Lines Matching +full:highly +full:- +full:integrated
11 - [Prerequisites](#prerequisites)
12 - [Notational Conventions](#notational-conventions)
13 - [Quick Installation Guide](#quick-installation-guide)
14 - [Building OpenSSL](#building-openssl)
15 - [Installing OpenSSL](#installing-openssl)
16 - [Configuration Options](#configuration-options)
17 - [API Level](#api-level)
18 - [Cross Compile Prefix](#cross-compile-prefix)
19 - [Build Type](#build-type)
20 - [Directories](#directories)
21 - [Compiler Warnings](#compiler-warnings)
22 - [Compression Algorithm Flags](#compression-algorithm-flags)
23 - [Seeding the Random Generator](#seeding-the-random-generator)
24 - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key)
25 - [Enable and Disable Features](#enable-and-disable-features)
26 - [Displaying configuration data](#displaying-configuration-data)
27 - [Installation Steps in Detail](#installation-steps-in-detail)
28 - [Configure](#configure-openssl)
29 - [Build](#build-openssl)
30 - [Test](#test-openssl)
31 - [Install](#install-openssl)
32 - [Advanced Build Options](#advanced-build-options)
33 - [Environment Variables](#environment-variables)
34 - [Makefile Targets](#makefile-targets)
35 - [Running Selected Tests](#running-selected-tests)
36 - [Troubleshooting](#troubleshooting)
37 - [Configuration Problems](#configuration-problems)
38 - [Build Failures](#build-failures)
39 - [Test Failures](#test-failures)
40 - [Notes](#notes)
41 - [Notes on multi-threading](#notes-on-multi-threading)
42 - [Notes on shared libraries](#notes-on-shared-libraries)
43 - [Notes on random number generation](#notes-on-random-number-generation)
44 - [Notes on assembler modules compilation](#notes-on-assembler-modules-compilation)
52 * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md))
53 * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md))
55 * POSIX C library (at least POSIX.1-2008), or compatible types and
64 * [Notes for UNIX-like platforms](NOTES-UNIX.md)
65 * [Notes for Android platforms](NOTES-ANDROID.md)
66 * [Notes for Windows platforms](NOTES-WINDOWS.md)
67 * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
68 * [Notes for the OpenVMS platform](NOTES-VMS.md)
69 * [Notes for the HPE NonStop platform](NOTES-NONSTOP.md)
70 * [Notes on POSIX](NOTES-POSIX.md)
71 * [Notes on Perl](NOTES-PERL.md)
72 * [Notes on Valgrind](NOTES-VALGRIND.md)
80 --------
90 -------
101 - or -
103 - or -
117 - or -
119 - or -
121 - or -
125 ---------
139 [Installation in Detail](#installation-steps-in-detail) section below.
142 ----------------
174 Most likely you will be using the `VC-WIN64A`/`VC-WIN64A-HYBRIDCRT` target for
175 64bit Windows binaries (AMD64) or `VC-WIN32`/`VC-WIN32-HYBRIDCRT` for 32bit
177 The other two options, `VC-WIN64I` (Intel IA64, Itanium) and
178 `VC-CE` (Windows CE), are rather uncommon nowadays.
181 ------------------
196 In this case it is highly recommended not to overwrite the system versions,
199 [different location](#installing-to-a-different-location) which is not in
203 [Post-installation Notes](#post-installation-notes) further down.
223 depending on the file type, as is customary on Unix-like operating systems.
261 The options `--prefix` and `--openssldir` are explained in further detail in
266 $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl
270 $ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
273 you've read more than just this Quick Start, such as relevant `NOTES-*` files,
281 for Windows, the defaults for `--prefix` and `--openssldir` depend on what
283 For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md).
286 ---------
288 --api=x.y[.z]
291 If [no-deprecated](#no-deprecated) is also given, don't build with support
295 --api=1.1.0 no-deprecated
300 entirely, just specify [no-deprecated](#no-deprecated).
