Dovecot 2.2.25 fails on SSL
Andreas M. Kirchwitz
amk at spamfence.net
Mon Sep 19 13:14:39 UTC 2016
Joseph Tam <jtam.home at gmail.com> wrote:
>> For every program I compile myself, I link it against my custom
>> OpenSSL library (always newest version; distributions usually tend
>> to stick with a specific version and only apply security fixes).
>
> OK, the origin of your problem becomes clearer. You can hardcode these
> paths into the executables by doing something like
>
> env CFLAGS='-I/my'ssl/include' \
> LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
> configure ...
Yes, exactly, that's my usual approach. I've used this as well
for building other software with custom libraries.
Unfortunately, I remember CFLAGS/LDFLAGS didn't play well with
Dovecot, so I used SSL_CFLAGS/SSL_LIBS as suggested by the
documentation and that worked well.
> I use this myself (except the -Wl part since these libs are
> symlinked to my shared library path). I think "-R/my/ssl/lib"
> might also be synonymous with -Wl,...
Based on your mail I've tried CFLAGS/LDFLAGS again, and
now Dovecot didn't even compile any longer.
I was close to giving up. But obviously, I didn't ... :-)
After some investigation I found the non-default linker option
"-Wl,--as-needed" as problem which is enabled by Dovecot for
unknown reasons.
Finally, this call to "configure" generates proper Makefile files
to build Dovecot with a custom SSL library:
env CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib" LIBS="-Wl,--no-as-needed -lcrypto -lssl" SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -Wl,--no-as-needed -lcrypto -lssl" ./configure --prefix=/usr/local/dovecot --with-ssl=openssl
(chances are that SSL_CFLAGS/SSL_LIBS could be removed completely
but it won't hurt)
I've read the section in the "ld" manual but still don't understand
why Dovecot enables --as-needed (never seen that before with other
software) and why it's such a big problem. But I'm no expert here.
> I don't have that problem -- I use configure to tell dovecot where to find
> my self-compiled openssl, and the resulting executables load from where I
> want.
Thanks for pointing me at the proper direction again.
Now Dovecot 2.2.25 compiles for me with a custom SSL.
I understand that this issue might not have a high priority but maybe
one of the developers could check if "--as-needed" is really needed
(as it confuses people who try to use custom libraries) and what's
the deeper meaning of SSL_CFLAGS/SSL_LIBS.
My system is a regular CentOS 6 (latest sub-release with all patches),
nothing special except for a custom SSL installation.
Greetings, Andreas
More information about the dovecot
mailing list