
Linux OPENSSL Server

火星人 @ 2014-03-12
  
2001-05-13 11:15

Posted by: netbull

LinuxByte note: OpenSSL can be downloaded from this site.

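Overview

Advantages of Encryption

Data confidentiality
Data integrity
Authentication
Patents

Notes

Things to Watch When Installing Packages

Package Source

Compilation

Compiling and Optimizing

Configuration

Configuring the "/etc/ssl/openssl.cnf" file
Creating the "/usr/bin/sign.sh" script

Securing OpenSSL

Commands

Create a passphrase-protected RSA private key for the Apache server
Create a Certificate Signing Request (CSR) with the server's RSA private key
Create an RSA private key for your own CA
Create a self-signed certificate (x509 structure) with the CA's RSA key
Sign a certificate request (with your own CA)

Files Installed on the System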

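Overview
The OpenSSL project is a collaborative effort to develop a robust, commercial-grade, full-featured, open-source toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) with strong cryptographic algorithms.

The project is managed by volunteers from all over the world, who use the Internet to communicate, plan, and develop the OpenSSL toolkit and its documentation.

Advantages of Encryption
Data confidentiality
Encrypting information means converting a plain-text input file into an encrypted file with an encryption algorithm, which keeps the data confidential. The process needs a key to encrypt the data and later decrypt it. Without the key, the encrypted data cannot be decrypted. Once the data is encrypted, only the key has to be transmitted by a secure method; the encrypted data itself can be sent openly.

Data integrity
Encryption can also guarantee data integrity. For example, a cryptographic checksum, also called a Message Authentication Code (MAC), can validate the encrypted information a user supplies. The encrypted data is sent to the recipient together with the MAC, and the recipient uses the MAC to check the encrypted data and make sure it has not been tampered with.

Authentication
Another use of encryption is personal identification: a user's key can serve as the identifier that authenticates that user.

Patents
Various companies hold patents on various algorithms around the world. Before using an encryption algorithm, check whether it is restricted by patents in your country. Some patented algorithms are listed below (the list may not be accurate):

RSA Data Security holds patents on the RSA and RC5 algorithms in the United States and Japan. You must contact RSA Data Security for the licensing terms. Its home page is: http://www.rsa.com/

RC4 is a trademark of RSA Data Security; using the mark requires permission from RSA Data Security.

The IDEA algorithm is patented in Australia, France, Germany, Italy, Japan, the Netherlands, Spain, Sweden, Switzerland, the United Kingdom and the United States. A license is required to use this algorithm. Its home page is: http://www.ascom.ch/

Notes

All commands below are Unix-compatible commands.
The source path is "/var/tmp" (other paths can of course be used in practice).
The installation was tested on RedHat Linux 6.1.
Perform the installation as the "root" user.
The OpenSSL version is 0.9.4.

Things to Watch When Installing Packages
It is best to make a list of all files on the system both before and after compiling, then compare the two lists with the "diff" command to find the differences and learn exactly where the software was installed. Simply run "find /* >ssl1" before compiling, run "find /* > ssl2" after compiling and installing the software, and finally use "diff ssl1 ssl2 > ssl" to find the changes.

Package Source
The OpenSSL home page is: http://www.openssl.org/

Download: openssl-0.9.4.tar.gz

Compilation
Unpack the package (tar.Z):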

[root@deep]# cp openssl_version.tar.gz /var/tmp
[root@deep]# cd /var/tmp
[root@deep]# tar xzpf openssl_version.tar.gz

Compiling and Optimizing
Change to the OpenSSL directory.

Step 1

Edit the "c_rehash" file (vi +11 tools/c_rehash) and change:

DIR=/usr/local/ssl

to:

DIR=/usr

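This change makes the OpenSSL build and install use "/usr" as the default directory.

Step 2

By default OpenSSL sets the path of the Perl program to "/usr/local/bin/perl". The line "#!/usr/local/bin/perl" must be changed in all scripts, because on RedHat Linux Perl lives in "/usr/bin". Use the following command:

[root@deep]# perl util/perlpath.pl /usr/bin    # the directory where your perl program resides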

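Step 3

To compile OpenSSL successfully, the build must know the path where the libraries are located. Set the library path environment variable with the following command:

[root@deep]# export LD_LIBRARY_PATH=`pwd`

Set the compiler options:

CC="egcs" \
./Configure linux-elf -DSSL_FORBID_ENULL \
--prefix=/usr \
--openssldir=/etc/ssl

Note: for security reasons "no encryption" must be forbidden, so the "-DSSL_FORBID_ENULL" parameter is required.

Edit the "Makefile.ssl" file (vi +52 Makefile.ssl) and add: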

CFLAG= -DTHREADS -D_REENTRANT -DSSL_FORBID_ENULL -DL_ENDIAN -DTERMIO -O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM

These are the optimization parameters for compiling OpenSSL.

Edit the "Makefile.ssl" file (vi +77 Makefile.ssl) and add:

PROCESSOR= 686

Note: use 586 for a Pentium CPU, 686 for a PentiumPro/II/III, and 486 for a 486.

[root@deep]# make -f Makefile
[root@deep]# make test
[root@deep]# make install
[root@deep]# mv /etc/ssl/misc/* /usr/bin/
[root@deep]# rm -rf /etc/ssl/misc/
[root@deep]# rm -rf /etc/ssl/lib/
[root@deep]# rm -f /usr/bin/CA.pl
[root@deep]# rm -f /usr/bin/CA.sh
[root@deep]# install -m 644 libRSAglue.a /usr/lib/
[root@deep]# install -m 644 rsaref/rsaref.h /usr/include/openssl/
[root@deep]# strip /usr/bin/openssl
[root@deep]# mkdir -p /etc/ssl/crl

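The "make -f" command builds the OpenSSL libraries (libcrypto.a and libssl.a) and the OpenSSL binary "openssl". After the build, the libraries are in the top-level directory and the binary is in the "apps" subdirectory. After a successful build, "make test" checks that the libraries work correctly. Finally, "make install" installs OpenSSL.

The "mv" command moves all files under "/etc/ssl/misc" to "/usr/bin". On our system all binaries live in "/usr/bin", so these binaries are moved there as well.

The "rm" commands remove the "/etc/ssl/misc" and "/etc/ssl/lib" directories, because the files they held are now located elsewhere. "CA.pl" and "CA.sh" are small scripts used to create CA certificates. They are tied to the "openssl ca" command, which has some odd requirements. With the default OpenSSL configuration, "openssl ca" is not easy to use, so later we replace these scripts with the "sign.sh" script.

Clean up unneeded files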

[root@deep]# cd /var/tmp
[root@deep]# rm -rf openssl-version/ openssl_version.tar.gz

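The "rm" command removes all the source files that were needed to compile and install OpenSSL, together with the compressed OpenSSL archive.

Configuration
The "floppy.tgz" file at http://pages.infinit.net/lotus1/doc/opti/floppy.tgz contains, in the corresponding directories, the configuration files for all the software covered in this book. With it there is no need to recreate these files by hand or to copy and paste them into configuration files. Whether you plan to create the configuration files yourself or copy the ready-made ones, you need to learn how to modify them and copy them to the correct directories. The details follow.

To run the OpenSSL server, the following files must be created or copied to the appropriate directories:

- Copy the "openssl.cnf" file to the "/etc/ssl" directory

- Copy the "sign.sh" file to the "/usr/bin" directory

After unpacking "floppy.tgz" you can locate the files listed above and copy them to the appropriate directories, or you can copy and paste them directly from this book.

Configuring the "/etc/ssl/openssl.cnf" file
This is the general configuration file for the openssl program. It can set the key expiration time, the company name, the address, and so on. The settings that need changing are in the [CA_default] and [req_distinguished_name] sections.

Edit the "openssl.cnf" file (vi /etc/ssl/openssl.cnf) and add or change: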

# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = $ENV::HOME/.rnd
oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by ca and eq.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/ssl # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/ca.db.index # database index file.
new_certs_dir = $dir/ca.db.certs # default place for new certs.
certificate = $dir/certs/ca.crt # The CA certificate
serial = $dir/ca.db.serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/ca.db.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days = 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the anything policy
# At this point in time, you must list all acceptable object
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CA
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Quebec
localityName = Locality Name (eg, city)
localityName_default = Montreal
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Open Network Architecture
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Internet Department
commonName = Common Name (eg, YOUR name)
commonName_default = www.openarch.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = admin@openarch.com
emailAddress_max = 40
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when ca signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscapes comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
[ v3_ca]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# RAW DER hex encoding of an extension: beware experts only!
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always

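Note: after OpenSSL has been compiled and installed, the "openssl.cnf" file already exists on the server, in the "/etc/ssl" directory. There is no need to change every default setting in this file; usually only the [CA_default] and [req_distinguished_name] sections need modification.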
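
As an added example (not part of the original article), the shell function below audits an openssl.cnf-style file section by section for the two settings this file fixes at values now considered weak: default_md = md5 and default_bits = 1024. The function names, the 2048-bit threshold, the digest deny-list and the sample fragment (including its hardened_req section) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Names and thresholds are
# assumptions of this sketch.

# audit_openssl_cnf [FILE...]   (reads stdin when no file is given)
# Prints one line per finding: "<section>: <key> = <value> (<reason>)".
audit_openssl_cnf() {
    awk '
    # Drop comments, then leading and trailing whitespace.
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
    $0 == "" { next }
    # Section header such as "[ CA_default ]" or "[ v3_ca]".
    /^\[.*\]$/ {
        section = $0
        gsub(/^\[[ \t]*/, "", section)
        gsub(/[ \t]*\]$/, "", section)
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "default_md" && tolower(val) ~ /^(md2|md4|md5|mdc2|sha1?)$/)
            printf "%s: %s = %s (weak digest)\n", section, key, val
        if (key == "default_bits" && val ~ /^[0-9]+$/ && val + 0 < 2048)
            printf "%s: %s = %s (RSA key below 2048 bits)\n", section, key, val
    }' "$@"
}

# Constructed sample: the first two sections repeat values from the file
# above, the third is a hypothetical corrected section for contrast.
sample_cnf() {
    cat <<'EOF'
[ CA_default ]
dir = /etc/ssl # Where everything is kept
default_days = 365 # how long to certify for
default_md = md5 # which md to use.
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
[ hardened_req ]
default_bits = 2048
default_md = sha256
EOF
}

sample_cnf | audit_openssl_cnf
```

The same function can be pointed at the installed file with "audit_openssl_cnf /etc/ssl/openssl.cnf"; the ca.config written by sign.sh carries its own default_md line and can be checked the same way.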

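Creating the "/usr/bin/sign.sh" script
The "openssl ca" command has some odd requirements, and the default OpenSSL configuration does not make it easy to use "openssl ca" directly, so we use the "sign.sh" script in its place.

Create the "sign.sh" script (touch /usr/bin/sign.sh) and add: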

#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) 1998-1999 Ralf S. Engelschall, All Rights Reserved.
##
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: sign.sh <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case "$CSR" in
    # escape the dot and anchor the match so only a trailing ".csr" is replaced
    *.csr ) CERT=$(echo "$CSR" | sed -e 's/\.csr$/.crt/') ;;
    * ) CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo 1 >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat >ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = /etc/ssl
certs = /etc/ssl/certs
new_certs_dir = /etc/ssl/ca.db.certs
database = /etc/ssl/ca.db.index
serial = /etc/ssl/ca.db.serial
RANDFILE = /etc/ssl/ca.db.rand
certificate = /etc/ssl/certs/ca.crt
private_key = /etc/ssl/private/ca.key
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out $CERT -infiles $CSR
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT
# cleanup after SSLeay
rm -f ca.config
rm -f ca.db.serial.old
rm -f ca.db.index.old
# die gracefully
exit 0

Now make the script executable and change its default permissions:

[root@deep]# chmod 755 /usr/bin/sign.sh

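Note: after unpacking "floppy.tgz", the "sign.sh" file can be found in the "mod_ssl-version/pkg.contrib" directory. Adapt the [CA_own] section to your own setup, and do not forget to change the line "openssl verify -CAfile /etc/ssl/certs/ca.crt $CERT".

Securing OpenSSL
Set the keys so that only the superuser "root" can read and write them. Nobody else must be able to access these files.

Use the following commands so that the keys can be read and written only by "root":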

[root@deep]# chmod 600 /etc/ssl/certs/ca.crt
[root@deep]# chmod 600 /etc/ssl/certs/server.crt
[root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/ca.key
[root@deep]# chmod 600 /chroot/httpd/etc/ssl/private/server.key

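Commands
Listed below are some commands we use frequently. There are many more; see the man pages or other documentation for details.

In the following example we show how to create certificates for the Apache web server:

Note: all of the following commands are run in the "/etc/ssl" directory.

Create a passphrase-protected RSA private key for the Apache server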
[root@deep]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
......................+++++
.....+++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

Back up the "server.key" file, and remember to enter the passphrase only in a secure place.

Create a Certificate Signing Request (CSR) with the server's RSA private key
[root@deep]# openssl req -new -key server.key -out server.csr
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:
Common Name (eg, YOUR name) [www.openarch.com]:
Email Address [admin@openarch.com]:
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

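Now the CSR (Certificate Signing Request) can be sent to a Certifying Authority (CA) to be signed. Once signed, the CSR becomes a real certificate that Apache can use. There are two options. First, a commercial CA such as Verisign or Thawte can sign the CSR. Usually you submit the CSR on the web, pay the signing fee, wait for the signed certificate, and save the certificate you receive as the server.crt file. Second, you can sign the certificate with your own CA. The following shows how to sign the CSR with your own CA.

First, make sure that when OpenSSL prompts for the "CommonName" you enter the server's FQDN (Fully Qualified Domain Name). For example, to create a CSR for a site that will later be accessed as http://www.mydomain.com, enter www.mydomain.com here.

Create an RSA private key for your own CA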
[root@deep]# openssl genrsa -des3 -out ca.key 1024

Generating RSA private key, 1024 bit long modulus
...........................+++++
............................................+++++
e is 65537 (0x10001)
Enter PEM pass phrase:

Back up the ca.key file. Remember to enter the passphrase only in a secure place.

Create a self-signed certificate (x509 structure) with the CA's RSA key
[root@deep]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Quebec]:
Locality Name (eg, city) [Montreal]:
Organization Name (eg, company) [Open Network Architecture]:
Organizational Unit Name (eg, section) [Internet Department]:CA Marketing
Common Name (eg, YOUR name) [www.openarch.com]:
Email Address [admin@openarch.com]:
[root@deep]# mv server.key private/
[root@deep]# mv ca.key private/
[root@deep]# mv ca.crt certs/

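Note: when the "-x509" option is used, the "req" command creates a self-signed certificate.

Sign a certificate request (with your own CA)
A script for signing certificates is required, because the "openssl ca" command has some odd requirements and the default OpenSSL configuration does not make it easy to use "openssl ca" directly. This calls for a script named "sign.sh", which can be found in the corresponding directory after unpacking "floppy.tgz". Use this script to do the signing.

Now sign the server's CSR with this CA to create a real SSL certificate for the Apache server (assuming you already have the "server.csr" file).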

[root@deep]# /usr/bin/sign.sh server.csr

Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:CA
stateOrProvinceName :PRINTABLE:Quebec
localityName :PRINTABLE:Montreal
organizationName :PRINTABLE:Open Network Architecture
organizationalUnitName :PRINTABLE:Internet Department
commonName :PRINTABLE:www.openarch.com
emailAddress :IA5STRING:admin@openarch.com
Certificate is to be certified until Dec 1 14:59:29 2000 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

The command above signed the CSR and saved the result as the "server.crt" file.

[root@deep]# mv server.crt certs/

There are now two files: "server.key" and "server.crt". Add the following to Apache's configuration file "httpd.conf":

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

The "server.csr" file is no longer needed.

[root@deep]# rm -f server.csr
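
As an added example (not part of the original article), the script below shows a pre-deployment check for the two files named in httpd.conf: that the private key really belongs to the certificate, and that the certificate verifies against the CA certificate. The function names, the scratch directory and the example.test host name are assumptions; the throwaway demo CA signs with "openssl x509 -req" instead of sign.sh so that it runs without prompts or a CA database.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the scratch
# directory and the example.test host name are assumptions of this sketch.

# key_matches_cert KEY CRT
# Exit 0 if the RSA private key and the certificate share one modulus,
# 1 if they differ, 2 if either file cannot be parsed.
# A passphrase-protected key (as created with -des3) prompts as usual.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok CA_CRT CRT: exit 0 if CRT verifies against the CA certificate.
# The "<file>: OK" line is matched because old releases always exit 0.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# make_demo_pki DIR: throwaway CA, server key/CSR/cert and an unrelated key.
# Keys are unencrypted and 2048-bit so the demo runs without prompts.
make_demo_pki() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 1 -key "$d/ca.key" \
        -subj "/CN=Demo CA" -out "$d/ca.crt" &&
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/server.key" \
        -subj "/CN=www.example.test" -out "$d/server.csr" &&
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# preflight DIR: the checks to pass before editing httpd.conf.
preflight() {
    key_matches_cert "$1/server.key" "$1/server.crt" ||
        { echo "key/cert mismatch"; return 1; }
    chain_ok "$1/ca.crt" "$1/server.crt" ||
        { echo "chain does not verify"; return 1; }
    echo "ok"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" && preflight "$demo_dir"
rm -rf "$demo_dir"
```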

Files Installed on the System
> /etc/ssl
> /etc/ssl/crl
> /etc/ssl/certs
> /etc/ssl/private
> /etc/ssl/openssl.cnf
> /usr/bin/openssl
> /usr/bin/c_rehash
> /usr/bin/sign.sh
> /usr/bin/c_hash
> /usr/bin/c_info
> /usr/bin/c_issuer
> /usr/bin/c_name
> /usr/bin/der_chop
> /usr/include/openssl
> /usr/include/openssl/e_os.h
> /usr/include/openssl/e_os2.h
> /usr/include/openssl/crypto.h
> /usr/include/openssl/tmdiff.h
> /usr/include/openssl/opensslv.h
> /usr/include/openssl/opensslconf.h
> /usr/include/openssl/ebcdic.h
> /usr/include/openssl/md2.h
> /usr/include/openssl/md5.h
> /usr/include/openssl/sha.h
> /usr/include/openssl/mdc2.h
> /usr/include/openssl/hmac.h
> /usr/include/openssl/ripemd.h
> /usr/include/openssl/des.h
> /usr/include/openssl/rc2.h
> /usr/include/openssl/rc4.h
> /usr/include/openssl/rc5.h
> /usr/include/openssl/idea.h
> /usr/include/openssl/blowfish.h
> /usr/include/openssl/cast.h
> /usr/include/openssl/bn.h
> /usr/include/openssl/rsa.h
> /usr/include/openssl/dsa.h
> /usr/include/openssl/dh.h
> /usr/include/openssl/buffer.h
> /usr/include/openssl/bio.h
> /usr/include/openssl/stack.h
> /usr/include/openssl/safestack.h
> /usr/include/openssl/lhash.h
> /usr/include/openssl/rand.h
> /usr/include/openssl/err.h
> /usr/include/openssl/objects.h
> /usr/include/openssl/evp.h
> /usr/include/openssl/asn1.h
> /usr/include/openssl/asn1_mac.h
> /usr/include/openssl/pem.h
> /usr/include/openssl/pem2.h
> /usr/include/openssl/x509.h
> /usr/include/openssl/x509_vfy.h
> /usr/include/openssl/x509v3.h
> /usr/include/openssl/conf.h
> /usr/include/openssl/txt_db.h
> /usr/include/openssl/pkcs7.h
> /usr/include/openssl/pkcs12.h
> /usr/include/openssl/comp.h
> /usr/include/openssl/ssl.h
> /usr/include/openssl/ssl2.h
> /usr/include/openssl/ssl3.h
> /usr/include/openssl/ssl23.h
> /usr/include/openssl/tls1.h
> /usr/include/openssl/rsaref.h
> /usr/lib/libcrypto.a
> /usr/lib/libssl.a
> /usr/lib/libRSAglue.a
> /var/lock/subsys/named


