C++ 如何在 Ubuntu 上针对 OpenSSL 1.0.0 安装和构建?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3153114/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I install and build against OpenSSL 1.0.0 on Ubuntu?
提问by Daryl Spitzer
You can consider this a follow-up question to How do I install the OpenSSL C++ library on Ubuntu?
您可以将此视为如何在 Ubuntu 上安装 OpenSSL C++ 库的后续问题?
I'm trying to build some code on Ubuntu 10.04 LTS that requires OpenSSL 1.0.0.
我正在尝试在需要 OpenSSL 1.0.0 的 Ubuntu 10.04 LTS 上构建一些代码。
Ubuntu 10.04 LTS comes with OpenSSL 0.9.8k:
Ubuntu 10.04 LTS 附带 OpenSSL 0.9.8k:
$ openssl version
OpenSSL 0.9.8k 25 Mar 2009
So after running sudo apt-get install libssl-devand building, running ldd confirms I've linked in 0.9.8:
因此,在运行sudo apt-get install libssl-dev和构建之后,运行 ldd 确认我已在 0.9.8 中链接:
$ ldd foo
...
libssl.so.0.9.8 => /lib/i686/cmov/libssl.so.0.9.8 (0x00110000)
...
libcrypto.so.0.9.8 => /lib/i686/cmov/libcrypto.so.0.9.8 (0x002b0000)
...
How do I install OpenSSL 1.0.0 and the 1.0.0 development package?
如何安装 OpenSSL 1.0.0 和 1.0.0 开发包?
Update: I'm writing this update after reading SB's answer (but before trying it), because it's clear I need to explain that the obvious solution of downloading and installing OpenSSL 1.0.0 doesn't work:
更新:我在阅读SB的回答后(但在尝试之前)编写此更新,因为很明显我需要解释下载和安装 OpenSSL 1.0.0 的明显解决方案不起作用:
After successfully doing the following (recommended in the INSTALL file):
成功执行以下操作后(推荐在 INSTALL 文件中):
$ ./config
$ make
$ make test
$ make install
...I still get:
...我仍然得到:
OpenSSL 0.9.8k 25 Mar 2009
...and:
...和:
$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libssl-dev is already the newest version.
The following packages were automatically installed and are no longer required:
linux-headers-2.6.32-21 linux-headers-2.6.32-21-generic
Use 'apt-get autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
...and (just to make sure) after rebuilding my code, ldd still returns the same thing.
...并且(只是为了确保)在重建我的代码后, ldd 仍然返回相同的内容。
Update #2: I added the "-I/usr/local/ssl/include" and "-L/usr/local/ssl/lib" options (suggested by SB) to my makefile, but I'm now getting a bunch of undefine reference compile errors, for example:
更新 #2:我在我的 makefile 中添加了“-I/usr/local/ssl/include”和“-L/usr/local/ssl/lib”选项(由SB建议),但我现在得到了一堆未定义引用编译错误,例如:
/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_f_base64'
/home/dspitzer/foo/foo.cpp:86: undefined reference to `BIO_new'
/usr/local/ssl/include/ contains only an openssl directory (which contains numerous .h files), so I also tried "-I/usr/local/ssl/include/openssl" but got the same errors.
/usr/local/ssl/include/ 仅包含一个 openssl 目录(其中包含许多 .h 文件),因此我也尝试了“-I/usr/local/ssl/include/openssl”但得到了相同的错误。
Update #3: I tried changing the OpenSSL includes from (for example):
更新 #3:我尝试从(例如)更改 OpenSSL 包含:
#include <openssl/bio.h>
...to:
...到:
#include "openssl/bio.h"
...in the .cpp source file but still get the same undefined reference errors.
...在 .cpp 源文件中,但仍然得到相同的未定义引用错误。
Update #4: I now realize those undefined reference errors are linker errors. If I remove the "-L/usr/local/ssl/lib" from my Makefile, I don't get the errors (but it links to OpenSSL 0.9.8). The contents of /usr/local/ssl/lib/ are:
更新 #4:我现在意识到那些未定义的引用错误是链接器错误。如果我从我的 Makefile 中删除“-L/usr/local/ssl/lib”,我不会收到错误(但它链接到 OpenSSL 0.9.8)。/usr/local/ssl/lib/ 的内容是:
$ ls /usr/local/ssl/lib/
engines libcrypto.a libssl.a pkgconfig
I added -lcrypto, and the errors went away.
我添加了 -lcrypto,错误消失了。
回答by NG.
Get the 1.0.0a source from here.
