xref: /freebsd/crypto/openssl/INSTALL.md (revision 1da7f3f6f72b2245e458fc7195733268ae4a1136)
1Build and Install
2=================
3
4This document describes installation on all supported operating
5systems: the Unix/Linux family (including macOS), OpenVMS,
6and Windows.
7
8Table of Contents
9=================
10
11 - [Prerequisites](#prerequisites)
12 - [Notational Conventions](#notational-conventions)
13 - [Quick Installation Guide](#quick-installation-guide)
14   - [Building OpenSSL](#building-openssl)
15   - [Installing OpenSSL](#installing-openssl)
16 - [Configuration Options](#configuration-options)
17   - [API Level](#api-level)
18   - [Cross Compile Prefix](#cross-compile-prefix)
19   - [Build Type](#build-type)
20   - [Directories](#directories)
21   - [Compiler Warnings](#compiler-warnings)
22   - [ZLib Flags](#zlib-flags)
23   - [Seeding the Random Generator](#seeding-the-random-generator)
24   - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key)
25   - [Enable and Disable Features](#enable-and-disable-features)
26   - [Displaying configuration data](#displaying-configuration-data)
27 - [Installation Steps in Detail](#installation-steps-in-detail)
28   - [Configure](#configure-openssl)
29   - [Build](#build-openssl)
30   - [Test](#test-openssl)
31   - [Install](#install-openssl)
32 - [Advanced Build Options](#advanced-build-options)
33   - [Environment Variables](#environment-variables)
34   - [Makefile Targets](#makefile-targets)
35   - [Running Selected Tests](#running-selected-tests)
36 - [Troubleshooting](#troubleshooting)
37   - [Configuration Problems](#configuration-problems)
38   - [Build Failures](#build-failures)
39   - [Test Failures](#test-failures)
40 - [Notes](#notes)
41   - [Notes on multi-threading](#notes-on-multi-threading)
42   - [Notes on shared libraries](#notes-on-shared-libraries)
43   - [Notes on random number generation](#notes-on-random-number-generation)
44   - [Notes on assembler modules compilation](#notes-on-assembler-modules-compilation)
45
46Prerequisites
47=============
48
49To install OpenSSL, you will need:
50
51 * A "make" implementation
52 * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md))
53 * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md))
54 * an ANSI C compiler
55 * a development environment in the form of development libraries and C
56   header files
57 * a supported operating system
58
59For additional platform specific requirements, solutions to specific
60issues and other details, please read one of these:
61
62 * [Notes for UNIX-like platforms](NOTES-UNIX.md)
63 * [Notes for Android platforms](NOTES-ANDROID.md)
64 * [Notes for Windows platforms](NOTES-WINDOWS.md)
65 * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md)
66 * [Notes for the OpenVMS platform](NOTES-VMS.md)
67 * [Notes on Perl](NOTES-PERL.md)
68 * [Notes on Valgrind](NOTES-VALGRIND.md)
69
70Notational conventions
71======================
72
73Throughout this document, we use the following conventions.
74
75Commands
76--------
77
78Any line starting with a dollar sign is a command line.
79
80    $ command
81
82The dollar sign indicates the shell prompt and is not to be entered as
83part of the command.
84
85Choices
86-------
87
88Several words in curly braces separated by pipe characters indicate a
89**mandatory choice**, to be replaced with one of the given words.
90For example, the line
91
92    $ echo { WORD1 | WORD2 | WORD3 }
93
94represents one of the following three commands
95
96    $ echo WORD1
97    - or -
98    $ echo WORD2
99    - or -
100    $ echo WORD3
101
102One or several words in square brackets separated by pipe characters
103denote an **optional choice**.  It is similar to the mandatory choice,
104but it can also be omitted entirely.
105
106So the line
107
108    $ echo [ WORD1 | WORD2 | WORD3 ]
109
110represents one of the four commands
111
112    $ echo WORD1
113    - or -
114    $ echo WORD2
115    - or -
116    $ echo WORD3
117    - or -
118    $ echo
119
120Arguments
121---------
122
123**Mandatory arguments** are enclosed in double curly braces.
124A simple example would be
125
126    $ type {{ filename }}
127
128which is to be understood to use the command `type` on some file name
129determined by the user.
130
131**Optional Arguments** are enclosed in double square brackets.
132
133    [[ options ]]
134
135Note that the notation assumes spaces around `{`, `}`, `[`, `]`, `{{`, `}}` and
136`[[`, `]]`.  This is to differentiate from OpenVMS directory
137specifications, which also use [ and ], but without spaces.
138
139Quick Installation Guide
140========================
141
142If you just want to get OpenSSL installed without bothering too much
143about the details, here is the short version of how to build and install
144OpenSSL.  If any of the following steps fails, please consult the
145[Installation in Detail](#installation-steps-in-detail) section below.
146
147Building OpenSSL
148----------------
149
150Use the following commands to configure, build and test OpenSSL.
151The testing is optional, but recommended if you intend to install
152OpenSSL for production use.
153
154### Unix / Linux / macOS
155
156    $ ./Configure
157    $ make
158    $ make test
159
160### OpenVMS
161
162Use the following commands to build OpenSSL:
163
164    $ perl Configure
165    $ mms
166    $ mms test
167
168### Windows
169
170If you are using Visual Studio, open a Developer Command Prompt and
171issue the following commands to build OpenSSL.
172
173    $ perl Configure
174    $ nmake
175    $ nmake test
176
177As mentioned in the [Choices](#choices) section, you need to pick one
178of the four Configure targets in the first command.
179
180Most likely you will be using the `VC-WIN64A` target for 64bit Windows
181binaries (AMD64) or `VC-WIN32` for 32bit Windows binaries (X86).
182The other two options are `VC-WIN64I` (Intel IA64, Itanium) and
183`VC-CE` (Windows CE) are rather uncommon nowadays.
184
185Installing OpenSSL
186------------------
187
188The following commands will install OpenSSL to a default system location.
189
190**Danger Zone:** even if you are impatient, please read the following two
191paragraphs carefully before you install OpenSSL.
192
193For security reasons the default system location is by default not writable
194for unprivileged users.  So for the final installation step administrative
195privileges are required.  The default system location and the procedure to
196obtain administrative privileges depends on the operating system.
197It is recommended to compile and test OpenSSL with normal user privileges
198and use administrative privileges only for the final installation step.
199
200On some platforms OpenSSL is preinstalled as part of the Operating System.
201In this case it is highly recommended not to overwrite the system versions,
202because other applications or libraries might depend on it.
203To avoid breaking other applications, install your copy of OpenSSL to a
204[different location](#installing-to-a-different-location) which is not in
205the global search path for system libraries.
206
207Finally, if you plan on using the FIPS module, you need to read the
208[Post-installation Notes](#post-installation-notes) further down.
209
210### Unix / Linux / macOS
211
212Depending on your distribution, you need to run the following command as
213root user or prepend `sudo` to the command:
214
215    $ make install
216
217By default, OpenSSL will be installed to
218
219    /usr/local
220
221More precisely, the files will be installed into the  subdirectories
222
223    /usr/local/bin
224    /usr/local/lib
225    /usr/local/include
226    ...
227
228depending on the file type, as it is custom on Unix-like operating systems.
229
230### OpenVMS
231
232Use the following command to install OpenSSL.
233
234    $ mms install
235
236By default, OpenSSL will be installed to
237
238    SYS$COMMON:[OPENSSL]
239
240### Windows
241
242If you are using Visual Studio, open the Developer Command Prompt _elevated_
243and issue the following command.
