How to build OpenSSL on Mac and Windows
I need to build static OpenSSL libraries for Windows, iOS, and Android (x86, MIPS, and Arm).
I have a Mac and I have a Windows PC. I do not have a Linux box. So far I've found nothing on the web to indicate building what I need is possible, but clearly people have done it.
Unfortunately the OpenSSL wiki was less than useful. Building static libraries for Windows using Visual Studio seems nigh impossible. There's a cheat for iOS but it doesn't build the version I need. And as for Android, it won't build on Windows or Mac, at least not for me.
Why is such a common and widely-adopted piece of software so impossible to build and use?
Solution 1:[1]
Windows Demo - Building OpenSSL 1.0.2d
I was frustrated too with building OpenSSL for Windows, so I created the batch files below to build it with just a click. If all goes well, you'll have an output folder called "OpenSSLoutput-1.0.2d" which contains the FIPS OpenSSL files.
Static Libs are created here:
C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32
Import Libs/Dlls are created here:
C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32dll
To begin the OpenSSL build, create your local folder, for example
C:\Work\OpenSSL-Builds\bin
The bin sub-folder should have these files:
7z.dll
7z.exe
wget.exe
ReadMe.txt
RunMe.bat
BuildOpenSSL.bat
replace.bat
OpenSSL files can be unzipped using 7z.dll and 7z.exe.
Available here: www.7-zip.org
Wget.exe is a free network utility to retrieve files from the Internet.
Available here: gnuwin32.sourceforge.net/packages/wget.htm
Readme.txt
--- Building FIPS Capable OpenSSL ---
Edit RunMe.bat and tweak these variables:
set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11
set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e
set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"
To build, run the batch file:
bin\RunMe.bat
--- FIPS capable OpenSSL ---
The FIPS module was designed from the beginning to be used in conjunction with OpenSSL in a configuration we call the "FIPS Capable" OpenSSL, where the FIPS module is embedded in the OpenSSL shared library (or library plus application as an executable file) and all relevant cryptographic operations are seamlessly diverted to the FIPS module when the FIPS mode of operation is enabled. A major advantage of the "FIPS capable" OpenSSL is that vendors can ship the same software to all of their customers, those who want the FIPS 140-2 validated cryptography and those who do not. For many software products and markets the latter group of users is the largest.
The "FIPS capable" OpenSSL redirects allowed cryptography to the embedded FIPS module and disables all other cryptography (those algorithm implementations not in the FIPS module), and to be conservative we implemented the "FIPS capable" OpenSSL 1.0.1 to unconditionally redirect some cryptographic operations (SHA digests, for instance, which are the same for FIPS and non-FIPS implementations) to the FIPS module. So, a FIPS module that unconditionally disables those cryptographic operations will break OpenSSL for anyone who doesn't immediately enable FIPS mode, which is most calling applications. Note that even aside from the fact that most users won't want the overhead of the POST, it isn't possible for a library to automatically perform POST processing in a portable way.
The proper treatment for a new FIPS capable OpenSSL for use with a disabled-by-default FIPS module will be to have OpenSSL ignore the FIPS module completely until and if it is referenced via a call to the FIPS_mode_set() function.
--- System Requirements ---
Download Visual Studio 2008 with VC++ support - C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\
Download nasm assembler - C:\nasm\
Download ActiveState Perl - C:\Perl64\
RunMe.bat
REM --- Building FIPS Capable OpenSSL ---
set fipsurl=http://www.openssl.org/source
set fipsfile=openssl-fips-2.0.11.tar.gz
set fipsfileversion=2.0.11
set opensslurl=http://www.openssl.org/source
set opensslfile=openssl-1.0.2e.tar.gz
set opensslfileversion=1.0.2e
set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio 9.0\VC"
call buildOpenSSL.bat %fipsurl% %fipsfile% %opensslurl% %opensslfile% %fipsfileversion% %opensslfileversion% %rootfolder% %VCcompiler%
BuildOpenSSL.bat
@SETLOCAL
cd..
REM ------------------- Build FIPS x86 -------------------
set rootfolder=%7
set rootfolder=%rootfolder:~1,-1%
set fipsurl=%1
set fips=%2
set OpenSSLurl=%3
set openSSL=%4
set fipsver=%5
set OpenSSLver=%6
set fipstar=%fips:~0,-3%
set fipsfolder=%fips:~0,-7%
set openSSLtar=%openSSL:~0,-3%
set openSSLfolder=%openSSL:~0,-7%
set VCcompiler=%8
set VCcompiler=%VCcompiler:~1,-1%
REM Set environment variable PROCESSOR_ARCHITECTURE briefly to x86.
REM This prevents FIPS trying to build an x64 release by default.
ECHO Setting PROCESSOR_ARCHITECTURE from AMD64 to x86
set PROCESSOR_ARCHITECTURE=x86
echo %PROCESSOR_ARCHITECTURE%
call "%VCcompiler%\vcvarsall.bat" x86
set path=C:\nasm;%rootfolder%\bin;%path%
del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64
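REM NOTE: the URL is plain HTTP and --no-check-certificate turns off TLS certificate validation, so the archive arrives unauthenticated. Compare its SHA-256 with the published digest before extracting.
wget -N -q --no-check-certificate %fipsurl%/%fips%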
7z.exe x %fips%
7z.exe x %fipstar%
XCOPY "%rootfolder%\%fipsfolder%" "%rootfolder%\%fipsfolder%-64" /E /I /Y
cd %fipsfolder%
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
REM For VC debug builds, comment out the next line to keep /MD.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%\util\pl\VC-32.pl"
perl Configure VC-WIN32
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%\ms\do_fips.bat"
call ms\do_fips.bat
cd "%rootfolder%"
REM ------------------- Build OpenSSL x86 -------------------
del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%
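REM NOTE: same as the FIPS download above: unauthenticated transfer, so check the archive's SHA-256 before extracting.
wget -N -q --no-check-certificate %OpenSSLurl%/%openSSL%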
7z.exe x %openSSL%
7z.exe x %openSSLtar%
XCOPY "%rootfolder%\%openSSLfolder%" "%rootfolder%\%openSSLfolder%-64" /E /I /Y
cd %openSSLfolder%
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%\util\pl\VC-32.pl"
perl Configure VC-WIN32 fips --with-fipslibdir=%rootfolder%\%fipsfolder%\out32dll
call ms\do_nasm.bat
REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"
REM Embed symbols into lib files - otherwise copy \tmp32\LIB.PDB to the project.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\ntdll.mak"
REM Building the 32-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
REM Building the 32-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN32
call ms\do_nasm.bat
REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%\ms\nt.mak"
nmake -f ms\nt.mak
nmake -f ms\nt.mak test
cd "%rootfolder%"
rmdir /S /Q OpenSSLoutput-%OpenSSLver%
mkdir OpenSSLoutput-%OpenSSLver%
copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\libeay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%-fips-%fipsver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32dll\ssleay32.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32.dll"
copy "%rootfolder%\%openSSLfolder%\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL.exe"
REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%\out32\libeay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay32_%OpenSSLver%_W32.lib"
copy "%rootfolder%\%openSSLfolder%\out32\ssleay32.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay32_%OpenSSLver%_W32.lib"
REM ------------------- Build FIPS x64 -------------------
ECHO Setting PROCESSOR_ARCHITECTURE from x86 to AMD64
set PROCESSOR_ARCHITECTURE=AMD64
echo %PROCESSOR_ARCHITECTURE%
call "%VCcompiler%\vcvarsall.bat" x86_amd64
set path=C:\nasm;%rootfolder%\bin;%path%
cd %fipsfolder%-64
REM This statically links the CRT (/MT). That will remove the msvcr90.dll dependency by basically including the CRT inside the dll.
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%fipsfolder%-64\util\pl\VC-32.pl"
perl Configure VC-WIN64A
call "%rootfolder%\bin\replace.bat" "pause" "rem pause" "%rootfolder%\%fipsfolder%-64\ms\do_fips.bat"
call ms\do_fips.bat
REM ------------------- Build OpenSSL x64 -------------------
cd "%rootfolder%\%openSSLfolder%-64"
call "%rootfolder%\bin\replace.bat" "/MD" "/MT" "%rootfolder%\%openSSLfolder%-64\util\pl\VC-32.pl"
perl Configure VC-WIN64A fips --with-fipslibdir=%rootfolder%\%fipsfolder%-64\out32dll
call ms\do_win64a.bat
REM /fixed tells the operating system to load the program only at its preferred base address.
REM The standard OpenSSL build with the FIPS option will use a base address for libeay32.dll of 0xFB00000.
call "%rootfolder%\bin\replace.bat" "/dll" "/dll /fixed" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
REM Create 64-bit named binaries to prevent clashing with 32-bit binaries
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\ntdll.mak"
call "%rootfolder%\bin\replace.bat" "SSLEAY32" "SSLEAY64" "%rootfolder%\%openSSLfolder%-64\ms\ssleay32.def"
call "%rootfolder%\bin\replace.bat" "LIBEAY32" "LIBEAY64" "%rootfolder%\%openSSLfolder%-64\ms\libeay32.def"
REM Building the 64-bit dynamic libraries for FIPS
nmake -f ms\ntdll.mak
nmake -f ms\ntdll.mak test
REM Building the 64-bit static libraries for OPENSSL.EXE
perl Configure VC-WIN64A
call ms\do_win64a.bat
call "%rootfolder%\bin\replace.bat" "SSL=ssleay32" "SSL=ssleay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"
call "%rootfolder%\bin\replace.bat" "CRYPTO=libeay32" "CRYPTO=libeay64" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"
REM Embed symbols into lib files.
call "%rootfolder%\bin\replace.bat" "/Zi" "/Z7" "%rootfolder%\%openSSLfolder%-64\ms\nt.mak"
nmake -f ms\nt.mak
nmake -f ms\nt.mak test
cd "%rootfolder%"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\libeay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%-fips-%fipsver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32dll\ssleay64.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64.dll"
copy "%rootfolder%\%openSSLfolder%-64\out32\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OpenSSL64.exe"
REM Copy Static Libs (Non FIPS)
copy "%rootfolder%\%openSSLfolder%-64\out32\libeay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\libeay64_%OpenSSLver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%-64\out32\ssleay64.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\ssleay64_%OpenSSLver%_W64.lib"
REM ------------------- Cleanup Build -------------------
del %fips%
del %fipstar%
rmdir /S /Q %fipsfolder%
rmdir /S /Q %fipsfolder%-64
del %openSSL%
del %openSSLtar%
rmdir /S /Q %openSSLfolder%
rmdir /S /Q %openSSLfolder%-64
exit
Replace.bat
@echo ON
setlocal
call :FindReplace %1 %2 %3
exit /b
:FindReplace <findstr> <replstr> <file>
set tmp="%temp%\tmp.txt"
If not exist %temp%\_.vbs call :MakeReplace
for /f "tokens=*" %%a in ('dir "%3" /s /b /a-d /on') do (
for /f "usebackq" %%b in (`Findstr /mic:"%~1" "%%a"`) do (
echo(&Echo Replacing "%~1" with "%~2" in file %%~nxa
<%%a cscript //nologo %temp%\_.vbs "%~1" "%~2">%tmp%
if exist %tmp% move /Y %tmp% "%%~dpnxa">nul
)
)
del %temp%\_.vbs
exit /b
:MakeReplace
>%temp%\_.vbs echo with Wscript
>>%temp%\_.vbs echo set args=.arguments
>>%temp%\_.vbs echo .StdOut.Write _
>>%temp%\_.vbs echo Replace(.StdIn.ReadAll,args(0),args(1),1,-1,1)
>>%temp%\_.vbs echo end with
Using OpenSSL in Visual Studio
Several Configuration Properties use these boost/openssl paths:
a. C/C++ -> Additional Include Directories -> C:\boost64\include;C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\inc32
b. Linker -> General -> Additional Library Directories -> C:\boost64\lib;C:\Work\OpenSSL-Builds\openssl-1.0.2d-64\out32
c. Linker -> Command Line -> Additional Options -> Add libeay64.lib and ssleay64.lib
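Added example, not part of the original answer: BuildOpenSSL.bat extracts whatever wget returns, so a gate like the one below can sit between the download and 7z.exe. The script name verify-sha256.bat is hypothetical, and the expected digest is assumed to be a value you obtained over a trusted channel.

```batch
@echo off
setlocal
REM verify-sha256.bat (hypothetical name) - added example, not from the answer.
REM Usage: verify-sha256.bat <file> <expected-sha256-hex>
REM Exit code 0 = digest matches, 1 = mismatch (file deleted), 2 = usage error.
set "file=%~1"
set "expected=%~2"
if "%expected%"=="" echo ERROR: usage: %~nx0 file expected-sha256 & exit /b 2
if not exist "%file%" echo ERROR: "%file%" not found & exit /b 2

REM certutil ships with Windows. It prints a header line, then the digest,
REM then a status line; skip=1 drops the header and only the first
REM remaining line is kept.
set "actual="
for /f "skip=1 delims=" %%h in ('certutil -hashfile "%file%" SHA256') do (
    if not defined actual set "actual=%%h"
)
if not defined actual echo ERROR: certutil produced no digest & exit /b 2

REM Older certutil builds print the digest as space-separated bytes.
set "actual=%actual: =%"

if /i "%actual%"=="%expected%" echo OK: %~nx1 matches pinned digest & exit /b 0

REM Fail closed: remove the archive so later steps cannot extract it.
echo MISMATCH for %~nx1
echo   expected %expected%
echo   actual   %actual%
del "%file%"
exit /b 1
```

In BuildOpenSSL.bat it would be called right after each wget line, for example `call "%rootfolder%\bin\verify-sha256.bat" %fips% <published-sha256> || exit /b 1`, where `<published-sha256>` is a placeholder for the digest you pinned.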
Solution 2:[2]
Building Windows OpenSSL 3.0
The initial build folder structure is
C:\OpenSSL-Builds>tree /a /f
Folder PATH listing
Volume serial number is 448B-63A8
C:.
|   openssl-3.0.2.tar.gz
|
\---bin
        7z.dll
        7z.exe
        BuildOpenSSL300.bat
        openssl-fips.cnf
        ReadMe.txt
        RunMe300.bat
openssl-fips.cnf
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
ReadMe.txt
--- Building FIPS OpenSSL 3.0 Series ---
Download the latest OpenSSL 3.0 series from https://www.openssl.org/source/
Edit RunMe300.bat and tweak these variables:
set opensslfile=openssl-3.0.2.tar.gz
set opensslfileversion=3.0.2
set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Auxiliary\Build"
To build, run the batch file:
bin\RunMe300.bat
--- Official Release Files Output ---
C:\OpenSSL-Builds\OpenSSLoutput-3.0.2
    FIPS64
        fips.dll
        openssl-fips.cnf
    LIBS64
        libeay64_3.0.2_W64.lib
        ssleay64_3.0.2_W64.lib
    OPENSSL64
        OpenSSL64.exe
        OpenSSL.cnf
--- System Requirements ---
Download Visual Studio 2019 with VC++ support
https://visualstudio.microsoft.com/downloads/
C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\
Download nasm assembler
https://www.nasm.us/
C:\nasm\
Download Strawberry Perl
http://strawberryperl.com/
C:\Strawberry\
RunMe300.bat
REM --- Building OpenSSL 3.0.0 series ---
set opensslfile=openssl-3.0.2.tar.gz
set opensslfileversion=3.0.2
set rootfolder="C:\OpenSSL-Builds"
set VCcompiler="C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Auxiliary\Build"
call BuildOpenSSL300.bat %opensslfile% %opensslfileversion% %rootfolder% %VCcompiler%
BuildOpenSSL300.bat
@SETLOCAL
cd..
set rootfolder=%3
set rootfolder=%rootfolder:~1,-1%
set openSSL=%1
set OpenSSLver=%2
set openSSLtar=%openSSL:~0,-3%
set openSSLfolder=%openSSL:~0,-7%
set VCcompiler=%4
set VCcompiler=%VCcompiler:~1,-1%
REM ------------------- Build OpenSSL x64 -------------------
call "%VCcompiler%\vcvarsall.bat" x86_amd64
set path=C:\nasm;C:\Strawberry;%rootfolder%\bin;%path%
cd "%rootfolder%"
del "%rootfolder%\pax_global_header"
7z.exe x %openSSL%
7z.exe x %openSSLtar%
cd "%rootfolder%\%openSSLfolder%"
perl Configure VC-WIN64A -MT -Z7 no-shared enable-fips
nmake
nmake test
mkdir "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OPENSSL64"
copy "%rootfolder%\%openSSLfolder%\apps\openssl.exe" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OPENSSL64\OpenSSL64.exe"
copy "%rootfolder%\%openSSLfolder%\apps\openssl.cnf" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\OPENSSL64\OpenSSL.cnf"
mkdir "%rootfolder%\OpenSSLoutput-%OpenSSLver%\LIBS64"
copy "%rootfolder%\%openSSLfolder%\libcrypto_static.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\LIBS64\libeay64_%OpenSSLver%_W64.lib"
copy "%rootfolder%\%openSSLfolder%\libssl_static.lib" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\LIBS64\ssleay64_%OpenSSLver%_W64.lib"
mkdir "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64"
copy "%rootfolder%\%openSSLfolder%\providers\fips.dll" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\fips.dll"
copy "%rootfolder%\%openSSLfolder%\providers\fipsmodule.cnf" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\fipsmodule.cnf"
copy "%rootfolder%\bin\openssl-fips.cnf" "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\openssl-fips.cnf"
type "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\fipsmodule.cnf" >> "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\openssl-fips.cnf"
del "%rootfolder%\OpenSSLoutput-%OpenSSLver%\FIPS64\fipsmodule.cnf"
REM --- Done ---
After a successful build, the output files are located here:
C:\OpenSSL-Builds\OpenSSLoutput-3.0.2>tree /a /f
Folder PATH listing
Volume serial number is 448B-63A8
C:.
+---FIPS64
|       fips.dll
|       openssl-fips.cnf
|
+---LIBS64
|       libeay64_3.0.2_W64.lib
|       ssleay64_3.0.2_W64.lib
|
\---OPENSSL64
        OpenSSL.cnf
        OpenSSL64.exe
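Added example, not part of the original answer: a post-build check that the openssl-fips.cnf assembled above really puts OpenSSL64.exe on the FIPS provider. It assumes the output tree shown in the answer; the script itself and its messages are illustrative.

```batch
@echo off
setlocal
REM Added example, not from the answer. Paths follow the answer's output
REM tree; adjust "out" if your rootfolder or version differs.
set "out=C:\OpenSSL-Builds\OpenSSLoutput-3.0.2"
set "ossl=%out%\OPENSSL64\OpenSSL64.exe"

REM Point this process at the FIPS config and at the folder holding fips.dll.
set "OPENSSL_CONF=%out%\FIPS64\openssl-fips.cnf"
set "OPENSSL_MODULES=%out%\FIPS64"

REM 1. The provider list must include the fips provider.
"%ossl%" list -providers | findstr /i /c:"fips" >nul
if errorlevel 1 echo FAIL: FIPS provider not loaded & exit /b 1

REM 2. SHA-256 is implemented by the FIPS provider, so hashing must work.
"%ossl%" dgst -sha256 "%ossl%" >nul 2>&1
if errorlevel 1 echo FAIL: SHA-256 unavailable under the FIPS config & exit /b 1

REM 3. MD5 is not in the FIPS provider, and openssl-fips.cnf activates only
REM    fips and base, so an MD5 digest must be refused.
"%ossl%" dgst -md5 "%ossl%" >nul 2>&1
if not errorlevel 1 echo FAIL: MD5 still works, a non-FIPS provider is active & exit /b 1

echo OK: FIPS provider loaded, SHA-256 available, MD5 rejected
exit /b 0
```

Run it on the machine where the files will be used, since fips.dll runs its self-tests when it is loaded there.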
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow