Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 24. Software -Networking/EncryptionNext

24.2. Compile and Optimize

Move into the new Openssl directory and type the following commands on your terminal:

  1. Edit the c_rehash file, vi +11 tools/c_rehash and change the line: 
             DIR=/usr/local/ssl
    To read: 
             DIR=/usr
    The changed line above will build and install OpenSSL in the default location /usr.

  2. By default, OpenSSL source files suppose that your Perl program directory is located under the /usr/local/bin/perl directory. We must modify the #!/usr/local/bin/perl line in all scripts that rely on perl to reflect our Perl directory under Red Hat Linux to be /usr/bin. 
               [root@deep ]/openssl-0.9.5a# perl util/perlpath.pl /usr/bin (1)

    (1)
    where your perl program reside.

  3. OpenSSL must know where to find the necessary OpenSSL source libraries to compile successfully its required files. With the command below, we set the PATH environment variable to the default directory where we have uncompressed the OpenSSL source files. 
             [root@deep ]/openssl-0.9.5a# export LD_LIBRARY_PATH=`pwd`

  4. Now, we must configure OpenSSL for our system: 
             CC="egcs" \
         ./Configure linux-elf -DSSL_FORBID_ENULL \ (1)
         --prefix=/usr  \
         --openssldir=/etc/ssl

    (1)
    The -DSSL_FORBID_ENULL option is required for not allowing null encryption for security reasons.

  5. Edit the Makefile.ssl file and change the following line:

    1. vi +50 Makefile.ssl 
               CC= gcc
      To read: 
               CC= egcs

    2. Edit with vi +52 Makefile.ssl and add/change the following line: 
               CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

    3. Edit with vi +79 Makefile.ssl and add the following value for a Pentium Pro processor: 
               PROCESSOR=  686

      Note: The three modifications we made above will set the optimization flag for compilation of OpenSSL software on the server. For the last modification PROCESSOR= above, if you use 586 to denote a Pentium, use 686 to denote Pro/II/III, use 486 to denote a 486, depending on the type of processor you have.

    4. Edit with vi +161 Makefile.ssl and change the following line: 
               MANDIR=$(OPENSSLDIR)/man
      To read: 
               MANDIR=/usr/man
      This step is necessary to set the directory for where the man pages of OpenSSL will be installed. With this modification, we install them under /usr/man directory.

Now we must compile and install OpenSSL on the server: 
             [root@deep ]/openssl-0.9.5a# make -f  Makefile
             [root@deep ]/openssl-0.9.5a# make test
             [root@deep ]/openssl-0.9.5a# make install
             [root@deep ]/openssl-0.9.5a# mv /etc/ssl/misc/*  /usr/bin/
             [root@deep ]/openssl-0.9.5a# rm -rf  /etc/ssl/misc/
             [root@deep ]/openssl-0.9.5a# rm -rf  /etc/ssl/lib/
             [root@deep ]/openssl-0.9.5a# rm -f   /usr/bin/CA.pl
             [root@deep ]/openssl-0.9.5a# rm -f   /usr/bin/CA.sh
             [root@deep ]/openssl-0.9.5a# install -m 644 libRSAglue.a  /usr/lib/
             [root@deep ]/openssl-0.9.5a# install -m 644 rsaref/rsaref.h  /usr/include/openssl/
             [root@deep ]/openssl-0.9.5a# strip /usr/bin/openssl
             [root@deep ]/openssl-0.9.5a# mkdir -p /etc/ssl/crl

  • The make -f command will build the OpenSSL libraries, libcrypto.a and libssl.a and the OpenSSL binary openssl. The libraries will be built in the top-level directory, and the binary will be in the apps directory.

  • After a successful build, the make test will test the libraries and finally the make install will create the installation directory and install OpenSSL.

  • The mv command will move all files under the /etc/ssl/misc/ directory to the /usr/bin/ directory. These files are binary and must be located under /usr/bin/ since in our system, all binary files are keep in this directory. Also putting these files in the /usr/bin/ directory will keep them in our PATH environment variable.

  • The rm command will remove the /etc/ssl/misc/ and /etc/ssl/lib/ directories from our system, since files that were in these directories are now located in other places. Also, it will remove the CA.pl and CA.sh files, that are small scripts used to create your own CA certificates. Those scripts related to openssl ca commands has some strange requirements, and the default OpenSSL config doesn't allow one easily to use openssl ca directly. So we'll create the sign.sh script program later to replace them.

Caution

The bc-1.05a-4.i386.rpm package or higher must be already installed on your Linux server or you'll receive an error message during the library test of OpenSSL.

Please don't forget to cleanup later: 
             [root@deep] /# cd /var/tmp
             [root@deep tmp]# rm  -rf openssl-version/ openssl-version.tar.gz
The rm command will remove all the source files we have used to compile and install OpenSSL. It will also remove the OpenSSL compressed archive from th/var/tmp directory.

PrevHomeNext
Linux OPENSSL ServerUpConfigure OpenSSL to optimise
  
 
  Published under the terms of the Open Publication License Design by Interspire