ntp.util: Fix rpeers mode in PeerSummary.summary

[ntpsec.git] / HOWTO-OpenSSL

NTS needs TLS 1.3 or newer.
That was first supported in OpenSSL 1.1.1
  (1.1.1a is broken)
Some OSes/Distros don't support a new enough version of OpenSSL
This file contains notes on how to download, build, and install 3.2.0
It it should be close for other 3.x.y versions

It's rough.  Don't be surprised by bugs/oversights.
Corrections, clarifications and feedback encouraged.

In 2023-Nov, FreeBSD 13.2 has 1.1.1t as the main version.
It also has 3 newer versions available as packages.
You can just install one and ignore the rest of this note.
waf will find the pkg version and use it.
  sudo pkg update
  sudo pkg search openssl
openssl30-3.0.12_1             TLSv1.3 capable SSL and crypto library
openssl31-3.1.4_1              TLSv1.3 capable SSL and crypto library
openssl32-3.2.0.a2             TLSv1.3 capable SSL and crypto library
  sudo pkg install openssl32
Note: the "a2" is for "Alpha 2", not for production etc.
The rest of this recipe works if you want to try a newer version from
an OpenSSL tarball.


Download OpenSSL source from here:
  https://www.openssl.org/source/

You should be able to cut/paste many of these lines.
But check for the latest versions first.

cd xxx
mkdir OpenSSL
cd OpenSSL
for OpenSSL 3.2.0
  wget https://www.openssl.org/source/openssl-3.2.0.tar.gz
  tar -xzf openssl-3.2.0.tar.gz
  cd openssl-3.2.0

# Check NOTES.PERL
#   for CentOS, you need
  sudo yum install perl-core
# Fedora 35 for 3.0.1
  # ./config needs
  sudo dnf install perl-FindBin 'perl(IPC::Cmd)' 'perl(File::Compare)'
  # make needs
  # make test needs
  sudo dnf install 'perl(Test::Harness)' 'perl(Test::More)' 'perl(File::Copy)'
  # make install also needs:
  sudo dnf install 'perl(Pod::Html)'
# On FreeBSD for 3.0.1
  sudo pkg install perl5

By default, this recipe will install
  libcrypto.so.3 and libssl.so.3
  in /usr/local/ssl/lib64/
and they will be used by all software, not just ntpd.

If you don't want that, edit VERSION.dat and change SHLIB_VERSION
to something like 6.  That will install the libraries as
  libcrypto.so.6 and libssl.so.6
and waf will setup ntpd to use them.
openssl-3.2-beta breaks sudo on Fedora, so this is a good idea.   <======

On Linux
  openssl version -d
  OPENSSLDIR=`openssl version -d | sed "s/OPENSSLDIR: //"`
  OPENSSLDIR=`echo $OPENSSLDIR | sed s/\"//g`
  echo $OPENSSLDIR
  ./Configure --prefix=/usr/local/ssl --openssldir=$OPENSSLDIR shared

***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***

time make -j4         |& tee make.log
  # Check that we got it right.  These should match.
  openssl version -d
  ./util/shlib_wrap.sh ./apps/openssl version -d
  # ./apps/openssl without the wrapper will use the installed libraries
The above check is broken for openssl-3.2.0-beta1 on Fedora
It works on Ubuntu and FreeBSD.

time make test        |& tee test.log
time make build_docs  |& tee docs.log
sudo make install     |& tee install.log

sudo su
  cd /etc/ld.so.conf.d
  echo "/usr/local/ssl/lib" > openssl-3.2.0.conf    # 32 bit systems
  echo "/usr/local/ssl/lib64" > openssl-3.2.0.conf  # 64 bit systems
  # running ldconfig before install doesn't work
  ldconfig

On FreeBSD:
  ldconfig -m /usr/local/ssl/lib/

NetBSD:
  echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
(no ldconfig on my search path.  Doesn't seem to be needed.)

# check with
/usr/local/ssl/bin/openssl version

# Note that the directories in the above config line need to
# match where wscript looks for your OS.
# The above works for CentOS 7