| FAQ (68651) | FAQ (76866) |
|---|---|
| 1OpenSSL - Frequently Asked Questions 2-------------------------------------- 3 | 1OpenSSL - Frequently Asked Questions 2-------------------------------------- 3 |
| 4[MISC] Miscellaneous questions 5 |
|
| 4* Which is the current version of OpenSSL? 5* Where is the documentation? 6* How can I contact the OpenSSL developers? | 6* Which is the current version of OpenSSL? 7* Where is the documentation? 8* How can I contact the OpenSSL developers? |
| 9* Where can I get a compiled version of OpenSSL? 10* Why aren't tools like 'autoconf' and 'libtool' used? 11 12[LEGAL] Legal questions 13 |
|
| 7* Do I need patent licenses to use OpenSSL? | 14* Do I need patent licenses to use OpenSSL? |
| 8* Is OpenSSL thread-safe? | 15* Can I use OpenSSL with GPL software? 16 17[USER] Questions on using the OpenSSL applications 18 |
| 9* Why do I get a "PRNG not seeded" error message? | 19* Why do I get a "PRNG not seeded" error message? |
| 10* Why does the linker complain about undefined symbols? 11* Where can I get a compiled version of OpenSSL? 12* I've compiled a program under Windows and it crashes: why? 13* How do I read or write a DER encoded buffer using the ASN1 functions? 14* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 15* I've called <some function> and it fails, why? 16* I just get a load of numbers for the error output, what do they mean? 17* Why do I get errors about unknown algorithms? | |
| 18* How do I create certificates or certificate requests? 19* Why can't I create certificate requests? 20* Why does <SSL program> fail with a certificate verify error? 21* Why can I only use weak ciphers when I connect to a server using OpenSSL? 22* How can I create DSA certificates? 23* Why can't I make an SSL connection using a DSA certificate? 24* How can I remove the passphrase on a private key? | 20* How do I create certificates or certificate requests? 21* Why can't I create certificate requests? 22* Why does <SSL program> fail with a certificate verify error? 23* Why can I only use weak ciphers when I connect to a server using OpenSSL? 24* How can I create DSA certificates? 25* Why can't I make an SSL connection using a DSA certificate? 26* How can I remove the passphrase on a private key? |
| 25* Why can't the OpenSSH configure script detect OpenSSL? | 27* Why can't I use OpenSSL certificates with SSL client authentication? 28* Why does my browser give a warning about a mismatched hostname? 29 30[BUILD] Questions about building and testing OpenSSL 31 32* Why does the linker complain about undefined symbols? |
| 26* Why does the OpenSSL test fail with "bc: command not found"? 27* Why does the OpenSSL test fail with "bc: 1 no implemented"? 28* Why does the OpenSSL compilation fail on Alpha True64 Unix? 29* Why does the OpenSSL compilation fail with "ar: command not found"? | 33* Why does the OpenSSL test fail with "bc: command not found"? 34* Why does the OpenSSL test fail with "bc: 1 no implemented"? 35* Why does the OpenSSL compilation fail on Alpha True64 Unix? 36* Why does the OpenSSL compilation fail with "ar: command not found"? |
| 37* Why does the OpenSSL compilation fail on Win32 with VC++? |
|
| 30 | 38 |
| 39[PROG] Questions about programming with OpenSSL |
|
| 31 | 40 |
| 41* Is OpenSSL thread-safe? 42* I've compiled a program under Windows and it crashes: why? 43* How do I read or write a DER encoded buffer using the ASN1 functions? 44* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 45* I've called <some function> and it fails, why? 46* I just get a load of numbers for the error output, what do they mean? 47* Why do I get errors about unknown algorithms? 48* Why can't the OpenSSH configure script detect OpenSSL? 49* Can I use OpenSSL's SSL library with non-blocking I/O? 50 51=============================================================================== 52 53[MISC] ======================================================================== 54 |
|
| 32* Which is the current version of OpenSSL? 33 34The current version is available from <URL: http://www.openssl.org>. | 55* Which is the current version of OpenSSL? 56 57The current version is available from <URL: http://www.openssl.org>. |
| 35OpenSSL 0.9.6 was released on September 24th, 2000. | 58OpenSSL 0.9.6a was released on April 5th, 2001. |
| 36 37In addition to the current stable release, you can also access daily 38snapshots of the OpenSSL development version at <URL: 39ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. 40 41 42* Where is the documentation? 43 --- 29 unchanged lines hidden (view full) --- 73 74* How can I contact the OpenSSL developers? 75 76The README file describes how to submit bug reports and patches to 77OpenSSL. Information on the OpenSSL mailing lists is available from 78<URL: http://www.openssl.org>. 79 80 | 59 60In addition to the current stable release, you can also access daily 61snapshots of the OpenSSL development version at <URL: 62ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. 63 64 65* Where is the documentation? 66 --- 29 unchanged lines hidden (view full) --- 96 97* How can I contact the OpenSSL developers? 98 99The README file describes how to submit bug reports and patches to 100OpenSSL. Information on the OpenSSL mailing lists is available from 101<URL: http://www.openssl.org>. 102 103 |
