OpenSSL will introduce support for the newer TLS versions with 1.0.1 (see the CVS change log); GnuTLS has had it for a few years now.
Here are a few "simple" steps to install and play around with the latest software without interfering with the system.
I'm doing everything in the /tmp dir since it's running on tmpfs (ramdisk). Zlib is included to present a fun way to use env and LD_LIBRARY_PATH, and maybe for those interested in really old systems.
1. Downloading sources
mkdir /tmp/src /tmp/opt
cd /tmp/src
wget http://zlib.net/zlib-1.2.6.tar.gz
aria2c http://ftp.gnu.org/gnu/gnutls/gnutls-3.0.15.tar.xz
curl -O ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20120311.tar.gz
tar xzf zlib-1.2.6.tar.gz
tar xJf gnutls-3.0.15.tar.xz
tar xzf openssl-1.0.1-stable-SNAP-20120311.tar.gz
Hint: tar xjf some.tar.bz2 for bz2-compressed tars.
2. Compiling zlib
cd zlib-1.2.6
./configure --prefix=/tmp/opt/zlib --64
make && make install
3. Compiling openssl
cd ../openssl-1.0.1-stable-SNAP-20120311
./config --prefix=/tmp/opt/ssl --with-zlib-lib=/tmp/opt/zlib/lib --with-zlib-include=/tmp/opt/zlib/include zlib threads shared
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib make && make install
4. Compiling gnutls
cd ../gnutls-3.0.15
./configure --prefix=/tmp/opt/tls --with-libz-prefix=/tmp/opt/zlib --disable-openssl-compatibility
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib make && make install
Sure, you could create my.conf in /etc/ld.so.conf.d/ containing the path /tmp/opt/zlib/lib and run ldconfig, but that way may cause a problem.
# ldd /tmp/opt/ssl/lib/libcrypto.so.1.0.0
linux-vdso.so.1 => (0x00007ffff2da8000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f9a81116000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f9a80f00000)
libc.so.6 => /lib/libc.so.6 (0x00007f9a80b5e000)
/lib/ld-linux-x86-64.so.2 (0x00007f9a81711000)
# env LD_LIBRARY_PATH=/tmp/opt/zlib/lib ldd /tmp/opt/ssl/lib/libcrypto.so.1.0.0
linux-vdso.so.1 => (0x00007fffe35ff000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f062222c000)
libz.so.1 => /tmp/opt/zlib/lib/libz.so.1 (0x00007f0622016000)
libc.so.6 => /lib/libc.so.6 (0x00007f0621c74000)
/lib/ld-linux-x86-64.so.2 (0x00007f0622827000)
Depending on the content of /etc/ld.so.conf, the custom confs from /etc/ld.so.conf.d/ may be searched before or after the paths with the standard system libraries. This means that either every binary linked against libz.so.1 would use the system library, or every one would use the build in /tmp/opt/zlib/lib (the apps I just compiled would use /usr/lib/libz.so.1, or everything would use my libz) - and I didn't want that.
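A small check for the situation just described, added here as an example rather than taken from the original post: after each build step, ask ldd which libz.so.1 the new library really resolves to and fail loudly if it is not the copy under /tmp/opt/zlib/lib. The paths follow the post; the two embedded ldd transcripts are constructed from the output shown above so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post: verify which libz.so.1 a freshly
# built library resolves to, with and without LD_LIBRARY_PATH, so a stray system
# copy does not slip into the build unnoticed.

# resolved_path LDD_OUTPUT SONAME
# Prints the path ldd reported on the "SONAME => /path (0x...)" line, or nothing.
resolved_path() {
    printf '%s\n' "$1" | awk -v so="$2" '$1 == so && $2 == "=>" { print $3; exit }'
}

# in_dir PATH DIR -> exit status 0 if PATH lies underneath DIR
in_dir() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check_resolution BINARY SONAME EXPECTED_DIR [LIBDIR]
# Runs ldd on BINARY (with LD_LIBRARY_PATH=LIBDIR when given) and returns
# 0 only if SONAME resolves to a file inside EXPECTED_DIR.
check_resolution() {
    bin=$1; so=$2; want=$3; libdir=$4
    if [ -n "$libdir" ]; then
        out=$(env LD_LIBRARY_PATH="$libdir" ldd "$bin")
    else
        out=$(ldd "$bin")
    fi
    got=$(resolved_path "$out" "$so")
    if [ -z "$got" ]; then
        echo "$bin: $so not listed by ldd" >&2
        return 2
    fi
    if in_dir "$got" "$want"; then
        echo "$bin: $so -> $got (ok)"
        return 0
    fi
    echo "$bin: $so -> $got, expected a copy under $want" >&2
    return 1
}

# Constructed samples: the two ldd runs from the post, for offline checking.
LDD_SYSTEM='linux-vdso.so.1 => (0x00007ffff2da8000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f9a81116000)
libz.so.1 => /usr/lib/libz.so.1 (0x00007f9a80f00000)
libc.so.6 => /lib/libc.so.6 (0x00007f9a80b5e000)
/lib/ld-linux-x86-64.so.2 (0x00007f9a81711000)'
LDD_CUSTOM='linux-vdso.so.1 => (0x00007fffe35ff000)
libdl.so.2 => /lib/libdl.so.2 (0x00007f062222c000)
libz.so.1 => /tmp/opt/zlib/lib/libz.so.1 (0x00007f0622016000)
libc.so.6 => /lib/libc.so.6 (0x00007f0621c74000)
/lib/ld-linux-x86-64.so.2 (0x00007f0622827000)'

# Usage on the real build, right after step 3 (paths as in the post):
#   check_resolution /tmp/opt/ssl/lib/libcrypto.so.1.0.0 libz.so.1 /tmp/opt/zlib/lib /tmp/opt/zlib/lib
#   check_resolution /tmp/opt/ssl/lib/libcrypto.so.1.0.0 libz.so.1 /tmp/opt/zlib/lib   # fails: /usr/lib copy
```

The second usage line is the point of the exercise: without LD_LIBRARY_PATH the same library silently picks up /usr/lib/libz.so.1, which is exactly the mix-up an ld.so.conf.d entry could cause system-wide instead of just in this shell.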
5. We will need keys/certs
export LD_LIBRARY_PATH=/tmp/opt/zlib/lib
cd /tmp/opt
ssl/bin/openssl req -new -nodes -out req.pem -keyout key.pem
ssl/bin/openssl rsa -in key.pem -out new.key.pem
ssl/bin/openssl x509 -in req.pem -out server.pem -req -signkey new.key.pem -days 3650
Remember that export variable=value expires after logging out, or after exiting mc if you're using Ctrl+O.
6. Run gnutls as a simple http server
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib tls/bin/gnutls-serv -p 443 --http -g --x509certfile=server.pem --x509keyfile=key.pem
Ctrl+C to exit.
In Opera: Tools > Preferences > Advanced > Security > Security Protocols... - leave only [Enable TLS 1.2] checked (or 1.1). You have to close and reopen Opera for the changes to take effect. Now open https://localhost/ - you have to [Approve] the Security Issue.
7. Run openssl as a simple http server
You can force a TLS version with -tls1_2, -tls1_1 or -tls1, or disable one like this: -no_tls1_2 - so you can leave all {Security Protocols} in Opera enabled.
cd /tmp/opt
env LD_LIBRARY_PATH=/tmp/opt/zlib/lib ssl/bin/openssl s_server -accept 443 -key new.key.pem -tls1_2 -www
Ctrl+C to exit.
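Rather than trusting the browser dialog, you can confirm from the client side which TLS version the server from step 6 or 7 actually negotiated. The script below is an added example, not code from the original post: it drives the freshly built s_client against the server and pulls the "Protocol :" line out of the SSL-Session block. The openssl path follows the post; localhost:443 and the OPENSSL variable are assumptions, and the embedded session block is a constructed sample so the parser can be checked offline.

```shell
#!/bin/sh
# Added example, not part of the original post: check which TLS version the
# test server really negotiates, optionally forcing one version from the client.

# Path of the freshly built openssl (as in the post); override via $OPENSSL.
OPENSSL=${OPENSSL:-/tmp/opt/ssl/bin/openssl}

# negotiated_protocol S_CLIENT_OUTPUT
# Prints the value of the "Protocol  : TLSv1.2" line from the SSL-Session block,
# or nothing when no session was established.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# probe HOST PORT [VERSION_FLAG]
# Connects with s_client, forcing one version when VERSION_FLAG (-tls1_2, -tls1_1,
# -tls1) is given, and prints the negotiated protocol. Returns 1 if the handshake
# failed, which is what you want to see when the server was started with -tls1_2
# and the client insists on -tls1.
probe() {
    host=$1; port=$2; flag=$3
    out=$(env LD_LIBRARY_PATH=/tmp/opt/zlib/lib \
        "$OPENSSL" s_client -connect "$host:$port" $flag </dev/null 2>/dev/null)
    proto=$(negotiated_protocol "$out")
    if [ -z "$proto" ]; then
        echo "$host:$port: no TLS session with '$flag'" >&2
        return 1
    fi
    echo "$host:$port ($flag): $proto"
}

# expect_protocol HOST PORT VERSION_FLAG WANT
# Returns 0 only if the server negotiated exactly WANT (e.g. TLSv1.2).
expect_protocol() {
    got=$(probe "$1" "$2" "$3" 2>/dev/null | sed 's/.*: //')
    if [ "$got" = "$4" ]; then
        return 0
    fi
    echo "$1:$2: got '${got:-no session}', wanted $4" >&2
    return 1
}

# Constructed sample of the block s_client prints after a successful handshake.
SAMPLE_SESSION='---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA256
    Session-ID: 00
---'

# Usage against the s_server from step 7, assumed to be listening on localhost:443:
#   probe localhost 443 -tls1_2            # prints TLSv1.2
#   probe localhost 443 -tls1              # no session: the server only speaks 1.2
#   expect_protocol localhost 443 "" TLSv1.2 && echo "server enforces TLS 1.2"
```

Running the probe both with and without a version flag tells you two different things: whether the server can speak the version you built for, and whether it refuses the older ones you meant to disable.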
Well, that was fun, right ;]. More fun with LD_LIBRARY_PATH soon.