1Build and Install 2================= 3 4This document describes installation on all supported operating 5systems (the Unix/Linux family, including macOS), OpenVMS, 6and Windows). 7 8Table of Contents 9================= 10 11 - [Prerequisites](#prerequisites) 12 - [Notational Conventions](#notational-conventions) 13 - [Quick Installation Guide](#quick-installation-guide) 14 - [Building OpenSSL](#building-openssl) 15 - [Installing OpenSSL](#installing-openssl) 16 - [Configuration Options](#configuration-options) 17 - [API Level](#api-level) 18 - [Cross Compile Prefix](#cross-compile-prefix) 19 - [Build Type](#build-type) 20 - [Directories](#directories) 21 - [Compiler Warnings](#compiler-warnings) 22 - [ZLib Flags](#zlib-flags) 23 - [Seeding the Random Generator](#seeding-the-random-generator) 24 - [Setting the FIPS HMAC key](#setting-the-FIPS-HMAC-key) 25 - [Enable and Disable Features](#enable-and-disable-features) 26 - [Displaying configuration data](#displaying-configuration-data) 27 - [Installation Steps in Detail](#installation-steps-in-detail) 28 - [Configure](#configure-openssl) 29 - [Build](#build-openssl) 30 - [Test](#test-openssl) 31 - [Install](#install-openssl) 32 - [Advanced Build Options](#advanced-build-options) 33 - [Environment Variables](#environment-variables) 34 - [Makefile Targets](#makefile-targets) 35 - [Running Selected Tests](#running-selected-tests) 36 - [Troubleshooting](#troubleshooting) 37 - [Configuration Problems](#configuration-problems) 38 - [Build Failures](#build-failures) 39 - [Test Failures](#test-failures) 40 - [Notes](#notes) 41 - [Notes on multi-threading](#notes-on-multi-threading) 42 - [Notes on shared libraries](#notes-on-shared-libraries) 43 - [Notes on random number generation](#notes-on-random-number-generation) 44 - [Notes on assembler modules compilation](#notes-on-assembler-modules-compilation) 45 46Prerequisites 47============= 48 49To install OpenSSL, you will need: 50 51 * A "make" implementation 52 * Perl 5 with core modules (please read [NOTES-PERL.md](NOTES-PERL.md)) 53 * The Perl module `Text::Template` (please read [NOTES-PERL.md](NOTES-PERL.md)) 54 * an ANSI C compiler 55 * a development environment in the form of development libraries and C 56 header files 57 * a supported operating system 58 59For additional platform specific requirements, solutions to specific 60issues and other details, please read one of these: 61 62 * [Notes for UNIX-like platforms](NOTES-UNIX.md) 63 * [Notes for Android platforms](NOTES-ANDROID.md) 64 * [Notes for Windows platforms](NOTES-WINDOWS.md) 65 * [Notes for the DOS platform with DJGPP](NOTES-DJGPP.md) 66 * [Notes for the OpenVMS platform](NOTES-VMS.md) 67 * [Notes on Perl](NOTES-PERL.md) 68 * [Notes on Valgrind](NOTES-VALGRIND.md) 69 70Notational conventions 71====================== 72 73Throughout this document, we use the following conventions. 74 75Commands 76-------- 77 78Any line starting with a dollar sign is a command line. 79 80 $ command 81 82The dollar sign indicates the shell prompt and is not to be entered as 83part of the command. 84 85Choices 86------- 87 88Several words in curly braces separated by pipe characters indicate a 89**mandatory choice**, to be replaced with one of the given words. 90For example, the line 91 92 $ echo { WORD1 | WORD2 | WORD3 } 93 94represents one of the following three commands 95 96 $ echo WORD1 97 - or - 98 $ echo WORD2 99 - or - 100 $ echo WORD3 101 102One or several words in square brackets separated by pipe characters 103denote an **optional choice**. It is similar to the mandatory choice, 104but it can also be omitted entirely. 105 106So the line 107 108 $ echo [ WORD1 | WORD2 | WORD3 ] 109 110represents one of the four commands 111 112 $ echo WORD1 113 - or - 114 $ echo WORD2 115 - or - 116 $ echo WORD3 117 - or - 118 $ echo 119 120Arguments 121--------- 122 123**Mandatory arguments** are enclosed in double curly braces. 124A simple example would be 125 126 $ type {{ filename }} 127 128which is to be understood to use the command `type` on some file name 129determined by the user. 130 131**Optional Arguments** are enclosed in double square brackets. 132 133 [[ options ]] 134 135Note that the notation assumes spaces around `{`, `}`, `[`, `]`, `{{`, `}}` and 136`[[`, `]]`. This is to differentiate from OpenVMS directory 137specifications, which also use [ and ], but without spaces. 138 139Quick Installation Guide 140======================== 141 142If you just want to get OpenSSL installed without bothering too much 143about the details, here is the short version of how to build and install 144OpenSSL. If any of the following steps fails, please consult the 145[Installation in Detail](#installation-steps-in-detail) section below. 146 147Building OpenSSL 148---------------- 149 150Use the following commands to configure, build and test OpenSSL. 151The testing is optional, but recommended if you intend to install 152OpenSSL for production use. 153 154### Unix / Linux / macOS 155 156 $ ./Configure 157 $ make 158 $ make test 159 160### OpenVMS 161 162Use the following commands to build OpenSSL: 163 164 $ perl Configure 165 $ mms 166 $ mms test 167 168### Windows 169 170If you are using Visual Studio, open a Developer Command Prompt and 171issue the following commands to build OpenSSL. 172 173 $ perl Configure 174 $ nmake 175 $ nmake test 176 177As mentioned in the [Choices](#choices) section, you need to pick one 178of the four Configure targets in the first command. 179 180Most likely you will be using the `VC-WIN64A` target for 64bit Windows 181binaries (AMD64) or `VC-WIN32` for 32bit Windows binaries (X86). 182The other two options are `VC-WIN64I` (Intel IA64, Itanium) and 183`VC-CE` (Windows CE) are rather uncommon nowadays. 184 185Installing OpenSSL 186------------------ 187 188The following commands will install OpenSSL to a default system location. 189 190**Danger Zone:** even if you are impatient, please read the following two 191paragraphs carefully before you install OpenSSL. 192 193For security reasons the default system location is by default not writable 194for unprivileged users. So for the final installation step administrative 195privileges are required. The default system location and the procedure to 196obtain administrative privileges depends on the operating system. 197It is recommended to compile and test OpenSSL with normal user privileges 198and use administrative privileges only for the final installation step. 199 200On some platforms OpenSSL is preinstalled as part of the Operating System. 201In this case it is highly recommended not to overwrite the system versions, 202because other applications or libraries might depend on it. 203To avoid breaking other applications, install your copy of OpenSSL to a 204[different location](#installing-to-a-different-location) which is not in 205the global search path for system libraries. 206 207Finally, if you plan on using the FIPS module, you need to read the 208[Post-installation Notes](#post-installation-notes) further down. 209 210### Unix / Linux / macOS 211 212Depending on your distribution, you need to run the following command as 213root user or prepend `sudo` to the command: 214 215 $ make install 216 217By default, OpenSSL will be installed to 218 219 /usr/local 220 221More precisely, the files will be installed into the subdirectories 222 223 /usr/local/bin 224 /usr/local/lib 225 /usr/local/include 226 ... 227 228depending on the file type, as it is custom on Unix-like operating systems. 229 230### OpenVMS 231 232Use the following command to install OpenSSL. 233 234 $ mms install 235 236By default, OpenSSL will be installed to 237 238 SYS$COMMON:[OPENSSL] 239 240### Windows 241 242If you are using Visual Studio, open the Developer Command Prompt _elevated_ 243and issue the following command. 244 245 $ nmake install 246 247The easiest way to elevate the Command Prompt is to press and hold down both 248the `<CTRL>` and `<SHIFT>` keys while clicking the menu item in the task menu. 249 250The default installation location is 251 252 C:\Program Files\OpenSSL 253 254for native binaries, or 255 256 C:\Program Files (x86)\OpenSSL 257 258for 32bit binaries on 64bit Windows (WOW64). 