
How do I install and build against OpenSSL 1.0.0 on Ubuntu?

You can consider this a follow-up question to How do I install the OpenSSL C++ library on Ubuntu?

I'm trying to build some code on Ubuntu 10.04 LTS that requires OpenSSL 1.0.0.

Ubuntu 10.04 LTS comes with OpenSSL 0.9.8k:

$ openssl version
OpenSSL 0.9.8k 25 Mar 2009

So after running sudo apt-get install libssl-dev and building, running ldd confirms I've linked in 0.9.8:

$ ldd foo
        ...
        libssl.so.0.9.8 => /lib/i686/cmov/libssl.so.0.9.8 (0x00110000)
        ...
        libcrypto.so.0.9.8 => /lib/i686/cmov/libcrypto.so.0.9.8 (0x002b0000)
        ...

How do I install OpenSSL 1.0.0 and the 1.0.0 development package?

Update: I'm writing this update after reading SB's answer (but before trying it), because it's clear I need to explain that the obvious solution of downloading and installing OpenSSL 1.0.0 doesn't work:

After successfully doing the following (recommended in the INSTALL file):

  $ ./config
  $ make
  $ make test
  $ make install

...I still get:

OpenSSL 0.9.8k 25 Mar 2009

...and:

$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libssl-dev is already the newest version.
The following packages were automatically installed and are no longer required:
  linux-headers-2.6.32-21 linux-headers-2.6.32-21-generic
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

...and (just to make sure) after rebuilding my code, ldd still returns the same thing.

Update #2: I added the "-I/usr/local/ssl/include" and "-L/usr/local/ssl/lib" options (suggested by SB) to my makefile, but I'm now getting a bunch of undefined reference compile errors, for example:

/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_f_base64'
/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_new'

/usr/local/ssl/include/ contains only an openssl directory (which contains numerous .h files), so I also tried "-I/usr/local/ssl/include/openssl" but got the same errors.

Update #3: I tried changing the OpenSSL includes from (for example):

#include <openssl/bio.h>

...to:

#include "openssl/bio.h"

...in the .cpp source file but still get the same undefined reference errors.

Update #4: I now realize those undefined reference errors are linker errors. If I remove the "-L/usr/local/ssl/lib" from my Makefile, I don't get the errors (but it links to OpenSSL 0.9.8). The contents of /usr/local/ssl/lib/ are:

$ ls /usr/local/ssl/lib/
engines  libcrypto.a  libssl.a  pkgconfig

I added -lcrypto, and the errors went away.

Get the 1.0.0a source from here.

# tar -xf openssl-1.0.0a.tar.gz
# cd openssl-1.0.0a
# ./config
# sudo make install

This puts it in /usr/local/ssl by default.

When you build, you need to tell gcc to look for the headers in /usr/local/ssl/include and link with libs in /usr/local/ssl/lib. You can specify this by doing something like:

gcc test.c -o test -I/usr/local/ssl/include -L/usr/local/ssl/lib -lssl -lcrypto

EDIT: DO NOT overwrite any system libraries. It's best to keep new libs in /usr/local. Overwriting Ubuntu defaults can be hazardous to your health and break your system.

Additionally, I was wrong about the paths as I just tried this in Ubuntu 10.04 VM. Fixed.

Note, there is no need to change LD_LIBRARY_PATH since the openssl libs you link against by default are static libs (at least by default - there might be a way to configure them as dynamic libs in the ./config step)

You may need to link against libcrypto because you are using some calls that are built and defined in the libcrypto package. OpenSSL 1.0.0 actually builds two libraries, libcrypto and libssl.

EDIT 2: Added -lcrypto to gcc line.

Instead of:

    $ ./config
    $ make
    $ make test
    $ make install

Do:

    $ sudo ./config --prefix=/usr
    $ sudo make
    $ sudo make test
    $ sudo make install

This will help you update to openssl 1.0.1g to patch for CVE-2014-0160 (Heartbleed).

OpenSSL Security Advisory [07 Apr 2014]

TLS heartbeat read overrun (CVE-2014-0160)

A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.

Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.

Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.

1.0.2 will be fixed in 1.0.2-beta2.

Source: https://www.openssl.org/news/secadv_20140407.txt
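
The affected range stated in the advisory quoted above can be checked against an `openssl version` line. The shell function below is an added example, not part of the original answer or of the advisory; the name `heartbleed_status` is hypothetical, and the sample lines other than the two outputs shown on this page are constructed.

```shell
#!/bin/sh
# Classify an `openssl version` line against the affected range given in the
# 07 Apr 2014 advisory for CVE-2014-0160.
# Prints one of: affected | not-affected | unknown
heartbleed_status() {
    # In "OpenSSL 1.0.1f 6 Jan 2014" the second field is the version token.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    ver=${ver%-fips}    # some distributions report e.g. "1.0.1e-fips"
    case "$ver" in
        1.0.1|1.0.1[abcdef]|1.0.2-beta1)
            echo affected ;;        # 1.0.1 through 1.0.1f, and 1.0.2-beta1
        ''|1.0.1-*)
            echo unknown ;;         # not an OpenSSL line, or a 1.0.1 pre-release
                                    # (the advisory does not mention those)
        [0-9].[0-9].[0-9]*)
            echo not-affected ;;    # 0.9.8, 1.0.0, 1.0.1g and later, 1.0.2-beta2 and later
        *)
            echo unknown ;;
    esac
}

# Constructed sample input; the first two lines are the outputs shown on this page.
for line in 'OpenSSL 0.9.8k 25 Mar 2009' 'OpenSSL 1.0.0g 18 Jan 2012' \
            'OpenSSL 1.0.1f 6 Jan 2014' 'OpenSSL 1.0.1g 7 Apr 2014'; do
    printf '%-14s %s\n' "$(heartbleed_status "$line")" "$line"
done
```

A version string cannot show a distribution's backported fix or a build made with -DOPENSSL_NO_HEARTBEATS, so `affected` is a prompt to check the package changelog or build flags rather than a final verdict.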

Here's what solved it for me: Upgrade latest version OpenSSL on Ubuntu

Transcribing the main information:

Download the OpenSSL v1.0.0g source:

$ wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz

Unpack the archive and install:

$ tar xzvf openssl-1.0.0g.tar.gz
$ cd openssl-1.0.0g
$ ./config
$ make
$ make test
$ sudo make install

All files, including binaries and man pages, are installed under the directory /usr/local/ssl. To ensure users use this version of OpenSSL instead of the previous version you must update the paths for man pages and binaries.

Edit the file /etc/manpath.config adding the following line before the first MANPATH_MAP:

MANPATH_MAP     /usr/local/ssl/bin      /usr/local/ssl/man

Update the man database (I honestly can't remember and don't know for sure if this command was necessary - maybe try without it and at the end when testing if the man pages are still the old versions come back and run mandb):

sudo mandb

Edit the file /etc/environment and insert the path for OpenSSL binaries (/usr/local/ssl/bin) before the path for Ubuntu's version of OpenSSL (/usr/bin). My environment file looks like this:

PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"

Logout and login and test:

$ openssl version
OpenSSL 1.0.0g 18 Jan 2012

Also test the man pages by running man openssl and at the very bottom in the left hand corner it should report 1.0.0g.

Note that although the users will now automatically use the new version of OpenSSL, existing programs (e.g. Apache) may not as they are linked against the libraries from the Ubuntu version.
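
The closing note above, like the ldd output in the question, comes down to which libssl and libcrypto a given binary resolves at load time. The shell functions below are an added example (not from the original posts) that read `ldd` output on stdin and report this; the names `linked_openssl` and `openssl_under_prefix` are hypothetical, and the libc line in the sample is constructed.

```shell
#!/bin/sh
# Print "soname path" for each OpenSSL shared object in `ldd` output read from
# stdin, or "none" when neither libssl nor libcrypto is dynamically linked
# (the binary uses the static libssl.a/libcrypto.a, or no OpenSSL at all).
linked_openssl() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            print $1, ($3 == "not" ? "not-found" : $3); n++
        }
        END { if (!n) print "none" }
    '
}

# Succeed only if every OpenSSL library in the ldd output on stdin resolves
# to a path under the given prefix, e.g. /usr/local/ssl.
openssl_under_prefix() {
    linked_openssl | awk -v p="$1/" '
        index($2, p) != 1 { bad = 1 }   # also catches "none" and "not-found"
        END { exit bad + 0 }
    '
}

# Sample input: the two OpenSSL lines are the ldd output from the question,
# the libc line is constructed.
SAMPLE_LDD='        libssl.so.0.9.8 => /lib/i686/cmov/libssl.so.0.9.8 (0x00110000)
        libcrypto.so.0.9.8 => /lib/i686/cmov/libcrypto.so.0.9.8 (0x002b0000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0x00400000)'

printf '%s\n' "$SAMPLE_LDD" | linked_openssl
if printf '%s\n' "$SAMPLE_LDD" | openssl_under_prefix /usr/local/ssl; then
    echo "uses the OpenSSL under /usr/local/ssl"
else
    echo "does not use the OpenSSL under /usr/local/ssl"
fi
```

Run it as `ldd /path/to/binary | linked_openssl`. Only run ldd on binaries you trust, since it may execute them to resolve their dependencies.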
