From 0de4e6e0703f47be954f4cfa37648dd58665c819 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 30 Nov 2020 12:55:39 +0000 Subject: Fix build with skalibs 2.10.0.0; document dependencies --- INSTALL | 70 +++++++++++++++++++++++++++++++++++++++-------------------------- 1 file changed, 42 insertions(+), 28 deletions(-) (limited to 'INSTALL') diff --git a/INSTALL b/INSTALL index 37e0076..b7f9a64 100644 --- a/INSTALL +++ b/INSTALL @@ -6,13 +6,15 @@ Build Instructions - A POSIX-compliant C development environment - GNU make version 3.81 or later - - skalibs version 2.9.4.0 or later: https://skarnet.org/software/skalibs/ - - (Optional) execline version 2.6.1.1 or later: https://skarnet.org/software/execline/ - - s6 version 2.9.2.0 or later: https://skarnet.org/software/s6/ + - skalibs version 2.10.0.0 or later: https://skarnet.org/software/skalibs/ + - (Optional) execline version 2.7.0.0 or later: https://skarnet.org/software/execline/ + - s6 version 2.10.0.0 or later: https://skarnet.org/software/s6/ - s6-dns version 2.3.3.0 or later: https://skarnet.org/software/s6-dns/ - Depending on whether you build the SSL tools, - libressl version 3.1.4 or later: https://libressl.org/ - or bearssl version 0.6 or later: https://bearssl.org/ + bearssl version 0.6 or later: https://bearssl.org/ + or libressl version 3.2.2 or later: https://libressl.org/ + or openssl version 1.1.1h or later: https://openssl.org/ *in addition to* + libretls version 3.3.0 or later: https://git.causal.agency/libretls/about/ This software will run on any operating system that implements POSIX.1-2008, available at: 
@@ -182,14 +184,22 @@ source tree if parallel builds are needed. * SSL support ----------- - s6-networking implements UCSPI tools for SSL/TLS connections: s6-tlsclient, -s6-tlsserver, s6-tlsc and s6-tlsd. Those are built if you give the ---enable-ssl= flag to configure. There are two supported -values for : libressl (in which case the tools will be -built against libtls) and bearssl (in which case the tools will be built -against libbearssl). You should install the relevant header and library -files for your chosen implementation, be it LibreSSL or BearSSL, before -building a SSL-enabled s6-networking. + s6-networking implements UCSPI tools for SSL/TLS connections: see the +doc/tls-overview.html page for a listing of these tools and what they do. +The TLS tools are built if you give the --enable-ssl= +flag to configure. There are two supported values for : +bearssl and libtls. You should install the relevant header and library +files for your chosen implementation before building a SSL-enabled +s6-networking. + "bearssl" uses the BearSSL API, of which there's only one implementation, +from bearssl.org. + "libtls" uses the libtls API, which has two possible implementations: + - The original one, from libressl.org, bundled with LibreSSL + - An alternative one, from causal.agency, that is used on top of +OpenSSL. + + For compatibility, "libressl" is accepted as and is +an alias to libtls. If your SSL headers and library files are not installed in /usr/include and /usr/lib, you can use the --with-ssl-path=DIR configure option: 
@@ -198,23 +208,27 @@ DIR/lib. For more complex setups, use the generic --with-include and --with-dir configure options. If you choose --enable-ssl=bearssl, then s6-networking will build a -"libsbearssl" support library, which s6-tlsc and s6-tlsd will be linked -against. This support library depends on libbearssl interfaces. - - If you choose --enable-ssl=libressl, then s6-networking will build -a "libstls" support library, which s6-tlsc and s6-tlsd will be linked -against. This support library depends on libtls interfaces, but not -on libssl or libcrypto interfaces - so it is possible to use alternative -implementations of the libtls API. +"libsbearssl" support library, which s6-tlsc-io and s6-tlsd-io will be +linked against. This support library depends on libbearssl interfaces. + + If you choose --enable-ssl=libtls, then s6-networking will build a +"libstls" support library, which s6-tlsc-io and s6-tlsd-io will be +linked against. This support library depends on libtls interfaces, but +not on libssl or libcrypto interfaces, so it is possible to use other +alternative implementations of the libtls API. There is one such +implementation: libtls-bearssl, implementing libtls on top of bearssl, +but using it with s6-networking is a waste since s6-networking supports +bearssl natively. If your SSL implementation library needs nonstandard -l options to link against it, you can override the CRYPTO_LIB make variable. -By default, CRYPTO_LIB is "-lbearssl" when building against BearSSL, -and "-ltls -lssl -lcrypto" when building against LibreSSL. +By default, CRYPTO_LIB is "-lbearssl" when building against bearssl, +and "-ltls -lssl -lcrypto" when building against libtls. - As of 2019-02-12, please note that BearSSL is considered beta quality + As of 2020-11-30, please note that BearSSL is considered beta quality by its author, so use with caution. Nevertheless, it's an incredibly -promising library with high-quality interfaces and implementation. 
-When statically linked against BearSSL, the s6-tlsc and s6-tlsd binaries -are 1/10th the size of what they are when statically linked against LibreSSL, -with a smaller RAM footprint too. +good beta, with high-quality interfaces and implementation, and no +known serious bugs. +When statically linked against BearSSL, the s6-tlsc-io and s6-tlsd-io +binaries are 1/10th the size of what they are when statically linked +against libressl/openssl, with a much smaller RAM footprint too. -- cgit v1.2.3
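Review bot: In the dependency list hunk (@@ -6,13 +6,15 @@), the new SSL entries leave it unclear what "*in addition to* libretls version 3.3.0 or later" applies to. As laid out, it can be read as a requirement alongside any of bearssl, libressl or openssl. The SSL support section says the causal.agency implementation is the one used on top of OpenSSL, so consider grouping the last two entries, for example "or openssl version 1.1.1h or later together with libretls version 3.3.0 or later". That way a reader who installs only OpenSSL is not left without a libtls implementation.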
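Review bot: In the SSL support hunk (@@ -182,14 +184,22 @@), the bullet "An alternative one, from causal.agency, that is used on top of OpenSSL" never names the library, while the dependency list calls it libretls. Naming it here would let readers connect the two sections. It would also help to state explicitly that the OpenSSL plus libretls combination is selected with --enable-ssl=libtls, since the only values this section describes are bearssl, libtls and the "libressl" compatibility alias.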
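Review bot: In the last hunk (@@ -198,23 +208,27 @@), the CRYPTO_LIB paragraph gives the default as "-ltls -lssl -lcrypto" when building against libtls, yet the paragraph just above it says libstls does not depend on libssl or libcrypto and points to libtls-bearssl as another implementation. Suggest adding a sentence that CRYPTO_LIB may need to be overridden when the chosen libtls implementation is not backed by libssl and libcrypto. Separately, the "1/10th the size" comparison was written for LibreSSL and now reads "libressl/openssl" with "a much smaller RAM footprint". It is worth confirming the figure was re-measured against OpenSSL, or wording it less precisely.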