244
245    $ nmake install
246
247The easiest way to elevate the Command Prompt is to press and hold down both
248the `<CTRL>` and `<SHIFT>` keys while clicking the menu item in the task menu.
249
250The default installation location is
251
252    C:\Program Files\OpenSSL
253
254for native binaries, or
255
256    C:\Program Files (x86)\OpenSSL
257
258for 32bit binaries on 64bit Windows (WOW64).
259
260#### Installing to a different location
261
262To install OpenSSL to a different location (for example into your home
263directory for testing purposes) run `Configure` as shown in the following
264examples.
265
266The options `--prefix` and `--openssldir` are explained in further detail in
267[Directories](#directories) below, and the values used here are mere examples.
268
269On Unix:
270
271    $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl
272
273On OpenVMS:
274
275    $ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL]
276
277Note: if you do add options to the configuration command, please make sure
278you've read more than just this Quick Start, such as relevant `NOTES-*` files,
279the options outline below, as configuration options may change the outcome
280in otherwise unexpected ways.
281
282Configuration Options
283=====================
284
285There are several options to `./Configure` to customize the build (note that
286for Windows, the defaults for `--prefix` and `--openssldir` depend on what
287configuration is used and what Windows implementation OpenSSL is built on.
288For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md).
289
290API Level
291---------
292
293    --api=x.y[.z]
294
295Build the OpenSSL libraries to support the API for the specified version.
296If [no-deprecated](#no-deprecated) is also given, don't build with support
297for deprecated APIs in or below the specified version number.  For example,
298adding
299
300    --api=1.1.0 no-deprecated
301
302will remove support for all APIs that were deprecated in OpenSSL version
3031.1.0 or below.  This is a rather specialized option for developers.
304If you just intend to remove all deprecated APIs up to the current version
305entirely, just specify [no-deprecated](#no-deprecated).
306If `--api` isn't given, it defaults to the current (minor) OpenSSL version.
307
308Cross Compile Prefix
309--------------------
310
311    --cross-compile-prefix=<PREFIX>
312
313The `<PREFIX>` to include in front of commands for your toolchain.
314
315It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler
316as `a-b-c-gcc`, etc.  Unfortunately cross-compiling is too case-specific to put
317together one-size-fits-all instructions.  You might have to pass more flags or
318set up environment variables to actually make it work.  Android and iOS cases
319are discussed in corresponding `Configurations/15-*.conf` files.  But there are
320cases when this option alone is sufficient.  For example to build the mingw64
321target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works.  Naturally
322provided that mingw packages are installed.  Today Debian and Ubuntu users
323have option to install a number of prepackaged cross-compilers along with
324corresponding run-time and development packages for "alien" hardware.  To give
325another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such
326case.
327
328For cross compilation, you must [configure manually](#manual-configuration).
329Also, note that `--openssldir` refers to target's file system, not one you are
330building on.
331
332Build Type
333----------
334
335    --debug
336
337Build OpenSSL with debugging symbols and zero optimization level.
338
339    --release
340
341Build OpenSSL without debugging symbols.  This is the default.
342
343Directories
344-----------
345
346### libdir
347
348    --libdir=DIR
349
350The name of the directory under the top of the installation directory tree
351(see the `--prefix` option) where libraries will be installed.  By default
352this is `lib`. Note that on Windows only static libraries (`*.lib`) will
353be stored in this location. Shared libraries (`*.dll`) will always be
354installed to the `bin` directory.
355
356Some build targets have a multilib postfix set in the build configuration.
357For these targets the default libdir is `lib<multilib-postfix>`. Please use
358`--libdir=lib` to override the libdir if adding the postfix is undesirable.
359
360### openssldir
361
362    --openssldir=DIR
363
364Directory for OpenSSL configuration files, and also the default certificate
365and key store.  Defaults are:
366
367    Unix:           /usr/local/ssl
368    Windows:        C:\Program Files\Common Files\SSL
369    OpenVMS:        SYS$COMMON:[OPENSSL-COMMON]
370
371For 32bit Windows applications on Windows 64bit (WOW64), always replace
372`C:\Program Files` by `C:\Program Files (x86)`.
373
374### prefix
375
376    --prefix=DIR
377
378The top of the installation directory tree.  Defaults are:
379
380    Unix:           /usr/local
381    Windows:        C:\Program Files\OpenSSL
382    OpenVMS:        SYS$COMMON:[OPENSSL]
383
384Compiler Warnings
385-----------------
386
387    --strict-warnings
388
389This is a developer flag that switches on various compiler options recommended
390for OpenSSL development.  It only works when using gcc or clang as the compiler.
391If you are developing a patch for OpenSSL then it is recommended that you use
392this option where possible.
393
394ZLib Flags
395----------
396
397### with-zlib-include
398
399    --with-zlib-include=DIR
400
401The directory for the location of the zlib include file.  This option is only
402necessary if [zlib](#zlib) is used and the include file is not
403already on the system include path.
404
405### with-zlib-lib
406
407    --with-zlib-lib=LIB
408
409**On Unix**: this is the directory containing the zlib library.
410If not provided the system library path will be used.
411
412**On Windows:** this is the filename of the zlib library (with or
413without a path).  This flag must be provided if the
414[zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used
415then this flag is optional and defaults to `ZLIB1` if not provided.
416
417**On VMS:** this is the filename of the zlib library (with or without a path).
418This flag is optional and if not provided then `GNV$LIBZSHR`, `GNV$LIBZSHR32`
419or `GNV$LIBZSHR64` is used by default depending on the pointer size chosen.
420
421Seeding the Random Generator
422----------------------------
423
424    --with-rand-seed=seed1[,seed2,...]
425
426A comma separated list of seeding methods which will be tried by OpenSSL
427in order to obtain random input (a.k.a "entropy") for seeding its
428cryptographically secure random number generator (CSPRNG).
429The current seeding methods are:
430
431### os
432
433Use a trusted operating system entropy source.
434This is the default method if such an entropy source exists.
435
436### getrandom
437
438Use the [getrandom(2)][man-getrandom] or equivalent system call.
439
440[man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html
441
442### devrandom
443
444Use the first device from the `DEVRANDOM` list which can be opened to read
445random bytes.  The `DEVRANDOM` preprocessor constant expands to
446
447    "/dev/urandom","/dev/random","/dev/srandom"
448
449on most unix-ish operating systems.
450
451### egd
452
453Check for an entropy generating daemon.
454This source is ignored by the FIPS provider.
455
456### rdcpu
457
458Use the `RDSEED` or `RDRAND` command if provided by the CPU.
459
460### librandom
461
462Use librandom (not implemented yet).
463This source is ignored by the FIPS provider.
464
465### none
466
467Disable automatic seeding.  This is the default on some operating systems where
468no suitable entropy source exists, or no support for it is implemented yet.
469This option is ignored by the FIPS provider.
470
471For more information, see the section [Notes on random number generation][rng]
472at the end of this document.
473
474[rng]: #notes-on-random-number-generation
475
476Setting the FIPS HMAC key
477-------------------------
478
479    --fips-key=value
480
481As part of its self-test validation, the FIPS module must verify itself
482by performing a SHA-256 HMAC computation on itself. The default key is
483the SHA256 value of "the holy handgrenade of antioch" and is sufficient
484for meeting the FIPS requirements.
485
486To change the key to a different value, use this flag. The value should
487be a hex string no more than 64 characters.
488
489Enable and Disable Features
490---------------------------
491
492Feature options always come in pairs, an option to enable feature
493`xxxx`, and an option to disable it:
494
495    [ enable-xxxx | no-xxxx ]
496
497Whether a feature is enabled or disabled by default, depends on the feature.
