24.2. Compile and Optimize

Move into the new OpenSSL directory and type the following commands on your terminal:

  1. Edit the c_rehash file, vi +11 tools/c_rehash and change the line:
    
         DIR=/usr/local/ssl
             
    To read:
    
         DIR=/usr
             
    The changed line above will build and install OpenSSL in the default location /usr.

  2. By default, the OpenSSL source files assume that the Perl interpreter is located at /usr/local/bin/perl. We must modify the #!/usr/local/bin/perl line in every script that relies on Perl so that it points to /usr/bin, where Perl is installed under Red Hat Linux.
    
           [root@deep ]/openssl-0.9.5a# perl util/perlpath.pl /usr/bin
             

    Here /usr/bin is the directory where your perl program resides.

  3. OpenSSL must know where to find the necessary OpenSSL source libraries in order to compile its required files successfully. With the command below, we set the LD_LIBRARY_PATH environment variable to the directory where we have uncompressed the OpenSSL source files.
    
         [root@deep ]/openssl-0.9.5a# export LD_LIBRARY_PATH=`pwd`
             

  4. Now, we must configure OpenSSL for our system:
    
         CC="egcs" \
             ./Configure linux-elf -DSSL_FORBID_ENULL \
             --prefix=/usr \
             --openssldir=/etc/ssl
             

    The -DSSL_FORBID_ENULL option is required: for security reasons, it disallows null encryption.

  5. Edit the Makefile.ssl file and change the following lines:

    1. vi +50 Makefile.ssl
      
         CC= gcc
               
      To read:
      
         CC= egcs
               

    2. Edit with vi +52 Makefile.ssl and add/change the following line:
      
         CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
               

    3. Edit with vi +79 Makefile.ssl and add the following value for a Pentium Pro processor:
      
         PROCESSOR=  686
               

      Note: The three modifications we made above set the optimization flags for compiling the OpenSSL software on the server. For the last modification, PROCESSOR=, use 586 to denote a Pentium, 686 to denote a Pentium Pro/II/III, or 486 to denote a 486, depending on the type of processor you have.

    4. Edit with vi +161 Makefile.ssl and change the following line:
      
         MANDIR=$(OPENSSLDIR)/man
               
      To read:
      
         MANDIR=/usr/man
               
      This step is necessary to set the directory where the OpenSSL man pages will be installed. With this modification, we install them under the /usr/man directory.
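The step 5 edits rely on vi line numbers, which shift if Makefile.ssl differs from the one this guide was written against. The following added example (not part of the original guide) applies the same four settings by pattern and then checks that they are in place, in particular -DSSL_FORBID_ENULL; the function names and the sample Makefile.ssl fragment are constructed for illustration, and 686 is assumed as the default processor.

```shell
#!/bin/sh
# Added example (not from the original guide): apply the step 5 edits to
# Makefile.ssl by pattern instead of by vi line number, then verify them.

# CFLAG value exactly as given in step 5.2 above.
CFLAG_VALUE='-DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM'

# write_sample FILE: constructed Makefile.ssl fragment for trying this out.
write_sample() {
    cat > "$1" <<'EOF'
OPENSSLDIR=/etc/ssl
CC= gcc
CFLAG= -DTHREADS -D_REENTRANT -O3 -Wall
PROCESSOR=
MANDIR=$(OPENSSLDIR)/man
EOF
}

# patch_makefile FILE [PROCESSOR]: rewrite CC, CFLAG, PROCESSOR and MANDIR.
patch_makefile() {
    mk=$1; cpu=${2:-686}
    sed -e 's|^CC=.*|CC= egcs|' \
        -e "s|^CFLAG=.*|CFLAG= $CFLAG_VALUE|" \
        -e "s|^PROCESSOR=.*|PROCESSOR=  $cpu|" \
        -e 's|^MANDIR=.*|MANDIR=/usr/man|' \
        "$mk" > "$mk.new" && mv "$mk.new" "$mk"
}

# verify_makefile FILE [PROCESSOR]: return 0 only if all four settings are
# in place. sed leaves the file unchanged when a line is absent, so this
# check is what catches a Makefile.ssl that has no CFLAG= line at all.
verify_makefile() {
    mk=$1; cpu=${2:-686}; rc=0
    grep '^CFLAG=' "$mk" | grep -q -e '-DSSL_FORBID_ENULL' ||
        { echo "$mk: CFLAG lacks -DSSL_FORBID_ENULL" >&2; rc=1; }
    grep -q '^CC= egcs$' "$mk" ||
        { echo "$mk: CC is not egcs" >&2; rc=1; }
    grep -q "^PROCESSOR= *$cpu\$" "$mk" ||
        { echo "$mk: PROCESSOR is not $cpu" >&2; rc=1; }
    grep -q '^MANDIR=/usr/man$' "$mk" ||
        { echo "$mk: MANDIR is not /usr/man" >&2; rc=1; }
    return $rc
}
```

Run patch_makefile Makefile.ssl followed by verify_makefile Makefile.ssl in the source directory, and start the build only if the second command returns 0.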

Now we must compile and install OpenSSL on the server:

             [root@deep ]/openssl-0.9.5a# make -f  Makefile
             [root@deep ]/openssl-0.9.5a# make test
             [root@deep ]/openssl-0.9.5a# make install
             [root@deep ]/openssl-0.9.5a# mv /etc/ssl/misc/*  /usr/bin/
             [root@deep ]/openssl-0.9.5a# rm -rf  /etc/ssl/misc/
             [root@deep ]/openssl-0.9.5a# rm -rf  /etc/ssl/lib/
             [root@deep ]/openssl-0.9.5a# rm -f   /usr/bin/CA.pl
             [root@deep ]/openssl-0.9.5a# rm -f   /usr/bin/CA.sh
             [root@deep ]/openssl-0.9.5a# install -m 644 libRSAglue.a  /usr/lib/
             [root@deep ]/openssl-0.9.5a# install -m 644 rsaref/rsaref.h  /usr/include/openssl/
             [root@deep ]/openssl-0.9.5a# strip /usr/bin/openssl
             [root@deep ]/openssl-0.9.5a# mkdir -p /etc/ssl/crl
           

Caution

The bc-1.05a-4.i386.rpm package or higher must already be installed on your Linux server, or you'll receive an error message during the library test of OpenSSL.

Please don't forget to clean up later:

             [root@deep] /# cd /var/tmp
             [root@deep tmp]# rm  -rf openssl-version/ openssl-version.tar.gz
           
The rm command will remove all the source files we have used to compile and install OpenSSL. It will also remove the OpenSSL compressed archive from the /var/tmp directory.