Commit | Line | Data |
---|---|---|
2eec84ca PP |
1 | OpenSSL |
2 | ======= | |
3 | ||
4 | The OpenSSL Project documents their supported releases at | |
5 | <https://www.openssl.org/policies/releasestrat.html>. The Exim | |
6 | Maintainers are unwilling to try to support Exim built with a | |
7 | version of a critical security library which is unmaintained. | |
8 | ||
9 | Thus as versions of OpenSSL become unsupported by OpenSSL, they become | |
10 | unsupported by Exim. Exim might build with older releases of OpenSSL, | |
11 | but that's risky behaviour. | |
12 | ||
13 | If your operating system vendor continues to ship an older version of | |
14 | OpenSSL and is diligently backporting security fixes, and they support | |
15 | Exim, then they will be backporting fixes to their packages of Exim too. | |
16 | If you wish to stick purely to packages of OpenSSL, then stick to | |
17 | packages of Exim too. | |
18 | ||
19 | If someone maintains "backports", that is worth exploring too. | |
20 | ||
21 | Note that a number of OSes use Exim with GnuTLS, not OpenSSL. | |
22 | ||
23 | Otherwise, assuming that your operating system has old OpenSSL, and you | |
24 | wish to use current Exim with OpenSSL, then you need to build and | |
25 | install your own, without interfering with the system libraries. | |
26 | Fortunately, this is easy. | |
27 | ||
28 | So this only applies if you build Exim yourself. | |
29 | ||
30 | ||
31 | Build | |
32 | ----- | |
33 | ||
34 | Extract the current source of OpenSSL. Change into that directory. | |
35 | ||
36 | This assumes that `/opt/openssl` is not in use. If it is, pick | |
37 | something else. `/opt/exim/openssl` perhaps. | |
38 | ||
39 | ./config --prefix=/opt/openssl --openssldir=/etc/ssl | |
40 | enable-ssl-trace | |
41 | make | |
42 | make install | |
43 | ||
44 | You now have an installed OpenSSL under /opt/openssl which will not be | |
45 | used by any system programs. | |
46 | ||
47 | When you copy `src/EDITME` to `Local/Makefile` to make your build edits, | |
48 | choose the pkg-config approach in that file, but also tell Exim to add | |
49 | the relevant directory into the rpath stamped into the binary: | |
50 | ||
51 | SUPPORT_TLS=yes | |
52 | USE_OPENSSL_PC=openssl | |
53 | EXTRALIBS_EXIM=-ldl -Wl,-rpath,/opt/openssl/lib | |
54 | ||
55 | The -ldl is needed by OpenSSL 1.1+ on Linux and is not needed on most | |
56 | other platforms. | |
57 | ||
58 | Then tell pkg-config how to find the configuration files for your new | |
59 | OpenSSL install, and build Exim: | |
60 | ||
61 | export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig | |
62 | make | |
63 | sudo make install | |
64 | ||
65 | ||
66 | Confirming | |
67 | ---------- | |
68 | ||
69 | Run: | |
70 | ||
71 | exim -d-all+expand --version | |
72 | ||
73 | and look for the `Library version: OpenSSL:` lines. | |
74 | ||
75 | To look at the libraries _probably_ found by the linker, use: | |
76 | ||
77 | ldd $(which exim) # most platforms | |
78 | otool -L $(which exim) # MacOS | |
79 | ||
80 | although that does not correclty handle restrictions imposed upon | |
81 | executables which are setuid. | |
82 | ||
83 | If the `chrpath` package is installed, then: | |
84 | ||
85 | chrpath -l $(which exim) | |
86 | ||
87 | will show the DT_RPATH stamped into the binary. | |
88 | ||
89 | ||
90 | Very Advanced | |
91 | ------------- | |
92 | ||
93 | You can not use $ORIGIN for portably packing OpenSSL in with Exim with | |
94 | normal Exim builds, because Exim is installed setuid which causes the | |
95 | runtime linker to ignore $ORIGIN in DT_RPATH. | |
96 | ||
97 | _If_ following the steps for a non-setuid Exim, _then_ you can use: | |
98 | ||
99 | EXTRALIBS_EXIM=-ldl '-Wl,-rpath,$$ORIGIN/../lib' | |
100 | ||
101 | The doubled `$$` is needed for the make(1) layer and the quotes needed | |
102 | for the shell invoked by make(1) for calling the linker. | |
103 | ||
104 | Note that this is sufficiently far outside normal that the build-system | |
105 | doesn't support it by default; you'll want to drop a symlink to the lib | |
106 | directory into the Exim release top-level directory, so that lib exists | |
107 | as a sibling to the build-$platform directory. | |
108 |