301 If `--api` isn't given, it defaults to the current (minor) OpenSSL version.
304 --------------------
306 --cross-compile-prefix=<PREFIX>
310 It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler
311 as `a-b-c-gcc`, etc. Unfortunately cross-compiling is too case-specific to put
312 together one-size-fits-all instructions. You might have to pass more flags or
314 are discussed in corresponding `Configurations/15-*.conf` files. But there are
316 target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works. Naturally
318 have option to install a number of prepackaged cross-compilers along with
319 corresponding run-time and development packages for "alien" hardware. To give
320 another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such
323 For cross compilation, you must [configure manually](#manual-configuration).
324 Also, note that `--openssldir` refers to target's file system, not one you are
328 ----------
330 --debug
334 --release
339 -----------
343 --libdir=DIR
346 (see the `--prefix` option) where libraries will be installed. By default
352 For these targets the default libdir is `lib<multilib-postfix>`. Please use
353 `--libdir=lib` to override the libdir if adding the postfix is undesirable.
357 --openssldir=DIR
364 OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
371 --prefix=DIR
380 -----------------
382 --strict-warnings
390 ---------------------------
392 ### with-brotli-include
394 --with-brotli-include=DIR
398 [enable-brotli](#enable-brotli) is used and the include files are not already
401 ### with-brotli-lib
403 --with-brotli-lib=LIB
423 ### with-zlib-include
425 --with-zlib-include=DIR
431 ### with-zlib-lib
433 --with-zlib-lib=LIB
440 [zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used
447 ### with-zstd-include
449 --with-zstd-include=DIR
452 necessary if [enable-zstd](#enable-zstd) is used and the include file is not
460 ### with-zstd-lib
462 --with-zstd-lib=LIB
469 [enable-zstd-dynamic](#enable-zstd-dynamic) option is not also used.
470 If `zstd-dynamic` is used then this flag is optional and defaults
474 ----------------------------
476 --with-rand-seed=seed1[,seed2,...]
490 Use the [getrandom(2)][man-getrandom] or equivalent system call.
492 [man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html
501 on most unix-ish operating systems.
522 [rng]: #notes-on-random-number-generation
526 When configured with `enable-jitter`, a "JITTER" RNG is compiled that
539 It uses a statically linked [jitterentropy-library] as the seed source.
543 --with-jitter-include=DIR
548 --with-jitter-lib=DIR
554 -------------------------
556 --fips-key=value
558 As part of its self-test validation, the FIPS module must verify itself
559 by performing a SHA-256 HMAC computation on itself. The default key is
567 ---------------------------
572 [ enable-xxxx | no-xxxx ]
575 In the following list, always the non-default variant is documented: if
576 feature `xxxx` is disabled by default then `enable-xxxx` is documented and
577 if feature `xxxx` is enabled by default then `no-xxxx` is documented.
579 ### no-afalgeng
585 ### enable-ktls
589 This option will enable the use of the Kernel TLS data-path, which can improve
593 Kernel TLS data-path.
595 ### enable-asan
601 gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
604 ### enable-acvp-tests
614 ### no-apps
619 ### no-asm
627 ### no-async
631 ### no-atexit
637 By default, NonStop configurations use `no-atexit`.
639 ### no-autoalginit
647 if this option is used. This option will force a non-shared build.
649 ### no-autoerrinit
657 ### enable-brotli
661 ### enable-brotli-dynamic
663 Like the enable-brotli option, but has OpenSSL load the brotli library dynamically
668 ### no-autoload-config
675 ### enable-buildtest-c++
685 ### --banner=text
690 ### --w
692 On platforms where the choice of 32-bit or 64-bit architecture
697 ### no-bulk
702 ### no-cached-fetch
706 this option will reduce run-time memory usage but it also introduces a
710 ### no-capieng
716 ### no-cmp
721 ### no-cms
725 ### no-comp
730 the zlib or `zlib-dynamic` options are also chosen.
732 ### enable-crypto-mdebug
734 This now only enables the `failed-malloc` feature.
736 ### enable-crypto-mdebug-backtrace
738 This is a no-op; the project uses the compiler's address/leak sanitizer instead.
740 ### no-ct
744 ### no-deprecated
747 given with `--api` (or the current version, if `--api` wasn't specified).
749 ### no-dgram
755 ### no-docs
759 ### no-dso
763 ### enable-devcryptoeng
768 be disabled with `no-devcryptoeng`.
