user2636538

Reputation: 93

Compiling the openssl binary statically

The openssl binary generated by the config & make commands when building from the source tarball is dynamically linked to these libraries:

    linux-vdso.so.1 =>  (0x00007fffa75fe000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007ff7f79ab000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ff7f75e2000)
    /lib64/ld-linux-x86-64.so.2 (0x00007ff7f7bd2000)

My guess is that if I can link statically to libgcc, the dependencies on the other shared libraries will disappear too.

Question is how do I get the Configure script to generate a statically linked binary?

Will the process be the same for building on Windows as well?

Upvotes: 9

Views: 29916

Answers (6)

Antoni

Reputation: 356

The OpenSSL Compilation and Install instructions advise using Configure over config, as the difference between them is that Configure properly handles the host-arch-compiler triplet, and config does not.

The INSTALL.md instructs to use flags -no-shared and -no-pinshared at the same time to enable static library compilation:

    ./Configure -no-shared -no-pinshared

Upvotes: 0

Paul Tobias

Reputation: 2193

Get the source. I used git because I find it easier, but downloading the source tar.gz works too:

    $ git clone git://git.openssl.org/openssl.git
    Cloning into 'openssl'...
    remote: Counting objects: 394745, done.
    remote: Compressing objects: 100% (102341/102341), done.
    remote: Total 394745 (delta 288534), reused 387444 (delta 281591)
    Receiving objects: 100% (394745/394745), 92.39 MiB | 911.00 KiB/s, done.
    Resolving deltas: 100% (288534/288534), done.
    Updating files: 100% (24047/24047), done.

Check the remote branches (git branch -r) or tags (git tag) and choose the version to build. I used the latest 1.1.1j:

    $ cd openssl
    $ git checkout OpenSSL_1_1_1j
    Note: switching to 'OpenSSL_1_1_1j'.
    ...
    HEAD is now at 52c587d60b Prepare for 1.1.1j release

Run ./config with the -static parameter.

    $ ./config -static
    Operating system: x86_64-whatever-linux2
    Configuring OpenSSL version 1.1.1j (0x101010afL) for linux-x86_64
    Using os-specific seed configuration
    Creating configdata.pm
    Creating Makefile

    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL file first)         ***
    ***                                                                ***
    **********************************************************************

I got this -static parameter from the INSTALL file:

    -Dxxx, -Ixxx, -Wp, -lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
                     These system specific options will be recognised and
                     passed through to the compiler to allow you to define
                     preprocessor symbols, specify additional libraries, library
                     directories or other compiler options. It might be worth
                     noting that some compilers generate code specifically for
                     processor the compiler currently executes on. This is not
                     necessarily what you might have in mind, since it might be
                     unsuitable for execution on other, typically older,
                     processor. Consult your compiler documentation.

Compile:

    $ make -j`nproc`
    ...

Check if it's a static binary:

    $ ldd apps/openssl
        not a dynamic executable
    $ file apps/openssl
    apps/openssl: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=286e4615c57e3c21b8e566eb2a046353fe2308c0, for GNU/Linux 3.2.0, with debug_info, not stripped

No need to manually edit the Makefile. Unfortunately I don't know how to do it on Windows.

Upvotes: 3
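
An added example (not part of the original answer): the same static-linkage check done in Python by reading the ELF program headers rather than running ldd, whose man page warns against using it on untrusted executables because it may execute them. The names `elf_linkage` and `sample_elf64` are hypothetical, and `sample_elf64` builds a constructed header-only image used only for testing.

```python
import struct

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification

def elf_linkage(data: bytes) -> str:
    """Classify an ELF executable as 'static', 'static-pie' or 'dynamic'.

    Only the ELF header and program headers are parsed; nothing is executed.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    types = set()
    for i in range(e_phnum):
        # p_type is the first 32-bit field of a program header in both classes
        p_type, = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        types.add(p_type)
    if PT_INTERP in types:
        return "dynamic"      # requests a runtime loader such as ld-linux
    if PT_DYNAMIC in types:
        return "static-pie"   # self-relocating, but no loader is requested
    return "static"

def sample_elf64(p_types):
    """Constructed test image: ELF64 little-endian header plus bare program headers."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:      # e.g. apps/openssl
        print(sys.argv[1], elf_linkage(fh.read()))
```

A result of `static` or `static-pie` means the binary carries its own copy of libcrypto and libc, so it has to be rebuilt to pick up security fixes in either.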

un-CharlieH

Reputation: 127

For Windows I successfully used this sequence:

  • clone OpenSSL_1_1_1-static branch
  • Follow Windows instructions to install Perl, Netwide Assembler (NASM); add these exe's into PATH
  • Using Visual Studio 2017 command prompt; cd openssl
  • perl Configure VC-WIN32 /MT
    • Note: -static is invalid for Windows
  • edit makefile, find '/MD' flag and remove it (/MT will be used)
  • nmake
    • nmake test
    • nmake install

Then link libraries libcrypto_static.lib, libssl_static.lib to your program, which also must be compiled with /MT (/MTd for debug).

Other Visual Studio compiler versions should work the same.

Note: depending on the use case, the flag -D"OPENSSL_USE_APPLINK" may need to be removed from the makefile and the static libraries recompiled.

Upvotes: 3

mppf

Reputation: 1845

What worked for me is to pass -static and --static to the ./config step. --no-shared seems documented in INSTALL but led to build failures. -static by itself also led to build failures.

    ./config --static -static

Upvotes: 5

user1279887

Reputation: 518

I wasn't able to get the above solution to work. The linker threw errors about _dlopen being undefined.

I added the no-shared option to the config line, and this built openssl statically linked to the openssl libraries.

It is still dependent on libsocket.so.2, libnsl.so, libz.so, and libc.so.1.

Upvotes: 2

Robb

Reputation: 11

I came across this post while searching for the same exact thing. I do not know the proper syntax to get the configure script to do this, but this is how I achieved it.

    cd /tmp
    wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
    tar -zxvf openssl-1.0.1e.tar.gz
    cd openssl-1.0.1e
    ./config

I then added "-static -static-libgcc" to the CFLAG line of openssl-1.0.1e/Makefile (note this was AFTER I ran ./config). Then I built it like normal.

    make INSTALL_PREFIX=/tmp/package-root install

It is now statically compiled:

    $ ldd /tmp/package-root/usr/local/ssl/bin/openssl
        not a dynamic executable

Upvotes: 1
