[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Preferred OpenSSL config for Tor?

To: "tor-dev@xxxxxxxxxxxxxxxxxxxx" <tor-dev@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-dev] Preferred OpenSSL config for Tor?
From: Zack Weinberg <zackw@xxxxxxxxx>
Date: Tue, 16 Sep 2014 12:36:56 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 16 Sep 2014 12:57:09 -0400
In-reply-to: <1410880094.003232688@xxxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <1410880094.003232688@xxxxxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Tue, Sep 16, 2014 at 11:08 AM, Steve Snyder <swsnyder@xxxxxxxxxxxxx> wrote:
> What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?

Assuming you're on an x86-64 machine and have a reasonably recent GCC
(4.6 should do), as a starting point, this is how I build OpenSSL for
the CMU Tor exit:

./Configure linux-x86_64 \
        --prefix=/root/tor/ssl \
        no-shared no-gost enable-ec_nistp_64_gcc_128 \
        '-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'

Replace 'linux' with your OS of choice.

It can almost certainly be tuned further.  The only thing I know for
sure you really want is 'enable-ec_nistp_64_gcc_128', which (if your
hardware and compiler support it) dramatically increases your
throughput.  GOST is disabled not to reduce footprint but because the
build failed with it on, and shared libraries are disabled because I
link the Tor binary statically.

The last line is almost entirely about compile-time stack hardening.
You must have '-O2 -fPIC' in there or the subsequent Tor build will
fail; everything else is optional-but-a-good-idea-IMNSHO.

zw
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] Preferred OpenSSL config for Tor?
  - From: Steve Snyder

Prev by Author: Re: [tor-dev] obfs4 test bundles
Previous by thread: [tor-dev] Preferred OpenSSL config for Tor?
Next by thread: Re: [tor-dev] [RFC] Proposal draft: The move to a single guard node
Index(es):
- Author
- Thread