Pelco Developer Network (PDN)

Installing OpenSSL

Many applications rely on a Secure Sockets Layer implementation to establish a secure connection between client and server. OpenSSL is an open source implementation of the Secure Sockets Layer (v2 and v3) and Transport Layer Security (v1) that can be used with C/C++ applications, such as ONVIF clients that need to communicate securely with Pelco cameras. 

The lock icon that appears in the corner of a web browser window when connecting to an https:// URL indicates a secure connection. SSL is the underlying mechanism.

OpenSSL is easy to build and install. It follows the standard open source tool sequence of:

  1. Configure
  2. Build
  3. Test (optional)
  4. Install

Experienced open source developers will not find any surprises in this discussion, but developers who are unfamiliar with building open source software may find it useful when dealing with the seemingly endless stream of messages on the console.

Most open source projects control the build process using a Makefile, which has a specific structure and syntax. The Makefile sets flags that tell the compiler and linker what source files to include, what build options to use, and the type of the final binary. The Makefile included with OpenSSL does not include platform-specific settings. To fill in those details, the config shell script analyzes the host system and generates a new Makefile that includes settings for the platform.

 

Configure

The first step is to configure the build environment. This is done using the included config script, which has built-in defaults for most operating systems.

$ cd /Downloads/openssl-1.0.1h
$ ./config
Operating system: i686-apple-darwinDarwin Kernel Version 12.5.0: Sun Sep 29 13:33:47 PDT 2013; root:xnu-2050.48.12~1/RELEASE_X86_64
WARNING! If you wish to build 64-bit library, then you have to
         invoke './Configure darwin64-x86_64-cc' *manually*.
         You have about 5 seconds to press Ctrl-C to abort.
Configuring for darwin-i386-cc
. . .
making links in tools...
make[1]: Nothing to be done for `links'.
generating dummy tests (if needed)...
make[1]: Nothing to be done for `generate'.

Configured for darwin-i386-cc.
$
 

In the listing above, the first few lines from config show a mismatch between the host operating system and the script's default: the kernel is a 64-bit build (RELEASE_X86_64), but config selects the 32-bit darwin-i386-cc target. Although it might be possible to use the 32-bit version of the libraries on a 64-bit system, that can result in some performance tradeoffs. Fortunately, the output also includes instructions to configure for a 64-bit system by running the Configure shell script with a specific parameter.

 
$ ./Configure darwin64-x86_64-cc
Configuring for darwin64-x86_64-cc
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir)
    no-gmp          [default]  OPENSSL_NO_GMP (skip dir)
    no-jpake        [experimental] OPENSSL_NO_JPAKE (skip dir)
    no-krb5         [krb5-flavor not specified] OPENSSL_NO_KRB5
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-rfc3779      [default]  OPENSSL_NO_RFC3779 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP (skip dir)
    no-shared       [default]
    no-store        [experimental] OPENSSL_NO_STORE (skip dir)
    no-zlib         [default]
    no-zlib-dynamic [default]
IsMK1MF=0
CC            =cc
. . .
making links in tools...
make[1]: Nothing to be done for `links'.
generating dummy tests (if needed)...
make[1]: Nothing to be done for `generate'.

Configured for darwin64-x86_64-cc.
$

 

Build

Once the build environment is ready, the software can be compiled and linked using the make command with no parameters.
 
$ make
making all in crypto...
( echo "#ifndef MK1MF_BUILD"; \
echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
echo '  #define CFLAGS "cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM"'; \
echo '  #define PLATFORM "darwin64-x86_64-cc"'; \
echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
echo '#endif' ) >buildinf.h
cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o cryptlib.o cryptlib.c
cc -I. -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o mem.o mem.c
. . .
cc -I.. -I../include  -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM   -c -o dummytest.o dummytest.c
( :; LIBDEPS="${LIBDEPS:--Wl,-search_paths_first -L.. -lssl -L.. -lcrypto  }"; LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM}"; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=dummytest} dummytest.o ${LIBDEPS} )
making all in tools...
make[1]: Nothing to be done for `all'.
$

If the environment was set up correctly, make should execute without any problems. Errors encountered during the build phase can be difficult to debug and are beyond the scope of this article. Refer to the OpenSSL site for assistance.
 

Test

OpenSSL includes a test suite that can be run against the libraries prior to installation. Each test includes a main() function that exercises a specific portion of each library. Use make with the parameter test to run the tests.

$ make test
testing...
making all in apps...
make[3]: Nothing to be done for `all'.
../util/shlib_wrap.sh ./destest
Doing cbcm
Doing ecb
Doing ede ecb
Doing cbc
Doing desx cbc
Doing ede cbc
Doing pcbc
Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
Doing ofb
Doing ofb64
Doing ede_ofb64
Doing cbc_cksum
Doing quad_cksum
input word alignment test 0 1 2 3
output word alignment test 0 1 2 3
fast crypt test 
. . .
signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid: OK
signed content test streaming PEM format, 2 DSA and 2 RSA keys: OK
signed content MIME format, RSA key, signed receipt request: OK
signed receipt MIME format, RSA key: OK
enveloped content test streaming S/MIME format, 3 recipients, keyid: OK
enveloped content test streaming PEM format, KEK: OK
enveloped content test streaming PEM format, KEK, key only: OK
data content test streaming PEM format: OK
encrypted content test streaming PEM format, 128 bit RC2 key: OK
encrypted content test streaming PEM format, 40 bit RC2 key: OK
encrypted content test streaming PEM format, triple DES key: OK
encrypted content test streaming PEM format, 128 bit AES key: OK
Zlib not supported: compression tests skipped
ALL TESTS SUCCESSFUL.
../util/shlib_wrap.sh ./heartbeat_test
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.1h 5 Jun 2014
built on: Fri Jun  6 09:47:50 CDT 2014
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: cc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/ssl"
$

All tests passed!

Install

OpenSSL is ready to be installed in the common system directories. This is not required since all development environments will let you specify the location of such libraries, but it is good practice to conform to the standard. On Unix systems the installation is rooted in /usr/local.

Specifying sudo runs this command string with administrator privileges, which may be necessary to install into protected system directories. Using sudo causes the system to prompt for an administrator password before proceeding.

$ sudo make install
Password:
making all in crypto...
making all in crypto/objects...
make[2]: Nothing to be done for `all'.
making all in crypto/md4...
make[2]: Nothing to be done for `all'.
making all in crypto/md5...
make[2]: Nothing to be done for `all'.
making all in crypto/sha...
make[2]: Nothing to be done for `all'.
making all in crypto/mdc2...
make[2]: Nothing to be done for `all'.
. . .
making install in tools...
installing libcrypto.a
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(ebcdic.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(fips_ers.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(ecp_nistp224.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(ecp_nistp256.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(ecp_nistp521.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(ecp_nistputil.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(rand_win.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(rand_os2.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(rand_nw.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(e_rc5.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(m_md2.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(evp_fips.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(v3_asid.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(v3_addr.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(cms_cd.o) has no symbols
/usr/bin/ranlib: file: /usr/local/ssl/lib/libcrypto.a.new(e_gmp.o) has no symbols
installing libssl.a
/usr/bin/ranlib: file: /usr/local/ssl/lib/libssl.a.new(kssl.o) has no symbols
cp libcrypto.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/openssl.pc
$ 

The installation was successful. By default on this platform OpenSSL installs everything in subdirectories under /usr/local/ssl, which is important to remember when adding headers and libraries to projects.
 
$ cd /usr/local/ssl/include/openssl
$ ls
aes.h
blowfish.h
cmac.h
crypto.h
. . .
ossl_typ.h
pqueue.h
rsa.h
srtp.h
stack.h
ui.h
x509v3.h
 
By contrast, most open source tools install files in application-specific directories under a common path. Binaries go in /usr/local/bin, libraries in /usr/local/lib, and header files in /usr/local/include:
 
$ cd /usr/local/include
$ ls -l
total 272
drwxr-xr-x    5 root  wheel    170 Jul 26  2009 ACEXML
drwxr-xr-x   25 root  wheel    850 Jul 26  2009 Kokyu
drwxr-xr-x@ 317 root  wheel  10778 Jun  5 11:26 Poco
drwxr-xr-x  802 root  wheel  27268 Jul 26  2009 ace
drwxr-xr-x   10 root  wheel    340 Apr 26  2008 fuse
-rw-r--r--    1 root  wheel    246 Apr 26  2008 fuse.h
drwxr-xr-x    6 root  wheel    204 Jul 10  2009 libavcodec
drwxr-xr-x    3 root  wheel    102 Jul 10  2009 libavdevice
drwxr-xr-x    4 root  wheel    136 Jul 10  2009 libavformat
drwxr-xr-x   18 root  wheel    612 Jul 10  2009 libavutil
drwxr-xr-x    3 root  wheel    102 Jul 10  2009 libswscale
drwxr-xr-x   13 root  wheel    442 Apr 27  2011 opencv
drwxr-xr-x   15 root  wheel    510 Apr 27  2011 opencv2
drwxr-xr-x   53 root  wheel   1802 Apr 14  2008 rpm
-rw-rw-rw-@   1 root  wheel  92575 Nov  1  2012 stdsoap2.h
-rw-r--r--    1 root  wheel    679 Apr 26  2008 ulockmgr.h
-rw-r--r--@   1 root  wheel  33179 Jun 25  2009 xvid.h
 
At this point OpenSSL is ready for use by other tools, such as gSOAP, and client applications.
 

For More Information...

The man page for the openssl command-line tool provides an overview of the features of the OpenSSL libraries:

  • Creation of RSA, DH and DSA key parameters
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail

Visit the OpenSSL site to download the archive. Download v1.0.1g or later to avoid the Heartbleed security bug.
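
The version guidance above can be checked mechanically. The script below is an added example, not part of the original article: it parses the first line of "openssl version" output (the format shown in the test listing) and compares it with the 1.0.1g minimum. The function names, the status words, and the /usr/local/ssl/bin/openssl path (derived from the install prefix seen in the install listing) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Flags OpenSSL builds older
# than the article's stated minimum, 1.0.1g. Function names are made up here.

MIN_NUM="1.0.1"     # numeric part of the minimum version
MIN_SUFFIX="g"      # patch-letter part of the minimum version

# "OpenSSL 1.0.1h 5 Jun 2014" -> "1.0.1h"; prints nothing for anything
# that does not identify itself as OpenSSL.
version_token() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }'
}

# Prints ok, below-minimum, or unknown for one version token.
check_version() {
    printf '%s\n' "$1" | awk -v min_num="$MIN_NUM" -v min_suf="$MIN_SUFFIX" '
    NR == 1 {
        # Accept only release strings such as 1.0.1h or 3.0.13; betas and
        # vendor-tagged builds need a manual look.
        if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/) { print "unknown"; exit }
        num = $0; sub(/[a-z]+$/, "", num)
        suf = $0; sub(/^[0-9.]+/, "", suf)
        split(num, v, "."); split(min_num, m, ".")
        for (i = 1; i <= 3; i++) {
            if (v[i] + 0 > m[i] + 0) { print "ok"; exit }
            if (v[i] + 0 < m[i] + 0) { print "below-minimum"; exit }
        }
        # Same numeric version: compare patch letters as strings ("" < "a").
        if ((suf "") >= (min_suf "")) print "ok"; else print "below-minimum"
    }'
}

# Check the copy installed under /usr/local/ssl (assumed path) and whichever
# openssl is first on PATH; the two are often different builds.
for bin in /usr/local/ssl/bin/openssl "$(command -v openssl 2>/dev/null)"; do
    [ -n "$bin" ] && [ -x "$bin" ] || continue
    tok=$(version_token "$("$bin" version 2>/dev/null)")
    echo "$bin: ${tok:-not OpenSSL}: $(check_version "$tok")"
done
```

A distribution package may carry a backported fix without changing its version string, so treat below-minimum on a packaged build as a prompt to check the vendor's advisory. For a library built from source as described in this article, the version string is authoritative.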