498In the following list, always the non-default variant is documented: if
499feature `xxxx` is disabled by default then `enable-xxxx` is documented and
500if feature `xxxx` is enabled by default then `no-xxxx` is documented.
501
502### no-afalgeng
503
504Don't build the AFALG engine.
505
506This option will be forced on a platform that does not support AFALG.
507
508### enable-ktls
509
510Build with Kernel TLS support.
511
512This option will enable the use of the Kernel TLS data-path, which can improve
513performance and allow for the use of sendfile and splice system calls on
514TLS sockets.  The Kernel may use TLS accelerators if any are available on the
515system.  This option will be forced off on systems that do not support the
516Kernel TLS data-path.
517
518### enable-asan
519
520Build with the Address sanitiser.
521
522This is a developer option only.  It may not work on all platforms and should
523never be used in production environments.  It will only work when used with
524gcc or clang and should be used in conjunction with the [no-shared](#no-shared)
525option.
526
527### enable-acvp-tests
528
529Build support for Automated Cryptographic Validation Protocol (ACVP)
530tests.
531
532This is required for FIPS validation purposes. Certain ACVP tests require
533access to algorithm internals that are not normally accessible.
534Additional information related to ACVP can be found at
535<https://github.com/usnistgov/ACVP>.
536
537### no-asm
538
539Do not use assembler code.
540
541This should be viewed as debugging/troubleshooting option rather than for
542production use.  On some platforms a small amount of assembler code may still
543be used even with this option.
544
545### no-async
546
547Do not build support for async operations.
548
549### no-autoalginit
550
551Don't automatically load all supported ciphers and digests.
552
553Typically OpenSSL will make available all of its supported ciphers and digests.
554For a statically linked application this may be undesirable if small executable
555size is an objective.  This only affects libcrypto.  Ciphers and digests will
556have to be loaded manually using `EVP_add_cipher()` and `EVP_add_digest()`
557if this option is used.  This option will force a non-shared build.
558
559### no-autoerrinit
560
561Don't automatically load all libcrypto/libssl error strings.
562
563Typically OpenSSL will automatically load human readable error strings.  For a
564statically linked application this may be undesirable if small executable size
565is an objective.
566
567### no-autoload-config
568
569Don't automatically load the default `openssl.cnf` file.
570
571Typically OpenSSL will automatically load a system config file which configures
572default SSL options.
573
574### enable-buildtest-c++
575
576While testing, generate C++ buildtest files that simply check that the public
577OpenSSL header files are usable standalone with C++.
578
579Enabling this option demands extra care.  For any compiler flag given directly
580as configuration option, you must ensure that it's valid for both the C and
581the C++ compiler.  If not, the C++ build test will most likely break.  As an
582alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS`.
583
584### --banner=text
585
586Use the specified text instead of the default banner at the end of
587configuration.
588
589### --w
590
591On platforms where the choice of 32-bit or 64-bit architecture
592is not explicitly specified, `Configure` will print a warning
593message and wait for a few seconds to let you interrupt the
594configuration. Using this flag skips the wait.
595
596### no-bulk
597
598Build only some minimal set of features.
599This is a developer option used internally for CI build tests of the project.
600
601### no-cached-fetch
602
603Never cache algorithms when they are fetched from a provider.  Normally, a
604provider indicates if the algorithms it supplies can be cached or not.  Using
605this option will reduce run-time memory usage but it also introduces a
606significant performance penalty.  This option is primarily designed to help
607with detecting incorrect reference counting.
608
609### no-capieng
610
611Don't build the CAPI engine.
612
613This option will be forced if on a platform that does not support CAPI.
614
615### no-cmp
616
617Don't build support for Certificate Management Protocol (CMP)
618and Certificate Request Message Format (CRMF).
619
620### no-cms
621
622Don't build support for Cryptographic Message Syntax (CMS).
623
624### no-comp
625
626Don't build support for SSL/TLS compression.
627
628If this option is enabled (the default), then compression will only work if
629the zlib or `zlib-dynamic` options are also chosen.
630
631### enable-crypto-mdebug
632
633This now only enables the `failed-malloc` feature.
634
635### enable-crypto-mdebug-backtrace
636
637This is a no-op; the project uses the compiler's address/leak sanitizer instead.
638
639### no-ct
640
641Don't build support for Certificate Transparency (CT).
642
643### no-deprecated
644
645Don't build with support for deprecated APIs up until and including the version
646given with `--api` (or the current version, if `--api` wasn't specified).
647
648### no-dgram
649
650Don't build support for datagram based BIOs.
651
652Selecting this option will also force the disabling of DTLS.
653
654### no-dso
655
656Don't build support for loading Dynamic Shared Objects (DSO)
657
658### enable-devcryptoeng
659
660Build the `/dev/crypto` engine.
661
662This option is automatically selected on the BSD platform, in which case it can
663be disabled with `no-devcryptoeng`.
664
665### no-dynamic-engine
666
667Don't build the dynamically loaded engines.
668
669This only has an effect in a shared build.
670
671### no-ec
672
673Don't build support for Elliptic Curves.
674
675### no-ec2m
676
677Don't build support for binary Elliptic Curves
678
679### enable-ec_nistp_64_gcc_128
680
681Enable support for optimised implementations of some commonly used NIST
682elliptic curves.
683
684This option is only supported on platforms:
685
686 - with little-endian storage of non-byte types
687 - that tolerate misaligned memory references
688 - where the compiler:
689   - supports the non-standard type `__uint128_t`
690   - defines the built-in macro `__SIZEOF_INT128__`
691
692### enable-egd
693
694Build support for gathering entropy from the Entropy Gathering Daemon (EGD).
695
696### no-engine
697
698Don't build support for loading engines.
699
700### no-err
701
702Don't compile in any error strings.
703
704### enable-external-tests
705
706Enable building of integration with external test suites.
707
708This is a developer option and may not work on all platforms.  The following
709external test suites are currently supported:
710
711 - GOST engine test suite
712 - Python PYCA/Cryptography test suite
713 - krb5 test suite
714
715See the file [test/README-external.md](test/README-external.md)
716for further details.
717
718### no-filenames
719
720Don't compile in filename and line number information (e.g.  for errors and
721memory allocation).
722
723### enable-fips
724
725Build (and install) the FIPS provider
726
727### no-fips-securitychecks
728
729Don't perform FIPS module run-time checks related to enforcement of security
730parameters such as minimum security strength of keys.
731
732### enable-fuzz-libfuzzer, enable-fuzz-afl
733
734Build with support for fuzzing using either libfuzzer or AFL.
735
736These are developer options only.  They may not work on all  platforms and
737should never be used in production environments.
738
739See the file [fuzz/README.md](fuzz/README.md) for further details.
740
741### no-gost
742
743Don't build support for GOST based ciphersuites.
744
745Note that if this feature is enabled then GOST ciphersuites are only available
746if the GOST algorithms are also available through loading an externally supplied
747engine.
748
749### no-legacy
750
751Don't build the legacy provider.
752
753Disabling this also disables the legacy algorithms: MD2 (already disabled by default).
754
755### no-makedepend
756
757Don't generate dependencies.
758
759### no-module
760
761Don't build any dynamically loadable engines.
762
763This also implies `no-dynamic-engine`.
764
765### no-multiblock
766
767Don't build support for writing multiple records in one go in libssl
768
769Note: this is a different capability to the pipelining functionality.
770
771### no-nextprotoneg
772
773Don't build support for the Next Protocol Negotiation (NPN) TLS extension.
