Linux From Scratch - Version 12.0-systemd

Chapter 8. Installing Basic System Software

8.47. OpenSSL-3.1.2

The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptographic functions to other packages, such as OpenSSH, email applications, and web browsers (for accessing HTTPS sites).

Approximate build time: 3.0 SBU
Required disk space: 587 MB

8.47.1. Installation of OpenSSL

Prepare OpenSSL for compilation: 

./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic

Compile the package: 

make

To test the results, issue: 

make test

One test, 30-test_afalg.t, is known to fail if the host kernel does not have CONFIG_CRYPTO_USER_API_SKCIPHER enabled, or does not have any options providing an AES with CBC implementation (for example, the combination of CONFIG_CRYPTO_AES and CONFIG_CRYPTO_CBC, or CONFIG_CRYPTO_AES_NI_INTEL if the CPU supports AES-NI) enabled. If it fails, it can safely be ignored.

Install the package: 

sed -i '/INSTALL_LIBS/s/libcrypto.a libssl.a//' Makefile
make MANSUFFIX=ssl install

Add the version to the documentation directory name, to be consistent with other packages: 

mv -v /usr/share/doc/openssl /usr/share/doc/openssl-3.1.2

If desired, install some additional documentation: 

cp -vfr doc/* /usr/share/doc/openssl-3.1.2
[Note]

Note

You should update OpenSSL when a new version which fixes vulnerabilities is announced. Since OpenSSL 3.0.0, the OpenSSL versioning scheme follows the MAJOR.MINOR.PATCH format. API/ABI compatibility is guaranteed for the same MAJOR version number. Because LFS installs only the shared libraries, there is no need to recompile packages which link to libcrypto.so or libssl.so when upgrading to a version with the same MAJOR version number.

If OpenSSH is installed, it will be an exception of the general rule above. It contains an over-restrictive OpenSSL version check, so both SSH client and SSH server will refuse to start if OpenSSL is updated with MAJOR version number unchanged but MINOR version number changed. You need to rebuild OpenSSH after such an upgrade. If OpenSSH is being used to access the system, you must rebuild and reinstall it after upgrading OpenSSL to a new MINOR version number before logout or you won't be able to login via SSH anymore.

However, any running programs linked to those libraries need to be stopped and restarted. Read the related entries in Section 8.2.1, “Upgrade Issues” for details.

8.47.2. Contents of OpenSSL

Installed programs: c_rehash and openssl
Installed libraries: libcrypto.so and libssl.so
Installed directories: /etc/ssl, /usr/include/openssl, /usr/lib/engines and /usr/share/doc/openssl-3.1.2

Short Descriptions

c_rehash

is a Perl script that scans all files in a directory and adds symbolic links to their hash values. Use of c_rehash is considered obsolete and should be replaced by openssl rehash command

openssl

is a command-line tool for using the various cryptography functions of OpenSSL's crypto library from the shell. It can be used for various functions which are documented in man 1 openssl

libcrypto.so

implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement OpenSSH, OpenPGP, and other cryptographic standards

libssl.so

implements the Transport Layer Security (TLS v1) protocol. It provides a rich API, documentation on which can be found by running man 7 ssl