From: Matt Caswell Date: Wed, 13 Apr 2016 14:04:01 +0000 (+0100) Subject: Update the INSTALL instructions with lots of options X-Git-Tag: OpenSSL_1_1_0-pre5~36 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ecabf05e5bddb8afcffe02c9c93736ff6e9888f8;p=oweals%2Fopenssl.git Update the INSTALL instructions with lots of options There were a lot of options missing from INSTALL. This adds descriptions for them. Reviewed-by: Richard Levitte --- diff --git a/INSTALL b/INSTALL index 6d532d4c8e..4696051839 100644 --- a/INSTALL +++ b/INSTALL @@ -77,14 +77,16 @@ --openssldir depend in what configuration is used and what Windows implementation OpenSSL is built on. More notes on this in NOTES.WIN): - --prefix=DIR The top of the installation directory tree. Defaults are: + --prefix=DIR + The top of the installation directory tree. Defaults are: Unix: /usr/local Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL OpenVMS: SYS$COMMON:[OPENSSL-'version'] - --openssldir=DIR Directory for OpenSSL configuration files, and also the + --openssldir=DIR + Directory for OpenSSL configuration files, and also the default certificate and key store. Defaults are: Unix: /usr/local/ssl @@ -92,60 +94,167 @@ or C:\Program Files (x86)\Common Files\SSL OpenVMS: SYS$COMMON:[OPENSSL-COMMON] - --api=x.y.z Don't build with support for deprecated APIs below the + --api=x.y.z + Don't build with support for deprecated APIs below the specified version number. For example "--api=1.1.0" will remove support for all APIS that were deprecated in OpenSSL version 1.1.0 or below. - no-deprecated Don't build with support for any deprecated APIs. This is the - same as using "--api" and supplying the latest version - number. + no-afalgeng + Don't build the AFALG engine. This option will be forced if + on a platform that does not support AFALG. + + no-asm + Do not use assembler code. + + no-async + Do not build support for async operations. - no-autoalginit Don't automatically load all supported ciphers and digests. + no-autoalginit + Don't automatically load all supported ciphers and digests. Typically OpenSSL will make available all of its supported ciphers and digests. For a statically linked application this may be undesirable if small executable size is an objective. This only affects libcrypto. Ciphers and digests will have to be loaded manually using EVP_add_cipher() and - EVP_add_digest() if this option is used. + EVP_add_digest() if this option is used. This option will + force a non-shared build. - no-autoerrinit Don't automatically load all libcrypto/libssl error strings. + no-autoerrinit + Don't automatically load all libcrypto/libssl error strings. Typically OpenSSL will automatically load human readable error strings. For a statically linked application this may be undesirable if small executable size is an objective. - no-threads Don't try to build with support for multi-threaded - applications. - threads Build with support for multi-threaded applications. - This will usually require additional system-dependent - options! See "Note on multi-threading" below. + no-capieng + Don't build the CAPI engine. This option will be forced if + on a platform that does not support CAPI. - no-zlib Don't try to build with support for zlib compression and - decompression. + no-cms + Don't build support for CMS features - zlib Build with support for zlib compression/decompression. + no-comp + Don't build support for SSL/TLS compression. If this option + is left enabled (the default), then compression will only + work if the zlib or zlib-dynamic options are also chosen. - zlib-dynamic Like "zlib", but has OpenSSL load the zlib library - dynamically when needed. This is only supported on systems - where loading of shared libraries is supported. This is the - default choice. + enable-crypto-mdebug + Build support for debugging memory allocated via + OPENSSL_malloc() or OPENSSL_zalloc(). + + enable-crypto-mdebug-backtrace + As for crypto-mdebug, but additionally provide backtrace + information for allocated memory. + + no-ct + Don't build support for Certificate Transparency. + + no-deprecated + Don't build with support for any deprecated APIs. This is the + same as using "--api" and supplying the latest version + number. + + no-dgram + Don't build support for datagram based BIOs. Selecting this + option will also force the disabling of DTLS. + + no-dso + Don't build support for loading Dynamic Shared Objects. + + no-dynamic-engine + Don't build the dynamically loaded engines. This only has an + effect in a "shared" build + + no-ec + Don't build support for Elliptic Curves. + + no-ec2m + Don't build support for binary Elliptic Curves + + enable-ec_nistp_64_gcc_128 + Enable support for optimised implementations of some commonly + used NIST elliptic curves. This is only supported on some + platforms. + + enable-egd + Build support for gathering entropy from EGD (Entropy + Gathering Daemon). + + no-engine + Don't build support for loading engines. + + no-err + Don't compile in any error strings. + + no-filenames + Don't compile in filename and line number information (e.g. + for errors and memory allocation). + + no-gost + Don't build support for GOST based ciphersuites. Note that + if this feature is enabled then GOST ciphersuites are only + available if the GOST algorithms are also available through + loading an externally supplied engine. + + enable-heartbeats + Build support for DTLS heartbeats. + + no-hw-padlock + Don't build the