path: root/doc/doc-txt/openssl.txt
blob: 94861271199f2820d4365ef4471d595de2dac609 (plain)
OpenSSL
=======

The OpenSSL Project documents their supported releases at
<https://www.openssl.org/policies/releasestrat.html>.  The Exim
Maintainers are unwilling to try to support Exim built with a
version of a critical security library which is unmaintained.

Thus as versions of OpenSSL become unsupported by OpenSSL, they become
unsupported by Exim.  Exim might build with older releases of OpenSSL,
but that's risky behaviour.

If your operating system vendor continues to ship an older version of
OpenSSL and is diligently backporting security fixes, and they support
Exim, then they will be backporting fixes to their packages of Exim too.
If you wish to stick purely to packages of OpenSSL, then stick to
packages of Exim too.

If someone maintains "backports", that is worth exploring too.

Note that a number of OSes use Exim with GnuTLS, not OpenSSL.

Otherwise, assuming that your operating system has old OpenSSL, and you
wish to use current Exim with OpenSSL, then you need to build and
install your own, without interfering with the system libraries.
Fortunately, this is easy.

So this only applies if you build Exim yourself.


Build
-----

Extract the current source of OpenSSL.  Change into that directory.

This assumes that `/opt/openssl` is not in use.  If it is, pick
something else.  `/opt/exim/openssl` perhaps.

    ./config --prefix=/opt/openssl --openssldir=/etc/ssl \
        enable-ssl-trace
    make
    make install

You now have an installed OpenSSL under /opt/openssl which will not be
used by any system programs.

When you copy `src/EDITME` to `Local/Makefile` to make your build edits,
choose the pkg-config approach in that file, but also tell Exim to add
the relevant directory into the rpath stamped into the binary:

    SUPPORT_TLS=yes
    USE_OPENSSL_PC=openssl
    EXTRALIBS_EXIM=-ldl -Wl,-R/opt/openssl/lib

The -ldl is needed by OpenSSL 1.1+ on Linux and is not needed on most
other platforms.

Then tell pkg-config how to find the configuration files for your new
OpenSSL install, and build Exim:

    export PKG_CONFIG_PATH=/opt/openssl/lib/pkgconfig
    make
    sudo make install
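The Local/Makefile step above, scripted as an added example that is not part of the Exim documentation: it sets the three variables without leaving duplicate or commented-out copies behind, and adds the two checks a builder wants afterwards, that pkg-config really resolves `openssl` to the private prefix and that the installed binary loads libssl/libcrypto from the rpath'd directory rather than the system one. It assumes the `/opt/openssl` prefix from the text; the function and variable names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the Exim documentation: apply the Local/Makefile
# settings described above and check that the build really resolves to the
# private OpenSSL instead of the system copy.
set -eu

OPENSSL_PREFIX="${OPENSSL_PREFIX:-/opt/openssl}"   # same prefix as the text above

# Set VAR=VALUE in a Makefile: replace an existing line, whether it is live
# or commented out ("# VAR=..."), so repeated runs never append duplicates.
set_make_var() {   # set_make_var FILE VAR VALUE
    file=$1; var=$2; value=$3
    if grep -q "^#* *${var}=" "$file"; then
        # portable in-place edit: temp file, then rename over the original
        sed "s|^#* *${var}=.*|${var}=${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$var" "$value" >> "$file"
    fi
}

# The three settings from the text, including the rpath so the binary finds
# the private libssl/libcrypto at run time without LD_LIBRARY_PATH.
configure_local_makefile() {   # configure_local_makefile Local/Makefile
    set_make_var "$1" SUPPORT_TLS yes
    set_make_var "$1" USE_OPENSSL_PC openssl
    set_make_var "$1" EXTRALIBS_EXIM "-ldl -Wl,-R${OPENSSL_PREFIX}/lib"
}

# Succeeds only if pkg-config resolves "openssl" to the private prefix, i.e.
# PKG_CONFIG_PATH is effective and the system openssl.pc is not winning.
pkgconfig_uses_prefix() {
    PKG_CONFIG_PATH="${OPENSSL_PREFIX}/lib/pkgconfig" \
        pkg-config --variable=prefix openssl | grep -qx "$OPENSSL_PREFIX"
}

# After "make install": succeeds only if every libssl/libcrypto the binary
# loads comes from the rpath'd directory rather than the system library path.
exim_links_private_openssl() {   # exim_links_private_openssl /path/to/exim
    libs=$(ldd "$1" | grep -E 'lib(ssl|crypto)\.so' || true)
    [ -n "$libs" ] || return 1          # no dynamic OpenSSL found at all
    ! printf '%s\n' "$libs" | grep -qv "${OPENSSL_PREFIX}/lib"
}

# Typical use after building OpenSSL as shown above:
#   configure_local_makefile Local/Makefile
#   pkgconfig_uses_prefix && make && sudo make install
#   exim_links_private_openssl /path/to/installed/exim
```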


Variations
----------

If you are _only_ going to use the updated OpenSSL with Exim, then
consider using a `lib` dir alongside the `bin` dir for Exim, and then on
the `EXTRALIBS_EXIM=` line in `Local/Makefile` use:

    EXTRALIBS_EXIM=-ldl -Wl,-R$ORIGIN/../lib

FIXME-BEFORE-MERGE: make this work in Exim, instead of expanding the
`$O` to `OS` whether quoted or not.