Beyond Linux® From Scratch - Version 6.3

Chapter 4. Security

OpenSSL-0.9.8g

Introduction to OpenSSL

The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).

Package Information

Additional Downloads

OpenSSL Dependencies

Optional

bc-1.06 (recommended if you run the test suite during the build)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSL

Installation of OpenSSL

Install OpenSSL by running the following commands: 

patch -Np1 -i ../openssl-0.9.8g-fix_manpages-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man

To test the results, issue: make test.

Now, as the root user: 

make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-0.9.8g &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-0.9.8g

Command Explanations

no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.

enable-tlsext: When added to the ./config command, this switch will enable TLS Extensions. Currently this is only RFC 3546 and 4507bis for Server Name Indication. This allows the use of multiple SSL certificates with multiple virtual hosts in Apache, while using only one IP address and one port for all virtual hosts.

make MANDIR=/usr/share/man; make MANDIR=/usr/share/man install: These commands install OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man.

cp -v -r certs /etc/ssl: The certificates must be copied manually as the default installation skips this step.

Configuring OpenSSL

Config Files

/etc/ssl/openssl.cnf

Configuration Information

Most people who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers won't need to worry about configuring OpenSSL. Configuring OpenSSL is an advanced topic and so those who do would normally be expected to either know how to do it or to be able to find out how to do it.

Contents

Installed Programs: c_rehash and openssl
Installed Libraries: libcrypto.{so,a}, libssl.{so,a}, and additional encryption libraries in /usr/lib/engines/ (lib4758cca.so, libaep.so, libatalla.so, libchil.so, libcswift.so, libgmp.so, libnuron.so, libsureware.so and libubsec.so)
Installed Directories: /etc/ssl, /usr/include/ssl, /usr/lib/engines and /usr/share/doc/openssl-0.9.8g

Short Descriptions

c_rehash

is a Perl script that scans all files in a directory and adds symbolic links to their hash values.

openssl

is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for various functions which are documented in man 1 openssl.

libcrypto.{so,a}

implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement OpenSSH, OpenPGP, and other cryptographic standards.

libssl.{so,a}

implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API, documentation on which can be found by running man 3 ssl.

Last updated on 2008-03-22 21:40:43 -0500