259 260#### Installing to a different location 261 262To install OpenSSL to a different location (for example into your home 263directory for testing purposes) run `Configure` as shown in the following 264examples. 265 266The options `--prefix` and `--openssldir` are explained in further detail in 267[Directories](#directories) below, and the values used here are mere examples. 268 269On Unix: 270 271 $ ./Configure --prefix=/opt/openssl --openssldir=/usr/local/ssl 272 273On OpenVMS: 274 275 $ perl Configure --prefix=PROGRAM:[INSTALLS] --openssldir=SYS$MANAGER:[OPENSSL] 276 277Note: if you do add options to the configuration command, please make sure 278you've read more than just this Quick Start, such as relevant `NOTES-*` files, 279the options outline below, as configuration options may change the outcome 280in otherwise unexpected ways. 281 282Configuration Options 283===================== 284 285There are several options to `./Configure` to customize the build (note that 286for Windows, the defaults for `--prefix` and `--openssldir` depend on what 287configuration is used and what Windows implementation OpenSSL is built on. 288For more information, see the [Notes for Windows platforms](NOTES-WINDOWS.md). 289 290API Level 291--------- 292 293 --api=x.y[.z] 294 295Build the OpenSSL libraries to support the API for the specified version. 296If [no-deprecated](#no-deprecated) is also given, don't build with support 297for deprecated APIs in or below the specified version number. For example, 298adding 299 300 --api=1.1.0 no-deprecated 301 302will remove support for all APIs that were deprecated in OpenSSL version 3031.1.0 or below. This is a rather specialized option for developers. 304If you just intend to remove all deprecated APIs up to the current version 305entirely, just specify [no-deprecated](#no-deprecated). 306If `--api` isn't given, it defaults to the current (minor) OpenSSL version. 307 308Cross Compile Prefix 309-------------------- 310 311 --cross-compile-prefix=<PREFIX> 312 313The `<PREFIX>` to include in front of commands for your toolchain. 314 315It is likely to have to end with dash, e.g. `a-b-c-` would invoke GNU compiler 316as `a-b-c-gcc`, etc. Unfortunately cross-compiling is too case-specific to put 317together one-size-fits-all instructions. You might have to pass more flags or 318set up environment variables to actually make it work. Android and iOS cases 319are discussed in corresponding `Configurations/15-*.conf` files. But there are 320cases when this option alone is sufficient. For example to build the mingw64 321target on Linux `--cross-compile-prefix=x86_64-w64-mingw32-` works. Naturally 322provided that mingw packages are installed. Today Debian and Ubuntu users 323have option to install a number of prepackaged cross-compilers along with 324corresponding run-time and development packages for "alien" hardware. To give 325another example `--cross-compile-prefix=mipsel-linux-gnu-` suffices in such 326case. 327 328For cross compilation, you must [configure manually](#manual-configuration). 329Also, note that `--openssldir` refers to target's file system, not one you are 330building on. 331 332Build Type 333---------- 334 335 --debug 336 337Build OpenSSL with debugging symbols and zero optimization level. 338 339 --release 340 341Build OpenSSL without debugging symbols. This is the default. 342 343Directories 344----------- 345 346### libdir 347 348 --libdir=DIR 349 350The name of the directory under the top of the installation directory tree 351(see the `--prefix` option) where libraries will be installed. By default 352this is `lib`. Note that on Windows only static libraries (`*.lib`) will 353be stored in this location. Shared libraries (`*.dll`) will always be 354installed to the `bin` directory. 355 356Some build targets have a multilib postfix set in the build configuration. 357For these targets the default libdir is `lib<multilib-postfix>`. Please use 358`--libdir=lib` to override the libdir if adding the postfix is undesirable. 359 360### openssldir 361 362 --openssldir=DIR 363 364Directory for OpenSSL configuration files, and also the default certificate 365and key store. Defaults are: 366 367 Unix: /usr/local/ssl 368 Windows: C:\Program Files\Common Files\SSL 369 OpenVMS: SYS$COMMON:[OPENSSL-COMMON] 370 371For 32bit Windows applications on Windows 64bit (WOW64), always replace 372`C:\Program Files` by `C:\Program Files (x86)`. 373 374### prefix 375 376 --prefix=DIR 377 378The top of the installation directory tree. Defaults are: 379 380 Unix: /usr/local 381 Windows: C:\Program Files\OpenSSL 382 OpenVMS: SYS$COMMON:[OPENSSL] 383 384Compiler Warnings 385----------------- 386 387 --strict-warnings 388 389This is a developer flag that switches on various compiler options recommended 390for OpenSSL development. It only works when using gcc or clang as the compiler. 391If you are developing a patch for OpenSSL then it is recommended that you use 392this option where possible. 393 394ZLib Flags 395---------- 396 397### with-zlib-include 398 399 --with-zlib-include=DIR 400 401The directory for the location of the zlib include file. This option is only 402necessary if [zlib](#zlib) is used and the include file is not 403already on the system include path. 404 405### with-zlib-lib 406 407 --with-zlib-lib=LIB 408 409**On Unix**: this is the directory containing the zlib library. 410If not provided the system library path will be used. 411 412**On Windows:** this is the filename of the zlib library (with or 413without a path). This flag must be provided if the 414[zlib-dynamic](#zlib-dynamic) option is not also used. If `zlib-dynamic` is used 415then this flag is optional and defaults to `ZLIB1` if not provided. 416 417**On VMS:** this is the filename of the zlib library (with or without a path). 418This flag is optional and if not provided then `GNV$LIBZSHR`, `GNV$LIBZSHR32` 419or `GNV$LIBZSHR64` is used by default depending on the pointer size chosen. 420 421Seeding the Random Generator 422---------------------------- 423 424 --with-rand-seed=seed1[,seed2,...] 425 426A comma separated list of seeding methods which will be tried by OpenSSL 427in order to obtain random input (a.k.a "entropy") for seeding its 428cryptographically secure random number generator (CSPRNG). 429The current seeding methods are: 430 431### os 432 433Use a trusted operating system entropy source. 434This is the default method if such an entropy source exists. 435 436### getrandom 437 438Use the [getrandom(2)][man-getrandom] or equivalent system call. 439 440[man-getrandom]: http://man7.org/linux/man-pages/man2/getrandom.2.html 441 442### devrandom 443 444Use the first device from the `DEVRANDOM` list which can be opened to read 445random bytes. The `DEVRANDOM` preprocessor constant expands to 446 447 "/dev/urandom","/dev/random","/dev/srandom" 448 449on most unix-ish operating systems. 450 451### egd 452 453Check for an entropy generating daemon. 454This source is ignored by the FIPS provider. 455 456### rdcpu 457 458Use the `RDSEED` or `RDRAND` command if provided by the CPU. 459 460### librandom 461 462Use librandom (not implemented yet). 463This source is ignored by the FIPS provider. 464 465### none 466 467Disable automatic seeding. This is the default on some operating systems where 468no suitable entropy source exists, or no support for it is implemented yet. 469This option is ignored by the FIPS provider. 470 471For more information, see the section [Notes on random number generation][rng] 472at the end of this document. 473 474[rng]: #notes-on-random-number-generation 475 476Setting the FIPS HMAC key 477------------------------- 478 479 --fips-key=value 480 481As part of its self-test validation, the FIPS module must verify itself 482by performing a SHA-256 HMAC computation on itself. The default key is 483the SHA256 value of "the holy handgrenade of antioch" and is sufficient 484for meeting the FIPS requirements. 485 486To change the key to a different value, use this flag. The value should 487be a hex string no more than 64 characters. 488 489Enable and Disable Features 490--------------------------- 491 492Feature options always come in pairs, an option to enable feature 493`xxxx`, and an option to disable it: 494 495 [ enable-xxxx | no-xxxx ] 496 497Whether a feature is enabled or disabled by default, depends on the feature. 