On Tue, Sep 16, 2014 at 11:08 AM, Steve Snyder swsnyder@snydernet.net wrote:
> What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?
Assuming you're on an x86-64 machine and have a reasonably recent GCC (4.6 should do), as a starting point, this is how I build OpenSSL for the CMU Tor exit:
./Configure linux-x86_64 \
    --prefix=/root/tor/ssl \
    no-shared no-gost enable-ec_nistp_64_gcc_128 \
    '-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'
Replace 'linux' with your OS of choice.
It can almost certainly be tuned further. The only thing I know for sure you really want is 'enable-ec_nistp_64_gcc_128', which (if your hardware and compiler support it) dramatically increases your throughput. GOST is disabled not to reduce footprint but because the build failed with it on, and shared libraries are disabled because I link the Tor binary statically.
The last line is almost entirely about compile-time stack hardening. You must have '-O2 -fPIC' in there or the subsequent Tor build will fail; everything else is optional-but-a-good-idea-IMNSHO.
zw
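An added check, written for this edit and not part of the post above nor of Tor or OpenSSL: the hardening flags in that Configure line only matter if they survive into the final binary, so this small Python script reads an ELF64 file's program headers and dynamic section and reports what the flags should have produced (`-fstack-protector` leaves references to `__stack_chk_fail`, `-D_FORTIFY_SOURCE=2` with `-O2` leaves `__*_chk` wrappers, `-Wl,-z,relro` produces a PT_GNU_RELRO segment, which is only "partial" RELRO unless `-Wl,-z,now` is also given, and PIE needs `-pie` at link time rather than just `-fPIC`). The ELF parser, the `make_sample_elf` helper and the header-only sample image it builds are the editor's own constructions, not an OpenSSL or Tor build product; `readelf -l`, `readelf -d` and `nm` give the same answers on a real box.

```python
"""Report whether the hardening flags from the quoted Configure line are visible in an ELF64 binary.
Added example for this page; not code from the post, Tor, or OpenSSL."""
import re
import struct
import sys

ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address executable vs PIE / shared object
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551                   # stack permissions; PF_X here means an executable stack
PT_GNU_RELRO = 0x6474E552                   # emitted by -Wl,-z,relro
PF_X = 1
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1            # emitted by -Wl,-z,now; turns partial RELRO into full RELRO


def parse_elf64(data):
    """Return (endianness prefix, e_type, [(p_type, p_flags, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 = 64-bit
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"                   # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags, p_offset, p_filesz))
    return end, e_type, phdrs


def check_hardening(data):
    """Map the build flags in the post to properties observable in the binary."""
    end, e_type, phdrs = parse_elf64(data)
    has_relro = bind_now = nx = False
    for p_type, p_flags, p_offset, p_filesz in phdrs:
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:                        # absent in a fully static binary
            for off in range(p_offset, p_offset + p_filesz, 16):   # Elf64_Dyn is 16 bytes
                if off + 16 > len(data):
                    break
                tag, val = struct.unpack_from(end + "qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,                          # needs -pie at link time, not just -fPIC
        "nx": nx,
        "relro": ("full" if bind_now else "partial") if has_relro else "none",
        # Heuristics on raw symbol names: -fstack-protector emits calls to __stack_chk_fail;
        # -D_FORTIFY_SOURCE=2 (only active with -O1 or higher) emits calls to __*_chk wrappers.
        # Both names disappear from a stripped static binary, so check before stripping.
        "stack_protector": b"__stack_chk_fail\x00" in data,
        "fortify": re.search(rb"__[A-Za-z0-9_]+_chk\x00", data) is not None,
    }


def make_sample_elf(*, pie=True, nx=True, relro=True, bind_now=False,
                    protector=True, fortify=True):
    """Constructed sample input: a header-only ELF64 image (not loadable, not a real build)
    carrying exactly the features the checker looks for, so the script runs offline."""
    phdrs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0)]       # PF_R|PF_W, or PF_R|PF_W|PF_X
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    n_ph = len(phdrs) + 1                                 # plus PT_DYNAMIC
    dyn_off = 64 + 56 * n_ph                              # ehdr, then program headers, then .dynamic
    phdrs.append((PT_DYNAMIC, 6, dyn_off, len(dyn)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0, 64, 0, 0, 64, 56, n_ph, 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8)
                    for t, f, off, sz in phdrs)
    names = (b"__stack_chk_fail\x00" if protector else b"") + (b"__memcpy_chk\x00" if fortify else b"")
    return ehdr + body + dyn + names


def report(path):
    """Check a binary on disk, e.g. the tor executable that was linked against this OpenSSL."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


if __name__ == "__main__":
    result = report(sys.argv[1]) if len(sys.argv) > 1 else check_hardening(make_sample_elf())
    for key, value in result.items():
        print(f"{key:16} {value}")
    if result["relro"] == "partial":
        print("note: add -Wl,-z,now to the quoted flags for full RELRO")
```

Run it as `python3 elf_hardening.py /path/to/tor` (file name hypothetical; with `no-shared` there is no libcrypto.so to inspect, so the statically linked tor binary is the thing to check). With no argument it checks the constructed sample, which is shaped the way the quoted flags would shape a real binary: partial RELRO, non-executable stack, stack protector and fortify symbols present. Two caveats: the symbol checks are string heuristics, not a walk of the symbol table, and a fully static, stripped binary has neither a dynamic section nor those names, so inspect it before `strip`.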