Compiling OpenSSL from Source (Windows and Linux)

OpenSSL is a popular library used for performing various actions around SSL/TLS such as generating keypairs, creating CSRs, and testing connectivity against endpoints encrypted via SSL/TLS. While alternatives such as BoringSSL and LibreSSL do exist, OpenSSL is ubiquitous in the enterprise. OpenSSL comes pre-packed with most Linux distributions, and most of the time, assuming your system is up to date, using the pre-packaged version from your trusted package manager is absolutely fine. On Windows systems, the answer is not so clear-cut.

Many independent parties offer a pre-compiled and packaged version of OpenSSL for Windows, but this requires a certain amount of trust in those third parties which personally makes me uncomfortable. Imagine if the C source were to be modified to send any generated private keys to an attacker on the internet!

Beyond the threat of bad actors, there are a myriad of reasons why compiling OpenSSL yourself might be advantageous. Perhaps you need a specific version for security research that is no longer made available for good reason. Perhaps you are developing a product on the bleeding edge and need to take advantage of a branch of OpenSSL which is not yet stable. Whatever the reason, we have you covered.

Compiling OpenSSL from Source on Windows and Linux

State of Compilers

There are many compilers available for C on both Windows and Linux. In theory it is possible to compile OpenSSL for Windows directly on a windows machine using either Borland or Visual Studio. On Linux, GCC is the most common choice, but there is no reason you couldn’t use a compiler such as clang. However, it is the aim of this guide to produce an OpenSSL binary for both Linux and Windows with as little friction as possible. Therefore, we will be using Ubuntu 20.04 to compile OpenSSL natively with GCC, as well as to cross-compile OpenSSL for Windows via mingw-w64.

Compiling OpenSSL for Linux on Ubuntu 20.04

Start by making sure everything is up to date:

shell

apt-get update

Now, let’s install some dependencies needed to build OpenSSL for Linux.

shell

apt-get install build-essential checkinstall zlib1g-dev -y

We need to install Git so that we can pull down the source for OpenSSL

shell

apt-get install git

I like to uninstall the system packaged version of OpenSSL on my build machine to avoid any confusion.

shell

Apt-get remove openssl

Next, let’s CD to our home directory.

shell

cd openssl

In addition to the more advanced .configure script provided with the source, OpenSSL’s source directory includes a friendlier .config script with common defaults. Make this script executable and run it.

shell

Chmod +x ./config
./config

Now, we can issue make.

shell

Make

This will take several minutes to complete. Assuming it finishes successfully, issue make install

shell

Make install

This will place a binary named openssl in /usr/local/bin/

Issue Ldconfig in order to rebuild the search path for libraries we've added to our installation

shell

ldconfig

Now, let’s make sure OpenSSL works correctly:

shell

cd /usr/local/bin/

Check openssl version:

shell

./openssl version
Check OpenSSL Version

Notice in the above that the “version” command against the binary functions, outputting the specific revision (j). This indicates that our build was successful.

Cross Compiling OpenSSL for Windows on Ubuntu 20.04

Start by making sure everything is up to date:

shell

apt-get update

Now, let’s install some dependencies needed to build OpenSSL for Linux:

shell

apt-get install build-essential checkinstall zlib1g-dev -y

We need to install Git so that we can pull down the source for OpenSSL

shell

apt-get install git

We have an additional for the compilation dependency, mingw-64:

shell

sudo apt-get install mingw-w64

We will also need zip in order to zip up our binary for transporting to the windows system which it will ultimately live:

shell

apt-get install zip

I like to uninstall the system packaged version of OpenSSL on my build machine to avoid any confusion:

shell

apt-get remove openssl

Next, let’s CD to our home directory:

shell

cd ~

Issue the following to clone the source for OpenSSL 1.1.1, the latest stable branch at this time, into a directory under our home directory named openssl:

shell

git clone --branch OpenSSL_1_1_1-stable https://github.com/openssl/openssl.git

Since cross compilation is a little more advanced than what .config offers, we will use the .configure script with some very specific parameters indicating our desire for cross-compilation:

shell

chmod +x ./configure
./Configure --cross-compile-prefix=x86_64-w64-mingw32- mingw64

Like before, we will issue make. This will take several minutes. :

shell

Make

Finally, we will issue make install:

shell

Make install

Perhaps somewhat unintuitively, a folder named C: will have been created in your openssl source directory containing artifacts that represent an overlay for a windows installation:

OpenSSL Folder

Notice that inside of C:\’program files’ we have two folders, “Common Files” and “OpenSSL”

OpenSSL Files

Inside of OpenSSL/bin we will find openssl.exe, an executable which will run on a Windows System:

OpenSSL on Windows

Navigate back to your openssl folder:

shell

cd ~/openssl

And zip up the C: folder containing your build artifacts:

shell

zip -r openssl.zip C:

Using winscp, or whatever method you prefer, bring openssl.zip to your local windows machine.
If you unzip the folder and place the contents of the “Program Files” directory into the “C:\Program Files: files directory on your machine, you will be able to use the OpenSSL executable.

Unzip the folder, and run openssl version:

OpenSSL unzip on Windows

As you can see, the cross compilation resulted in a fully functional version of OpenSSL for your windows machine.

Conclusion

While it is not always necessary to compile OpenSSL from source in every environment, there are security benefits to doing so. Additionally, as you can see from the above, the procedure is neither especially complex nor time consuming. It is worthwhile for everyone administrator to become familiar with compiling tools from source, whether or not it is something you will commonly have to do – you never know when it will come in handy!

Discussions and Comments

Click here to view and join in on any discussions and comments on this article.

Written by
Jeremy Schatten


Helpful Guides

View more Guides, FAQs and information to help with your Certificate purchases.

Learning Centre

View more resources on cyber security, encryption and the internet.