File: HOWTO-OpenSSL

Package: ntpsec 1.2.4+dfsg-1
NTS needs TLS 1.3 or newer.
That was first supported in OpenSSL 1.1.1
  (1.1.1a is broken).
Some OSes/Distros don't ship a new enough version of OpenSSL.
This file contains notes on how to download, build, and install 3.4.1.

It should be close for other 3.x.y versions so you can test newer
versions than whatever your distro provides.

It's rough.  Don't be surprised by bugs/oversights.
Corrections, clarifications and feedback encouraged.

As of 2025-Feb-15, FreeBSD 13.4 has 1.1.1w as the main version.
It also has several newer versions available as packages.
You can just install one and ignore the rest of this note;
waf will find the pkg version and use it.
  sudo pkg update
  sudo pkg search openssl | grep openssl3
    openssl31-3.1.7_1      TLSv1.3 capable SSL and crypto library
    openssl31-quictls-3.1.7_1      QUIC capable fork of OpenSSL
    openssl32-3.2.4        TLSv1.3 capable SSL and crypto library
    openssl33-3.3.3        TLSv1.3 capable SSL and crypto library
    openssl34-3.4.1        TLSv1.3 capable SSL and crypto library
  sudo pkg install openssl34
The rest of this recipe works if you want to try a newer version from
an OpenSSL tarball.

As of 2025-Feb-18, NetBSD 9.4 similarly has 1.1.1t,
while pkgin has
  pkgin avail | grep openssl-3
    openssl-3.3.2        Secure Socket Layer and cryptographic library
Again, the rest of this recipe works if you want to try a newer
version from an OpenSSL tarball.


Download OpenSSL source from here:
  https://www.openssl.org/source/

You should be able to cut/paste many of these lines.
But check for the latest versions first.

cd xxx
mkdir OpenSSL
cd OpenSSL
for OpenSSL 3.4.1
  # https://www.openssl.org/source/
  wget https://github.com/openssl/openssl/releases/download/openssl-3.4.1/openssl-3.4.1.tar.gz
  tar -xzf openssl-3.4.1.tar.gz
  cd openssl-3.4.1

# Check NOTES.PERL
# Fedora needs
    sudo dnf install perl-core
# FreeBSD needs
    sudo pkg install perl5

By default, this recipe will install
  libcrypto.so.3 and libssl.so.3
  in /usr/local/ssl/lib64/
and they will be used by all software, not just ntpd.

If you don't want that, edit VERSION.dat and change SHLIB_VERSION
to something like 6.  That will install the libraries as
  libcrypto.so.6 and libssl.so.6
and waf will set up ntpd to use them.
The default configure breaks things on Fedora, so this is a good idea.   <======

On Linux
  make clean
  openssl version -d
  OPENSSLDIR=`openssl version -d | sed "s/OPENSSLDIR: //"`
  OPENSSLDIR=`echo $OPENSSLDIR | sed s/\"//g`
  echo $OPENSSLDIR
  ./Configure --prefix=/usr/local/ssl --openssldir=$OPENSSLDIR shared

***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***       perl configdata.pm --dump                                ***

time make -j4         |& tee make.log
  # Check that we got it right.  These should match.
  openssl version -d
  ./util/shlib_wrap.sh ./apps/openssl version -d
  # ./apps/openssl without the wrapper will use the installed libraries
The above check is broken on Fedora
  (I think Fedora needs some old/weak crypto that default OpenSSL
   no longer provides.  I haven't gone down this rabbit hole.)
It works on Debian, Ubuntu and FreeBSD.

time make test        |& tee test.log
time make build_docs  |& tee docs.log
sudo make install     |& tee install.log

On Linux:
  sudo su
    cd /etc/ld.so.conf.d
    echo "/usr/local/ssl/lib" > openssl.conf    # 32 bit systems
    echo "/usr/local/ssl/lib64" > openssl.conf  # 64 bit systems
    # running ldconfig before install doesn't work
    ldconfig

On FreeBSD:
  sudo ldconfig -m /usr/local/ssl/lib/
  ?? You have to do this each time you boot

NetBSD:
  echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
(no ldconfig on my search path.  Doesn't seem to be needed.)
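Added example, not part of the ntpsec HOWTO: a POSIX sh version of the "these should match" check from the build step and of the lib/lib64 choice from the ld.so.conf.d step. It assumes `openssl version -d` prints a line of the form `OPENSSLDIR: "/some/dir"`; the list of 64-bit machine names in the case statement is my assumption, since the HOWTO only distinguishes 32-bit from 64-bit systems.

```shell
#!/bin/sh
# Added helper script (not the HOWTO's own code).
# Assumption: `openssl version -d` prints   OPENSSLDIR: "/usr/lib/ssl"

# Extract the bare directory from one `openssl version -d` output line
# (strip the "OPENSSLDIR: " prefix, then the surrounding double quotes).
parse_openssldir() {
    dir=${1#OPENSSLDIR: }
    dir=${dir#\"}
    dir=${dir%\"}
    printf '%s\n' "$dir"
}

# Succeed only when two `openssl version -d` lines name the same directory,
# i.e. the installed openssl and the freshly built one agree.
same_openssldir() {
    [ "$(parse_openssldir "$1")" = "$(parse_openssldir "$2")" ]
}

# Pick the path to write into /etc/ld.so.conf.d/openssl.conf on Linux:
# lib64 on 64-bit machines (assumed names below), lib everywhere else.
openssl_ldconf_path() {
    case "$1" in
        x86_64|aarch64|ppc64le|s390x|riscv64) echo /usr/local/ssl/lib64 ;;
        *)                                    echo /usr/local/ssl/lib ;;
    esac
}

# Live check, run from the unpacked OpenSSL tree after `make`:
#   sh this-script.sh check
if [ "${1:-}" = check ] && [ -x ./apps/openssl ]; then
    installed=$(openssl version -d)
    built=$(./util/shlib_wrap.sh ./apps/openssl version -d)
    if same_openssldir "$installed" "$built"; then
        echo "OPENSSLDIR matches: $(parse_openssldir "$built")"
        echo "ld.so.conf.d entry: $(openssl_ldconf_path "$(uname -m)")"
    else
        echo "MISMATCH: installed='$installed' built='$built'" >&2
        exit 1
    fi
fi
```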

On NetBSD, OpenSSL hangs in the tests.
This is the last line it prints:
  04-test_bio_core.t ...................... ok
It seems to work OK.
[GPSD had a lot of trouble getting their tests to work on NetBSD.]


# check with
/usr/local/ssl/bin/openssl version

# Note that the directories in the above config line need to
# match where wscript looks for your OS.

----------

FIPS:
  For FIPS mode, add enable-fips to the Configure step.
mumble needs config stuff

Fedora:
  man fips-mode-setup