774
775### no-ocsp
776
777Don't build support for Online Certificate Status Protocol (OCSP).
778
779### no-padlockeng
780
781Don't build the padlock engine.
782
783### no-hw-padlock
784
785As synonym for `no-padlockeng`.  Deprecated and should not be used.
786
787### no-pic
788
789Don't build with support for Position Independent Code.
790
791### no-pinshared
792
793Don't pin the shared libraries.
794
795By default OpenSSL will attempt to stay in memory until the process exits.
796This is so that libcrypto and libssl can be properly cleaned up automatically
797via an `atexit()` handler.  The handler is registered by libcrypto and cleans
798up both libraries.  On some platforms the `atexit()` handler will run on unload of
799libcrypto (if it has been dynamically loaded) rather than at process exit.
800
801This option can be used to stop OpenSSL from attempting to stay in memory until the
802process exits.  This could lead to crashes if either libcrypto or libssl have
803already been unloaded at the point that the atexit handler is invoked, e.g.  on a
804platform which calls `atexit()` on unload of the library, and libssl is unloaded
805before libcrypto then a crash is likely to happen.
806
807Note that shared library pinning is not automatically disabled for static builds,
808i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when
809linking libcrypto statically into a shared third-party library, because in this
810case the shared library will be pinned. To prevent this behaviour, you need to
811configure the static build using `no-shared` and `no-pinshared` together.
812
813Applications can suppress running of the `atexit()` handler at run time by
814using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`.
815See the man page for it for further details.
816
817### no-posix-io
818
819Don't use POSIX IO capabilities.
820
821### no-psk
822
823Don't build support for Pre-Shared Key based ciphersuites.
824
825### no-rdrand
826
827Don't use hardware RDRAND capabilities.
828
829### no-rfc3779
830
831Don't build support for RFC3779, "X.509 Extensions for IP Addresses and
832AS Identifiers".
833
834### sctp
835
836Build support for Stream Control Transmission Protocol (SCTP).
837
838### no-shared
839
840Do not create shared libraries, only static ones.
841
842See [Notes on shared libraries](#notes-on-shared-libraries) below.
843
844### no-sock
845
846Don't build support for socket BIOs.
847
848### no-srp
849
850Don't build support for Secure Remote Password (SRP) protocol or
851SRP based ciphersuites.
852
853### no-srtp
854
855Don't build Secure Real-Time Transport Protocol (SRTP) support.
856
857### no-sse2
858
859Exclude SSE2 code paths from 32-bit x86 assembly modules.
860
861Normally SSE2 extension is detected at run-time, but the decision whether or not
862the machine code will be executed is taken solely on CPU capability vector.  This
863means that if you happen to run OS kernel which does not support SSE2 extension
864on Intel P4 processor, then your application might be exposed to "illegal
865instruction" exception.  There might be a way to enable support in kernel, e.g.
866FreeBSD kernel can be compiled with `CPU_ENABLE_SSE`, and there is a way to
867disengage SSE2 code paths upon application start-up, but if you aim for wider
868"audience" running such kernel, consider `no-sse2`.  Both the `386` and `no-asm`
869options imply `no-sse2`.
870
871### no-ssl-trace
872
873Don't build with SSL Trace capabilities.
874
875This removes the `-trace` option from `s_client` and `s_server`, and omits the
876`SSL_trace()` function from libssl.
877
878Disabling `ssl-trace` may provide a small reduction in libssl binary size.
879
880### no-static-engine
881
882Don't build the statically linked engines.
883
884This only has an impact when not built "shared".
885
886### no-stdio
887
888Don't use anything from the C header file `stdio.h` that makes use of the `FILE`
889type.  Only libcrypto and libssl can be built in this way.  Using this option will
890suppress building the command line applications.  Additionally, since the OpenSSL
891tests also use the command line applications, the tests will also be skipped.
892
893### no-tests
894
895Don't build test programs or run any tests.
896
897### no-threads
898
899Don't build with support for multi-threaded applications.
900
901### threads
902
903Build with support for multi-threaded applications.  Most platforms will enable
904this by default.  However, if on a platform where this is not the case then this
905will usually require additional system-dependent options!
906
907See [Notes on multi-threading](#notes-on-multi-threading) below.
908
909### enable-trace
910
911Build with support for the integrated tracing api.
912
913See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details.
914
915### no-ts
916
917Don't build Time Stamping (TS) Authority support.
918
919### enable-ubsan
920
921Build with the Undefined Behaviour sanitiser (UBSAN).
922
923This is a developer option only.  It may not work on all platforms and should
924never be used in production environments.  It will only work when used with
925gcc or clang and should be used in conjunction with the `-DPEDANTIC` option
926(or the `--strict-warnings` option).
927
928### no-ui-console
929
930Don't build with the User Interface (UI) console method
931
932The User Interface console method enables text based console prompts.
933
934### enable-unit-test
935
936Enable additional unit test APIs.
937
938This should not typically be used in production deployments.
939
940### no-uplink
941
942Don't build support for UPLINK interface.
943
944### enable-weak-ssl-ciphers
945
946Build support for SSL/TLS ciphers that are considered "weak"
947
948Enabling this includes for example the RC4 based ciphersuites.
949
950### zlib
951
952Build with support for zlib compression/decompression.
953
954### zlib-dynamic
955
956Like the zlib option, but has OpenSSL load the zlib library dynamically
957when needed.
958
959This is only supported on systems where loading of shared libraries is supported.
960
961### 386
962
963In 32-bit x86 builds, use the 80386 instruction set only in assembly modules
964
965The default x86 code is more efficient, but requires at least an 486 processor.
966Note: This doesn't affect compiler generated code, so this option needs to be
967accompanied by a corresponding compiler-specific option.
968
969### no-{protocol}
970
971    no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2}
972
973Don't build support for negotiating the specified SSL/TLS protocol.
974
975If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3`
976are disabled.
977Similarly `no-dtls` will disable `dtls1` and `dtls1_2`.  The `no-ssl` option is
978synonymous with `no-ssl3`.  Note this only affects version negotiation.
979OpenSSL will still provide the methods for applications to explicitly select
980the individual protocol versions.
981
982### no-{protocol}-method
983
984    no-{ssl3|tls1|tls1_1|tls1_2|dtls1|dtls1_2}-method
985
986Analogous to `no-{protocol}` but in addition do not build the methods for
987applications to explicitly select individual protocol versions.  Note that there
988is no `no-tls1_3-method` option because there is no application method for
989TLSv1.3.
990
991Using individual protocol methods directly is deprecated.  Applications should
992use `TLS_method()` instead.
993
994### enable-{algorithm}
995
996    enable-{md2|rc5}
997
998Build with support for the specified algorithm.
999
1000### no-{algorithm}
1001
1002    no-{aria|bf|blake2|camellia|cast|chacha|cmac|
1003        des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb|
1004        poly1305|rc2|rc4|rmd160|scrypt|seed|
1005        siphash|siv|sm2|sm3|sm4|whirlpool}
1006
1007Build without support for the specified algorithm.
1008
1009The `ripemd` algorithm is deprecated and if used is synonymous with `rmd160`.
1010
1011### Compiler-specific options
1012
1013    -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
1014
1015These system specific options will be recognised and passed through to the
1016compiler to allow you to define preprocessor symbols, specify additional
1017libraries, library directories or other compiler options.  It might be worth
1018noting that some compilers generate code specifically for processor the
1019compiler currently executes on.  This is not necessarily what you might have
1020in mind, since it might be unsuitable for execution on other, typically older,
1021processor.  Consult your compiler documentation.
