Binaries
========

All the precompiled binaries provided here have extended support for
everything which is normally not in OpenSSL or LibreSSL -- 40+56 Bit,
export/ANON ciphers, weak DH ciphers, weak EC curves, SSLv2 etc. -- all the dirty
features needed for testing. OTOH they also come with extended support
for new / advanced cipher suites and/or features which are not in the
official branch like (old version of the) CHACHA20+POLY1305 and CAMELLIA 256 bit ciphers.
They also have IPv6 support, see below.

The (stripped) binaries in this directory are all compiled from my openssl
snapshot (https://github.com/drwetter/openssl) of Peter Mosmans' openssl
fork (https://github.com/PeterMosmans/openssl). Thx a bunch, Peter!

Compiled Linux and FreeBSD binaries so far come from Dirk; for other
contributors see ../CREDITS.md.

**I have stopped uploading the less commonly used binaries to GitHub** (ARM7l, Darwin.i386 and all except one Kerberos compile) **as GitHub is not a very appropriate place for those. The main site for all
binaries is https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.contributed/, also see the tarball at
https://testssl.sh/openssl-1.0.2i-chacha.pm.ipv6.Linux+FreeBSD.tar.gz**

The binaries here have the naming scheme ``openssl.$(uname).$(uname -m)``
and will be picked up by testssl.sh if you run testssl.sh directly
off the git directory. Otherwise you need to point ``testssl.sh`` to the binary
via the argument (``--openssl=<here>``) or as an environment variable
(``OPENSSL=<here> testssl.sh <yourargs>``).

The Linux binaries with the trailing ``-krb5`` come with Kerberos 5 support;
they won't be picked up automatically as you need to make sure first that they
run (see libraries below).


Compiling and Usage Instructions
================================

General
-------

Both 64+32 bit Linux binaries were compiled under Ubuntu 12.04 LTS.
Likely you cannot use them for older distributions; newer ones worked in all my test environments.
For each distribution I provide two sets of binaries (no IPv6 here):

* completely statically linked binaries
* dynamically linked binaries, additionally with MIT Kerberos support ("krb5" in the name).
  They also provide KRB5-* and EXP-KRB5-* support (in OpenSSL terminology, see krb5-ciphers.txt).

For the latter you need a whopping bunch of Kerberos runtime libraries which you may need to
install from your distributor (libgssapi_krb5, libkrb5, libcom_err, libk5crypto, libkrb5support,
libkeyutils). The 'static' binaries do not have MIT Kerberos support as there are no
static Kerberos libs and I did not bother to compile them from the sources.


Compilation instructions
------------------------

If you want to compile OpenSSL yourself, here are the instructions:

1.) get openssl from Peter Mosmans' repo:

    git clone https://github.com/PeterMosmans/openssl
    cd openssl

or use my repo:

    git clone https://github.com/drwetter/openssl
    cd openssl


2.) configure the damned thing.
Options I used (see https://github.com/drwetter/testssl.sh/blob/master/utils/make-openssl.sh):

**for 64Bit including Kerberos ciphers:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE

**for 64Bit, static binaries:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 enable-ec_nistp_64_gcc_128 \
    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE

**for 32 Bit including Kerberos ciphers:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
    --with-krb5-flavor=MIT experimental-jpake -DOPENSSL_USE_BUILD_DATE

**for 32 Bit, static binaries:**

    ./config --prefix=/usr/ --openssldir=/etc/ssl enable-zlib enable-ssl2 enable-rc5 enable-rc2 \
    enable-GOST enable-cms enable-md2 enable-mdc2 enable-ec enable-ec2m enable-ecdh enable-ecdsa \
    enable-seed enable-camellia enable-idea enable-rfc3779 no-ec_nistp_64_gcc_128 \
    -static experimental-jpake -DOPENSSL_USE_BUILD_DATE

IPv6 support would additionally need the patch from ``fedora-dirk-ipv6.diff`` (already included
in my branch). This doesn't give you the option of an IPv6 enabled proxy yet.
It is good practice to compile those binaries with ``-DOPENSSL_USE_IPV6`` as
later on you can tell them apart by ``openssl version -a``.


Four GOST [1][2] ciphers come via engine support automagically with this setup. Two additional GOST
ciphers can be compiled in (``GOST-GOST94``, ``GOST-MD5``) with ``-DTEMP_GOST_TLS`` but as of now they cause
problems under some circumstances, so unless you desperately need those ciphers I would stay away from
``-DTEMP_GOST_TLS``.

If you don't have / don't want Kerberos libraries and devel rpms/debs, just omit "--with-krb5-flavor=MIT"
(see examples). If you have another Kerberos flavor you would need to figure it out by yourself.

3.) make depend

4.) make

5.) make report (check whether it runs ok!)

6.) ``./apps/openssl ciphers -V 'ALL:COMPLEMENTOFALL' | wc -l`` lists for me

* 193(+4 GOST) ciphers including kerberos
* 179(+4 GOST) ciphers without kerberos

as opposed to ~110 from Ubuntu or Opensuse.

**Never use these binaries for anything other than testing**

Enjoy, Dirk

[1] https://en.wikipedia.org/wiki/GOST_%28block_cipher%29

[2] http://fossies.org/linux/openssl/engines/ccgost/README.gost
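
The check from step 6 and the ``-DOPENSSL_USE_IPV6`` hint above, as an added example (not part of testssl.sh or of the original text): it counts SSLv2, export and anonymous suites in ``openssl ciphers -V`` output and looks for the define in ``openssl version -a``. The function names, the file name ``check-build.sh`` and the sample cipher lines are constructed for illustration; the column layout assumed is that of OpenSSL 1.0.x.

```shell
#!/bin/sh
# Added example, not part of testssl.sh. Usage: sh check-build.sh ./apps/openssl
# (check-build.sh is a hypothetical file name.)

# File name under which testssl.sh finds a binary in this directory.
expected_name() { printf 'openssl.%s.%s\n' "$(uname)" "$(uname -m)"; }

# stdin: `openssl version -a` output; $1: compile-time define to look for.
has_define() { grep -Eq -- "(^|[[:space:]])-D$1([[:space:]]|\$)"; }

# stdin: `openssl ciphers -V` output; stdout: "<total> <sslv2> <export> <anon>".
summarise_ciphers() {
    awk '$1 ~ /^0x/ {
             total++
             if ($4 == "SSLv2")   v2++   # protocol column
             if ($NF == "export") ex++   # trailing marker on export suites
             if ($0 ~ /Au=None/)  an++   # no authentication (anonymous)
         }
         END { printf "%d %d %d %d\n", total, v2, ex, an }'
}

# $1: summary line; succeeds only if SSLv2, export and anonymous suites all
# exist, i.e. the binary is a testing build and must not serve as system openssl.
is_test_build() {
    set -- $1
    [ "$2" -gt 0 ] && [ "$3" -gt 0 ] && [ "$4" -gt 0 ]
}

# Constructed sample in the `ciphers -V` layout, used when no binary is given.
SAMPLE_CIPHERS='          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x18 - ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
          0x00,0x03 - EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
     0x01,0x00,0x80 - RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5'

if [ -n "${1:-}" ] && [ -x "$1" ]; then
    summary=$("$1" ciphers -V 'ALL:COMPLEMENTOFALL' | summarise_ciphers)
    if "$1" version -a | has_define OPENSSL_USE_IPV6; then ipv6=yes; else ipv6=no; fi
else
    summary=$(printf '%s\n' "$SAMPLE_CIPHERS" | summarise_ciphers)
    ipv6=unknown
fi
echo "expected file name: $(expected_name)"
echo "ciphers (total sslv2 export anon): $summary, IPv6 define: $ipv6"
if is_test_build "$summary"; then echo "weak suites present: testing only"
else echo "no SSLv2/export/anon suites: not a build with the testing features"; fi
```

Run against a distribution's own ``openssl`` the last line should report that the weak suites are missing, which is also a quick way to confirm that none of these test binaries has ended up in the system path.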