| 104* Where can I get a compiled version of OpenSSL? 105 106Some applications that use OpenSSL are distributed in binary form. 107When using such an application, you don't need to install OpenSSL 108yourself; the application will include the required parts (e.g. DLLs). 109 110If you want to install OpenSSL on a Windows system and you don't have 111a C compiler, read the "Mingw32" section of INSTALL.W32 for information 112on how to obtain and install the free GNU C compiler. 113 114A number of Linux and *BSD distributions include OpenSSL. 115 116 117* Why aren't tools like 'autoconf' and 'libtool' used? 118 119autoconf will probably be used in future OpenSSL versions. If it was 120less Unix-centric, it might have been used much earlier. 121 122 123[LEGAL] ======================================================================= 124 |
|
| 81* Do I need patent licenses to use OpenSSL? 82 83The patents section of the README file lists patents that may apply to 84you if you want to use OpenSSL. For information on intellectual 85property rights, please consult a lawyer. The OpenSSL team does not 86offer legal advice. 87 88You can configure OpenSSL so as not to use RC5 and IDEA by using 89 ./config no-rc5 no-idea 90 91 | 125* Do I need patent licenses to use OpenSSL? 126 127The patents section of the README file lists patents that may apply to 128you if you want to use OpenSSL. For information on intellectual 129property rights, please consult a lawyer. The OpenSSL team does not 130offer legal advice. 131 132You can configure OpenSSL so as not to use RC5 and IDEA by using 133 ./config no-rc5 no-idea 134 135 |
| 92* Is OpenSSL thread-safe? | 136* Can I use OpenSSL with GPL software? |
| 93 | 137 |
| 94Yes (with limitations: an SSL connection may not concurrently be used 95by multiple threads). On Windows and many Unix systems, OpenSSL 96automatically uses the multi-threaded versions of the standard 97libraries. If your platform is not one of these, consult the INSTALL 98file. | 138On many systems including the major Linux and BSD distributions, yes (the 139GPL does not place restrictions on using libraries that are part of the 140normal operating system distribution). |
| 99 | 141 |
| 100Multi-threaded applications must provide two callback functions to 101OpenSSL. This is described in the threads(3) manpage. | 142On other systems, the situation is less clear. Some GPL software copyright 143holders claim that you infringe on their rights if you use OpenSSL with 144their software on operating systems that don't normally include OpenSSL. |
| 102 | 145 |
| 146If you develop open source software that uses OpenSSL, you may find it 147useful to choose an other license than the GPL, or state explicitely that 148"This program is released under the GPL with the additional exemption that 149compiling, linking, and/or using OpenSSL is allowed." If you are using 150GPL software developed by others, you may want to ask the copyright holder 151for permission to use their software with OpenSSL. |
|
| 103 | 152 |
| 153 154[USER] ======================================================================== 155 |
|
| 104* Why do I get a "PRNG not seeded" error message? 105 106Cryptographic software needs a source of unpredictable data to work 107correctly. Many open source operating systems provide a "randomness 108device" that serves this purpose. On other systems, applications have 109to call the RAND_add() or RAND_seed() function with appropriate data 110before generating keys or performing public key encryption. 111 --- 21 unchanged lines hidden (view full) --- 133For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested 134installing the SUNski package from Sun patch 105710-01 (Sparc) which 135adds a /dev/random device and make sure it gets used, usually through 136$RANDFILE. There are probably similar patches for the other Solaris 137versions. However, be warned that /dev/random is usually a blocking 138device, which may have some effects on OpenSSL. 139 140 | 156* Why do I get a "PRNG not seeded" error message? 157 158Cryptographic software needs a source of unpredictable data to work 159correctly. Many open source operating systems provide a "randomness 160device" that serves this purpose. On other systems, applications have 161to call the RAND_add() or RAND_seed() function with appropriate data 162before generating keys or performing public key encryption. 163 --- 21 unchanged lines hidden (view full) --- 185For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested 186installing the SUNski package from Sun patch 105710-01 (Sparc) which 187adds a /dev/random device and make sure it gets used, usually through 188$RANDFILE. There are probably similar patches for the other Solaris 189versions. However, be warned that /dev/random is usually a blocking 190device, which may have some effects on OpenSSL. 191 192 |
