Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
OpenSSL configure options

Deprecated - Use LibreSSL Portable instead

OpenSSL Configure Options (1.0.1e)

Standard party line

Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...]
                 [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw]
                 [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm]
                 [no-dso] [no-krb5] [sctp] [386] [--prefix=DIR]
                 [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity]
                 os/compiler[:flags]

Raw list

$ grep -r '^#if.*OPENSSL_NO' . | grep -o 'OPENSSL_NO_[a-zA-Z0-9_]*' | sort -u | sed 's/OPENSSL_//' | tr '[A-Z_]' '[a-z-]'

no-aes
no-algorithms
no-asm
no-bf
no-bio
no-buffer
no-buf-freelists
no-camellia
no-capieng
no-cast
no-chain-verify
no-cms
no-comp
no-decc-init
no-deprecated
no-des
no-descbcm
no-dgram
no-dh
no-dsa
no-dtls1
no-dynamic-engine
no-ec
no-ec2m
no-ecdh
no-ecdsa
no-ec-nistp-64-gcc-128
no-engine
no-err
no-evp
no-fp-api
no-gmp
no-gost
no-hash-comp
no-heartbeats
no-hmac
no-hw
no-hw-4758-cca
no-hw-aep
no-hw-atalla
no-hw-chil
no-hw-cswift
no-hw-ibmca
no-hw-ncipher
no-hw-nuron
no-hw-padlock
no-hw-sureware
no-hw-ubsec
no-hw-zencod
no-idea
no-inline-asm
no-jpake
no-krb5
no-lhash
no-locking
no-md2
no-md4
no-md5
no-mdc2
no-multibyte
no-nextprotoneg
no-object
no-ocsp
no-posix-io
no-psk
no-rc2
no-rc4
no-rc5
no-rdrand
no-rfc3779
no-ripemd
no-ripemd160
no-rmd160
no-rsa
no-rsax
no-sctp
no-seed
no-setvbuf-ionbf
no-sha
no-sha0
no-sha1
no-sha256
no-sha512
no-sock
no-speed
no-srp
no-srtp
no-ssl2
no-ssl3
no-ssl-intern
no-stack
no-static-engine
no-stdio
no-store
no-tls
no-tls1
no-tls1-2-client
no-tlsext
no-whirlpool
no-x509
no-x509-verify

Full list

* Default

  • ec - Elliptic curve support*

  • no-ec - No Elliptic curve support

  • ecdsa - *

  • no-ecdsa

  • ecdh - *

  • no-ecdh

  • no-ec2m

  • no-mdc2

  • no-idea - No International Data Encryption Algorithm (IDEA)

  • no-deprecated

  • no-capieng

  • no-chain-verify

  • no-cms

  • no-comp

  • no-decc-init

  • no-dgram

  • no-engine - No runtime-loadable engines

    • no-dynamic-engine
  • fips - *

  • no-fips

  • dh - With Diffie-Hellman*

  • no-dh - Without Diffie-Hellman*

  • des - With DES support.*

  • no-des - No DES support. Note: make test will fail

    • no-descbcm
  • no-bf - No Blowfish

  • no-dsa - No DSA

  • no-rsa - No RSA

  • aes - AES *

  • no-aes - No AES

  • gmp - With GNU Multi-Precision Library

  • no-gmp - No GNU Multi-Precision Library *

  • no-camellia - No Camellia

  • no-cast - No CAST

  • no-seed - No SEED

  • gost - *

  • no-gost - No GOST (as an engine, force disabled if no-engine)

  • rfc3779 -

  • no-rfc3779 - *

  • md2

  • no-md2 - *

  • no-md4

  • no-md5

  • no-rc2

  • no-rc4

  • rc5

  • no-rc5 - *

  • no-hmac

  • no-ocsp - No revocation checking via Online Certificate Status Protocol (OCSP)

  • no-x509 - No certificate support

  • no-whirlpool

  • no-tls

  • no-tls1

  • no-dtls1

  • no-tls1-2-client

  • ssl2 *

  • no-ssl2 - Probably a good idea

  • ssl3 *

  • no-ssl3 - Maybe needed if too many legacy ciphers / digests are disabled

  • no-srp

  • no-srtp

  • no-sha0

  • no-sha1

  • no-sha

  • no-sha256

  • no-sha512

  • no-rmd160

  • no-rnrand

  • no-store -

  • enable-<cipher>

    • enable-ec_nistp_64_gcc_128
  • experimental-<cipher>

    • experimental-jpake
    • no-jpake - *
  • -Dxxx - Define xxx

  • -lxxx - Link against library xxx

  • -Lxxx - Search path xxx for libraries to link against

  • -fxxx - Enable compiler feature xxx

  • -Kxxx

  • hw - *

  • no-hw - No external hardware (ie HSM) support

  • threads - Build threaded openssl*

  • no-threads - Build single-threaded openssl

  • shared - *

  • no-shared -

  • no-zlib - *

  • no-zlib-dynamic - *

  • zlib - May enable CRIME and BEAST attacks.

  • zlib-dynamic - May enable CRIME and BEAST attacks.

  • no-asm - No assembly

  • no-dso - No shared libraries

  • krb5 - Build with Kerberos v5 support

  • no-krb5 - Build without Kerberos v5 support*

  • sctp - Build with SCTP support (an IP protocol)

  • no-sctp - Build without SCTP support (an IP protocol)*

  • 386

  • --prefix

  • --openssldir

  • --test-sanity

  • os/compiler

    • darwin-i386-cc - OSX 32-bit
    • darwin64-x86_64-cc - OSX 64-bit
@steakknife

This comment has been minimized.

Copy link
Owner Author

steakknife commented Apr 1, 2016

openssl-1.1.0 (prerelease, non-beta)

no-aes
no-afalgeng
no-algorithms
no-asm
no-async
no-autoalginit
no-autoerrinit
no-bf
no-blake2
no-camellia
no-cast
no-chacha
no-cmac
no-cms
no-comp
no-crypto-mdebug
no-crypto-mdebug-backtrace
no-ct
no-decc-init
no-deprecated
no-des
no-dgram
no-dh
no-dsa
no-dtls
no-dtls1
no-dtls1-2
no-dtls1-2-method
no-dtls1-method
no-dynamic-engine
no-ec
no-ec2m
no-ec-nistp-64-gcc-128
no-egd
no-engine
no-err
no-gost
no-heartbeats
no-hmac
no-hw
no-hw-padlock
no-idea
no-inline-asm
no-md2
no-md4
no-md5
no-mdc2
no-multiblock
no-nextprotoneg
no-ocb
no-ocsp
no-poly1305
no-posix-io
no-psk
no-rc2
no-rc4
no-rc5
no-rdrand
no-rfc3779
no-rmd160
no-rsa
no-scrypt
no-sct
no-sctp
no-seed
no-sha
no-sha1
no-sock
no-srp
no-srtp
no-ssl
no-ssl3
no-ssl3-method
no-ssl-trace
no-stdio
no-tls
no-tls1
no-tls1-1
no-tls1-1-method
no-tls1-2
no-tls1-2-method
no-tls1-method
no-ts
no-ui
no-unit-test
no-weak-ssl-ciphers
no-whirlpool
@21Arti

This comment has been minimized.

Copy link

21Arti commented Nov 11, 2019

Hi,
Can we enable CCM ciphers with openssl 1.0.2k version

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.