[tor-dev] Preferred OpenSSL config for Tor?

Zack Weinberg zackw at panix.com
Tue Sep 16 16:36:56 UTC 2014

On Tue, Sep 16, 2014 at 11:08 AM, Steve Snyder <swsnyder at snydernet.net> wrote:
> What are the recommended build options for OpenSSL 1.0.1x when building it for use with Tor v0.2.5.x?

Assuming you're on an x86-64 machine and have a reasonably recent GCC
(4.6 should do), as a starting point, this is how I build OpenSSL for
the CMU Tor exit:

./Configure linux-x86_64 \
        --prefix=/root/tor/ssl \
        no-shared no-gost enable-ec_nistp_64_gcc_128 \
        '-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC -Wl,-z,relro'

Replace 'linux' with your OS of choice.

It can almost certainly be tuned further.  The only thing I know for
sure you really want is 'enable-ec_nistp_64_gcc_128', which (if your
hardware and compiler support it) dramatically increases your
throughput.  GOST is disabled not to reduce footprint but because the
build failed with it on, and shared libraries are disabled because I
link the Tor binary statically.

The last line is almost entirely about compile-time stack hardening.
You must have '-O2 -fPIC' in there or the subsequent Tor build will
fail; everything else is optional-but-a-good-idea-IMNSHO.


More information about the tor-dev mailing list