1022
1023Take note of the [Environment Variables](#environment-variables) documentation
1024below and how these flags interact with those variables.
1025
1026    -xxx, +xxx, /xxx
1027
1028Additional options that are not otherwise recognised are passed through as
1029they are to the compiler as well.  Unix-style options beginning with a
1030`-` or `+` and Windows-style options beginning with a `/` are recognized.
1031Again, consult your compiler documentation.
1032
1033If the option contains arguments separated by spaces, then the URL-style
1034notation `%20` can be used for the space character in order to avoid having
1035to quote the option.  For example, `-opt%20arg` gets expanded to `-opt arg`.
1036In fact, any ASCII character can be encoded as %xx using its hexadecimal
1037encoding.
1038
1039Take note of the [Environment Variables](#environment-variables) documentation
1040below and how these flags interact with those variables.
1041
1042### Environment Variables
1043
1044    VAR=value
1045
1046Assign the given value to the environment variable `VAR` for `Configure`.
1047
1048These work just like normal environment variable assignments, but are supported
1049on all platforms and are confined to the configuration scripts only.
1050These assignments override the corresponding value in the inherited environment,
1051if there is one.
1052
1053The following variables are used as "`make` variables" and can be used as an
1054alternative to giving preprocessor, compiler and linker options directly as
1055configuration.  The following variables are supported:
1056
1057    AR              The static library archiver.
1058    ARFLAGS         Flags for the static library archiver.
1059    AS              The assembler compiler.
1060    ASFLAGS         Flags for the assembler compiler.
1061    CC              The C compiler.
1062    CFLAGS          Flags for the C compiler.
1063    CXX             The C++ compiler.
1064    CXXFLAGS        Flags for the C++ compiler.
1065    CPP             The C/C++ preprocessor.
1066    CPPFLAGS        Flags for the C/C++ preprocessor.
1067    CPPDEFINES      List of CPP macro definitions, separated
1068                    by a platform specific character (':' or
1069                    space for Unix, ';' for Windows, ',' for
1070                    VMS).  This can be used instead of using
1071                    -D (or what corresponds to that on your
1072                    compiler) in CPPFLAGS.
1073    CPPINCLUDES     List of CPP inclusion directories, separated
1074                    the same way as for CPPDEFINES.  This can
1075                    be used instead of -I (or what corresponds
1076                    to that on your compiler) in CPPFLAGS.
1077    HASHBANGPERL    Perl invocation to be inserted after '#!'
1078                    in public perl scripts (only relevant on
1079                    Unix).
1080    LD              The program linker (not used on Unix, $(CC)
1081                    is used there).
1082    LDFLAGS         Flags for the shared library, DSO and
1083                    program linker.
1084    LDLIBS          Extra libraries to use when linking.
1085                    Takes the form of a space separated list
1086                    of library specifications on Unix and
1087                    Windows, and as a comma separated list of
1088                    libraries on VMS.
1089    RANLIB          The library archive indexer.
1090    RC              The Windows resource compiler.
1091    RCFLAGS         Flags for the Windows resource compiler.
1092    RM              The command to remove files and directories.
1093
1094These cannot be mixed with compiling/linking flags given on the command line.
1095In other words, something like this isn't permitted.
1096
1097    $ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE
1098
1099Backward compatibility note:
1100
1101To be compatible with older configuration scripts, the environment variables
1102are ignored if compiling/linking flags are given on the command line, except
1103for the following:
1104
1105    AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC, and WINDRES
1106
1107For example, the following command will not see `-DBAR`:
1108
1109    $ CPPFLAGS=-DBAR ./Configure -DCOOKIE
1110
1111However, the following will see both set variables:
1112
1113    $ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE
1114
1115If `CC` is set, it is advisable to also set `CXX` to ensure both the C and C++
1116compiler are in the same "family".  This becomes relevant with
1117`enable-external-tests` and `enable-buildtest-c++`.
1118
1119### Reconfigure
1120
1121    reconf
1122    reconfigure
1123
1124Reconfigure from earlier data.
1125
1126This fetches the previous command line options and environment from data
1127saved in `configdata.pm` and runs the configuration process again, using
1128these options and environment.  Note: NO other option is permitted together
1129with `reconf`.  Note: The original configuration saves away values for ALL
1130environment variables that were used, and if they weren't defined, they are
1131still saved away with information that they weren't originally defined.
1132This information takes precedence over environment variables that are
1133defined when reconfiguring.
1134
1135Displaying configuration data
1136-----------------------------
1137
1138The configuration script itself will say very little, and finishes by
1139creating `configdata.pm`.  This perl module can be loaded by other scripts
1140to find all the configuration data, and it can also be used as a script to
1141display all sorts of configuration data in a human readable form.
1142
1143For more information, please do:
1144
1145    $ ./configdata.pm --help                         # Unix
1146
1147or
1148
1149    $ perl configdata.pm --help                      # Windows and VMS
1150
1151Installation Steps in Detail
1152============================
1153
1154Configure OpenSSL
1155-----------------
1156
1157### Automatic Configuration
1158
1159In previous version, the `config` script determined the platform type and
1160compiler and then called `Configure`. Starting with this release, they are
1161the same.
1162
1163#### Unix / Linux / macOS
1164
1165    $ ./Configure [[ options ]]
1166
1167#### OpenVMS
1168
1169    $ perl Configure [[ options ]]
1170
1171#### Windows
1172
1173    $ perl Configure [[ options ]]
1174
1175### Manual Configuration
1176
1177OpenSSL knows about a range of different operating system, hardware and
1178compiler combinations.  To see the ones it knows about, run
1179
1180    $ ./Configure LIST                               # Unix
1181
1182or
1183
1184    $ perl Configure LIST                            # All other platforms
1185
1186For the remainder of this text, the Unix form will be used in all examples.
1187Please use the appropriate form for your platform.
1188
1189Pick a suitable name from the list that matches your system.  For most
1190operating systems there is a choice between using cc or gcc.
1191When you have identified your system (and if necessary compiler) use this
1192name as the argument to `Configure`.  For example, a `linux-elf` user would
1193run:
1194
1195    $ ./Configure linux-elf [[ options ]]
1196
1197### Creating your own Configuration
1198
1199If your system isn't listed, you will have to create a configuration
1200file named `Configurations/{{ something }}.conf` and add the correct
1201configuration for your system.  See the available configs as examples
1202and read [Configurations/README.md](Configurations/README.md) and
1203[Configurations/README-design.md](Configurations/README-design.md)
1204for more information.
1205
1206The generic configurations `cc` or `gcc` should usually work on 32 bit
1207Unix-like systems.
1208
1209`Configure` creates a build file (`Makefile` on Unix, `makefile` on Windows
1210and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`,
1211and defines various macros in `include/openssl/configuration.h` (generated
1212from `include/openssl/configuration.h.in`.
1213
1214If none of the generated build files suit your purpose, it's possible to
1215write your own build file template and give its name through the environment
1216variable `BUILDFILE`.  For example, Ninja build files could be supported by
1217writing `Configurations/build.ninja.tmpl` and then configure with `BUILDFILE`
1218set like this (Unix syntax shown, you'll have to adapt for other platforms):
1219
1220    $ BUILDFILE=build.ninja perl Configure [options...]
1221
1222### Out of Tree Builds
1223
1224OpenSSL can be configured to build in a build directory separate from the
1225source code directory.  It's done by placing yourself in some other
1226directory and invoking the configuration commands from there.