770 ### no-dynamic-engine
776 ### no-ec
780 ### no-ec2m
784 ### no-tls-deprecated-ec
788 binary Elliptic curves that would also be disabled by `no-ec2m`.
790 ### enable-ec_nistp_64_gcc_128
797 - with little-endian storage of non-byte types
798 - that tolerate misaligned memory references
799 - where the compiler:
800 - supports the non-standard type `__uint128_t`
801 - defines the built-in macro `__SIZEOF_INT128__`
803 ### enable-egd
807 ### no-engine
811 ### no-err
815 ### enable-external-tests
822 - GOST engine test suite
823 - Python PYCA/Cryptography test suite
824 - krb5 test suite
826 See the file [test/README-external.md](test/README-external.md)
829 ### no-filenames
834 ### enable-fips
838 ### no-fips-securitychecks
840 Don't perform FIPS module run-time checks related to enforcement of security
843 ### no-fips-post
848 non-compliant. It is useful when setting breakpoints in FIPS algorithms.
850 ### enable-fips-jitter
856 1. independently performed the required [SP 800-90B] entropy assessments;
857 2. meet the minimum required entropy as specified by [jitterentropy-library];
858 3. obtain an [ESV] certificate for the [jitterentropy-library] and
861 Failure to do all of these will produce a non-compliant FIPS provider.
863 ### enable-fuzz-libfuzzer, enable-fuzz-afl
872 ### no-gost
880 ### no-http
884 ### no-legacy
890 ### no-makedepend
894 ### no-ml-dsa
896 Disable Module-Lattice-Based Digital Signature Standard (ML-DSA) support.
897 ML-DSA is based on CRYSTALS-DILITHIUM. See [FIPS 204].
899 ### no-ml-kem
901 Disable Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM)
902 support. ML-KEM is based on CRYSTALS-KYBER. See [FIPS 203].
904 ### no-module
908 This also implies `no-dynamic-engine`.
910 ### no-multiblock
916 ### no-nextprotoneg
920 ### no-ocsp
924 ### no-padlockeng
928 ### no-hw-padlock
930 A synonym for `no-padlockeng`. Deprecated and should not be used.
932 ### no-pic
936 ### enable-pie
940 ### no-pinshared
957 i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when
958 linking libcrypto statically into a shared third-party library, because in this
960 configure the static build using `no-shared` and `no-pinshared` together.
966 ### no-posix-io
970 ### no-psk
972 Don't build support for Pre-Shared Key based ciphersuites.
974 ### no-rdrand
978 ### no-rfc3779
987 ### no-shared
991 See [Notes on shared libraries](#notes-on-shared-libraries) below.
993 ### no-slh-dsa
996 (SLH-DSA is based on SPHINCS+. See [FIPS 205])
998 ### no-sm2-precomp
1002 ### no-sock
1006 ### no-srp
1011 ### no-srtp
1013 Don't build Secure Real-Time Transport Protocol (SRTP) support.
1015 ### no-sse2
1017 Exclude SSE2 code paths from 32-bit x86 assembly modules.
1019 Normally SSE2 extension is detected at run-time, but the decision whether or not
1025 disengage SSE2 code paths upon application start-up, but if you aim for wider
1026 "audience" running such kernel, consider `no-sse2`. Both the `386` and `no-asm`
1027 options imply `no-sse2`.
1029 ### no-ssl-trace
1033 This removes the `-trace` option from `s_client` and `s_server`, and omits the
1036 Disabling `ssl-trace` may provide a small reduction in libssl binary size.
1038 ### no-static-engine
1044 ### no-stdio
1051 ### no-tests
1055 ### enable-tfo
1059 ### no-quic
1063 ### no-threads
1065 Don't build with support for multi-threaded applications.
1069 Build with support for multi-threaded applications. Most platforms will enable
1071 will usually require additional system-dependent options!
1073 See [Notes on multi-threading](#notes-on-multi-threading) below.
1075 ### no-thread-pool
1079 ### thread-pool
1086 ### no-default-thread-pool
1090 ### default-thread-pool
1096 ### enable-trace
1098 Build with support for the integrated tracing API.
1102 ### enable-sslkeylog
1111 [the draft standard for SSLKEYLOGFILE](https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/)
1113 ### no-ts
1117 ### enable-ubsan
1123 gcc or clang and should be used in conjunction with the `-DPEDANTIC` option
1124 (or the `--strict-warnings` option).