| 193* How do I create certificates or certificate requests? 194 195Check out the CA.pl(1) manual page. This provides a simple wrapper round 196the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check 197out the manual pages for the individual utilities and the certificate 198extensions documentation (currently in doc/openssl.txt). 199 200 201* Why can't I create certificate requests? 202 203You typically get the error: 204 205 unable to find 'distinguished_name' in config 206 problems making Certificate Request 207 208This is because it can't find the configuration file. Check out the 209DIAGNOSTICS section of req(1) for more information. 210 211 212* Why does <SSL program> fail with a certificate verify error? 213 214This problem is usually indicated by log messages saying something like 215"unable to get local issuer certificate" or "self signed certificate". 216When a certificate is verified its root CA must be "trusted" by OpenSSL 217this typically means that the CA certificate must be placed in a directory 218or file and the relevant program configured to read it. The OpenSSL program 219'verify' behaves in a similar way and issues similar error messages: check 220the verify(1) program manual page for more information. 221 222 223* Why can I only use weak ciphers when I connect to a server using OpenSSL? 224 225This is almost certainly because you are using an old "export grade" browser 226which only supports weak encryption. Upgrade your browser to support 128 bit 227ciphers. 228 229 230* How can I create DSA certificates? 231 232Check the CA.pl(1) manual page for a DSA certificate example. 233 234 235* Why can't I make an SSL connection to a server using a DSA certificate? 236 237Typically you'll see a message saying there are no shared ciphers when 238the same setup works fine with an RSA certificate. There are two possible 239causes. The client may not support connections to DSA servers most web 240browsers (including Netscape and MSIE) only support connections to servers 241supporting RSA cipher suites. The other cause is that a set of DH parameters 242has not been supplied to the server. DH parameters can be created with the 243dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: 244check the source to s_server in apps/s_server.c for an example. 245 246 247* How can I remove the passphrase on a private key? 248 249Firstly you should be really *really* sure you want to do this. Leaving 250a private key unencrypted is a major security risk. If you decide that 251you do have to do this check the EXAMPLES sections of the rsa(1) and 252dsa(1) manual pages. 253 254 255* Why can't I use OpenSSL certificates with SSL client authentication? 256 257What will typically happen is that when a server requests authentication 258it will either not include your certificate or tell you that you have 259no client certificates (Netscape) or present you with an empty list box 260(MSIE). The reason for this is that when a server requests a client 261certificate it includes a list of CAs names which it will accept. Browsers 262will only let you select certificates from the list on the grounds that 263there is little point presenting a certificate which the server will 264reject. 265 266The solution is to add the relevant CA certificate to your servers "trusted 267CA list". How you do this depends on the server sofware in uses. You can 268print out the servers list of acceptable CAs using the OpenSSL s_client tool: 269 270openssl s_client -connect www.some.host:443 -prexit 271 272If your server only requests certificates on certain URLs then you may need 273to manually issue an HTTP GET command to get the list when s_client connects: 274 275GET /some/page/needing/a/certificate.html 276 277If your CA does not appear in the list then this confirms the problem. 278 279 280* Why does my browser give a warning about a mismatched hostname? 281 282Browsers expect the server's hostname to match the value in the commonName 283(CN) field of the certificate. If it does not then you get a warning. 284 285 286[BUILD] ======================================================================= 287 |
|
