- the build:
-
- --prefix=DIR Install in DIR/bin, DIR/lib, DIR/include/openssl.
- Configuration files used by OpenSSL will be in DIR/ssl
- or the directory specified by --openssldir.
-
- --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
- the library files and binaries are also installed there.
-
- no-threads Don't try to build with support for multi-threaded
- applications.
-
- threads Build with support for multi-threaded applications.
- This will usually require additional system-dependent options!
- See "Note on multi-threading" below.
-
- no-zlib Don't try to build with support for zlib compression and
- decompression.
-
- zlib Build with support for zlib compression/decompression.
-
- zlib-dynamic Like "zlib", but has OpenSSL load the zlib library dynamically
- when needed. This is only supported on systems where loading
- of shared libraries is supported. This is the default choice.
-
- no-shared Don't try to create shared libraries.
-
- shared In addition to the usual static libraries, create shared
- libraries on platforms where it's supported. See "Note on
- shared libraries" below.
-
- no-asm Do not use assembler code.
-
- 386 Use the 80386 instruction set only (the default x86 code is
- more efficient, but requires at least a 486). Note: Use
- compiler flags for any other CPU specific configuration,
- e.g. "-m32" to build x86 code on an x64 system.
-
- no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is
- detected at run-time, but the decision whether or not the
- machine code will be executed is taken solely on CPU
- capability vector. This means that if you happen to run OS
- kernel which does not support SSE2 extension on Intel P4
- processor, then your application might be exposed to
- "illegal instruction" exception. There might be a way
- to enable support in kernel, e.g. FreeBSD kernel can be
- compiled with CPU_ENABLE_SSE, and there is a way to
- disengage SSE2 code pathes upon application start-up,
- but if you aim for wider "audience" running such kernel,
- consider no-sse2. Both 386 and no-asm options above imply
- no-sse2.
-
- no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
- hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
- The crypto/<cipher> directory can be removed after running
- "make depend".
-
- -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
- be passed through to the compiler to allow you to
- define preprocessor symbols, specify additional libraries,
- library directories or other compiler options.
-
- -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
- BSD. Useful if you are running ocf-linux or something
- similar. Once enabled you can also enable the use of
- cryptodev digests, which is usually slower unless you have
- large amounts data. Use -DUSE_CRYPTODEV_DIGESTS to force
- it.
+ the build (note that for Windows, the defaults for --prefix and
+ --openssldir depend in what configuration is used and what Windows
+ implementation OpenSSL is built on. More notes on this in NOTES.WIN):
+
+ --api=x.y.z
+ Don't build with support for deprecated APIs below the
+ specified version number. For example "--api=1.1.0" will
+ remove support for all APIS that were deprecated in OpenSSL
+ version 1.1.0 or below.
+
+ --cross-compile-prefix=PREFIX
+ The PREFIX to include in front of commands for your
+ toolchain. It's likely to have to end with dash, e.g.
+ a-b-c- would invoke GNU compiler as a-b-c-gcc, etc.
+ Unfortunately cross-compiling is too case-specific to
+ put together one-size-fits-all instructions. You might
+ have to pass more flags or set up environment variables
+ to actually make it work. Android and iOS cases are
+ discussed in corresponding Configurations/10-main.cf
+ sections. But there are cases when this option alone is
+ sufficient. For example to build the mingw64 target on
+ Linux "--cross-compile-prefix=x86_64-w64-mingw32-"
+ works. Naturally provided that mingw packages are
+ installed. Today Debian and Ubuntu users have option to
+ install a number of prepackaged cross-compilers along
+ with corresponding run-time and development packages for
+ "alien" hardware. To give another example
+ "--cross-compile-prefix=mipsel-linux-gnu-" suffices
+ in such case. Needless to mention that you have to
+ invoke ./Configure, not ./config, and pass your target
+ name explicitly.
+
+ --debug
+ Build OpenSSL with debugging symbols.
+
+ --libdir=DIR
+ The name of the directory under the top of the installation
+ directory tree (see the --prefix option) where libraries will
+ be installed. By default this is "lib". Note that on Windows
+ only ".lib" files will be stored in this location. dll files
+ will always be installed to the "bin" directory.
+
+ --openssldir=DIR
+ Directory for OpenSSL configuration files, and also the
+ default certificate and key store. Defaults are:
+
+ Unix: /usr/local/ssl
+ Windows: C:\Program Files\Common Files\SSL
+ or C:\Program Files (x86)\Common Files\SSL
+ OpenVMS: SYS$COMMON:[OPENSSL-COMMON]
+
+ --prefix=DIR
+ The top of the installation directory tree. Defaults are:
+
+ Unix: /usr/local
+ Windows: C:\Program Files\OpenSSL
+ or C:\Program Files (x86)\OpenSSL
+ OpenVMS: SYS$COMMON:[OPENSSL-'version']
+
+ --release
+ Build OpenSSL without debugging symbols. This is the default.