1126 ### no-ui-console
1132 ### enable-unit-test
1138 ### no-uplink
1142 ### enable-weak-ssl-ciphers
1152 ### zlib-dynamic
1159 ### enable-zstd
1163 ### enable-zstd-dynamic
1165 Like the enable-zstd option, but has OpenSSL load the Zstd library dynamically
1170 ### enable-unstable-qlog
1176 the manpage openssl-qlog(7) for details.
1180 In 32-bit x86 builds, use the 80386 instruction set only in assembly modules
1184 accompanied by a corresponding compiler-specific option.
1186 ### no-{protocol}
1188 no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}
1192 If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3`
1194 Similarly `no-dtls` will disable `dtls1` and `dtls1_2`. The `no-ssl` option is
1195 synonymous with `no-ssl3`. Note this only affects version negotiation.
1199 ### no-integrity-only-ciphers
1203 ### no-{protocol}-method
1205 no-{ssl3|tls1|tls1_1|tls1_2|dtls1|dtls1_2}-method
1207 Analogous to `no-{protocol}` but in addition do not build the methods for
1209 is no `no-tls1_3-method` option because there is no application method for
1215 ### enable-{algorithm}
1217 enable-{md2|rc5}
1221 ### no-{algorithm}
1223 no-{aria|bf|blake2|camellia|cast|chacha|cmac|
1224 des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ml-dsa|
1225 ml-kem|ocb|poly1305|rc2|rc4|rmd160|scrypt|
1232 ### Compiler-specific options
1234 -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
1244 Take note of the [Environment Variables](#environment-variables) documentation
1247 -xxx, +xxx, /xxx
1250 they are to the compiler as well. Unix-style options beginning with a
1251 `-` or `+` and Windows-style options beginning with a `/` are recognised.
1254 If the option contains arguments separated by spaces, then the URL-style
1256 to quote the option. For example, `-opt%20arg` gets expanded to `-opt arg`.
1260 Take note of the [Environment Variables](#environment-variables) documentation
1292 -D (or what corresponds to that on your
1296 be used instead of -I (or what corresponds
1318 $ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE
1328 For example, the following command will not see `-DBAR`:
1330 $ CPPFLAGS=-DBAR ./Configure -DCOOKIE
1334 $ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE
1338 `enable-external-tests` and `enable-buildtest-c++`.
1357 -----------------------------
1366 $ ./configdata.pm --help # Unix
1370 $ perl configdata.pm --help # Windows and VMS
1376 -----------------
1413 name as the argument to `Configure`. For example, a `linux-elf` user would
1416 $ ./Configure linux-elf [options...]
1425 [Configurations/README-design.md](Configurations/README-design.md)
1429 Unix-like systems.
1452 $ mkdir /var/tmp/openssl-build
1453 $ cd /var/tmp/openssl-build
1459 $ create/dir [.tmp.openssl-build]
1460 $ set default [.tmp.openssl-build]
1466 $ mkdir \temp-openssl
1467 $ cd \temp-openssl
1474 -------------
1484 (`openssl`). The libraries will be built in the top-level directory,
1487 If the build fails, take a look at the [Build Failures](#build-failures)
1491 ------------
1505 See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests.
1508 ---------------
1520 directory tree under `<PREFIX>` (the directory given with `--prefix` or
1534 share/man/man1 Contains the OpenSSL command line man-pages.
1535 share/man/man3 Contains the OpenSSL library calls man-pages.
1536 share/man/man5 Contains the OpenSSL configuration format man-pages.
1537 share/man/man7 Contains the OpenSSL other misc man-pages.
1543 Contains the HTML rendition of the man-pages.
1569 OPENSSLDIR (the directory given with `--openssldir` or its default)
1580 install engines. If you already have a pre-installed version of OpenSSL as
1588 $ make DESTDIR=/tmp/package-root install # Unix
1589 $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
1595 ---------------------------------------------------
1613 Post-installation Notes
1614 -----------------------
1617 needs some post-installation attention, without which it will not be usable.