498In the following list, always the non-default variant is documented: if 499feature `xxxx` is disabled by default then `enable-xxxx` is documented and 500if feature `xxxx` is enabled by default then `no-xxxx` is documented. 501 502### no-afalgeng 503 504Don't build the AFALG engine. 505 506This option will be forced on a platform that does not support AFALG. 507 508### enable-ktls 509 510Build with Kernel TLS support. 511 512This option will enable the use of the Kernel TLS data-path, which can improve 513performance and allow for the use of sendfile and splice system calls on 514TLS sockets. The Kernel may use TLS accelerators if any are available on the 515system. This option will be forced off on systems that do not support the 516Kernel TLS data-path. 517 518### enable-asan 519 520Build with the Address sanitiser. 521 522This is a developer option only. It may not work on all platforms and should 523never be used in production environments. It will only work when used with 524gcc or clang and should be used in conjunction with the [no-shared](#no-shared) 525option. 526 527### enable-acvp-tests 528 529Build support for Automated Cryptographic Validation Protocol (ACVP) 530tests. 531 532This is required for FIPS validation purposes. Certain ACVP tests require 533access to algorithm internals that are not normally accessible. 534Additional information related to ACVP can be found at 535<https://github.com/usnistgov/ACVP>. 536 537### no-asm 538 539Do not use assembler code. 540 541This should be viewed as debugging/troubleshooting option rather than for 542production use. On some platforms a small amount of assembler code may still 543be used even with this option. 544 545### no-async 546 547Do not build support for async operations. 548 549### no-autoalginit 550 551Don't automatically load all supported ciphers and digests. 552 553Typically OpenSSL will make available all of its supported ciphers and digests. 554For a statically linked application this may be undesirable if small executable 555size is an objective. This only affects libcrypto. Ciphers and digests will 556have to be loaded manually using `EVP_add_cipher()` and `EVP_add_digest()` 557if this option is used. This option will force a non-shared build. 558 559### no-autoerrinit 560 561Don't automatically load all libcrypto/libssl error strings. 562 563Typically OpenSSL will automatically load human readable error strings. For a 564statically linked application this may be undesirable if small executable size 565is an objective. 566 567### no-autoload-config 568 569Don't automatically load the default `openssl.cnf` file. 570 571Typically OpenSSL will automatically load a system config file which configures 572default SSL options. 573 574### enable-buildtest-c++ 575 576While testing, generate C++ buildtest files that simply check that the public 577OpenSSL header files are usable standalone with C++. 578 579Enabling this option demands extra care. For any compiler flag given directly 580as configuration option, you must ensure that it's valid for both the C and 581the C++ compiler. If not, the C++ build test will most likely break. As an 582alternative, you can use the language specific variables, `CFLAGS` and `CXXFLAGS`. 583 584### --banner=text 585 586Use the specified text instead of the default banner at the end of 587configuration. 588 589### --w 590 591On platforms where the choice of 32-bit or 64-bit architecture 592is not explicitly specified, `Configure` will print a warning 593message and wait for a few seconds to let you interrupt the 594configuration. Using this flag skips the wait. 595 596### no-bulk 597 598Build only some minimal set of features. 599This is a developer option used internally for CI build tests of the project. 600 601### no-cached-fetch 602 603Never cache algorithms when they are fetched from a provider. Normally, a 604provider indicates if the algorithms it supplies can be cached or not. Using 605this option will reduce run-time memory usage but it also introduces a 606significant performance penalty. This option is primarily designed to help 607with detecting incorrect reference counting. 608 609### no-capieng 610 611Don't build the CAPI engine. 612 613This option will be forced if on a platform that does not support CAPI. 614 615### no-cmp 616 617Don't build support for Certificate Management Protocol (CMP) 618and Certificate Request Message Format (CRMF). 619 620### no-cms 621 622Don't build support for Cryptographic Message Syntax (CMS). 623 624### no-comp 625 626Don't build support for SSL/TLS compression. 627 628If this option is enabled (the default), then compression will only work if 629the zlib or `zlib-dynamic` options are also chosen. 630 631### enable-crypto-mdebug 632 633This now only enables the `failed-malloc` feature. 634 635### enable-crypto-mdebug-backtrace 636 637This is a no-op; the project uses the compiler's address/leak sanitizer instead. 638 639### no-ct 640 641Don't build support for Certificate Transparency (CT). 642 643### no-deprecated 644 645Don't build with support for deprecated APIs up until and including the version 646given with `--api` (or the current version, if `--api` wasn't specified). 647 648### no-dgram 649 650Don't build support for datagram based BIOs. 651 652Selecting this option will also force the disabling of DTLS. 653 654### no-dso 655 656Don't build support for loading Dynamic Shared Objects (DSO) 657 658### enable-devcryptoeng 659 660Build the `/dev/crypto` engine. 661 662This option is automatically selected on the BSD platform, in which case it can 663be disabled with `no-devcryptoeng`. 664 665### no-dynamic-engine 666 667Don't build the dynamically loaded engines. 668 669This only has an effect in a shared build. 670 671### no-ec 672 673Don't build support for Elliptic Curves. 674 675### no-ec2m 676 677Don't build support for binary Elliptic Curves 678 679### enable-ec_nistp_64_gcc_128 680 681Enable support for optimised implementations of some commonly used NIST 682elliptic curves. 683 684This option is only supported on platforms: 685 686 - with little-endian storage of non-byte types 687 - that tolerate misaligned memory references 688 - where the compiler: 689 - supports the non-standard type `__uint128_t` 690 - defines the built-in macro `__SIZEOF_INT128__` 691 692### enable-egd 693 694Build support for gathering entropy from the Entropy Gathering Daemon (EGD). 695 696### no-engine 697 698Don't build support for loading engines. 699 700### no-err 701 702Don't compile in any error strings. 703 704### enable-external-tests 705 706Enable building of integration with external test suites. 707 708This is a developer option and may not work on all platforms. The following 709external test suites are currently supported: 710 711 - GOST engine test suite 712 - Python PYCA/Cryptography test suite 713 - krb5 test suite 714 715See the file [test/README-external.md](test/README-external.md) 716for further details. 717 718### no-filenames 719 720Don't compile in filename and line number information (e.g. for errors and 721memory allocation). 722 723### enable-fips 724 725Build (and install) the FIPS provider 726 727### no-fips-securitychecks 728 729Don't perform FIPS module run-time checks related to enforcement of security 730parameters such as minimum security strength of keys. 731 732### enable-fuzz-libfuzzer, enable-fuzz-afl 733 734Build with support for fuzzing using either libfuzzer or AFL. 735 736These are developer options only. They may not work on all platforms and 737should never be used in production environments. 738 739See the file [fuzz/README.md](fuzz/README.md) for further details. 740 741### no-gost 742 743Don't build support for GOST based ciphersuites. 744 745Note that if this feature is enabled then GOST ciphersuites are only available 746if the GOST algorithms are also available through loading an externally supplied 747engine. 748 749### no-legacy 750 751Don't build the legacy provider. 752 753Disabling this also disables the legacy algorithms: MD2 (already disabled by default). 