1227
1228#### Unix example
1229
1230    $ mkdir /var/tmp/openssl-build
1231    $ cd /var/tmp/openssl-build
1232    $ /PATH/TO/OPENSSL/SOURCE/Configure [[ options ]]
1233
1234#### OpenVMS example
1235
1236    $ set default sys$login:
1237    $ create/dir [.tmp.openssl-build]
1238    $ set default [.tmp.openssl-build]
1239    $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [[ options ]]
1240
1241#### Windows example
1242
1243    $ C:
1244    $ mkdir \temp-openssl
1245    $ cd \temp-openssl
1246    $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [[ options ]]
1247
1248Paths can be relative just as well as absolute.  `Configure` will do its best
1249to translate them to relative paths whenever possible.
1250
1251Build OpenSSL
1252-------------
1253
1254Build OpenSSL by running:
1255
1256    $ make                                           # Unix
1257    $ mms                                            ! (or mmk) OpenVMS
1258    $ nmake                                          # Windows
1259
1260This will build the OpenSSL libraries (`libcrypto.a` and `libssl.a` on
1261Unix, corresponding on other platforms) and the OpenSSL binary
1262(`openssl`).  The libraries will be built in the top-level directory,
1263and the binary will be in the `apps/` subdirectory.
1264
1265If the build fails, take a look at the [Build Failures](#build-failures)
1266subsection of the [Troubleshooting](#troubleshooting) section.
1267
1268Test OpenSSL
1269------------
1270
1271After a successful build, and before installing, the libraries should
1272be tested.  Run:
1273
1274    $ make test                                      # Unix
1275    $ mms test                                       ! OpenVMS
1276    $ nmake test                                     # Windows
1277
1278**Warning:** you MUST run the tests from an unprivileged account (or disable
1279your privileges temporarily if your platform allows it).
1280
1281See [test/README.md](test/README.md) for further details how run tests.
1282
1283See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests.
1284
1285Install OpenSSL
1286---------------
1287
1288If everything tests ok, install OpenSSL with
1289
1290    $ make install                                   # Unix
1291    $ mms install                                    ! OpenVMS
1292    $ nmake install                                  # Windows
1293
1294Note that in order to perform the install step above you need to have
1295appropriate permissions to write to the installation directory.
1296
1297The above commands will install all the software components in this
1298directory tree under `<PREFIX>` (the directory given with `--prefix` or
1299its default):
1300
1301### Unix / Linux / macOS
1302
1303    bin/           Contains the openssl binary and a few other
1304                   utility scripts.
1305    include/openssl
1306                   Contains the header files needed if you want
1307                   to build your own programs that use libcrypto
1308                   or libssl.
1309    lib            Contains the OpenSSL library files.
1310    lib/engines    Contains the OpenSSL dynamically loadable engines.
1311
1312    share/man/man1 Contains the OpenSSL command line man-pages.
1313    share/man/man3 Contains the OpenSSL library calls man-pages.
1314    share/man/man5 Contains the OpenSSL configuration format man-pages.
1315    share/man/man7 Contains the OpenSSL other misc man-pages.
1316
1317    share/doc/openssl/html/man1
1318    share/doc/openssl/html/man3
1319    share/doc/openssl/html/man5
1320    share/doc/openssl/html/man7
1321                   Contains the HTML rendition of the man-pages.
1322
1323### OpenVMS
1324
1325'arch' is replaced with the architecture name, `ALPHA` or `IA64`,
1326'sover' is replaced with the shared library version (`0101` for 1.1), and
1327'pz' is replaced with the pointer size OpenSSL was built with:
1328
1329    [.EXE.'arch']  Contains the openssl binary.
1330    [.EXE]         Contains a few utility scripts.
1331    [.include.openssl]
1332                   Contains the header files needed if you want
1333                   to build your own programs that use libcrypto
1334                   or libssl.
1335    [.LIB.'arch']  Contains the OpenSSL library files.
1336    [.ENGINES'sover''pz'.'arch']
1337                   Contains the OpenSSL dynamically loadable engines.
1338    [.SYS$STARTUP] Contains startup, login and shutdown scripts.
1339                   These define appropriate logical names and
1340                   command symbols.
1341    [.SYSTEST]     Contains the installation verification procedure.
1342    [.HTML]        Contains the HTML rendition of the manual pages.
1343
1344### Additional Directories
1345
1346Additionally, install will add the following directories under
1347OPENSSLDIR (the directory given with `--openssldir` or its default)
1348for you convenience:
1349
1350    certs          Initially empty, this is the default location
1351                   for certificate files.
1352    private        Initially empty, this is the default location
1353                   for private key files.
1354    misc           Various scripts.
1355
1356The installation directory should be appropriately protected to ensure
1357unprivileged users cannot make changes to OpenSSL binaries or files, or
1358install engines.  If you already have a pre-installed version of OpenSSL as
1359part of your Operating System it is recommended that you do not overwrite
1360the system version and instead install to somewhere else.
1361
1362Package builders who want to configure the library for standard locations,
1363but have the package installed somewhere else so that it can easily be
1364packaged, can use
1365
1366    $ make DESTDIR=/tmp/package-root install         # Unix
1367    $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS
1368
1369The specified destination directory will be prepended to all installation
1370target paths.
1371
1372Compatibility issues with previous OpenSSL versions
1373---------------------------------------------------
1374
1375### COMPILING existing applications
1376
1377Starting with version 1.1.0, OpenSSL hides a number of structures that were
1378previously open.  This includes all internal libssl structures and a number
1379of EVP types.  Accessor functions have been added to allow controlled access
1380to the structures' data.
1381
1382This means that some software needs to be rewritten to adapt to the new ways
1383of doing things.  This often amounts to allocating an instance of a structure
1384explicitly where you could previously allocate them on the stack as automatic
1385variables, and using the provided accessor functions where you would previously
1386access a structure's field directly.
1387
1388Some APIs have changed as well.  However, older APIs have been preserved when
1389possible.
1390
1391Post-installation Notes
1392-----------------------
1393
1394With the default OpenSSL installation comes a FIPS provider module, which
1395needs some post-installation attention, without which it will not be usable.
1396This involves using the following command:
1397
1398    $ openssl fipsinstall
1399
1400See the openssl-fipsinstall(1) manual for details and examples.
1401
1402Advanced Build Options
1403======================
1404
1405Environment Variables
1406---------------------
1407
1408A number of environment variables can be used to provide additional control
1409over the build process.  Typically these should be defined prior to running
1410`Configure`.  Not all environment variables are relevant to all platforms.
1411
1412    AR
1413                   The name of the ar executable to use.
1414
1415    BUILDFILE
1416                   Use a different build file name than the platform default
1417                   ("Makefile" on Unix-like platforms, "makefile" on native Windows,
1418                   "descrip.mms" on OpenVMS).  This requires that there is a
1419                   corresponding build file template.
1420                   See [Configurations/README.md](Configurations/README.md)
1421                   for further information.
1422
1423    CC
1424                   The compiler to use. Configure will attempt to pick a default
1425                   compiler for your platform but this choice can be overridden
1426                   using this variable. Set it to the compiler executable you wish
1427                   to use, e.g. gcc or clang.
1428
1429    CROSS_COMPILE
1430                   This environment variable has the same meaning as for the
1431                   "--cross-compile-prefix" Configure flag described above. If both
1432                   are set then the Configure flag takes precedence.
1433
1434    HASHBANGPERL
1435                   The command string for the Perl executable to insert in the
1436                   #! line of perl scripts that will be publicly installed.
1437                   Default: /usr/bin/env perl
1438                   Note: the value of this variable is added to the same scripts
1439                   on all platforms, but it's only relevant on Unix-like platforms.