| 141* Why does the linker complain about undefined symbols? 142 143Maybe the compilation was interrupted, and make doesn't notice that 144something is missing. Run "make clean; make". 145 146If you used ./Configure instead of ./config, make sure that you 147selected the right target. File formats may differ slightly between 148OS versions (for example sparcv8/sparcv9, or a.out/elf). --- 8 unchanged lines hidden (view full) --- 157 bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, 158 des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, 159 des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order 160 161If none of these helps, you may want to try using the current snapshot. 162If the problem persists, please submit a bug report. 163 164 | 288* Why does the linker complain about undefined symbols? 289 290Maybe the compilation was interrupted, and make doesn't notice that 291something is missing. Run "make clean; make". 292 293If you used ./Configure instead of ./config, make sure that you 294selected the right target. File formats may differ slightly between 295OS versions (for example sparcv8/sparcv9, or a.out/elf). --- 8 unchanged lines hidden (view full) --- 304 bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3, 305 des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3, 306 des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order 307 308If none of these helps, you may want to try using the current snapshot. 309If the problem persists, please submit a bug report. 310 311 |
| 165* Where can I get a compiled version of OpenSSL? | 312* Why does the OpenSSL test fail with "bc: command not found"? |
| 166 | 313 |
| 167Some applications that use OpenSSL are distributed in binary form. 168When using such an application, you don't need to install OpenSSL 169yourself; the application will include the required parts (e.g. DLLs). | 314You didn't install "bc", the Unix calculator. If you want to run the 315tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. |
| 170 | 316 |
| 171If you want to install OpenSSL on a Windows system and you don't have 172a C compiler, read the "Mingw32" section of INSTALL.W32 for information 173on how to obtain and install the free GNU C compiler. | |
| 174 | 317 |
| 175A number of Linux and *BSD distributions include OpenSSL. | 318* Why does the OpenSSL test fail with "bc: 1 no implemented"? |
| 176 | 319 |
| 320On some SCO installations or versions, bc has a bug that gets triggered 321when you run the test suite (using "make test"). The message returned is 322"bc: 1 not implemented". |
|
| 177 | 323 |
| 324The best way to deal with this is to find another implementation of bc 325and compile/install it. GNU bc (see http://www.gnu.org/software/software.html 326for download instructions) can be safely used, for example. 327 328 329* Why does the OpenSSL compilation fail on Alpha True64 Unix? 330 331On some Alpha installations running True64 Unix and Compaq C, the compilation 332of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual 333memory to continue compilation.' As far as the tests have shown, this may be 334a compiler bug. What happens is that it eats up a lot of resident memory 335to build something, probably a table. The problem is clearly in the 336optimization code, because if one eliminates optimization completely (-O0), 337the compilation goes through (and the compiler consumes about 2MB of resident 338memory instead of 240MB or whatever one's limit is currently). 339 340There are three options to solve this problem: 341 3421. set your current data segment size soft limit higher. Experience shows 343that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do 344this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of 345kbytes to set the limit to. 346 3472. If you have a hard limit that is lower than what you need and you can't 348get it changed, you can compile all of OpenSSL with -O0 as optimization 349level. This is however not a very nice thing to do for those who expect to 350get the best result from OpenSSL. A bit more complicated solution is the 351following: 352 353----- snip:start ----- 354 make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ 355 sed -e 's/ -O[0-9] / -O0 /'`" 356 rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` 357 make 358----- snip:end ----- 359 360This will only compile sha_dgst.c with -O0, the rest with the optimization 361level chosen by the configuration process. When the above is done, do the 362test and installation and you're set. 363 364 365* Why does the OpenSSL compilation fail with "ar: command not found"? 366 367Getting this message is quite usual on Solaris 2, because Sun has hidden 368away 'ar' and other development commands in directories that aren't in 369$PATH by default. One of those directories is '/usr/ccs/bin'. The 370quickest way to fix this is to do the following (it assumes you use sh 371or any sh-compatible shell): 372 373----- snip:start ----- 374 PATH=${PATH}:/usr/ccs/bin; export PATH 375----- snip:end ----- 376 377and then redo the compilation. What you should really do is make sure 378'/usr/ccs/bin' is permanently in your $PATH, for example through your 379'.profile' (again, assuming you use a sh-compatible shell). 380 381 382* Why does the OpenSSL compilation fail on Win32 with VC++? 383 384Sometimes, you may get reports from VC++ command line (cl) that it 385can't find standard include files like stdio.h and other weirdnesses. 