754 755### no-makedepend 756 757Don't generate dependencies. 758 759### no-module 760 761Don't build any dynamically loadable engines. 762 763This also implies `no-dynamic-engine`. 764 765### no-multiblock 766 767Don't build support for writing multiple records in one go in libssl 768 769Note: this is a different capability to the pipelining functionality. 770 771### no-nextprotoneg 772 773Don't build support for the Next Protocol Negotiation (NPN) TLS extension. 774 775### no-ocsp 776 777Don't build support for Online Certificate Status Protocol (OCSP). 778 779### no-padlockeng 780 781Don't build the padlock engine. 782 783### no-hw-padlock 784 785As synonym for `no-padlockeng`. Deprecated and should not be used. 786 787### no-pic 788 789Don't build with support for Position Independent Code. 790 791### no-pinshared 792 793Don't pin the shared libraries. 794 795By default OpenSSL will attempt to stay in memory until the process exits. 796This is so that libcrypto and libssl can be properly cleaned up automatically 797via an `atexit()` handler. The handler is registered by libcrypto and cleans 798up both libraries. On some platforms the `atexit()` handler will run on unload of 799libcrypto (if it has been dynamically loaded) rather than at process exit. 800 801This option can be used to stop OpenSSL from attempting to stay in memory until the 802process exits. This could lead to crashes if either libcrypto or libssl have 803already been unloaded at the point that the atexit handler is invoked, e.g. on a 804platform which calls `atexit()` on unload of the library, and libssl is unloaded 805before libcrypto then a crash is likely to happen. 806 807Note that shared library pinning is not automatically disabled for static builds, 808i.e., `no-shared` does not imply `no-pinshared`. This may come as a surprise when 809linking libcrypto statically into a shared third-party library, because in this 810case the shared library will be pinned. To prevent this behaviour, you need to 811configure the static build using `no-shared` and `no-pinshared` together. 812 813Applications can suppress running of the `atexit()` handler at run time by 814using the `OPENSSL_INIT_NO_ATEXIT` option to `OPENSSL_init_crypto()`. 815See the man page for it for further details. 816 817### no-posix-io 818 819Don't use POSIX IO capabilities. 820 821### no-psk 822 823Don't build support for Pre-Shared Key based ciphersuites. 824 825### no-rdrand 826 827Don't use hardware RDRAND capabilities. 828 829### no-rfc3779 830 831Don't build support for RFC3779, "X.509 Extensions for IP Addresses and 832AS Identifiers". 833 834### sctp 835 836Build support for Stream Control Transmission Protocol (SCTP). 837 838### no-shared 839 840Do not create shared libraries, only static ones. 841 842See [Notes on shared libraries](#notes-on-shared-libraries) below. 843 844### no-sock 845 846Don't build support for socket BIOs. 847 848### no-srp 849 850Don't build support for Secure Remote Password (SRP) protocol or 851SRP based ciphersuites. 852 853### no-srtp 854 855Don't build Secure Real-Time Transport Protocol (SRTP) support. 856 857### no-sse2 858 859Exclude SSE2 code paths from 32-bit x86 assembly modules. 860 861Normally SSE2 extension is detected at run-time, but the decision whether or not 862the machine code will be executed is taken solely on CPU capability vector. This 863means that if you happen to run OS kernel which does not support SSE2 extension 864on Intel P4 processor, then your application might be exposed to "illegal 865instruction" exception. There might be a way to enable support in kernel, e.g. 866FreeBSD kernel can be compiled with `CPU_ENABLE_SSE`, and there is a way to 867disengage SSE2 code paths upon application start-up, but if you aim for wider 868"audience" running such kernel, consider `no-sse2`. Both the `386` and `no-asm` 869options imply `no-sse2`. 870 871### no-ssl-trace 872 873Don't build with SSL Trace capabilities. 874 875This removes the `-trace` option from `s_client` and `s_server`, and omits the 876`SSL_trace()` function from libssl. 877 878Disabling `ssl-trace` may provide a small reduction in libssl binary size. 879 880### no-static-engine 881 882Don't build the statically linked engines. 883 884This only has an impact when not built "shared". 885 886### no-stdio 887 888Don't use anything from the C header file `stdio.h` that makes use of the `FILE` 889type. Only libcrypto and libssl can be built in this way. Using this option will 890suppress building the command line applications. Additionally, since the OpenSSL 891tests also use the command line applications, the tests will also be skipped. 892 893### no-tests 894 895Don't build test programs or run any tests. 896 897### no-threads 898 899Don't build with support for multi-threaded applications. 900 901### threads 902 903Build with support for multi-threaded applications. Most platforms will enable 904this by default. However, if on a platform where this is not the case then this 905will usually require additional system-dependent options! 906 907See [Notes on multi-threading](#notes-on-multi-threading) below. 908 909### enable-trace 910 911Build with support for the integrated tracing api. 912 913See manual pages OSSL_trace_set_channel(3) and OSSL_trace_enabled(3) for details. 914 915### no-ts 916 917Don't build Time Stamping (TS) Authority support. 918 919### enable-ubsan 920 921Build with the Undefined Behaviour sanitiser (UBSAN). 922 923This is a developer option only. It may not work on all platforms and should 924never be used in production environments. It will only work when used with 925gcc or clang and should be used in conjunction with the `-DPEDANTIC` option 926(or the `--strict-warnings` option). 927 928### no-ui-console 929 930Don't build with the User Interface (UI) console method 931 932The User Interface console method enables text based console prompts. 933 934### enable-unit-test 935 936Enable additional unit test APIs. 937 938This should not typically be used in production deployments. 939 940### no-uplink 941 942Don't build support for UPLINK interface. 943 944### enable-weak-ssl-ciphers 945 946Build support for SSL/TLS ciphers that are considered "weak" 947 948Enabling this includes for example the RC4 based ciphersuites. 949 950### zlib 951 952Build with support for zlib compression/decompression. 953 954### zlib-dynamic 955 956Like the zlib option, but has OpenSSL load the zlib library dynamically 957when needed. 958 959This is only supported on systems where loading of shared libraries is supported. 960 961### 386 962 963In 32-bit x86 builds, use the 80386 instruction set only in assembly modules 964 965The default x86 code is more efficient, but requires at least an 486 processor. 966Note: This doesn't affect compiler generated code, so this option needs to be 967accompanied by a corresponding compiler-specific option. 968 969### no-{protocol} 970 971 no-{ssl|ssl3|tls|tls1|tls1_1|tls1_2|tls1_3|dtls|dtls1|dtls1_2} 972 973Don't build support for negotiating the specified SSL/TLS protocol. 974 975If `no-tls` is selected then all of `tls1`, `tls1_1`, `tls1_2` and `tls1_3` 976are disabled. 977Similarly `no-dtls` will disable `dtls1` and `dtls1_2`. The `no-ssl` option is 978synonymous with `no-ssl3`. Note this only affects version negotiation. 979OpenSSL will still provide the methods for applications to explicitly select 980the individual protocol versions. 981 982### no-{protocol}-method 983 984 no-{ssl3|tls1|tls1_1|tls1_2|dtls1|dtls1_2}-method 985 986Analogous to `no-{protocol}` but in addition do not build the methods for 987applications to explicitly select individual protocol versions. Note that there 988is no `no-tls1_3-method` option because there is no application method for 989TLSv1.3. 990 991Using individual protocol methods directly is deprecated. Applications should 992use `TLS_method()` instead. 993 994### enable-{algorithm} 995 996 enable-{md2|rc5} 997 998Build with support for the specified algorithm. 999 1000### no-{algorithm} 1001 1002 no-{aria|bf|blake2|camellia|cast|chacha|cmac| 1003 des|dh|dsa|ecdh|ecdsa|idea|md4|mdc2|ocb| 1004 poly1305|rc2|rc4|rmd160|scrypt|seed| 1005 siphash|siv|sm2|sm3|sm4|whirlpool} 1006 1007Build without support for the specified algorithm. 