INSTALLATION ON THE UNIX PLATFORM
---------------------------------
- [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
- in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+ [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
+ and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
+ INSTALL.MacOS and INSTALL.NW.
+
+ This document describes installation on operating systems in the Unix
+ family.]
To install OpenSSL, you will need:
zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically
when needed. This is only supported on systems where loading
- of shared libraries is supported.
+ of shared libraries is supported. This is the default choice.
no-shared Don't try to create shared libraries.
386 Use the 80386 instruction set only (the default x86 code is
more efficient, but requires at least a 486).
+ no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is
+ detected at run-time, but the decision whether or not the
+ machine code will be executed is taken solely on CPU
+ capability vector. This means that if you happen to run OS
+ kernel which does not support SSE2 extension on Intel P4
+ processor, then your application might be exposed to
+ "illegal instruction" exception. There might be a way
+ to enable support in kernel, e.g. FreeBSD kernel can be
+ compiled with CPU_ENABLE_SSE, and there is a way to
+ disengage SSE2 code pathes upon application start-up,
+ but if you aim for wider "audience" running such kernel,
+ consider no-sse2. Both 386 and no-asm options above imply
+ no-sse2.
+
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
The crypto/<cipher> directory can be removed after running
the failure that aren't problems in OpenSSL itself (like missing
standard headers). If it is a problem with OpenSSL itself, please
report the problem to <openssl-bugs@openssl.org> (note that your
- message will be forwarded to a public mailing list). Include the
- output of "make report" in your message.
+ message will be recorded in the request tracker publicly readable
+ via http://www.openssl.org/support/rt2.html and will be forwarded to a
+ public mailing list). Include the output of "make report" in your message.
+ Please check out the request tracker. Maybe the bug was already
+ reported or has already been fixed.
[If you encounter assembler error messages, try the "no-asm"
configuration option as an immediate fix.]
If a test fails, look at the output. There may be reasons for
the failure that isn't a problem in OpenSSL itself (like a missing
or malfunctioning bc). If it is a problem with OpenSSL itself,
- try removing any compiler optimization flags from the CFLAGS line
+ try removing any compiler optimization flags from the CFLAG line
in Makefile.ssl and run "make clean; make". Please send a bug
report to <openssl-bugs@openssl.org>, including the output of
- "make report".
+ "make report" in order to be added to the request tracker at
+ http://www.openssl.org/support/rt2.html.
4. If everything tests ok, install OpenSSL with
targets for shared library creation, like linux-shared. Those targets
can currently be used on their own just as well, but this is expected
to change in future versions of OpenSSL.
+
+ Note on random number generation
+ --------------------------------
+
+ Availability of cryptographically secure random numbers is required for
+ secret key generation. OpenSSL provides several options to seed the
+ internal PRNG. If not properly seeded, the internal PRNG will refuse
+ to deliver random bytes and a "PRNG not seeded error" will occur.
+ On systems without /dev/urandom (or similar) device, it may be necessary
+ to install additional support software to obtain random seed.
+ Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
+ and the FAQ for more information.
+
+ Note on support for multiple builds
+ -----------------------------------
+
+ OpenSSL is usually built in it's source tree. Unfortunately, this doesn't
+ support building for multiple platforms from the same source tree very well.
+ It is however possible to build in a separate tree through the use of lots
+ of symbolic links, which should be prepared like this:
+
+ mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+ cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+ (cd $OPENSSL_SOURCE; find . -type f) | while read F; do
+ mkdir -p `dirname $F`
+ rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
+ echo $F '->' $OPENSSL_SOURCE/$F
+ done
+ make -f Makefile.org clean
+
+ OPENSSL_SOURCE is an environment variable that contains the absolute (this
+ is important!) path to the OpenSSL source tree.
+
+ Also, operations like 'make update' should still be made in the source tree.