386One possible cause is that the environment isn't correctly set up. 387To solve that problem, one should run VCVARS32.BAT which is found in 388the 'bin' subdirectory of the VC++ installation directory (somewhere 389under 'Program Files'). This needs to be done prior to running NMAKE, 390and the changes are only valid for the current DOS session. 391 392 393[PROG] ======================================================================== 394 395* Is OpenSSL thread-safe? 396 397Yes (with limitations: an SSL connection may not concurrently be used 398by multiple threads). On Windows and many Unix systems, OpenSSL 399automatically uses the multi-threaded versions of the standard 400libraries. If your platform is not one of these, consult the INSTALL 401file. 402 403Multi-threaded applications must provide two callback functions to 404OpenSSL. This is described in the threads(3) manpage. 405 406 |
|
| 178* I've compiled a program under Windows and it crashes: why? 179 180This is usually because you've missed the comment in INSTALL.W32. You 181must link with the multithreaded DLL version of the VC++ runtime library 182otherwise the conflict will cause a program to crash: typically on the 183first BIO related read or write operation. 184 185 --- 68 unchanged lines hidden (view full) --- 254* Why do I get errors about unknown algorithms? 255 256This can happen under several circumstances such as reading in an 257encrypted private key or attempting to decrypt a PKCS#12 file. The cause 258is forgetting to load OpenSSL's table of algorithms with 259OpenSSL_add_all_algorithms(). See the manual page for more information. 260 261 | 407* I've compiled a program under Windows and it crashes: why? 408 409This is usually because you've missed the comment in INSTALL.W32. You 410must link with the multithreaded DLL version of the VC++ runtime library 411otherwise the conflict will cause a program to crash: typically on the 412first BIO related read or write operation. 413 414 --- 68 unchanged lines hidden (view full) --- 483* Why do I get errors about unknown algorithms? 484 485This can happen under several circumstances such as reading in an 486encrypted private key or attempting to decrypt a PKCS#12 file. The cause 487is forgetting to load OpenSSL's table of algorithms with 488OpenSSL_add_all_algorithms(). See the manual page for more information. 489 490 |
| 262* How do I create certificates or certificate requests? 263 264Check out the CA.pl(1) manual page. This provides a simple wrapper round 265the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check 266out the manual pages for the individual utilities and the certificate 267extensions documentation (currently in doc/openssl.txt). 268 269 270* Why can't I create certificate requests? 271 272You typically get the error: 273 274 unable to find 'distinguished_name' in config 275 problems making Certificate Request 276 277This is because it can't find the configuration file. Check out the 278DIAGNOSTICS section of req(1) for more information. 279 280 281* Why does <SSL program> fail with a certificate verify error? 282 283This problem is usually indicated by log messages saying something like 284"unable to get local issuer certificate" or "self signed certificate". 285When a certificate is verified its root CA must be "trusted" by OpenSSL 286this typically means that the CA certificate must be placed in a directory 287or file and the relevant program configured to read it. The OpenSSL program 288'verify' behaves in a similar way and issues similar error messages: check 289the verify(1) program manual page for more information. 290 291 292* Why can I only use weak ciphers when I connect to a server using OpenSSL? 293 294This is almost certainly because you are using an old "export grade" browser 295which only supports weak encryption. Upgrade your browser to support 128 bit 296ciphers. 297 298 299* How can I create DSA certificates? 300 301Check the CA.pl(1) manual page for a DSA certificate example. 302 303 304* Why can't I make an SSL connection to a server using a DSA certificate? 305 306Typically you'll see a message saying there are no shared ciphers when 307the same setup works fine with an RSA certificate. There are two possible 308causes. The client may not support connections to DSA servers most web 309browsers (including Netscape and MSIE) only support connections to servers 310supporting RSA cipher suites. The other cause is that a set of DH parameters 311has not been supplied to the server. DH parameters can be created with the 312dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: 313check the source to s_server in apps/s_server.c for an example. 314 315 316* How can I remove the passphrase on a private key? 317 318Firstly you should be really *really* sure you want to do this. Leaving 319a private key unencrypted is a major security risk. If you decide that 320you do have to do this check the EXAMPLES sections of the rsa(1) and 321dsa(1) manual pages. 322 323 | |