1008 1009The `ripemd` algorithm is deprecated and if used is synonymous with `rmd160`. 1010 1011### Compiler-specific options 1012 1013 -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static 1014 1015These system specific options will be recognised and passed through to the 1016compiler to allow you to define preprocessor symbols, specify additional 1017libraries, library directories or other compiler options. It might be worth 1018noting that some compilers generate code specifically for processor the 1019compiler currently executes on. This is not necessarily what you might have 1020in mind, since it might be unsuitable for execution on other, typically older, 1021processor. Consult your compiler documentation. 1022 1023Take note of the [Environment Variables](#environment-variables) documentation 1024below and how these flags interact with those variables. 1025 1026 -xxx, +xxx, /xxx 1027 1028Additional options that are not otherwise recognised are passed through as 1029they are to the compiler as well. Unix-style options beginning with a 1030`-` or `+` and Windows-style options beginning with a `/` are recognized. 1031Again, consult your compiler documentation. 1032 1033If the option contains arguments separated by spaces, then the URL-style 1034notation `%20` can be used for the space character in order to avoid having 1035to quote the option. For example, `-opt%20arg` gets expanded to `-opt arg`. 1036In fact, any ASCII character can be encoded as %xx using its hexadecimal 1037encoding. 1038 1039Take note of the [Environment Variables](#environment-variables) documentation 1040below and how these flags interact with those variables. 1041 1042### Environment Variables 1043 1044 VAR=value 1045 1046Assign the given value to the environment variable `VAR` for `Configure`. 1047 1048These work just like normal environment variable assignments, but are supported 1049on all platforms and are confined to the configuration scripts only. 1050These assignments override the corresponding value in the inherited environment, 1051if there is one. 1052 1053The following variables are used as "`make` variables" and can be used as an 1054alternative to giving preprocessor, compiler and linker options directly as 1055configuration. The following variables are supported: 1056 1057 AR The static library archiver. 1058 ARFLAGS Flags for the static library archiver. 1059 AS The assembler compiler. 1060 ASFLAGS Flags for the assembler compiler. 1061 CC The C compiler. 1062 CFLAGS Flags for the C compiler. 1063 CXX The C++ compiler. 1064 CXXFLAGS Flags for the C++ compiler. 1065 CPP The C/C++ preprocessor. 1066 CPPFLAGS Flags for the C/C++ preprocessor. 1067 CPPDEFINES List of CPP macro definitions, separated 1068 by a platform specific character (':' or 1069 space for Unix, ';' for Windows, ',' for 1070 VMS). This can be used instead of using 1071 -D (or what corresponds to that on your 1072 compiler) in CPPFLAGS. 1073 CPPINCLUDES List of CPP inclusion directories, separated 1074 the same way as for CPPDEFINES. This can 1075 be used instead of -I (or what corresponds 1076 to that on your compiler) in CPPFLAGS. 1077 HASHBANGPERL Perl invocation to be inserted after '#!' 1078 in public perl scripts (only relevant on 1079 Unix). 1080 LD The program linker (not used on Unix, $(CC) 1081 is used there). 1082 LDFLAGS Flags for the shared library, DSO and 1083 program linker. 1084 LDLIBS Extra libraries to use when linking. 1085 Takes the form of a space separated list 1086 of library specifications on Unix and 1087 Windows, and as a comma separated list of 1088 libraries on VMS. 1089 RANLIB The library archive indexer. 1090 RC The Windows resource compiler. 1091 RCFLAGS Flags for the Windows resource compiler. 1092 RM The command to remove files and directories. 1093 1094These cannot be mixed with compiling/linking flags given on the command line. 1095In other words, something like this isn't permitted. 1096 1097 $ ./Configure -DFOO CPPFLAGS=-DBAR -DCOOKIE 1098 1099Backward compatibility note: 1100 1101To be compatible with older configuration scripts, the environment variables 1102are ignored if compiling/linking flags are given on the command line, except 1103for the following: 1104 1105 AR, CC, CXX, CROSS_COMPILE, HASHBANGPERL, PERL, RANLIB, RC, and WINDRES 1106 1107For example, the following command will not see `-DBAR`: 1108 1109 $ CPPFLAGS=-DBAR ./Configure -DCOOKIE 1110 1111However, the following will see both set variables: 1112 1113 $ CC=gcc CROSS_COMPILE=x86_64-w64-mingw32- ./Configure -DCOOKIE 1114 1115If `CC` is set, it is advisable to also set `CXX` to ensure both the C and C++ 1116compiler are in the same "family". This becomes relevant with 1117`enable-external-tests` and `enable-buildtest-c++`. 1118 1119### Reconfigure 1120 1121 reconf 1122 reconfigure 1123 1124Reconfigure from earlier data. 1125 1126This fetches the previous command line options and environment from data 1127saved in `configdata.pm` and runs the configuration process again, using 1128these options and environment. Note: NO other option is permitted together 1129with `reconf`. Note: The original configuration saves away values for ALL 1130environment variables that were used, and if they weren't defined, they are 1131still saved away with information that they weren't originally defined. 1132This information takes precedence over environment variables that are 1133defined when reconfiguring. 1134 1135Displaying configuration data 1136----------------------------- 1137 1138The configuration script itself will say very little, and finishes by 1139creating `configdata.pm`. This perl module can be loaded by other scripts 1140to find all the configuration data, and it can also be used as a script to 1141display all sorts of configuration data in a human readable form. 1142 1143For more information, please do: 1144 1145 $ ./configdata.pm --help # Unix 1146 1147or 1148 1149 $ perl configdata.pm --help # Windows and VMS 1150 1151Installation Steps in Detail 1152============================ 1153 1154Configure OpenSSL 1155----------------- 1156 1157### Automatic Configuration 1158 1159In previous version, the `config` script determined the platform type and 1160compiler and then called `Configure`. Starting with this release, they are 1161the same. 1162 1163#### Unix / Linux / macOS 1164 1165 $ ./Configure [[ options ]] 1166 1167#### OpenVMS 1168 1169 $ perl Configure [[ options ]] 1170 1171#### Windows 1172 1173 $ perl Configure [[ options ]] 1174 1175### Manual Configuration 1176 1177OpenSSL knows about a range of different operating system, hardware and 1178compiler combinations. To see the ones it knows about, run 1179 1180 $ ./Configure LIST # Unix 1181 1182or 1183 1184 $ perl Configure LIST # All other platforms 1185 1186For the remainder of this text, the Unix form will be used in all examples. 1187Please use the appropriate form for your platform. 1188 1189Pick a suitable name from the list that matches your system. For most 1190operating systems there is a choice between using cc or gcc. 1191When you have identified your system (and if necessary compiler) use this 1192name as the argument to `Configure`. For example, a `linux-elf` user would 1193run: 1194 1195 $ ./Configure linux-elf [[ options ]] 1196 1197### Creating your own Configuration 1198 1199If your system isn't listed, you will have to create a configuration 1200file named `Configurations/{{ something }}.conf` and add the correct 1201configuration for your system. See the available configs as examples 1202and read [Configurations/README.md](Configurations/README.md) and 1203[Configurations/README-design.md](Configurations/README-design.md) 1204for more information. 1205 1206The generic configurations `cc` or `gcc` should usually work on 32 bit 1207Unix-like systems. 1208 1209`Configure` creates a build file (`Makefile` on Unix, `makefile` on Windows 1210and `descrip.mms` on OpenVMS) from a suitable template in `Configurations/`, 1211and defines various macros in `include/openssl/configuration.h` (generated 1212from `include/openssl/configuration.h.in`. 