid: Always, issuer: always # This is what pkix recommends but some broken software chokes on critical # extensions. # basicconstraints = critical, CA: true # So we do this instead. basicconstraints = Ca: true # Key Usage: This is typical for a CA certificate. however since it will # prevent it being used S an test self-signed certificate it is best # left out by default. # keyusage = crlsign, keycertsign # Some might want this also # nscerttype = sslca, emailca # include email address in subject alt name: Another pkix recommendation # subjectaltname = Email: copy # copy issuer details # issueraltname = issuer: Copy # der Hex Encoding of an extension: Beware experts only! # OBJ = der: 02: 03 # Where 'obj 'is a standard or added object # You can even override a supported extension: # basicconstraints = critical, der: 30: 03: 01: 01: FF ####################################### ######################################## ######################################## ########## certificate issuance configuration ######################## OpenSSL ca command to implement the certificate issuing function, the default values of related options are from the settings here. # This field only uses the unique default_ca variable to specify the entry of the default ca master configuration field (the default value of the-name command line option) [Ca] default_ca = ca_default ##### default main ca configuration field ##### [ca_default] # folder for saving all information, this variable is only used to give the following variables dir =. /democa # Name of the root certificate for storing ca itself: Certificate = $ DIR/cacert. PEM # file name for storing the private key of CA itself: private_key = $ DIR/private/cakey. PEM # The serial number text file used to issue the certificate, which must contain the next available hexadecimal number. Serial = $ DIR/serial # stores the default directory of the newly issued certificate. The Certificate Name is the serial number of the certificate. The suffix is. pemnew_certs_dir = $ DIR/newcerts # The default save directory of the generated certificate certs = $ DIR/certs # Save the text database file of the issued certificate, which is blank at the beginning. Database = $ DIR/index.txt # stores the file with the current CRL number, for the CRL of the V1 version, you must comment out the line crlnumber = $ DIR/crlnumber # The current CRL file CRL = $ DIR/CRl. PEM # The default save directory of the Certificate Revocation List (CRL) generated crl_dir = $ DIR/CRL # whether the same subject can only create one certificate, if it is set to no, multiple unique_subject = yes # The default Digest algorithm for issuing a new certificate and CRL can be created. MD5, md2, mdc2, sha1default_md = sha1 # is generally used, the Parameter order of the special name (DN) domain issued by the certificate is the same as that of the certificate policy. # However, if this parameter is set to yes, it must be consistent with the parameter order in the certificate request. Preserve = No # display the mode of the DN domain of the readable certificate when the user needs to confirm the certificate is issued. The available value is the same as the-nameopt option of the X509 command. Name_opt = ca_default # The certificate domain method is displayed when the user needs to confirm the certificate issue. # The available value is the same as the-certopt option of the X509 command, but no_signame and no_sigdump are always set by default. Cert_opt = ca_default # default validity period of the new certificate. If not set, the time when the certificate is issued is used. Format: yymmddhhnnssz (year, month, day, hour, minute, second Z) # default_startdate = 080303223344z # default expiration date of the new certificate. Format: yymmddhhnnssz (year, month, day, minute, second Z) # default_enddate = 090303223344z # default validity period of the new certificate, default_days = 365 # withdraw from the current CRL (certificate list) in days) ult_crl_days = 30 # whether to add the extension item information in the certificate request to the certificate Extension item by the number of days before the next CRL release. Value range and explanation: # none: Ignore all extension items in the certificate request # copy: copy the items not included in the certificate Extension item to the certificate # copyall: copy all the extensions in the certificate request and overwrite the existing values in the certificate Extension. Copy_extensions = none # defines the fields used for the DN domain matching policy of the certificate request, which are used to determine the CA requirements and rules for processing the parameter values of the DN domain provided by the certificate request. Policy = policy_match # defines the field of the X.509 Certificate extension. If this field is not provided, an x.509v1 certificate is generated instead of a V3 certificate. X509_extensions = usr_cert # defines the extension field to be added when the CRL is generated. If no definition is set, the CRL of V1 is generated instead of that of V2. # Crl_extensions = crl_ext ##### matching policy for certificate request information ###### the variable name is the name of the DN domain object. The variable value can be: # match: the value of this variable in the certificate request must be exactly the same as the variable value corresponding to the CA certificate; otherwise, the certificate is rejected. # Supplied: this variable must be provided in the certificate request (the value can be different); otherwise, the signature is rejected. # Optional: this variable may or may not exist in the certificate request (equivalent to no requirement ). # Unless preserve = yes or-preservedn is used in the CA command, the objects not mentioned in the matching policy will be deleted when the certificate is issued. [Policy_match] countryname = matchstateorprovincename = matchorganizationname = matchcommonname = optional = optionalemailaddress = optional ### the following parts are not necessary and therefore are not translated. ### In fact, you can delete these contents from the configuration file [usr_cert] # these extensions are added when 'CA' signs a request. # This goes against pkix guidelines but some CAS do it and some software # requires this to avoid interpreting an end user certificate as a ca. basicconstraints = Ca: false # Here are some examples of the usage of nscerttype. if it is omitted # The certificate can be used for anything * handle T * Object signing. # This is OK for an SSL server. # nscerttype = server # For an object signing Certificate this wocould be used. # nscerttype = objsign # For normal client use this is typical # nscerttype = client, email # And for everything including object signing: # nscerttype = client, email, objsign # This is typical in keyusage for a client certificate. # keyusage = nonrepudiation, digitalsignature, keyencipherment # This will be displayed in Netscape's comment ListBox. nscomment = "OpenSSL generated Certificate" # pkix recommendations harmless if already ded in all certificates. subjectkeyidentifier = hashauthoritykeyidentifier = keyid, issuer # This stuff is for subjectaltname and issueraltname. # import the email address. # subjectaltname = Email: Copy # an alternative to produce certificates that aren't # deprecated according to pkix. # subjectaltname = Email: move # copy subject details # issueraltname = issuer: Copy # nscarevocationurl = javascrl_ext] # CRL extensions. # Only issueraltname and authoritykeyidentifier make any sense in a crl. # issueraltname = issuer: copyauthoritykeyidentifier = keyid: Always, issuer: always [proxy_cert_ext] # these extensions shocould be added when creating a proxy certificate # This goes against pkix guidelines but some CAS do it and some software # requires this to avoid interpreting an end user certificate A ca. basicconstraints = Ca: false # Here are some examples of the usage of nscerttype. if it is omitted # The certificate can be used for anything * handle T * Object signing. # This is OK for an SSL server. # nscerttype = server # For an object signing Certificate this wocould be used. # nscerttype = objsign # For normal client use this is typical # nscerttype = client, email # And for everything including object signing: # nscerttype = client, email, objsign # This is typical in keyusage for a client certificate. # keyusage = nonrepudiation, digitalsignature, keyencipherment # This will be displayed in Netscape's comment ListBox. nscomment = "OpenSSL generated Certificate" # pkix recommendations harmless if already ded in all certificates. subjectkeyidentifier = hashauthoritykeyidentifier = keyid, issuer: always # This stuff is for subjectaltname and issueraltname. # import the email address. # subjectaltname = Email: Copy # an alternative to produce certificates that aren't # deprecated according to pkix. # subjectaltname = Email: move # copy subject details # issueraltname = issuer: Copy # nscarevocationurl = http://www.domain.dom/ca-crl.pem#nsBaseUrl#nsRevocationUrl#nsRenewalUrl#nsCaPolicyUrl#nsSslServerName# this really needs to be in place for it to be a proxy certificate. proxycertinfo = critical, language: ID-PPL-anylanguage, pathlen: 3, Policy: foo