Building OpenSSL 3.3.0 with QUIC and Open Quantum Safe (OQS) algorithm support on Linux.
📦 Installing dependencies
📦 Dependencies on the RHEL/CentOS family
Applies to RHEL, CentOS, Rocky Linux, AlmaLinux and similar distributions:
```bash
sudo dnf groupinstall -y "Development Tools"
sudo dnf install -y git cmake ninja-build perl-core python3 openssl-devel perl-CPAN
```
On CentOS 7, it is recommended to install GCC 9+ via devtoolset:
```bash
sudo yum install -y perl-CPAN
sudo yum install -y centos-release-scl
sudo yum install -y devtoolset-9
scl enable devtoolset-9 bash
```
📦 Dependencies on the Debian/Ubuntu family
```bash
sudo apt update
sudo apt install -y git cmake ninja-build build-essential perl python3 cpanminus
```
🧱 Preparing the working directory
```bash
export BUILD_PATH=$HOME/build-openssl-oqs
mkdir -p $BUILD_PATH && cd $BUILD_PATH
```
🔧 Step 1: Build OpenSSL with QUIC support
```bash
# OpenSSL's Configure needs IPC::Cmd; the second line is typed at the cpan> prompt
perl -MCPAN -e shell
install IPC/Cmd.pm

cd $BUILD_PATH
git clone --depth=1 --recursive -b openssl-3.3.0-quic1 https://github.com/quictls/openssl.git
cd openssl

./config --prefix=/usr/local/quictls
make -j$(nproc)
make -j$(nproc) install
```
🔒 Step 2: Build and install liboqs (quantum-safe cryptographic algorithms)
```bash
cd $BUILD_PATH
git clone --depth=1 --recursive https://github.com/open-quantum-safe/liboqs
mkdir liboqs/build && cd liboqs/build

cmake -G"Ninja" .. \
  -DCMAKE_INSTALL_PREFIX=/usr/local/oqs \
  -DBUILD_SHARED_LIBS=ON \
  -DOPENSSL_ROOT_DIR=/usr/local/quictls

ninja
ninja install
```
🧩 Step 3: Build and install the oqs-provider plugin
```bash
cd $BUILD_PATH
git clone --depth=1 --recursive https://github.com/open-quantum-safe/oqs-provider.git
mkdir oqs-provider/build && cd oqs-provider/build

cmake .. \
  -DOPENSSL_ROOT_DIR=/usr/local/quictls \
  -DCMAKE_INSTALL_PREFIX=/usr/local/oqs-provider \
  -DCMAKE_PREFIX_PATH=/usr/local/oqs

make -j$(nproc)
make install
```
⚙️ Step 4: Configure OpenSSL to load the oqs provider
Create the configuration file /etc/ssl/openssl-quic.cnf:
```ini
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect

[provider_sect]
default = default_sect
oqs = oqs_sect

[default_sect]
activate = 1

[oqs_sect]
activate = 1
module = /usr/local/quictls/lib64/ossl-modules/oqsprovider.so

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
```
🧪 Verifying the installation
Set the environment variables:
```bash
export OPENSSL_CONF=/etc/ssl/openssl-quic.cnf
export OPENSSL_MODULES=/usr/local/quictls/lib64/ossl-modules
export LD_LIBRARY_PATH=/usr/local/quictls/lib64:$LD_LIBRARY_PATH
```
Check that the provider is loaded:
```bash
OPENSSL_CONF=/etc/ssl/openssl-quic.cnf \
LD_LIBRARY_PATH=/usr/local/quictls/lib64:$LD_LIBRARY_PATH \
/usr/local/quictls/bin/openssl list -providers
```
The output should include:
```text
Providers:
  default
  oqs
```
List the supported algorithms:
```bash
OPENSSL_CONF=/etc/ssl/openssl-quic.cnf \
LD_LIBRARY_PATH=/usr/local/quictls/lib64:$LD_LIBRARY_PATH \
/usr/local/quictls/bin/openssl list -public-key-algorithms
```
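As an added check that is not part of the original guide, the following Python script automates the verification above: it reads the `module =` path from the config written in step 4, confirms that file exists (step 3 installs under a different prefix than the path the config names, so this is worth checking), then runs the quictls `openssl list -providers` with the guide's environment variables and requires both `default` and `oqs` to be active. The paths are the guide's defaults; the layout of the `openssl list -providers` output (provider names indented two spaces, their attributes four) is assumed from OpenSSL 3.x.

```python
import configparser
import os
import subprocess
import sys

QUICTLS_PREFIX = os.environ.get("QUICTLS_PREFIX", "/usr/local/quictls")  # step 1 --prefix
OPENSSL_BIN = os.path.join(QUICTLS_PREFIX, "bin", "openssl")
OPENSSL_CONF = os.environ.get("OPENSSL_CONF", "/etc/ssl/openssl-quic.cnf")  # step 4 file

def oqs_module_path(conf_text):
    """Return the `module =` value from [oqs_sect] of an openssl.cnf, or None.
    The leading `openssl_conf = ...` line sits outside any section, so wrap it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + conf_text)
    return cp.get("oqs_sect", "module", fallback=None)

def active_providers(list_output):
    """Parse `openssl list -providers` output into the names marked active.
    Assumes the OpenSSL 3.x layout: names indented 2 spaces, attributes 4."""
    names, current = [], None
    for line in list_output.splitlines():
        if line.startswith("  ") and not line.startswith("    "):
            current = line.strip()
        elif line.strip() == "status: active" and current:
            names.append(current)
    return names

def main():
    if not os.access(OPENSSL_BIN, os.X_OK):
        print("openssl binary not found:", OPENSSL_BIN, file=sys.stderr)
        return 1
    with open(OPENSSL_CONF) as f:
        module = oqs_module_path(f.read())
    if not module or not os.path.isfile(module):  # config names a .so that is not there
        print("oqs provider module not found:", module, file=sys.stderr)
        return 1
    # Same variables the guide exports before calling the quictls openssl binary.
    env = dict(os.environ, OPENSSL_CONF=OPENSSL_CONF,
               OPENSSL_MODULES=os.path.join(QUICTLS_PREFIX, "lib64", "ossl-modules"))
    env["LD_LIBRARY_PATH"] = os.path.join(QUICTLS_PREFIX, "lib64") + ":" + env.get("LD_LIBRARY_PATH", "")
    out = subprocess.run([OPENSSL_BIN, "list", "-providers"], env=env,
                         capture_output=True, text=True, check=True).stdout
    active = active_providers(out)
    print("active providers:", ", ".join(active) or "(none)")
    return 0 if {"default", "oqs"} <= set(active) else 1

if __name__ == "__main__":
    sys.exit(main())
```

A non-zero exit status means the build or the config is not usable as described; the message on stderr names which of the three checks failed.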
🧹 Uninstalling (optional)
```bash
sudo rm -rf /usr/local/quictls /usr/local/oqs /usr/local/oqs-provider
sudo rm /etc/ssl/openssl-quic.cnf
```
📌 Appendix: Automatic environment setup (optional)
Add the following to .bashrc or .zshrc:
```bash
export OPENSSL_CONF=/etc/ssl/openssl-quic.cnf
export OPENSSL_MODULES=/usr/local/quictls/lib64/ossl-modules
export LD_LIBRARY_PATH=/usr/local/quictls/lib64:$LD_LIBRARY_PATH
```
This guide is intended for developing and testing post-quantum cryptographic communication built on OpenSSL + OQS (for example TLS/QUIC).
🛠️ Example systemd service configuration (environment variables)
If you want to integrate the OQS-enabled OpenSSL with NGINX or another service, the environment variables must be set in the service's systemd unit configuration.
For example, edit /etc/systemd/system/nginx.service.d/openssl-oqs.conf (or /lib/systemd/system/nginx.service.d/openssl-oqs.conf):
```ini
[Service]
Environment="OPENSSL_CONF=/etc/ssl/openssl-quic.cnf"
Environment="OPENSSL_MODULES=/usr/local/quictls/lib64/ossl-modules"
# systemd does not expand $VAR in Environment=, so the path is given literally
Environment="LD_LIBRARY_PATH=/usr/local/quictls/lib64"
```
Then reload systemd and restart the service:
```bash
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart nginx
```
🌐 NGINX TLS configuration: OQS KEM groups (ssl_ecdh_curve)
Edit nginx.conf or the corresponding TLS server block:
```nginx
ssl_ecdh_curve X25519MLKEM768:SecP384r1MLKEM1024:SecP256r1MLKEM768:X25519:P-384:P-256;
```
Make sure NGINX starts in an environment that carries the correct OpenSSL library path and configuration.
Note: this requires an NGINX build linked against the quictls OpenSSL at compile time, or a dynamically linked build whose library path is pointed at it.