+ no-engine
+ Don't build support for loading engines.
+
+ no-err
+ Don't compile in any error strings.
+
+ enable-external-tests
+ Enable building of integration with external test suites.
+ This is a developer option and may not work on all platforms.
+ The only supported external test suite at the current time is
+ the BoringSSL test suite. See the file test/README.external
+ for further details.
+
+ no-filenames
+ Don't compile in filename and line number information (e.g.
+ for errors and memory allocation).
+
+ enable-fuzz-libfuzzer, enable-fuzz-afl
+ Build with support for fuzzing using either libfuzzer or AFL.
+ These are developer options only. They may not work on all
+ platforms and should never be used in production environments.
+ See the file fuzz/README.md for further details.
+
+ no-gost
+ Don't build support for GOST based ciphersuites. Note that
+ if this feature is enabled then GOST ciphersuites are only
+ available if the GOST algorithms are also available through
+ loading an externally supplied engine.
+
+ no-hw-padlock
+ Don't build the padlock engine.
+
+ no-makedepend
+ Don't generate dependencies.
+
+ no-multiblock
+ Don't build support for writing multiple records in one
+ go in libssl (Note: this is a different capability to the
+ pipelining functionality).
+
+ no-nextprotoneg
+ Don't build support for the NPN TLS extension.
+
+ no-ocsp
+ Don't build support for OCSP.
+
+ no-pic
+ Don't build with support for Position Independent Code.
+
+ no-posix-io
+ Don't use POSIX IO capabilities.
+
+ no-psk
+ Don't build support for Pre-Shared Key based ciphersuites.
+
+ no-rdrand
+ Don't use hardware RDRAND capabilities.
+
+ no-rfc3779
+ Don't build support for RFC3779 ("X.509 Extensions for IP
+ Addresses and AS Identifiers")
+
+ sctp
+ Build support for SCTP
+
+ no-shared
+ Do not create shared libraries, only static ones. See "Note
+ on shared libraries" below.
+
+ no-sock
+ Don't build support for socket BIOs
+
+ no-srp
+ Don't build support for SRP or SRP based ciphersuites.
+
+ no-srtp
+ Don't build SRTP support
+
+ no-sse2
+ Exclude SSE2 code paths from 32-bit x86 assembly modules.
+ Normally SSE2 extension is detected at run-time, but the
+ decision whether or not the machine code will be executed
+ is taken solely on CPU capability vector. This means that
+ if you happen to run OS kernel which does not support SSE2
+ extension on Intel P4 processor, then your application
+ might be exposed to "illegal instruction" exception.
+ There might be a way to enable support in kernel, e.g.
+ FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
+ there is a way to disengage SSE2 code paths upon application
+ start-up, but if you aim for wider "audience" running
+ such kernel, consider no-sse2. Both the 386 and
+ no-asm options imply no-sse2.
+
+ enable-ssl-trace
+ Build with the SSL Trace capabilities (adds the "-trace"
+ option to s_client and s_server).
+
+ no-static-engine
+ Don't build the statically linked engines. This only
+ has an impact when not built "shared".
+
+ no-stdio
+ Don't use anything from the C header file "stdio.h" that
+ makes use of the "FILE" type. Only libcrypto and libssl can
+ be built in this way. Using this option will suppress
+ building the command line applications. Additionally since
+ the OpenSSL tests also use the command line applications the
+ tests will also be skipped.
+
+ no-tests
+ Don't build test programs or run any test.
+
+ no-threads
+ Don't try to build with support for multi-threaded
+ applications.
+
+ threads
+ Build with support for multi-threaded applications. Most
+ platforms will enable this by default. However if on a
+ platform where this is not the case then this will usually
+ require additional system-dependent options! See "Note on
+ multi-threading" below.
+
+ enable-tls13downgrade
+ TODO(TLS1.3): Make this enabled by default and remove the
+ option when TLSv1.3 is out of draft
+ TLSv1.3 offers a downgrade protection mechanism. This is
+ implemented but disabled by default. It should not typically
+ be enabled except for testing purposes. Otherwise this could
+ cause problems if a pre-RFC version of OpenSSL talks to an
+ RFC implementation (it will erroneously be detected as a
+ downgrade).