1213 1214If none of the generated build files suit your purpose, it's possible to 1215write your own build file template and give its name through the environment 1216variable `BUILDFILE`. For example, Ninja build files could be supported by 1217writing `Configurations/build.ninja.tmpl` and then configure with `BUILDFILE` 1218set like this (Unix syntax shown, you'll have to adapt for other platforms): 1219 1220 $ BUILDFILE=build.ninja perl Configure [options...] 1221 1222### Out of Tree Builds 1223 1224OpenSSL can be configured to build in a build directory separate from the 1225source code directory. It's done by placing yourself in some other 1226directory and invoking the configuration commands from there. 1227 1228#### Unix example 1229 1230 $ mkdir /var/tmp/openssl-build 1231 $ cd /var/tmp/openssl-build 1232 $ /PATH/TO/OPENSSL/SOURCE/Configure [[ options ]] 1233 1234#### OpenVMS example 1235 1236 $ set default sys$login: 1237 $ create/dir [.tmp.openssl-build] 1238 $ set default [.tmp.openssl-build] 1239 $ perl D:[PATH.TO.OPENSSL.SOURCE]Configure [[ options ]] 1240 1241#### Windows example 1242 1243 $ C: 1244 $ mkdir \temp-openssl 1245 $ cd \temp-openssl 1246 $ perl d:\PATH\TO\OPENSSL\SOURCE\Configure [[ options ]] 1247 1248Paths can be relative just as well as absolute. `Configure` will do its best 1249to translate them to relative paths whenever possible. 1250 1251Build OpenSSL 1252------------- 1253 1254Build OpenSSL by running: 1255 1256 $ make # Unix 1257 $ mms ! (or mmk) OpenVMS 1258 $ nmake # Windows 1259 1260This will build the OpenSSL libraries (`libcrypto.a` and `libssl.a` on 1261Unix, corresponding on other platforms) and the OpenSSL binary 1262(`openssl`). The libraries will be built in the top-level directory, 1263and the binary will be in the `apps/` subdirectory. 1264 1265If the build fails, take a look at the [Build Failures](#build-failures) 1266subsection of the [Troubleshooting](#troubleshooting) section. 1267 1268Test OpenSSL 1269------------ 1270 1271After a successful build, and before installing, the libraries should 1272be tested. Run: 1273 1274 $ make test # Unix 1275 $ mms test ! OpenVMS 1276 $ nmake test # Windows 1277 1278**Warning:** you MUST run the tests from an unprivileged account (or disable 1279your privileges temporarily if your platform allows it). 1280 1281See [test/README.md](test/README.md) for further details how run tests. 1282 1283See [test/README-dev.md](test/README-dev.md) for guidelines on adding tests. 1284 1285Install OpenSSL 1286--------------- 1287 1288If everything tests ok, install OpenSSL with 1289 1290 $ make install # Unix 1291 $ mms install ! OpenVMS 1292 $ nmake install # Windows 1293 1294Note that in order to perform the install step above you need to have 1295appropriate permissions to write to the installation directory. 1296 1297The above commands will install all the software components in this 1298directory tree under `<PREFIX>` (the directory given with `--prefix` or 1299its default): 1300 1301### Unix / Linux / macOS 1302 1303 bin/ Contains the openssl binary and a few other 1304 utility scripts. 1305 include/openssl 1306 Contains the header files needed if you want 1307 to build your own programs that use libcrypto 1308 or libssl. 1309 lib Contains the OpenSSL library files. 1310 lib/engines Contains the OpenSSL dynamically loadable engines. 1311 1312 share/man/man1 Contains the OpenSSL command line man-pages. 1313 share/man/man3 Contains the OpenSSL library calls man-pages. 1314 share/man/man5 Contains the OpenSSL configuration format man-pages. 1315 share/man/man7 Contains the OpenSSL other misc man-pages. 1316 1317 share/doc/openssl/html/man1 1318 share/doc/openssl/html/man3 1319 share/doc/openssl/html/man5 1320 share/doc/openssl/html/man7 1321 Contains the HTML rendition of the man-pages. 1322 1323### OpenVMS 1324 1325'arch' is replaced with the architecture name, `ALPHA` or `IA64`, 1326'sover' is replaced with the shared library version (`0101` for 1.1), and 1327'pz' is replaced with the pointer size OpenSSL was built with: 1328 1329 [.EXE.'arch'] Contains the openssl binary. 1330 [.EXE] Contains a few utility scripts. 1331 [.include.openssl] 1332 Contains the header files needed if you want 1333 to build your own programs that use libcrypto 1334 or libssl. 1335 [.LIB.'arch'] Contains the OpenSSL library files. 1336 [.ENGINES'sover''pz'.'arch'] 1337 Contains the OpenSSL dynamically loadable engines. 1338 [.SYS$STARTUP] Contains startup, login and shutdown scripts. 1339 These define appropriate logical names and 1340 command symbols. 1341 [.SYSTEST] Contains the installation verification procedure. 1342 [.HTML] Contains the HTML rendition of the manual pages. 1343 1344### Additional Directories 1345 1346Additionally, install will add the following directories under 1347OPENSSLDIR (the directory given with `--openssldir` or its default) 1348for you convenience: 1349 1350 certs Initially empty, this is the default location 1351 for certificate files. 1352 private Initially empty, this is the default location 1353 for private key files. 1354 misc Various scripts. 1355 1356The installation directory should be appropriately protected to ensure 1357unprivileged users cannot make changes to OpenSSL binaries or files, or 1358install engines. If you already have a pre-installed version of OpenSSL as 1359part of your Operating System it is recommended that you do not overwrite 1360the system version and instead install to somewhere else. 1361 1362Package builders who want to configure the library for standard locations, 1363but have the package installed somewhere else so that it can easily be 1364packaged, can use 1365 1366 $ make DESTDIR=/tmp/package-root install # Unix 1367 $ mms/macro="DESTDIR=TMP:[PACKAGE-ROOT]" install ! OpenVMS 1368 1369The specified destination directory will be prepended to all installation 1370target paths. 1371 1372Compatibility issues with previous OpenSSL versions 1373--------------------------------------------------- 1374 1375### COMPILING existing applications 1376 1377Starting with version 1.1.0, OpenSSL hides a number of structures that were 1378previously open. This includes all internal libssl structures and a number 1379of EVP types. Accessor functions have been added to allow controlled access 1380to the structures' data. 1381 1382This means that some software needs to be rewritten to adapt to the new ways 1383of doing things. This often amounts to allocating an instance of a structure 1384explicitly where you could previously allocate them on the stack as automatic 1385variables, and using the provided accessor functions where you would previously 1386access a structure's field directly. 1387 1388Some APIs have changed as well. However, older APIs have been preserved when 1389possible. 1390 1391Post-installation Notes 1392----------------------- 1393 1394With the default OpenSSL installation comes a FIPS provider module, which 1395needs some post-installation attention, without which it will not be usable. 1396This involves using the following command: 1397 1398 $ openssl fipsinstall 1399 1400See the openssl-fipsinstall(1) manual for details and examples. 1401 1402Advanced Build Options 1403====================== 1404 1405Environment Variables 1406--------------------- 1407 1408A number of environment variables can be used to provide additional control 1409over the build process. Typically these should be defined prior to running 1410`Configure`. Not all environment variables are relevant to all platforms. 1411 1412 AR 1413 The name of the ar executable to use. 1414 1415 BUILDFILE 1416 Use a different build file name than the platform default 1417 ("Makefile" on Unix-like platforms, "makefile" on native Windows, 1418 "descrip.mms" on OpenVMS). This requires that there is a 1419 corresponding build file template. 1420 See [Configurations/README.md](Configurations/README.md) 1421 for further information. 1422 1423 CC 1424 The compiler to use. Configure will attempt to pick a default 1425 compiler for your platform but this choice can be overridden 1426 using this variable. Set it to the compiler executable you wish 1427 to use, e.g. gcc or clang. 