1622 See the openssl-fipsinstall(1) manual for details and examples.
1628 ---------------------
1639 ("Makefile" on Unix-like platforms, "makefile" on native Windows,
1653 "--cross-compile-prefix" Configure flag described above. If both
1661 on all platforms, but it's only relevant on Unix-like platforms.
1706 ----------------
1728 in post-mortem (core dump) debugging
1756 list-tests
1767 Re-run the configuration process, as exactly as the last time
1777 ----------------------
1783 test/README.md](test/README.md#running-selected-tests).
1789 ----------------------
1797 Operating system: x86-whatever-minix
1806 The main configuration file is [10-main.conf], which contains all targets that
1813 "target-name" => {
1814 inherit_from => [ "base-target" ],
1825 `Configurations/` directory. For example the `android-x86_64` can be found in
1826 [Configurations/15-android.conf](Configurations/15-android.conf).
1831 - [Configurations/README.md](Configurations/README.md)
1832 - [Configurations/README-design.md](Configurations/README-design.md)
1834 If you need further help, try to search the [openssl-users] mailing list
1862 --------------
1879 Assembler error messages can sometimes be sidestepped by using the `no-asm`
1880 configuration option. See also [notes](#notes-on-assembler-modules-compilation).
1885 If you are still having problems, try to search the [openssl-users] mailing
1892 -------------
1898 section [Test Failures of test/README.md](test/README.md#test-failures).
1902 Selected Tests of test/README.md](test/README.md#running-selected-tests).
1914 Notes on multi-threading
1915 ------------------------
1918 are needed to generate a library that is suitable for multi-threaded
1919 applications. On these systems, support for multi-threading is enabled
1920 by default; use the `no-threads` option to disable (this should never be
1923 On other systems, to enable support for multi-threading, you will have
1924 to specify at least two options: `threads`, and a system-dependent option.
1925 (The latter is `-D_REENTRANT` on various systems.) The default in this
1926 case, obviously, is not to include support for multi-threading (but
1927 you can still use `no-threads` to suppress an annoying warning message
1930 OpenSSL provides built-in support for two threading models: pthreads (found on
1933 you should use `Configure` with the `no-threads` option.
1935 For pthreads, all locks are non-recursive. In addition, in a debug build,
1938 `-DOPENSSL_NO_MUTEX_ERRORCHECK` to your `Configure` invocation.
1939 (On Linux `PTHREAD_MUTEX_ERRORCHECK` is an enum value, so a built-in
1943 -------------------------
1948 only static libraries created by using the `no-shared` option. On systems
1949 where OpenSSL does not know how to build shared libraries the `no-shared`
1960 on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll`
1964 `libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows,
1965 `libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows,
1966 and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows.
1972 OpenSSL is specifically built for 32-bit pointers, the shareable images
1974 instead, and when built for 64-bit pointers, they are named
1978 ---------------------------------
1985 The seeding method can be configured using the `--with-rand-seed` option,
1995 randomness sources. This corresponds to the option `--with-rand-seed=os`.
1998 and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary
2004 --------------------------------------
2008 that use the AES-NI, PCLMULQDQ, SSSE3, and SHA extensions are always assembled.
2013 |---------------|--------|--------|---------|
2021 ---
2024 an explicit -march flag was apparently required to compile assembly modules. But
2025 then the compiler generates processor-specific code, which in turn contradicts
2026 the idea of performing dispatch at run-time, which is facilitated by the special
2031 exec clang -no-integrated-as "$@"
2036 ---
2038 <!-- Links -->
2040 [openssl-users]:
2041 <https://mta.openssl.org/mailman/listinfo/openssl-users>
2052 [10-main.conf]:
2053 Configurations/10-main.conf
2056 <https://csrc.nist.gov/projects/cryptographic-module-validation-program>
2059 <https://csrc.nist.gov/Projects/cryptographic-module-validation-program/entropy-validations>
2067 [SP 800-90B]:
2070 [jitterentropy-library]:
2071 <https://github.com/smuellerDD/jitterentropy-library>