6.16. OpenSSL-0.9.8g

The OpenSSL package contains management tools and libraries relating to cryptography.

User Notes: http://wiki.linuxfromscratch.org/hlfs/wiki/openssl

6.16.1. Installation of OpenSSL

Apply this patch to fix conflicts between OpenSSL manual pages and manual pages from other packages:

patch -Np1 -i ../openssl-0.9.8g-fix_manpages-1.patch

The OpenSSL command line tools try to use the $RANDFILE, $HOME/.rnd, or $(pwd)/.rnd file to initially seed their random number generator. If none of these is found, the “PRNG not seeded” error message may occur. OpenSSL can be built with a fallback so that it reads /dev/urandom instead of failing with that error. See http://www.openssl.org/support/faq.cgi#USER1 for more details. The following command is optional:

sed -e 's/__OpenBSD__/__linux__/' -e 's/arandom/urandom/' \
    -i.orig crypto/rand/randfile.c

Optionally, use arc4random() instead of /dev/urandom for entropy in the OpenSSL library. arc4random() keeps working where /dev/urandom cannot be opened, such as inside a chroot without a /dev tree, at the risk of producing less random output in that same situation. If you are profoundly paranoid, do not enter the following command:

sed 's/__OpenBSD__/__linux__/' -i.orig crypto/rand/rand_unix.c

When OpenSSL is built with its assembly code, the objects produced by the as assembler lack the .note.GNU-stack section, so the linker marks libcrypto.so as needing an executable stack. The following command adds an assembler option that marks those objects correctly:

find crypto/ -name Makefile -exec \
    sed 's/^ASFLAGS=/&-Wa,--noexecstack /' -i.orig {} \;
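After the library is linked, it is worth confirming that the --noexecstack flag actually took effect rather than trusting the build log. The following script is an added example, not part of the HLFS book or of OpenSSL: it classifies the GNU_STACK program header that readelf (from Binutils) prints for a library, treating a missing header as unsafe because the kernel then falls back to an executable stack. The readelf excerpts embedded in it are constructed for a self-test, not captured from a real build.

```shell
#!/bin/sh
# Added example (not from the HLFS book): verify that a shared library does
# not carry an executable-stack marking.  Requires readelf from Binutils.

# Classify the GNU_STACK program header from `readelf -lW` output read on
# stdin.  Prints exactly one of: exec, noexec, missing.
gnu_stack_state() {
    awk '
        $1 == "GNU_STACK" {
            found = 1
            # The R/W/E flags sit between MemSiz and Align.  readelf prints
            # them as "RWE" or with blanks, e.g. "RW ", so scan every field
            # after MemSiz that is not a hex number and look for an E.
            for (i = 7; i <= NF; i++)
                if ($i !~ /^0x/ && $i ~ /E/) isexec = 1
        }
        END {
            if (!found)       print "missing"
            else if (isexec)  print "exec"
            else              print "noexec"
        }'
}

# Check a real file.  Returns 0 only when GNU_STACK is present and non-exec;
# a missing header counts as a failure since the kernel treats such objects
# as needing an executable stack.
check_noexecstack() {
    state=$(readelf -lW "$1" | gnu_stack_state)
    echo "$1: GNU_STACK $state"
    [ "$state" = "noexec" ]
}

# Constructed readelf -lW excerpts (not from a real build) for a self-test:
# the first is what an unpatched build produces, the second the desired state.
SAMPLE_EXECSTACK='  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x1a2b3c 0x1a2b3c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_NOEXECSTACK='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x1a2b3c 0x1a2b3c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
SAMPLE_NOHEADER='  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x1a2b3c 0x1a2b3c R E 0x200000'

# Feed a constructed excerpt through the classifier.
classify_sample() {
    printf '%s\n' "$1" | gnu_stack_state
}

# Usage: sh check-execstack.sh /usr/lib/libcrypto.so /usr/lib/libssl.so
for lib; do
    check_noexecstack "$lib"
done
```

Run it against the freshly linked libcrypto.so and libssl.so before installing; any output other than "GNU_STACK noexec" means the sed on ASFLAGS did not reach every Makefile under crypto/ that assembles source.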

You may wish to add extra -D definitions, such as NO_IDEA, NO_RC4, and NO_RC2 to disable weak algorithms, REF_CHECK to add assertions, and CRYPTO_MDEBUG and MFUNC to add extra memory checking code. Prepare OpenSSL for compilation:

./config --openssldir=/etc/ssl --prefix=/usr shared zlib-dynamic \
    -DSSL_FORBID_ENULL

The meaning of the configure options:

--openssldir=/etc/ssl

This option tells OpenSSL to install and use configuration files from /etc/ssl.

shared

This option tells OpenSSL to build the shared libraries of OpenSSL.

zlib-dynamic

This option tells OpenSSL to load the Zlib shared library with dlopen() at run time, rather than linking against Zlib when OpenSSL itself is built (which is what the plain zlib option does). Because of this, libz does not show up when ldd is run on the OpenSSL libraries.

-DSSL_FORBID_ENULL

This option forbids the use of the NULL encryption ciphers (the eNULL suites, which authenticate but do not encrypt), even when a cipher list asks for them by name.

Compile the package:

make MANDIR=/usr/share/man

To test the results, issue: make test.

Install the package:

make MANDIR=/usr/share/man install
cp -v -r certs /etc/ssl
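Two of the choices made above, the /dev/urandom seeding fallback and -DSSL_FORBID_ENULL, only show up in the behaviour of the installed binary, so they are worth checking once the package is on the system. The script below is an added example, not from the HLFS book or from OpenSSL; it assumes the openssl program is in $PATH and uses mktemp. The cipher lists and error strings it is tested with are constructed, not captured from a real build.

```shell
#!/bin/sh
# Added example (not part of the HLFS book or of OpenSSL): after `make install`,
# confirm that the NULL-cipher ban and the PRNG seeding fallback took effect.

# Return 0 if a colon-separated cipher list, as printed by `openssl ciphers`,
# still contains a NULL-encryption suite (NULL-SHA, ECDHE-RSA-NULL-SHA, ...).
list_has_enull() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -q 'NULL'
}

# Return 0 if captured stderr reports the seeding failure described above,
# either as the library error string or as the apps' longer warning.
stderr_says_unseeded() {
    printf '%s\n' "$1" | grep -q -e 'PRNG not seeded' -e 'not been seeded'
}

# Check 1: with -DSSL_FORBID_ENULL, asking for eNULL by name must not bring any
# NULL suite back.  ALL is included so that a failure prints a non-empty list.
check_forbid_enull() {
    list=$(openssl ciphers 'ALL:eNULL' 2>/dev/null) || list=''
    if list_has_enull "$list"; then
        echo "FAIL: NULL-encryption suites are still selectable"
        return 1
    fi
    echo "ok: no NULL-encryption suites in 'ALL:eNULL'"
}

# Check 2: with RANDFILE unset, $HOME unusable and no ./.rnd, the tool must
# still seed from /dev/urandom.  It runs in an empty temporary directory so
# that $(pwd)/.rnd cannot exist.  A complaint about being unable to *write*
# the random state is expected here and is not a seeding failure.
check_prng_fallback() {
    dir=$(mktemp -d) || return 1
    err=$(cd "$dir" && env -i PATH="$PATH" HOME=/nonexistent \
              openssl rand -hex 16 2>&1 >/dev/null)
    rmdir "$dir"
    if stderr_says_unseeded "$err"; then
        echo "FAIL: $err"
        return 1
    fi
    echo "ok: PRNG seeded without RANDFILE, \$HOME/.rnd or ./.rnd"
}

# Usage: sh check-openssl.sh run
if [ "${1:-}" = run ]; then
    check_forbid_enull
    check_prng_fallback
fi
```

The second check passes on any Linux build that can read /dev/urandom, since the library polls it regardless of the RANDFILE lookup; it is the one that will fail in a chroot without /dev, which is exactly the case the optional arc4random() change above is about.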

Install the documentation:

install -v -d -m755 /usr/share/doc/openssl-0.9.8g
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-0.9.8g

Move the static libraries:

mv -v /usr/lib/{libcrypto,libssl}.a /usr/lib/static

6.16.2. Contents of OpenSSL

Installed libraries: FIXME

Short Descriptions

FIXME

FIXME