1428 1429 CROSS_COMPILE 1430 This environment variable has the same meaning as for the 1431 "--cross-compile-prefix" Configure flag described above. If both 1432 are set then the Configure flag takes precedence. 1433 1434 HASHBANGPERL 1435 The command string for the Perl executable to insert in the 1436 #! line of perl scripts that will be publicly installed. 1437 Default: /usr/bin/env perl 1438 Note: the value of this variable is added to the same scripts 1439 on all platforms, but it's only relevant on Unix-like platforms. 1440 1441 KERNEL_BITS 1442 This can be the value `32` or `64` to specify the architecture 1443 when it is not "obvious" to the configuration. It should generally 1444 not be necessary to specify this environment variable. 1445 1446 NM 1447 The name of the nm executable to use. 1448 1449 OPENSSL_LOCAL_CONFIG_DIR 1450 OpenSSL comes with a database of information about how it 1451 should be built on different platforms as well as build file 1452 templates for those platforms. The database is comprised of 1453 ".conf" files in the Configurations directory. The build 1454 file templates reside there as well as ".tmpl" files. See the 1455 file [Configurations/README.md](Configurations/README.md) 1456 for further information about the format of ".conf" files 1457 as well as information on the ".tmpl" files. 1458 In addition to the standard ".conf" and ".tmpl" files, it is 1459 possible to create your own ".conf" and ".tmpl" files and 1460 store them locally, outside the OpenSSL source tree. 1461 This environment variable can be set to the directory where 1462 these files are held and will be considered by Configure 1463 before it looks in the standard directories. 1464 1465 PERL 1466 The name of the Perl executable to use when building OpenSSL. 1467 Only needed if builing should use a different Perl executable 1468 than what is used to run the Configure script. 1469 1470 RANLIB 1471 The name of the ranlib executable to use. 1472 1473 RC 1474 The name of the rc executable to use. The default will be as 1475 defined for the target platform in the ".conf" file. If not 1476 defined then "windres" will be used. The WINDRES environment 1477 variable is synonymous to this. If both are defined then RC 1478 takes precedence. 1479 1480 WINDRES 1481 See RC. 1482 1483Makefile Targets 1484---------------- 1485 1486The `Configure` script generates a Makefile in a format relevant to the specific 1487platform. The Makefiles provide a number of targets that can be used. Not all 1488targets may be available on all platforms. Only the most common targets are 1489described here. Examine the Makefiles themselves for the full list. 1490 1491 all 1492 The target to build all the software components and 1493 documentation. 1494 1495 build_sw 1496 Build all the software components. 1497 THIS IS THE DEFAULT TARGET. 1498 1499 build_docs 1500 Build all documentation components. 1501 1502 clean 1503 Remove all build artefacts and return the directory to a "clean" 1504 state. 1505 1506 depend 1507 Rebuild the dependencies in the Makefiles. This is a legacy 1508 option that no longer needs to be used since OpenSSL 1.1.0. 1509 1510 install 1511 Install all OpenSSL components. 1512 1513 install_sw 1514 Only install the OpenSSL software components. 1515 1516 install_docs 1517 Only install the OpenSSL documentation components. 1518 1519 install_man_docs 1520 Only install the OpenSSL man pages (Unix only). 1521 1522 install_html_docs 1523 Only install the OpenSSL HTML documentation. 1524 1525 install_fips 1526 Install the FIPS provider module configuration file. 1527 1528 list-tests 1529 Prints a list of all the self test names. 1530 1531 test 1532 Build and run the OpenSSL self tests. 1533 1534 uninstall 1535 Uninstall all OpenSSL components. 1536 1537 reconfigure 1538 reconf 1539 Re-run the configuration process, as exactly as the last time 1540 as possible. 1541 1542 update 1543 This is a developer option. If you are developing a patch for 1544 OpenSSL you may need to use this if you want to update 1545 automatically generated files; add new error codes or add new 1546 (or change the visibility of) public API functions. (Unix only). 1547 1548Running Selected Tests 1549---------------------- 1550 1551You can specify a set of tests to be performed 1552using the `make` variable `TESTS`. 1553 1554See the section [Running Selected Tests of 1555test/README.md](test/README.md#running-selected-tests). 1556 1557Troubleshooting 1558=============== 1559 1560Configuration Problems 1561---------------------- 1562 1563### Selecting the correct target 1564 1565The `./Configure` script tries hard to guess your operating system, but in some 1566cases it does not succeed. You will see a message like the following: 1567 1568 $ ./Configure 1569 Operating system: x86-whatever-minix 1570 This system (minix) is not supported. See file INSTALL.md for details. 1571 1572Even if the automatic target selection by the `./Configure` script fails, 1573chances are that you still might find a suitable target in the `Configurations` 1574directory, which you can supply to the `./Configure` command, 1575possibly after some adjustment. 1576 1577The `Configurations/` directory contains a lot of examples of such targets. 1578The main configuration file is [10-main.conf], which contains all targets that 1579are officially supported by the OpenSSL team. Other configuration files contain 1580targets contributed by other OpenSSL users. The list of targets can be found in 1581a Perl list `my %targets = ( ... )`. 1582 1583 my %targets = ( 1584 ... 1585 "target-name" => { 1586 inherit_from => [ "base-target" ], 1587 CC => "...", 1588 cflags => add("..."), 1589 asm_arch => '...', 1590 perlasm_scheme => "...", 1591 }, 1592 ... 1593 ) 1594 1595If you call `./Configure` without arguments, it will give you a list of all 1596known targets. Using `grep`, you can lookup the target definition in the 1597`Configurations/` directory. For example the `android-x86_64` can be found in 1598[Configurations/15-android.conf](Configurations/15-android.conf). 1599 1600The directory contains two README files, which explain the general syntax and 1601design of the configuration files. 1602 1603 - [Configurations/README.md](Configurations/README.md) 1604 - [Configurations/README-design.md](Configurations/README-design.md) 1605 1606If you need further help, try to search the [openssl-users] mailing list 1607or the [GitHub Issues] for existing solutions. If you don't find anything, 1608you can [raise an issue] to ask a question yourself. 1609 1610More about our support resources can be found in the [SUPPORT] file. 1611 1612### Configuration Errors 1613 1614If the `./Configure` or `./Configure` command fails with an error message, 1615read the error message carefully and try to figure out whether you made 1616a mistake (e.g., by providing a wrong option), or whether the script is 1617working incorrectly. If you think you encountered a bug, please 1618[raise an issue] on GitHub to file a bug report. 1619 1620Along with a short description of the bug, please provide the complete 1621configure command line and the relevant output including the error message. 1622 1623Note: To make the output readable, pleace add a 'code fence' (three backquotes 1624` ``` ` on a separate line) before and after your output: 1625 1626 ``` 1627 ./Configure [your arguments...] 1628 1629 [output...] 1630 1631 ``` 1632 1633Build Failures 1634-------------- 1635 1636If the build fails, look carefully at the output. Try to locate and understand 1637the error message. It might be that the compiler is already telling you 1638exactly what you need to do to fix your problem. 1639 1640There may be reasons for the failure that aren't problems in OpenSSL itself, 1641for example if the compiler reports missing standard or third party headers. 1642 1643If the build succeeded previously, but fails after a source or configuration 1644change, it might be helpful to clean the build tree before attempting another 1645build. Use this command: 1646 1647 $ make clean # Unix 1648 $ mms clean ! (or mmk) OpenVMS 1649 $ nmake clean # Windows 1650 1651Assembler error messages can sometimes be sidestepped by using the `no-asm` 1652configuration option. See also [notes](#notes-on-assembler-modules-compilation). 