+
+ no-ts
+ Don't build Time Stamping Authority support.
+
+ enable-ubsan
+ Build with the Undefined Behaviour sanitiser. This is a
+ developer option only. It may not work on all platforms and
+ should never be used in production environments. It will only
+ work when used with gcc or clang and should be used in
+ conjunction with the "-DPEDANTIC" option (or the
+ --strict-warnings option).
+
+ no-ui
+ Don't build with the "UI" capability (i.e. the set of
+ features enabling text based prompts).
+
+ enable-unit-test
+ Enable additional unit test APIs. This should not typically
+ be used in production deployments.
+
+ enable-weak-ssl-ciphers
+ Build support for SSL/TLS ciphers that are considered "weak"
+ (e.g. RC4 based ciphersuites).
+
+ zlib
+ Build with support for zlib compression/decompression.
+
+ zlib-dynamic
+ Like "zlib", but has OpenSSL load the zlib library
+ dynamically when needed. This is only supported on systems
+ where loading of shared libraries is supported.
+
+ 386
+ In 32-bit x86 builds, when generating assembly modules,
+ use the 80386 instruction set only (the default x86 code
+ is more efficient, but requires at least a 486). Note:
+ This doesn't affect code generated by compiler, you're
+ likely to complement configuration command line with
+ suitable compiler-specific option.
+
+ enable-tls1_3
+ TODO(TLS1.3): Make this enabled by default
+ Build support for TLS1.3. Note: This is a WIP feature and
+ only a single draft version is supported. Implementations
+ of different draft versions will negotiate TLS 1.2 instead
+ of (draft) TLS 1.3. Use with caution!!
+
+ no-<prot>
+ Don't build support for negotiating the specified SSL/TLS
+ protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
+ dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
+ tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
+ disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
+ with "no-ssl3". Note this only affects version negotiation.
+ OpenSSL will still provide the methods for applications to
+ explicitly select the individual protocol versions.
+
+ no-<prot>-method
+ As for no-<prot> but in addition do not build the methods for
+ applications to explicitly select individual protocol
+ versions.
+
+ enable-<alg>
+ Build with support for the specified algorithm, where <alg>
+ is one of: md2 or rc5.
+
+ no-<alg>
+ Build without support for the specified algorithm, where
+ <alg> is one of: bf, blake2, camellia, cast, chacha, cmac,
+ des, dh, dsa, ecdh, ecdsa, idea, md4, mdc2, ocb, poly1305,
+ rc2, rc4, rmd160, scrypt, seed, siphash, sm3, sm4 or
+ whirlpool. The "ripemd" algorithm is deprecated and if used
+ is synonymous with rmd160.
+
+ -Dxxx, lxxx, -Lxxx, -Wl, -rpath, -R, -framework, -static
+ These system specific options will be recognised and
+ passed through to the compiler to allow you to define
+ preprocessor symbols, specify additional libraries, library
+ directories or other compiler options. It might be worth
+ noting that some compilers generate code specifically for
+ processor the compiler currently executes on. This is not
+ necessarily what you might have in mind, since it might be
+ unsuitable for execution on other, typically older,
+ processor. Consult your compiler documentation.
+
+ -xxx, +xxx
+ Additional options that are not otherwise recognised are
+ passed through as they are to the compiler as well. Again,
+ consult your compiler documentation.
+
+ VAR=value
+ Assignment if environment variable for Configure. These
+ work just like normal environment variable assignments,
+ but are supported on all platforms and are confined to
+ the configuration scripts only. These assignments override
+ the corresponding value in the inherited environment, if
+ there is one.
+
+ reconf
+ reconfigure
+ Reconfigure from earlier data. This fetches the previous
+ command line options and environment from data saved in
+ "configdata.pm", and runs the configuration process again,
+ using these options and environment.
+ Note: NO other option is permitted together with "reconf".
+ This means that you also MUST use "./Configure" (or
+ what corresponds to that on non-Unix platforms) directly
+ to invoke this option.
+ Note: The original configuration saves away values for ALL
+ environment variables that were used, and if they weren't
+ defined, they are still saved away with information that
+ they weren't originally defined. This information takes
+ precedence over environment variables that are defined
+ when reconfiguring.