
Re: [tor-dev] Preferred OpenSSL config for Tor?



On Tue, Sep 16, 2014 at 11:08 AM, Steve Snyder <swsnyder@xxxxxxxxxxxxx> wrote:
> What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?

Assuming you're on an x86-64 machine and have a reasonably recent GCC
(4.6 should do), as a starting point, this is how I build OpenSSL for
the CMU Tor exit:

./Configure linux-x86_64 \
        --prefix=/root/tor/ssl \
        no-shared no-gost enable-ec_nistp_64_gcc_128 \
        '-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'

Replace 'linux' with your OS of choice.

It can almost certainly be tuned further.  The only thing I know for
sure you really want is 'enable-ec_nistp_64_gcc_128', which (if your
hardware and compiler support it) dramatically increases your
throughput.  GOST is disabled not to reduce footprint but because the
build failed with it on, and shared libraries are disabled because I
link the Tor binary statically.

The last line is almost entirely about compile-time stack hardening.
You must have '-O2 -fPIC' in there or the subsequent Tor build will
fail; everything else is optional-but-a-good-idea-IMNSHO.

zw
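An added example, not part of the post above or of Tor's own build scripts: a small POSIX shell script that keeps the flag string from the reply as a single argument (the mail client wrapped it across two lines), checks that the two flags the reply calls mandatory (-O2 and -fPIC) are present, and inspects a finished build for evidence that the hardening options took effect. The ELF checks assume GNU binutils (nm, readelf) are installed; the variable and function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions, mine not the
# post's: the flag string is kept in one variable so it reaches
# ./Configure as a single argument, and GNU nm/readelf are available.

# The compile/link flags from the post, as one string.
TOR_OPENSSL_CFLAGS='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'

# Return 0 if every flag the post calls mandatory (-O2 and -fPIC) is
# present in $1, 1 otherwise. Without them the later Tor build fails.
check_required_flags() {
    flags=" $1 "
    for f in -O2 -fPIC; do
        case "$flags" in
            *" $f "*) ;;
            *) echo "missing required flag: $f" >&2; return 1 ;;
        esac
    done
    return 0
}

# Print the full Configure command line for a target (e.g. linux-x86_64)
# and install prefix, with the flag string quoted as one argument.
configure_cmdline() {
    target=$1; prefix=$2
    printf "./Configure %s --prefix=%s no-shared no-gost enable-ec_nistp_64_gcc_128 '%s'\n" \
        "$target" "$prefix" "$TOR_OPENSSL_CFLAGS"
}

# Inspect a built object (libcrypto.a, libssl.a or the linked tor binary)
# for evidence that the hardening flags were honoured. Returns 0 when
# all checks pass, 1 otherwise.
check_elf_hardening() {
    obj=$1; rc=0
    # -fstack-protector leaves references to __stack_chk_fail.
    if nm "$obj" 2>/dev/null | grep -q '__stack_chk_fail'; then
        echo "stack protector : yes"
    else
        echo "stack protector : NO"; rc=1
    fi
    # -D_FORTIFY_SOURCE=2 swaps memcpy/sprintf/... for __*_chk variants
    # where the compiler can see the buffer size, so absence is only a hint.
    if nm "$obj" 2>/dev/null | grep -q '_chk$'; then
        echo "fortify source  : yes"
    else
        echo "fortify source  : NO (no __*_chk symbols found)"; rc=1
    fi
    # -Wl,-z,relro adds a GNU_RELRO program header; this only exists on
    # linked output (the tor binary), not on a static archive.
    if readelf -l "$obj" 2>/dev/null | grep -q 'GNU_RELRO'; then
        echo "relro           : yes"
    else
        echo "relro           : NO (expected on a linked binary only)"; rc=1
    fi
    return $rc
}

check_required_flags "$TOR_OPENSSL_CFLAGS"
configure_cmdline linux-x86_64 /root/tor/ssl
# Optional: pass a built object or binary to verify the hardening.
if [ $# -gt 0 ]; then
    check_elf_hardening "$1"
fi
```

Run it with no arguments to print the Configure line, or with the path to the linked tor binary to check that stack protector, FORTIFY and RELRO are actually present in what you shipped; the static archives will legitimately fail the RELRO check because that is a link-time property.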
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev