[exim.git] / doc / doc-txt / openssl.txt

OpenSSL
=======

The OpenSSL Project documents their supported releases at
<https://www.openssl.org/policies/releasestrat.html>.  The Exim
Maintainers are unwilling to try to support Exim built with a
version of a critical security library which is unmaintained.

Thus as versions of OpenSSL become unsupported by OpenSSL, they become
unsupported by Exim.  Exim might build with older releases of OpenSSL,
but that's risky behaviour.

If your operating system vendor continues to ship an older version of
OpenSSL and is diligently backporting security fixes, and they support
Exim, then they will be backporting fixes to their packages of Exim too.
If you wish to stick purely to packages of OpenSSL, then stick to
packages of Exim too.

If someone maintains "backports", that is worth exploring too.

Note that a number of OSes use Exim with GnuTLS, not OpenSSL.

Otherwise, assuming that your operating system has old OpenSSL, and you
wish to use current Exim with OpenSSL, then you need to build and
install your own, without interfering with the system libraries.
Fortunately, this is easy.

So this only applies if you build Exim yourself.


Build
-----

Extract the current source of OpenSSL.  Change into that directory.

This assumes that `/opt/openssl` is not in use.  If it is, pick
something else.  `/opt/exim/openssl` perhaps.

    ./config --prefix=/opt/openssl --openssldir=/etc/ssl
    enable-ssl-trace
    make
    make install

You now have an installed OpenSSL under /opt/openssl which will not be
used by any system programs.

When you copy `src/EDITME` to `Local/Makefile` to make your build edits,
choose the pkg-config approach in that file, but also tell Exim to add
the relevant directory into the rpath stamped into the binary:

    SUPPORT_TLS=yes
    USE_OPENSSL_PC=openssl
    EXTRALIBS_EXIM=-ldl -Wl,-rpath,/opt/openssl/lib

The -ldl is needed by OpenSSL 1.1+ on Linux and is not needed on most
other platforms.

Then tell pkg-config how to find the configuration files for your new
OpenSSL install, and build Exim:

    export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
    make
    sudo make install


Confirming
----------

Run:

    exim -d-all+expand --version

and look for the `Library version: OpenSSL:` lines.

To look at the libraries _probably_ found by the linker, use:

    ldd $(which exim)		# most platforms
    otool -L $(which exim)	# MacOS

although that does not correclty handle restrictions imposed upon
executables which are setuid.

If the `chrpath` package is installed, then:

    chrpath -l $(which exim)

will show the DT_RPATH stamped into the binary.


Very Advanced
-------------

You can not use $ORIGIN for portably packing OpenSSL in with Exim with
normal Exim builds, because Exim is installed setuid which causes the
runtime linker to ignore $ORIGIN in DT_RPATH.

_If_ following the steps for a non-setuid Exim, _then_ you can use:

    EXTRALIBS_EXIM=-ldl '-Wl,-rpath,$$ORIGIN/../lib'

The doubled `$$` is needed for the make(1) layer and the quotes needed
for the shell invoked by make(1) for calling the linker.

Note that this is sufficiently far outside normal that the build-system
doesn't support it by default; you'll want to drop a symlink to the lib
directory into the Exim release top-level directory, so that lib exists
as a sibling to the build-$platform directory.
Commit	Line	Data
2eec84ca PP	1	OpenSSL
	2	=======
	3
	4	The OpenSSL Project documents their supported releases at
	5	<https://www.openssl.org/policies/releasestrat.html>. The Exim
	6	Maintainers are unwilling to try to support Exim built with a
	7	version of a critical security library which is unmaintained.
	8
	9	Thus as versions of OpenSSL become unsupported by OpenSSL, they become
	10	unsupported by Exim. Exim might build with older releases of OpenSSL,
	11	but that's risky behaviour.
	12
	13	If your operating system vendor continues to ship an older version of
	14	OpenSSL and is diligently backporting security fixes, and they support
	15	Exim, then they will be backporting fixes to their packages of Exim too.
	16	If you wish to stick purely to packages of OpenSSL, then stick to
	17	packages of Exim too.
	18
	19	If someone maintains "backports", that is worth exploring too.
	20
	21	Note that a number of OSes use Exim with GnuTLS, not OpenSSL.
	22
	23	Otherwise, assuming that your operating system has old OpenSSL, and you
	24	wish to use current Exim with OpenSSL, then you need to build and
	25	install your own, without interfering with the system libraries.
	26	Fortunately, this is easy.
	27
	28	So this only applies if you build Exim yourself.
	29
	30
	31	Build
	32	-----
	33
	34	Extract the current source of OpenSSL. Change into that directory.
	35
	36	This assumes that `/opt/openssl` is not in use. If it is, pick
	37	something else. `/opt/exim/openssl` perhaps.
	38
	39	./config --prefix=/opt/openssl --openssldir=/etc/ssl
	40	enable-ssl-trace
	41	make
	42	make install
	43
	44	You now have an installed OpenSSL under /opt/openssl which will not be
	45	used by any system programs.
	46
	47	When you copy `src/EDITME` to `Local/Makefile` to make your build edits,
	48	choose the pkg-config approach in that file, but also tell Exim to add
	49	the relevant directory into the rpath stamped into the binary:
	50
	51	SUPPORT_TLS=yes
	52	USE_OPENSSL_PC=openssl
	53	EXTRALIBS_EXIM=-ldl -Wl,-rpath,/opt/openssl/lib
	54
	55	The -ldl is needed by OpenSSL 1.1+ on Linux and is not needed on most
	56	other platforms.
	57
	58	Then tell pkg-config how to find the configuration files for your new
	59	OpenSSL install, and build Exim:
	60
	61	export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
	62	make
	63	sudo make install
	64
65
66	Confirming
67	----------
68
69	Run:
70
71	exim -d-all+expand --version
72
73	and look for the `Library version: OpenSSL:` lines.
74
75	To look at the libraries _probably_ found by the linker, use:
76
77	ldd $(which exim) # most platforms
78	otool -L $(which exim) # MacOS
79
80	although that does not correclty handle restrictions imposed upon
81	executables which are setuid.
82
83	If the `chrpath` package is installed, then:
84
85	chrpath -l $(which exim)
86
87	will show the DT_RPATH stamped into the binary.
88
89
90	Very Advanced
91	-------------
92
93	You can not use $ORIGIN for portably packing OpenSSL in with Exim with
94	normal Exim builds, because Exim is installed setuid which causes the
95	runtime linker to ignore $ORIGIN in DT_RPATH.
96
97	_If_ following the steps for a non-setuid Exim, _then_ you can use:
98
99	EXTRALIBS_EXIM=-ldl '-Wl,-rpath,$$ORIGIN/../lib'
100
101	The doubled `$$` is needed for the make(1) layer and the quotes needed
102	for the shell invoked by make(1) for calling the linker.
103
104	Note that this is sufficiently far outside normal that the build-system
105	doesn't support it by default; you'll want to drop a symlink to the lib
106	directory into the Exim release top-level directory, so that lib exists
107	as a sibling to the build-$platform directory.
108