+
+ --strict-warnings
+ This is a developer flag that switches on various compiler
+ options recommended for OpenSSL development. It only works
+ when using gcc or clang as the compiler. If you are
+ developing a patch for OpenSSL then it is recommended that
+ you use this option where possible.
+
+ --with-zlib-include=DIR
+ The directory for the location of the zlib include file. This
+ option is only necessary if enable-zlib (see below) is used
+ and the include file is not already on the system include
+ path.
+
+ --with-zlib-lib=LIB
+ On Unix: this is the directory containing the zlib library.
+ If not provided the system library path will be used.
+ On Windows: this is the filename of the zlib library (with or
+ without a path). This flag must be provided if the
+ zlib-dynamic option is not also used. If zlib-dynamic is used
+ then this flag is optional and a default value ("ZLIB1") is
+ used if not provided.
+ On VMS: this is the filename of the zlib library (with or
+ without a path). This flag is optional and if not provided
+ then "GNV$LIBZSHR", "GNV$LIBZSHR32" or "GNV$LIBZSHR64" is
+ used by default depending on the pointer size chosen.
+
+ no-afalgeng
+ Don't build the AFALG engine. This option will be forced if
+ on a platform that does not support AFALG.
+
+ enable-asan
+ Build with the Address sanitiser. This is a developer option
+ only. It may not work on all platforms and should never be
+ used in production environments. It will only work when used
+ with gcc or clang and should be used in conjunction with the
+ no-shared option.
+
+ no-asm
+ Do not use assembler code. On some platforms a small amount
+ of assembler code may still be used.
+
+ no-async
+ Do not build support for async operations.
+
+ no-autoalginit
+ Don't automatically load all supported ciphers and digests.
+ Typically OpenSSL will make available all of its supported
+ ciphers and digests. For a statically linked application this
+ may be undesirable if small executable size is an objective.
+ This only affects libcrypto. Ciphers and digests will have to
+ be loaded manually using EVP_add_cipher() and
+ EVP_add_digest() if this option is used. This option will
+ force a non-shared build.
+
+ no-autoerrinit
+ Don't automatically load all libcrypto/libssl error strings.
+ Typically OpenSSL will automatically load human readable
+ error strings. For a statically linked application this may
+ be undesirable if small executable size is an objective.
+
+
+ no-capieng
+ Don't build the CAPI engine. This option will be forced if
+ on a platform that does not support CAPI.
+
+ no-cms
+ Don't build support for CMS features
+
+ no-comp
+ Don't build support for SSL/TLS compression. If this option
+ is left enabled (the default), then compression will only
+ work if the zlib or zlib-dynamic options are also chosen.
+
+ enable-crypto-mdebug
+ Build support for debugging memory allocated via
+ OPENSSL_malloc() or OPENSSL_zalloc().
+
+ enable-crypto-mdebug-backtrace
+ As for crypto-mdebug, but additionally provide backtrace
+ information for allocated memory.
+ TO BE USED WITH CARE: this uses GNU C functionality, and
+ is therefore not usable for non-GNU config targets. If
+ your build complains about the use of '-rdynamic' or the
+ lack of header file execinfo.h, this option is not for you.
+ ALSO NOTE that even though execinfo.h is available on your
+ system (through Gnulib), the functions might just be stubs
+ that do nothing.
+
+ no-ct
+ Don't build support for Certificate Transparency.
+
+ no-deprecated
+ Don't build with support for any deprecated APIs. This is the
+ same as using "--api" and supplying the latest version
+ number.
+
+ no-dgram
+ Don't build support for datagram based BIOs. Selecting this
+ option will also force the disabling of DTLS.
+
+ no-dso
+ Don't build support for loading Dynamic Shared Objects.
+
+ no-dynamic-engine
+ Don't build the dynamically loaded engines. This only has an
+ effect in a "shared" build
+
+ no-ec
+ Don't build support for Elliptic Curves.
+
+ no-ec2m
+ Don't build support for binary Elliptic Curves
+
+ enable-ec_nistp_64_gcc_128
+ Enable support for optimised implementations of some commonly
+ used NIST elliptic curves. This is only supported on some
+ platforms.
+
+ enable-egd
+ Build support for gathering entropy from EGD (Entropy
+ Gathering Daemon).
+
+ no-engine
+ Don't build support for loading engines.
+
+ no-err
+ Don't compile in any error strings.
+
+ no-filenames
+ Don't compile in filename and line number information (e.g.
+ for errors and memory allocation).
+
+ enable-fuzz-libfuzzer, enable-fuzz-afl
+ Build with support for fuzzing using either libfuzzer or AFL.
+ These are developer options only. They may not work on all
+ platforms and should never be used in production environments.
+ See the file fuzz/README.md for further details.
+
+ no-gost
+ Don't build support for GOST based ciphersuites. Note that
+ if this feature is enabled then GOST ciphersuites are only
+ available if the GOST algorithms are also available through
+ loading an externally supplied engine.
+
+ enable-heartbeats
+ Build support for DTLS heartbeats.
+
+ no-hw-padlock
+ Don't build the padlock engine.
