[openssl-users] recommended build options

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 2 20:11:58 UTC 2016

On Wed, Mar 02, 2016 at 02:57:13PM -0500, Wall, Stephen wrote:

> Is there a set of recommended build options for openssl?  For instance,
> "no-ssl2 no-comp -DOPENSSL_NO_HEARTBEATS no-md4 ..."

By and large what should be off by default eventually or already
is, but there can be some delay for backwards compatibility.

The below non-experimental features are disabled by default in
OpenSSL 1.0.2s:

    my %disabled = ( # "what"         => "comment" [or special keyword "experimental "]
                 "ec_nistp_64_gcc_128" => "default",
                 "gmp"            => "default",
                 "md2"            => "default",
                 "rc5"            => "default",
                 "rfc3779"        => "default",
                 "sctp"           => "default",
                 "shared"         => "default",
                 "ssl-trace"      => "default",
                 "ssl2"           => "default",
                 "unit-test"      => "default",
                 "weak-ssl-ciphers" => "default",
                 "zlib"           => "default",
                 "zlib-dynamic"   => "default"
               );

With these you're covered for no-ssl2 no-comp and no weak ciphers.

In most cases you'll want shared libraries, but this requires
"Configure shared ...".  Some might choose to disable SSLv3 as well
with "no-ssl3".  It may also be reasonable to disable "idea", "seed"
and "rc2".
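
One way to confirm which of the features named above are really disabled in a build, as an added example that is not part of the original post or of OpenSSL itself. It assumes that a feature disabled with "no-<feature>" shows up in the generated opensslconf.h as "# define OPENSSL_NO_<FEATURE>"; the function names and the sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example: list requested features that are NOT disabled in opensslconf.h.
# Assumption: "no-<feature>" yields "# define OPENSSL_NO_<FEATURE>" in the header
# (upper-cased, '-' mapped to '_'). Build-layout options such as "shared" or
# "zlib" are not expressed this way and are out of scope here.

# feature_macro FEATURE -> prints the assumed OPENSSL_NO_* macro name
feature_macro() {
    printf 'OPENSSL_NO_%s\n' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# still_enabled HEADER FEATURE... -> prints each feature lacking its define
still_enabled() {
    header=$1; shift
    for feat in "$@"; do
        macro=$(feature_macro "$feat")
        # Match the define itself, not "#ifndef" guards or longer macro names.
        grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${macro}([[:space:]]|\$)" \
            "$header" || printf '%s\n' "$feat"
    done
}

# Constructed sample (not from a real build): defaults plus "no-ssl3 no-idea".
write_sample_header() {
    cat > "$1" <<'EOF'
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3
#endif
#ifndef OPENSSL_NO_IDEA
# define OPENSSL_NO_IDEA
#endif
EOF
}

hdr=$(mktemp)
write_sample_header "$hdr"
# Features the post discusses; anything printed is still compiled in.
still_enabled "$hdr" ssl2 ssl3 md2 idea seed rc2
rm -f "$hdr"
```

Against a real tree, pass the installed or in-tree include/openssl/opensslconf.h as the first argument instead of the sample file.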