| 324* Why can't the OpenSSH configure script detect OpenSSL? 325 326There is a problem with OpenSSH 1.2.2p1, in that the configure script 327can't find the installed OpenSSL libraries. The problem is actually 328a small glitch that is easily solved with the following patch to be 329applied to the OpenSSH distribution: 330 331----- snip:start ----- --- 25 unchanged lines hidden (view full) --- 357- LIBS="$LIBS -R$ssldir" 358+ LIBS="$LIBS -R$ssldir/lib" 359 fi 360 fi 361 LIBS="$LIBS -lcrypto" 362----- snip:end ----- 363 364 | 491* Why can't the OpenSSH configure script detect OpenSSL? 492 493There is a problem with OpenSSH 1.2.2p1, in that the configure script 494can't find the installed OpenSSL libraries. The problem is actually 495a small glitch that is easily solved with the following patch to be 496applied to the OpenSSH distribution: 497 498----- snip:start ----- --- 25 unchanged lines hidden (view full) --- 524- LIBS="$LIBS -R$ssldir" 525+ LIBS="$LIBS -R$ssldir/lib" 526 fi 527 fi 528 LIBS="$LIBS -lcrypto" 529----- snip:end ----- 530 531 |
| 365* Why does the OpenSSL test fail with "bc: command not found"? | 532* Can I use OpenSSL's SSL library with non-blocking I/O? |
| 366 | 533 |
| 367You didn't install "bc", the Unix calculator. If you want to run the 368tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor. | 534Yes; make sure to read the SSL_get_error(3) manual page! |
| 369 | 535 |
| 536A pitfall to avoid: Don't assume that SSL_read() will just read from 537the underlying transport or that SSL_write() will just write to it -- 538it is also possible that SSL_write() cannot do any useful work until 539there is data to read, or that SSL_read() cannot do anything until it 540is possible to send data. One reason for this is that the peer may 541request a new TLS/SSL handshake at any time during the protocol, 542requiring a bi-directional message exchange; both SSL_read() and 543SSL_write() will try to continue any pending handshake. |
|
| 370 | 544 |
| 371* Why does the OpenSSL test fail with "bc: 1 no implemented"? | |
| 372 | 545 |
| 373On some SCO installations or versions, bc has a bug that gets triggered when 374you run the test suite (using "make test"). The message returned is "bc: 3751 not implemented". The best way to deal with this is to find another 376implementation of bc and compile/install it. For example, GNU bc (see 377http://www.gnu.org/software/software.html for download instructions) can 378be safely used. | 546=============================================================================== |
| 379 | 547 |
| 380 381* Why does the OpenSSL compilation fail on Alpha True64 Unix? 382 383On some Alpha installations running True64 Unix and Compaq C, the compilation 384of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual 385memory to continue compilation.' As far as the tests have shown, this may be 386a compiler bug. What happens is that it eats up a lot of resident memory 387to build something, probably a table. The problem is clearly in the 388optimization code, because if one eliminates optimization completely (-O0), 389the compilation goes through (and the compiler consumes about 2MB of resident 390memory instead of 240MB or whatever one's limit is currently). 391 392There are three options to solve this problem: 393 3941. set your current data segment size soft limit higher. Experience shows 395that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do 396this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of 397kbytes to set the limit to. 398 3992. If you have a hard limit that is lower than what you need and you can't 400get it changed, you can compile all of OpenSSL with -O0 as optimization 401level. This is however not a very nice thing to do for those who expect to 402get the best result from OpenSSL. A bit more complicated solution is the 403following: 404 405----- snip:start ----- 406 make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \ 407 sed -e 's/ -O[0-9] / -O0 /'`" 408 rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'` 409 make 410----- snip:end ----- 411 412This will only compile sha_dgst.c with -O0, the rest with the optimization 413level chosen by the configuration process. When the above is done, do the 414test and installation and you're set. 415 416 417* Why does the OpenSSL compilation fail with "ar: command not found"? 418 419Getting this message is quite usual on Solaris 2, because Sun has hidden 420away 'ar' and other development commands in directories that aren't in 421$PATH by default. One of those directories is '/usr/ccs/bin'. The 422quickest way to fix this is to do the following (it assumes you use sh 423or any sh-compatible shell): 424 425----- snip:start ----- 426 PATH=${PATH}:/usr/ccs/bin; export PATH 427----- snip:end ----- 428 429and then redo the compilation. What you should really do is make sure 430'/usr/ccs/bin' is permanently in your $PATH, for example through your 431'.profile' (again, assuming you use a sh-compatible shell). 432 | |