+
+ no-makedepend
+ Don't generate dependencies.
+
+ no-multiblock
+ Don't build support for writing multiple records in one
+ go in libssl (Note: this is a different capability to the
+ pipelining functionality).
+
+ no-nextprotoneg
+ Don't build support for the NPN TLS extension.
+
+ no-ocsp
+ Don't build support for OCSP.
+
+ no-pic
+ Don't build with support for Position Independent Code.
+
+ no-posix-io
+ Don't use POSIX IO capabilities.
+
+ no-psk
+ Don't build support for Pre-Shared Key based ciphersuites.
+
+ no-rdrand
+ Don't use hardware RDRAND capabilities.
+
+ no-rfc3779
+ Don't build support for RFC3779 ("X.509 Extensions for IP
+ Addresses and AS Identifiers")
+
+ sctp
+ Build support for SCTP
+
+ no-shared
+ Do not create shared libraries, only static ones. See "Note
+ on shared libraries" below.
+
+ no-sock
+ Don't build support for socket BIOs
+
+ no-srp
+ Don't build support for SRP or SRP based ciphersuites.
+
+ no-srtp
+ Don't build SRTP support
+
+ no-sse2
+ Exclude SSE2 code paths. Normally SSE2 extension is
+ detected at run-time, but the decision whether or not the
+ machine code will be executed is taken solely on CPU
+ capability vector. This means that if you happen to run OS
+ kernel which does not support SSE2 extension on Intel P4
+ processor, then your application might be exposed to
+ "illegal instruction" exception. There might be a way
+ to enable support in kernel, e.g. FreeBSD kernel can be
+ compiled with CPU_ENABLE_SSE, and there is a way to
+ disengage SSE2 code paths upon application start-up,
+ but if you aim for wider "audience" running such kernel,
+ consider no-sse2. Both the 386 and no-asm options imply
+ no-sse2.
+
+ enable-ssl-trace
+ Build with the SSL Trace capabilities (adds the "-trace"
+ option to s_client and s_server).
+
+ no-static-engine
+ Don't build the statically linked engines. This only
+ has an impact when not built "shared".
+
+ no-stdio
+ Don't use any C "stdio" features. Only libcrypto and libssl
+ can be built in this way. Using this option will suppress
+ building the command line applications. Additionally since
+ the OpenSSL tests also use the command line applications the
+ tests will also be skipped.
+
+ no-threads
+ Don't try to build with support for multi-threaded
+ applications.
+
+ threads
+ Build with support for multi-threaded applications. Most
+ platforms will enable this by default. However if on a
+ platform where this is not the case then this will usually
+ require additional system-dependent options! See "Note on
+ multi-threading" below.
+
+ no-ts
+ Don't build Time Stamping Authority support.
+
+ enable-ubsan
+ Build with the Undefined Behaviour sanitiser. This is a
+ developer option only. It may not work on all platforms and
+ should never be used in production environments. It will only
+ work when used with gcc or clang and should be used in
+ conjunction with the "-DPEDANTIC" option (or the
+ --strict-warnings option).
+
+ no-ui
+ Don't build with the "UI" capability (i.e. the set of
+ features enabling text based prompts).
+
+ enable-unit-test
+ Enable additional unit test APIs. This should not typically
+ be used in production deployments.
+
+ enable-weak-ssl-ciphers
+ Build support for SSL/TLS ciphers that are considered "weak"
+ (e.g. RC4 based ciphersuites).
+
+ zlib
+ Build with support for zlib compression/decompression.
+
+ zlib-dynamic
+ Like "zlib", but has OpenSSL load the zlib library
+ dynamically when needed. This is only supported on systems
+ where loading of shared libraries is supported.
+
+ 386
+ On Intel hardware, use the 80386 instruction set only
+ (the default x86 code is more efficient, but requires at
+ least a 486). Note: Use compiler flags for any other CPU
+ specific configuration, e.g. "-m32" to build x86 code on
+ an x64 system.
+
+ no-<prot>
+ Don't build support for negotiating the specified SSL/TLS
+ protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
+ dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
+ tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
+ disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
+ with "no-ssl3". Note this only affects version negotiation.
+ OpenSSL will still provide the methods for applications to
+ explicitly select the individual protocol versions.
+
+ no-<prot>-method
+ As for no-<prot> but in addition do not build the methods for
+ applications to explicitly select individual protocol
+ versions.
+
+ enable-<alg>
+ Build with support for the specified algorithm, where <alg>
+ is one of: md2 or rc5.
+
+ no-<alg>
+ Build without support for the specified algorithm, where
+ <alg> is one of: bf, blake2, camellia, cast, chacha, cmac,
+ des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305,
+ rc2, rc4, rmd160, scrypt, seed or whirlpool. The "ripemd"
+ algorithm is deprecated and if used is synonymous with rmd160.
+
+ -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx
+ These system specific options will be passed through to the
+ compiler to allow you to define preprocessor symbols, specify
+ additional libraries, library directories or other compiler
+ options.
+