24.2. Compile and Optimize
Move into the new Openssl directory and type the following commands on your terminal:
Edit the c_rehash file, vi +11 tools/c_rehash and change the line:
To read:DIR=/usr/local/ssl
The changed line above will build and install OpenSSL in the default location /usr.DIR=/usrBy default, OpenSSL source files suppose that your Perl program directory is located under the /usr/local/bin/perl directory. We must modify the #!/usr/local/bin/perl line in all scripts that rely on perl to reflect our Perl directory under Red Hat Linux to be /usr/bin.
[root@deep ]/openssl-0.9.5a# perl util/perlpath.pl /usr/bin
- where your perl program reside.
OpenSSL must know where to find the necessary OpenSSL source libraries to compile successfully its required files. With the command below, we set the PATH environment variable to the default directory where we have uncompressed the OpenSSL source files.
[root@deep ]/openssl-0.9.5a# export LD_LIBRARY_PATH=`pwd`Now, we must configure OpenSSL for our system:
CC="egcs" \ ./Configure linux-elf -DSSL_FORBID_ENULL \
--prefix=/usr \
--openssldir=/etc/ssl
- The -DSSL_FORBID_ENULL option is required for not allowing null encryption for security reasons.
Edit the Makefile.ssl file and change the following line:
vi +50 Makefile.ssl
To read:CC= gccCC= egcsEdit with vi +52 Makefile.ssl and add/change the following line:
CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASMEdit with vi +79 Makefile.ssl and add the following value for a Pentium Pro processor:
PROCESSOR= 686
:
The three modifications we made above will set the optimization flag for compilation of OpenSSL software on the server. For the last modification PROCESSOR= above, if you use
586 to denote a Pentium, use 686 to denote Pro/II/III, use 486 to denote a 486, depending on the type of processor you have.
Edit with vi +161 Makefile.ssl and change the following line:
To read:MANDIR=$(OPENSSLDIR)/man
This step is necessary to set the directory for where the man pages of OpenSSL will be installed. With this modification, we install them under /usr/man directory.MANDIR=/usr/man
Now we must compile and install OpenSSL on the server:
[root@deep ]/openssl-0.9.5a# make -f Makefile
[root@deep ]/openssl-0.9.5a# make test
[root@deep ]/openssl-0.9.5a# make install
[root@deep ]/openssl-0.9.5a# mv /etc/ssl/misc/* /usr/bin/
[root@deep ]/openssl-0.9.5a# rm -rf /etc/ssl/misc/
[root@deep ]/openssl-0.9.5a# rm -rf /etc/ssl/lib/
[root@deep ]/openssl-0.9.5a# rm -f /usr/bin/CA.pl
[root@deep ]/openssl-0.9.5a# rm -f /usr/bin/CA.sh
[root@deep ]/openssl-0.9.5a# install -m 644 libRSAglue.a /usr/lib/
[root@deep ]/openssl-0.9.5a# install -m 644 rsaref/rsaref.h /usr/include/openssl/
[root@deep ]/openssl-0.9.5a# strip /usr/bin/openssl
[root@deep ]/openssl-0.9.5a# mkdir -p /etc/ssl/crl
|
The make -f command will build the OpenSSL libraries, libcrypto.a and libssl.a and the OpenSSL binary openssl. The libraries will be built in the top-level directory, and the binary will be in the apps directory.
After a successful build, the make test will test the libraries and finally the make install will create the installation directory and install OpenSSL.
The mv command will move all files under the /etc/ssl/misc/ directory to the /usr/bin/ directory. These files are binary and must be located under /usr/bin/ since in our system, all binary files are keep in this directory. Also putting these files in the /usr/bin/ directory will keep them in our PATH environment variable.
The rm command will remove the /etc/ssl/misc/ and /etc/ssl/lib/ directories from our system, since files that were in these directories are now located in other places. Also, it will remove the CA.pl and CA.sh files, that are small scripts used to create your own CA certificates. Those scripts related to openssl ca commands has some strange requirements, and the default OpenSSL config doesn't allow one easily to use openssl ca directly. So we'll create the sign.sh script program later to replace them.
 |
The bc-1.05a-4.i386.rpm package or higher must be already installed on your Linux server or you'll receive an error message during the library test of OpenSSL. |
Please don't forget to cleanup later:
[root@deep] /# cd /var/tmp
[root@deep tmp]# rm -rf openssl-version/ openssl-version.tar.gz
|