1440
1441    KERNEL_BITS
1442                   This can be the value `32` or `64` to specify the architecture
1443                   when it is not "obvious" to the configuration. It should generally
1444                   not be necessary to specify this environment variable.
1445
1446    NM
1447                   The name of the nm executable to use.
1448
1449    OPENSSL_LOCAL_CONFIG_DIR
1450                   OpenSSL comes with a database of information about how it
1451                   should be built on different platforms as well as build file
1452                   templates for those platforms. The database is comprised of
1453                   ".conf" files in the Configurations directory.  The build
1454                   file templates reside there as well as ".tmpl" files. See the
1455                   file [Configurations/README.md](Configurations/README.md)
1456                   for further information about the format of ".conf" files
1457                   as well as information on the ".tmpl" files.
1458                   In addition to the standard ".conf" and ".tmpl" files, it is
1459                   possible to create your own ".conf" and ".tmpl" files and
1460                   store them locally, outside the OpenSSL source tree.
1461                   This environment variable can be set to the directory where
1462                   these files are held and will be considered by Configure
1463                   before it looks in the standard directories.
1464
1465    PERL
1466                   The name of the Perl executable to use when building OpenSSL.
1467                   Only needed if builing should use a different Perl executable
1468                   than what is used to run the Configure script.
1469
1470    RANLIB
1471                   The name of the ranlib executable to use.
1472
1473    RC
1474                   The name of the rc executable to use. The default will be as
1475                   defined for the target platform in the ".conf" file. If not
1476                   defined then "windres" will be used. The WINDRES environment
1477                   variable is synonymous to this. If both are defined then RC
1478                   takes precedence.
1479
1480    WINDRES
1481                   See RC.
1482
1483Makefile Targets
1484----------------
1485
1486The `Configure` script generates a Makefile in a format relevant to the specific
1487platform.  The Makefiles provide a number of targets that can be used.  Not all
1488targets may be available on all platforms.  Only the most common targets are
1489described here.  Examine the Makefiles themselves for the full list.
1490
1491    all
1492                   The target to build all the software components and
1493                   documentation.
1494
1495    build_sw
1496                   Build all the software components.
1497                   THIS IS THE DEFAULT TARGET.
1498
1499    build_docs
1500                   Build all documentation components.
1501
1502    clean
1503                   Remove all build artefacts and return the directory to a "clean"
1504                   state.
1505
1506    depend
1507                   Rebuild the dependencies in the Makefiles. This is a legacy
1508                   option that no longer needs to be used since OpenSSL 1.1.0.
1509
1510    install
1511                   Install all OpenSSL components.
1512
1513    install_sw
1514                   Only install the OpenSSL software components.
1515
1516    install_docs
1517                   Only install the OpenSSL documentation components.
1518
1519    install_man_docs
1520                   Only install the OpenSSL man pages (Unix only).
1521
1522    install_html_docs
1523                   Only install the OpenSSL HTML documentation.
1524
1525    install_fips
1526                   Install the FIPS provider module configuration file.
1527
1528    list-tests
1529                   Prints a list of all the self test names.
1530
1531    test
1532                   Build and run the OpenSSL self tests.
1533
1534    uninstall
1535                   Uninstall all OpenSSL components.
1536
1537    reconfigure
1538    reconf
1539                   Re-run the configuration process, as exactly as the last time
1540                   as possible.
1541
1542    update
1543                   This is a developer option. If you are developing a patch for
1544                   OpenSSL you may need to use this if you want to update
1545                   automatically generated files; add new error codes or add new
1546                   (or change the visibility of) public API functions. (Unix only).
1547
1548Running Selected Tests
1549----------------------
1550
1551You can specify a set of tests to be performed
1552using the `make` variable `TESTS`.
1553
1554See the section [Running Selected Tests of
1555test/README.md](test/README.md#running-selected-tests).
1556
1557Troubleshooting
1558===============
1559
1560Configuration Problems
1561----------------------
1562
1563### Selecting the correct target
1564
1565The `./Configure` script tries hard to guess your operating system, but in some
1566cases it does not succeed. You will see a message like the following:
1567
1568    $ ./Configure
1569    Operating system: x86-whatever-minix
1570    This system (minix) is not supported. See file INSTALL.md for details.
1571
1572Even if the automatic target selection by the `./Configure` script fails,
1573chances are that you still might find a suitable target in the `Configurations`
1574directory, which you can supply to the `./Configure` command,
1575possibly after some adjustment.
1576
1577The `Configurations/` directory contains a lot of examples of such targets.
1578The main configuration file is [10-main.conf], which contains all targets that
1579are officially supported by the OpenSSL team. Other configuration files contain
1580targets contributed by other OpenSSL users. The list of targets can be found in
1581a Perl list `my %targets = ( ... )`.
1582
1583    my %targets = (
1584    ...
1585    "target-name" => {
1586        inherit_from     => [ "base-target" ],
1587        CC               => "...",
1588        cflags           => add("..."),
1589        asm_arch         => '...',
1590        perlasm_scheme   => "...",
1591    },
1592    ...
1593    )
1594
1595If you call `./Configure` without arguments, it will give you a list of all
1596known targets. Using `grep`, you can lookup the target definition in the
1597`Configurations/` directory. For example the `android-x86_64` can be found in
1598[Configurations/15-android.conf](Configurations/15-android.conf).
1599
1600The directory contains two README files, which explain the general syntax and
1601design of the configuration files.
1602
1603 - [Configurations/README.md](Configurations/README.md)
1604 - [Configurations/README-design.md](Configurations/README-design.md)
1605
1606If you need further help, try to search the [openssl-users] mailing list
1607or the [GitHub Issues] for existing solutions. If you don't find anything,
1608you can [raise an issue] to ask a question yourself.
1609
1610More about our support resources can be found in the [SUPPORT] file.
1611
1612### Configuration Errors
1613
1614If the `./Configure` or `./Configure` command fails with an error message,
1615read the error message carefully and try to figure out whether you made
1616a mistake (e.g., by providing a wrong option), or whether the script is
1617working incorrectly. If you think you encountered a bug, please
1618[raise an issue] on GitHub to file a bug report.
1619
1620Along with a short description of the bug, please provide the complete
1621configure command line and the relevant output including the error message.
1622
1623Note: To make the output readable, pleace add a 'code fence' (three backquotes
1624` ``` ` on a separate line) before and after your output:
1625
1626     ```
1627     ./Configure [your arguments...]
1628
1629     [output...]
1630
1631     ```
1632
1633Build Failures
1634--------------
1635
1636If the build fails, look carefully at the output. Try to locate and understand
1637the error message. It might be that the compiler is already telling you
1638exactly what you need to do to fix your problem.
1639
1640There may be reasons for the failure that aren't problems in OpenSSL itself,
1641for example if the compiler reports missing standard or third party headers.
1642
1643If the build succeeded previously, but fails after a source or configuration
1644change, it might be helpful to clean the build tree before attempting another
1645build.  Use this command:
1646
1647    $ make clean                                     # Unix
1648    $ mms clean                                      ! (or mmk) OpenVMS
1649    $ nmake clean                                    # Windows
1650
1651Assembler error messages can sometimes be sidestepped by using the `no-asm`
1652configuration option. See also [notes](#notes-on-assembler-modules-compilation).
1653
1654Compiling parts of OpenSSL with gcc and others with the system compiler will
1655result in unresolved symbols on some systems.
