summaryrefslogtreecommitdiff
path: root/doc/doc-txt/openssl.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/doc-txt/openssl.txt')
-rw-r--r--doc/doc-txt/openssl.txt77
1 files changed, 77 insertions, 0 deletions
diff --git a/doc/doc-txt/openssl.txt b/doc/doc-txt/openssl.txt
new file mode 100644
index 000000000..948612711
--- /dev/null
+++ b/doc/doc-txt/openssl.txt
@@ -0,0 +1,77 @@
+OpenSSL
+=======
+
+The OpenSSL Project documents their supported releases at
+<https://www.openssl.org/policies/releasestrat.html>. The Exim
+Maintainers are unwilling to try to support Exim built with a
+version of a critical security library which is unmaintained.
+
+Thus as versions of OpenSSL become unsupported by OpenSSL, they become
+unsupported by Exim. Exim might build with older releases of OpenSSL,
+but that's risky behaviour.
+
+If your operating system vendor continues to ship an older version of
+OpenSSL and is diligently backporting security fixes, and they support
+Exim, then they will be backporting fixes to their packages of Exim too.
+If you wish to stick purely to packages of OpenSSL, then stick to
+packages of Exim too.
+
+If someone maintains "backports", that is worth exploring too.
+
+Note that a number of OSes use Exim with GnuTLS, not OpenSSL.
+
+Otherwise, assuming that your operating system has old OpenSSL, and you
+wish to use current Exim with OpenSSL, then you need to build and
+install your own, without interfering with the system libraries.
+Fortunately, this is easy.
+
+So this only applies if you build Exim yourself.
+
+
+Build
+-----
+
+Extract the current source of OpenSSL. Change into that directory.
+
+This assumes that `/opt/openssl` is not in use. If it is, pick
+something else. `/opt/exim/openssl` perhaps.
+
+ ./config --prefix=/opt/openssl --openssldir=/etc/ssl
+ enable-ssl-trace
+ make
+ make install
+
+You now have an installed OpenSSL under /opt/openssl which will not be
+used by any system programs.
+
+When you copy `src/EDITME` to `Local/Makefile` to make your build edits,
+choose the pkg-config approach in that file, but also tell Exim to add
+the relevant directory into the rpath stamped into the binary:
+
+ SUPPORT_TLS=yes
+ USE_OPENSSL_PC=openssl
+ EXTRALIBS_EXIM=-ldl -Wl,-R/opt/openssl/lib
+
+The -ldl is needed by OpenSSL 1.1+ on Linux and is not needed on most
+other platforms.
+
+Then tell pkg-config how to find the configuration files for your new
+OpenSSL install, and build Exim:
+
+ export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
+ make
+ sudo make install
+
+
+Variations
+----------
+
+If you are _only_ going to use the updated OpenSSL with Exim, then
+consider using a `lib` dir alongside the `bin` dir for Exim, and then on
+the `EXTRALIBS_EXIM=` line in `Local/Makefile` use:
+
+ EXTRALIBS_EXIM=-ldl -Wl,-R$ORIGIN/../lib
+
+FIXME-BEFORE-MERGE: make this work in Exim, instead of expanding the
+`$O` to `OS` whether quoted or not.
+
View Lorry Controller Status