1653 1654Compiling parts of OpenSSL with gcc and others with the system compiler will 1655result in unresolved symbols on some systems. 1656 1657If you are still having problems, try to search the [openssl-users] mailing 1658list or the [GitHub Issues] for existing solutions. If you think you 1659encountered an OpenSSL bug, please [raise an issue] to file a bug report. 1660Please take the time to review the existing issues first; maybe the bug was 1661already reported or has already been fixed. 1662 1663Test Failures 1664------------- 1665 1666If some tests fail, look at the output. There may be reasons for the failure 1667that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue). 1668 1669You may want increased verbosity, that can be accomplished as described in 1670section [Test Failures of test/README.md](test/README.md#test-failures). 1671 1672You may also want to selectively specify which test(s) to perform. This can be 1673done using the `make` variable `TESTS` as described in section [Running 1674Selected Tests of test/README.md](test/README.md#running-selected-tests). 1675 1676If you find a problem with OpenSSL itself, try removing any 1677compiler optimization flags from the `CFLAGS` line in the Makefile and 1678run `make clean; make` or corresponding. 1679 1680To report a bug please open an issue on GitHub, at 1681<https://github.com/openssl/openssl/issues>. 1682 1683Notes 1684===== 1685 1686Notes on multi-threading 1687------------------------ 1688 1689For some systems, the OpenSSL `Configure` script knows what compiler options 1690are needed to generate a library that is suitable for multi-threaded 1691applications. On these systems, support for multi-threading is enabled 1692by default; use the `no-threads` option to disable (this should never be 1693necessary). 1694 1695On other systems, to enable support for multi-threading, you will have 1696to specify at least two options: `threads`, and a system-dependent option. 1697(The latter is `-D_REENTRANT` on various systems.) The default in this 1698case, obviously, is not to include support for multi-threading (but 1699you can still use `no-threads` to suppress an annoying warning message 1700from the `Configure` script.) 1701 1702OpenSSL provides built-in support for two threading models: pthreads (found on 1703most UNIX/Linux systems), and Windows threads. No other threading models are 1704supported. If your platform does not provide pthreads or Windows threads then 1705you should use `Configure` with the `no-threads` option. 1706 1707For pthreads, all locks are non-recursive. In addition, in a debug build, 1708the mutex attribute `PTHREAD_MUTEX_ERRORCHECK` is used. If this is not 1709available on your platform, you might have to add 1710`-DOPENSSL_NO_MUTEX_ERRORCHECK` to your `Configure` invocation. 1711(On Linux `PTHREAD_MUTEX_ERRORCHECK` is an enum value, so a built-in 1712ifdef test cannot be used.) 1713 1714Notes on shared libraries 1715------------------------- 1716 1717For most systems the OpenSSL `Configure` script knows what is needed to 1718build shared libraries for libcrypto and libssl. On these systems 1719the shared libraries will be created by default. This can be suppressed and 1720only static libraries created by using the `no-shared` option. On systems 1721where OpenSSL does not know how to build shared libraries the `no-shared` 1722option will be forced and only static libraries will be created. 1723 1724Shared libraries are named a little differently on different platforms. 1725One way or another, they all have the major OpenSSL version number as 1726part of the file name, i.e. for OpenSSL 1.1.x, `1.1` is somehow part of 1727the name. 1728 1729On most POSIX platforms, shared libraries are named `libcrypto.so.1.1` 1730and `libssl.so.1.1`. 1731 1732on Cygwin, shared libraries are named `cygcrypto-1.1.dll` and `cygssl-1.1.dll` 1733with import libraries `libcrypto.dll.a` and `libssl.dll.a`. 1734 1735On Windows build with MSVC or using MingW, shared libraries are named 1736`libcrypto-1_1.dll` and `libssl-1_1.dll` for 32-bit Windows, 1737`libcrypto-1_1-x64.dll` and `libssl-1_1-x64.dll` for 64-bit x86_64 Windows, 1738and `libcrypto-1_1-ia64.dll` and `libssl-1_1-ia64.dll` for IA64 Windows. 1739With MSVC, the import libraries are named `libcrypto.lib` and `libssl.lib`, 1740while with MingW, they are named `libcrypto.dll.a` and `libssl.dll.a`. 1741 1742On VMS, shareable images (VMS speak for shared libraries) are named 1743`ossl$libcrypto0101_shr.exe` and `ossl$libssl0101_shr.exe`. However, when 1744OpenSSL is specifically built for 32-bit pointers, the shareable images 1745are named `ossl$libcrypto0101_shr32.exe` and `ossl$libssl0101_shr32.exe` 1746instead, and when built for 64-bit pointers, they are named 1747`ossl$libcrypto0101_shr64.exe` and `ossl$libssl0101_shr64.exe`. 1748 1749Notes on random number generation 1750--------------------------------- 1751 1752Availability of cryptographically secure random numbers is required for 1753secret key generation. OpenSSL provides several options to seed the 1754internal CSPRNG. If not properly seeded, the internal CSPRNG will refuse 1755to deliver random bytes and a "PRNG not seeded error" will occur. 1756 1757The seeding method can be configured using the `--with-rand-seed` option, 1758which can be used to specify a comma separated list of seed methods. 1759However, in most cases OpenSSL will choose a suitable default method, 1760so it is not necessary to explicitly provide this option. Note also 1761that not all methods are available on all platforms. The FIPS provider will 1762silently ignore seed sources that were not validated. 1763 1764I) On operating systems which provide a suitable randomness source (in 1765form of a system call or system device), OpenSSL will use the optimal 1766available method to seed the CSPRNG from the operating system's 1767randomness sources. This corresponds to the option `--with-rand-seed=os`. 1768 1769II) On systems without such a suitable randomness source, automatic seeding 1770and reseeding is disabled (`--with-rand-seed=none`) and it may be necessary 1771to install additional support software to obtain a random seed and reseed 1772the CSPRNG manually. Please check out the manual pages for `RAND_add()`, 1773`RAND_bytes()`, `RAND_egd()`, and the FAQ for more information. 1774 1775Notes on assembler modules compilation 1776-------------------------------------- 1777 1778Compilation of some code paths in assembler modules might depend on whether the 1779current assembler version supports certain ISA extensions or not. Code paths 1780that use the AES-NI, PCLMULQDQ, SSSE3, and SHA extensions are always assembled. 1781Apart from that, the minimum requirements for the assembler versions are shown 1782in the table below: 1783 1784| ISA extension | GNU as | nasm | llvm | 1785|---------------|--------|--------|---------| 1786| AVX | 2.19 | 2.09 | 3.0 | 1787| AVX2 | 2.22 | 2.10 | 3.1 | 1788| ADCX/ADOX | 2.23 | 2.10 | 3.3 | 1789| AVX512 | 2.25 | 2.11.8 | 3.6 (*) | 1790| AVX512IFMA | 2.26 | 2.11.8 | 6.0 (*) | 1791| VAES | 2.30 | 2.13.3 | 6.0 (*) | 1792 1793--- 1794 1795(*) Even though AVX512 support was implemented in llvm 3.6, prior to version 7.0 1796an explicit -march flag was apparently required to compile assembly modules. But 1797then the compiler generates processor-specific code, which in turn contradicts 1798the idea of performing dispatch at run-time, which is facilitated by the special 1799variable `OPENSSL_ia32cap`. For versions older than 7.0, it is possible to work 1800around the problem by forcing the build procedure to use the following script: 1801 1802 #!/bin/sh 1803 exec clang -no-integrated-as "$@" 1804 1805instead of the real clang. In which case it doesn't matter what clang version 1806is used, as it is the version of the GNU assembler that will be checked. 1807 1808--- 1809 1810<!-- Links --> 1811 1812[openssl-users]: 1813 <https://mta.openssl.org/mailman/listinfo/openssl-users> 1814 1815[SUPPORT]: 1816 ./SUPPORT.md 1817 1818[GitHub Issues]: 1819 <https://github.com/openssl/openssl/issues> 1820 1821[raise an issue]: 1822 <https://github.com/openssl/openssl/issues/new/choose> 1823 1824[10-main.conf]: 1825 Configurations/10-main.conf 1826