padlock engine. + + no-makedepend + ?? + + no-multiblock + Don't build support for writing multiple records in one + go in libssl (Note: this is a different capability to the + pipelining functionality). + + no-nextprotoneg + Don't build support for the NPN TLS extension. + + no-ocsp + Don't build support for OCSP. - no-shared Don't try to create shared libraries. + no-pic + Don't build with support for Position Independent Code. - shared In addition to the usual static libraries, create shared + no-posix-io + Don't use POSIX IO capabilities. + + no-psk + Don't build support for Pre-Shared Key based ciphersuites. + + no-rdrand + Don't use hardware RDRAND capabilities. + + no-rfc3779 + Don't build support for RFC3779 ("X.509 Extensions for IP + Addresses and AS Identifiers") + + no-sct + ?? + + sctp + Build support for SCTP + + shared + In addition to the usual static libraries, create shared libraries on platforms where it's supported. See "Note on shared libraries" below. - no-asm Do not use assembler code. + no-sock + Don't build support for socket BIOs - 386 On Intel hardware, use the 80386 instruction set only - (the default x86 code is more efficient, but requires at - least a 486). Note: Use compiler flags for any other CPU - specific configuration, e.g. "-m32" to build x86 code on - an x64 system. + no-srp + Don't build support for SRP or SRP based ciphersuites. + + no-srtp + Don't build SRTP support - no-sse2 Exclude SSE2 code pathes. Normally SSE2 extension is + no-sse2 + Exclude SSE2 code paths. Normally SSE2 extension is detected at run-time, but the decision whether or not the machine code will be executed is taken solely on CPU capability vector. This means that if you happen to run OS @@ -156,15 +265,96 @@ compiled with CPU_ENABLE_SSE, and there is a way to disengage SSE2 code pathes upon application start-up, but if you aim for wider "audience" running such kernel, - consider no-sse2. Both 386 and no-asm options above imply + consider no-sse2. Both 386 and no-the asm options imply no-sse2. - no- Build without the specified algorithm (bf, cast, des, dh, - dsa, hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). + enable-ssl-trace + Build with the SSL Trace capabilities (adds the "-trace" + option to s_client and s_server). + + no-static-engine + Don't build the statically linked engines. This only + has an impact when not built "shared". + + no-stdio + Don't use any C "stdio" features. Only libcrypto and libssl + can be built in this way. Using this option will suppress + building the command line applications. Additionally since + the OpenSSL tests also use the command line applications the + tests will also be skipped. + + no-threads + Don't try to build with support for multi-threaded + applications. + + threads + Build with support for multi-threaded applications. Most + platforms will enable this by default. However if on a + platform where this is not the case then this will usually + require additional system-dependent options! See "Note on + multi-threading" below. + + no-ts + Don't build Time Stamping Authority support. + + no-ui + Don't build with the "UI" capability (i.e. the set of + features enabling text based prompts). + + enable-unit-test + Enable additional unit test APIs. This should not typically + be used in production deployments. + + enable-weak-ssl-ciphers + Build support for SSL/TLS ciphers that are considered "weak" + (e.g. RC4 based ciphersuites). + + zlib + Build with support for zlib compression/decompression. + + zlib-dynamic + Like "zlib", but has OpenSSL load the zlib library + dynamically when needed. This is only supported on systems + where loading of shared libraries is supported. + + 386 + On Intel hardware, use the 80386 instruction set only + (the default x86 code is more efficient, but requires at + least a 486). Note: Use compiler flags for any other CPU + specific configuration, e.g. "-m32" to build x86 code on + an x64 system. - -Dxxx, -lxxx, These system specific options will be passed through to the - -Lxxx, -fxxx, compiler to allow you to define preprocessor symbols, specify - -mXXX, -Kxxx additional libraries, library directories or other compiler + no- + Don't build support for negotiating the specified SSL/TLS + protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls, + dtls1 or dtls1_2). If "no-tls" is selected then all of tls1, + tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will + disable dtls1 and dtls1_2. The "no-ssl" option is synonymous + with "no-ssl3". Note this only affects version negotiation. + OpenSSL will still provide the methods for applications to + explicitly select the individual protocol versions. + + no--method + As for no- but in addition do not build the methods for + applications to explicitly select individual protocol + versions. + + enable- + Build with support for the specified algorithm, where + is one of: md2 or rc5. + + no- + Build without support for the specified algorithm, where + is one of: bf, blake2, camellia, cast, chacha, cmac, + des, dh, dsa, ecdh, ecdsa, idea, md4, md5, mdc2, ocb, + ploy1305, rc2, rc4, rmd160, scrypt, seed or whirlpool. The + "ripemd" algorithm is deprecated and if used is synonymous + with rmd160. + + -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx + These system specific options will be passed through to the + compiler to allow you to define preprocessor symbols, specify + additional libraries, library directories or other compiler options.