1656
1657If you are still having problems, try to search the [openssl-users] mailing
1658list or the [GitHub Issues] for existing solutions. If you think you
1659encountered an OpenSSL bug, please [raise an issue] to file a bug report.
1660Please take the time to review the existing issues first; maybe the bug was
1661already reported or has already been fixed.
1662
1663Test Failures
1664-------------
1665
1666If some tests fail, look at the output.  There may be reasons for the failure
1667that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue).
1668
1669You may want increased verbosity, that can be accomplished as described in
1670section [Test Failures of test/README.md](test/README.md#test-failures).
1671
1672You may also want to selectively specify which test(s) to perform. This can be
1673done using the `make` variable `TESTS` as described in section [Running
1674Selected Tests of test/README.md](test/README.md#running-selected-tests).
1675
1676If you find a problem with OpenSSL itself, try removing any
1677compiler optimization flags from the `CFLAGS` line in the Makefile and
1678run `make clean; make` or corresponding.
1679
1680To report a bug please open an issue on GitHub, at
1681<https://github.com/openssl/openssl/issues>.
1682
1683Notes
1684=====
1685
1686Notes on multi-threading
1687------------------------
1688
1689For some systems, the OpenSSL `Configure` script knows what compiler options
1690are needed to generate a library that is suitable for multi-threaded
1691applications.  On these systems, support for multi-threading is enabled
1692by default; use the `no-threads` option to disable (this should never be
1693necessary).
1694
1695On other systems, to enable support for multi-threading, you will have
1696to specify at least two options: `threads`, and a system-dependent option.
1697(The latter is `-D_REENTRANT` on various systems.)  The default in this
1698case, obviously, is not to include support for multi-threading (but
1699you can still use `no-threads` to suppress an annoying warning message
1700from the `Configure` script.)
1701
1702OpenSSL provides built-in support for two threading models: pthreads (found on
1703most UNIX/Linux systems), and Windows threads.  No other threading models are
1704supported.  If your platform does not provide pthreads or Windows threads then
1705you should use `Configure` with the `no-threads` option.
1706
1707For pthreads, all locks are non-recursive. In addition, in a debug build,
1708the mutex attribute `PTHREAD_MUTEX_ERRORCHECK` is used. If this is not
1709available on your platform, you might have to add
1710`-DOPENSSL_NO_MUTEX_ERRORCHECK` to your `Configure` invocation.
1711(On Linux `PTHREAD_MUTEX_ERRORCHECK` is an enum value, so a built-in
1712ifdef test cannot be used.)
1713
1714Notes on shared libraries
1715-------------------------
1716
1717For most systems the OpenSSL `Configure` script knows what is needed to
1718build shared libraries for libcrypto and libssl.  On these systems
1719the shared libraries will be created by default.  This can be suppressed and
1720only static libraries created by using the `no-shared` option.  On systems
1721where OpenSSL does not know how to build shared libraries the `no-shared`
1722option will be forced and only static libraries will be created.
1723
1724Shared libraries are named a little differently on different platforms.
1725One way or another, they all have the major OpenSSL version number as
1726part of the file name, i.e.  for OpenSSL 1.1.x, `1.1` is somehow part of
1727the name.
1728
1729On most POSIX platforms, shared libraries are named `libcrypto.so.1.1`
1730and `libssl.so.1.1`.
1731
1732on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll`
1733with import libraries `libcrypto.dll.a` and `libssl.dll.a`.
1734
1735On Windows build with MSVC or using MingW, shared libraries are named
1736`libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows,
1737`libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows,
1738and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows.
1739With MSVC, the import libraries are named `libcrypto.lib` and `libssl.lib`,
1740while with MingW, they are named `libcrypto.dll.a` and `libssl.dll.a`.
1741
1742On VMS, shareable images (VMS speak for shared libraries) are named
1743`ossl$libcrypto0101_shr.exe` and `ossl$libssl0101_shr.exe`.  However, when
1744OpenSSL is specifically built for 32-bit pointers, the shareable images
1745are named `ossl$libcrypto0101_shr32.exe` and `ossl$libssl0101_shr32.exe`
1746instead, and when built for 64-bit pointers, they are named
1747`ossl$libcrypto0101_shr64.exe` and `ossl$libssl0101_shr64.exe`.
1748
1749Notes on random number generation
1750---------------------------------
1751
1752Availability of cryptographically secure random numbers is required for
1753secret key generation.  OpenSSL provides several options to seed the
1754internal CSPRNG.  If not properly seeded, the internal CSPRNG will refuse
1755to deliver random bytes and a "PRNG not seeded error" will occur.
1756
1757The seeding method can be configured using the `--with-rand-seed` option,
1758which can be used to specify a comma separated list of seed methods.
1759However, in most cases OpenSSL will choose a suitable default method,
1760so it is not necessary to explicitly provide this option.  Note also
1761that not all methods are available on all platforms.  The FIPS provider will
1762silently ignore seed sources that were not validated.
1763
1764I) On operating systems which provide a suitable randomness source (in
1765form  of a system call or system device), OpenSSL will use the optimal
1766available  method to seed the CSPRNG from the operating system's
1767randomness sources.  This corresponds to the option `--with-rand-seed=os`.
1768
1769II) On systems without such a suitable randomness source, automatic seeding
1770and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary
1771to install additional support software to obtain a random seed and reseed
1772the CSPRNG manually.  Please check out the manual pages for `RAND_add()`,
1773`RAND_bytes()`, `RAND_egd()`, and the FAQ for more information.
1774
1775Notes on assembler modules compilation
1776--------------------------------------
1777
1778Compilation of some code paths in assembler modules might depend on whether the
1779current assembler version supports certain ISA extensions or not. Code paths
1780that use the AES-NI, PCLMULQDQ, SSSE3, and SHA extensions are always assembled.
1781Apart from that, the minimum requirements for the assembler versions are shown
1782in the table below:
1783
1784| ISA extension | GNU as | nasm   | llvm    |
1785|---------------|--------|--------|---------|
1786| AVX           | 2.19   | 2.09   | 3.0     |
1787| AVX2          | 2.22   | 2.10   | 3.1     |
1788| ADCX/ADOX     | 2.23   | 2.10   | 3.3     |
1789| AVX512        | 2.25   | 2.11.8 | 3.6 (*) |
1790| AVX512IFMA    | 2.26   | 2.11.8 | 6.0 (*) |
1791| VAES          | 2.30   | 2.13.3 | 6.0 (*) |
1792
1793---
1794
1795(*) Even though AVX512 support was implemented in llvm 3.6, prior to version 7.0
1796an explicit -march flag was apparently required to compile assembly modules. But
1797then the compiler generates processor-specific code, which in turn contradicts
1798the idea of performing dispatch at run-time, which is facilitated by the special
1799variable `OPENSSL_ia32cap`. For versions older than 7.0, it is possible to work
1800around the problem by forcing the build procedure to use the following script:
1801
1802    #!/bin/sh
1803    exec clang -no-integrated-as "$@"
1804
1805instead of the real clang. In which case it doesn't matter what clang version
1806is used, as it is the version of the GNU assembler that will be checked.
1807
1808---
1809
1810<!-- Links  -->
1811
1812[openssl-users]:
1813    <https://mta.openssl.org/mailman/listinfo/openssl-users>
1814
1815[SUPPORT]:
1816    ./SUPPORT.md
1817
1818[GitHub Issues]:
1819    <https://github.com/openssl/openssl/issues>
1820
1821[raise an issue]:
1822    <https://github.com/openssl/openssl/issues/new/choose>
1823
1824[10-main.conf]:
1825    Configurations/10-main.conf
1826