What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?
Put another way, what default OpenSSL features (ciphers, etc.) should be disabled and what optional features should be enabled?
My goal here is to build a Tor-oriented OpenSSL, one that dispenses with features Tor doesn't need/use while enabling those that improve security and/or performance.
Thanks.
On Tue, Sep 16, 2014 at 11:08 AM, Steve Snyder swsnyder@snydernet.net wrote:
> What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?
Assuming you're on an x86-64 machine and have a reasonably recent GCC (4.6 should do), as a starting point, this is how I build OpenSSL for the CMU Tor exit:
    ./Configure linux-x86_64 \
        --prefix=/root/tor/ssl \
        no-shared no-gost enable-ec_nistp_64_gcc_128 \
        '-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'
Replace 'linux' with your OS of choice.
It can almost certainly be tuned further. The only thing I know for sure you really want is 'enable-ec_nistp_64_gcc_128', which (if your hardware and compiler support it) dramatically increases your throughput. GOST is disabled not to reduce footprint but because the build failed with it on, and shared libraries are disabled because I link the Tor binary statically.
The last line is almost entirely about compile-time stack hardening. You must have '-O2 -fPIC' in there or the subsequent Tor build will fail; everything else is optional-but-a-good-idea-IMNSHO.
zw
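
One way to check that the hardening flags in the Configure line above took effect on what was built, as an added example that is not part of the original thread. It assumes binutils `readelf` is available; the function names, the `path/to/tor` placeholder and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check for the effects of -Wl,-z,relro, -fstack-protector and
# -D_FORTIFY_SOURCE=2. Each check reads `readelf` output text on stdin.

# -Wl,-z,relro: a linked ELF carries a GNU_RELRO program header. Static
# archives (libssl.a, libcrypto.a) have no program headers, so run this
# check against the final linked binary, not the archive.
has_relro() { grep -q 'GNU_RELRO'; }

# -fstack-protector: instrumented functions reference __stack_chk_fail.
has_canary() { grep -q '__stack_chk_fail'; }

# -D_FORTIFY_SOURCE=2 (needs optimisation, hence -O2): libc calls are
# replaced by checked variants such as __memcpy_chk or __sprintf_chk.
has_fortify() { grep -v '__stack_chk' | grep -Eq '__[a-z0-9_]+_chk'; }

# audit HEADERS SYMBOLS: both arguments are readelf output text.
# Prints one line per protection; returns the number that are missing.
audit() {
    missing=0
    for c in relro canary fortify; do
        case $c in relro) text=$1 ;; *) text=$2 ;; esac
        if printf '%s\n' "$text" | "has_$c"; then
            echo "$c: yes"
        else
            echo "$c: MISSING"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample in the shape of `readelf -lW` / `readelf -sW` output.
SAMPLE_HEADERS='  LOAD           0x000000 0x0000000000400000 R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 RW  0x10
  GNU_RELRO      0x2f0e10 0x00000000006f0e10 R   0x1'
SAMPLE_SYMBOLS='  12: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __stack_chk_fail@GLIBC_2.4
  27: 0000000000000000  0 FUNC GLOBAL DEFAULT UND __memcpy_chk@GLIBC_2.3.4'

# Demo on the constructed sample. Against a real build (placeholder path):
#   audit "$(readelf -lW path/to/tor)" "$(readelf -sW path/to/tor)"
audit "$SAMPLE_HEADERS" "$SAMPLE_SYMBOLS"
```

The symbol checks also work on `readelf -sW` output for the static archives themselves; a stripped binary that links libc statically will show no symbols and reports them as missing.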