从这里获取 1.0.0a 源。
# tar -xf openssl-1.0.0a.tar.gz
# cd openssl-1.0.0a
# ./config
# sudo make install
This puts it in /usr/local/ssl by default
这默认将它放在 /usr/local/ssl 中
When you build, you need to tell gcc to look for the headers in /usr/local/ssl/include and link with libs in /usr/local/ssl/lib. You can specify this by doing something like:
构建时,需要告诉 gcc 在 /usr/local/ssl/include 中查找头文件,并与 /usr/local/ssl/lib 中的 libs 链接。您可以通过执行以下操作来指定它:
gcc test.c -o test -I/usr/local/ssl/include -L/usr/local/ssl/lib -lssl -lcrypto
EDITDO NOT overwrite any system libraries. It's best to keep new libs in /usr/local. Overwriting Ubuntu defaults can be hazardous to your health and break your system.
编辑不要覆盖任何系统库。最好将新库保存在 /usr/local 中。覆盖 Ubuntu 默认设置可能会危害您的健康并破坏您的系统。
Additionally, I was wrong about the paths as I just tried this in Ubuntu 10.04 VM. Fixed.
此外,我刚刚在 Ubuntu 10.04 VM 中尝试过这个路径,我错了。固定的。
Note, there is no need to change LD_LIBRARY_PATH since the openssl libs you link against by default are static libs (at least by default - there might be a way to configure them as dynamic libs in the ./config step)
请注意,无需更改 LD_LIBRARY_PATH,因为您默认链接的 openssl 库是静态库(至少在默认情况下 - 可能有一种方法可以在 ./config 步骤中将它们配置为动态库)
You may need to link against libcrypto because you are using some calls that are built and defined in the libcrypto package. Openssl 1.0.0 actually builds two libraries, libcrypto and libssl.
您可能需要链接 libcrypto,因为您正在使用在 libcrypto 包中构建和定义的一些调用。Openssl 1.0.0 实际上构建了两个库,libcrypto 和 libssl。
EDIT 2Added -lcryptoto gcc line.
编辑 2添加-lcrypto到 gcc 行。
回答by Mariano Ivaldi
Instead of:
代替:
$ ./config
$ make
$ make test
$ make install
Do:
做:
$ sudo ./config --prefix=/usr
$ sudo make
$ sudo make test
$ sudo make install
This will help you update to openssl 1.0.1g to patch for CVE-2014-0160 (Heartbleed).
这将帮助您更新到 openssl 1.0.1g 以修补 CVE-2014-0160 (Heartbleed)。
OpenSSL Security Advisory [07 Apr 2014]
OpenSSL 安全公告 [2014 年 4 月 7 日]
TLS heartbeat read overrun (CVE-2014-0160)
TLS 心跳读取溢出 (CVE-2014-0160)
A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
在处理 TLS 心跳扩展时缺少边界检查可用于向连接的客户端或服务器显示多达 64k 的内存。
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
只有 OpenSSL 的 1.0.1 和 1.0.2-beta 版本受到影响,包括 1.0.1f 和 1.0.2-beta1。
Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix.
感谢 Google Security 的 Neel Mehta 发现这个错误,感谢 Adam Langley 和 Bodo Moeller 准备修复。
Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
受影响的用户应升级到 OpenSSL 1.0.1g。无法立即升级的用户也可以使用 -DOPENSSL_NO_HEARTBEATS 重新编译 OpenSSL。
1.0.2 will be fixed in 1.0.2-beta2.
1.0.2 将在 1.0.2-beta2 中修复。
回答by Zakit
Here's what solved it for me: Upgrade latest version OpenSSL on Ubuntu
这是为我解决的问题: 在 Ubuntu 上升级最新版本的 OpenSSL
Transcribing the main informations:
转录主要信息:
Download the OpenSSL v1.0.0g source:
$ wget http://www.openssl.org/source/openssl-1.0.0g.tar.gz
Unpack the archive and install:
$ tar xzvf openssl-1.0.0g.tar.gz
$ cd openssl-1.0.0g
$ ./config
$ make
$ make test
$ sudo make install
All files, including binaries and man pages are install under the directory /usr/local/ssl. To ensure users use this version of OpenSSL instead of the previous version you must update the paths for man pages and binaries.
Edit the file /etc/manpath.config adding the following line before the first MANPATH_MAP:
MANPATH_MAP /usr/local/ssl/bin /usr/local/ssl/man
Update the man database (I honestly can't remember and don't know for sure if this command was necessary - maybe try without it and at the end when testing if the man pages are still the old versions come back and run mandb):
sudo mandb
Edit the file /etc/environment and insert the path for OpenSSL binaries (/usr/local/ssl/bin) before the path for Ubuntu's version of OpenSSL (/usr/bin). My environment file looks like this:
PATH="/usr/local/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
Logout and login and test:
$ openssl version
OpenSSL 1.0.0g 18 Jan 2012
Also test the man pages by running man openssl and at the very bottom in the left hand corner it should report 1.0.0g.
Note that although the users will now automatically use the new version of OpenSSL, existing programs (e.g. Apache) may not as they are linked against the libraries from the Ubuntu version.
