Dovecot 2.2.25 fails on SSL

Andreas M. Kirchwitz amk at spamfence.net
Mon Sep 19 13:14:39 UTC 2016 

Joseph Tam <jtam.home at gmail.com> wrote:

>> For every program I compile myself, I link it against my custom
>> OpenSSL library (always newest version; distributions usually tend
>> to stick with a specific version and only apply security fixes).
>
> OK, the origin of your problem becomes clearer.  You can hardcode these
> paths into the executables by doing something like
>
>  	env	CFLAGS='-I/my'ssl/include' \
>  		LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
>  		configure ...

Yes, exactly, that's my usual approach. I've used this as well
for building other software with custom libraries.

Unfortunately, I remember CFLAGS/LDFLAGS didn't play well with
Dovecot, so I used SSL_CFLAGS/SSL_LIBS as suggested by the
documentation and that worked well.

> I use this myself (except the -Wl part since these libs are
> symlinked to my shared library path).  I think "-R/my/ssl/lib"
> might also be synonymous with -Wl,...

Based on your mail I've tried CFLAGS/LDFLAGS again, and
now Dovecot didn't even compile any longer.

I was close to giving up. But obviously, I didn't ... :-)

After some investigation I found the non-default linker option
"-Wl,--as-needed" as problem which is enabled by Dovecot for
unknown reasons.

Finally, this call to "configure" generates proper Makefile files
to build Dovecot with a custom SSL library:

env CPPFLAGS="-I/usr/local/ssl/include" LDFLAGS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib" LIBS="-Wl,--no-as-needed -lcrypto -lssl" SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -Wl,--no-as-needed -lcrypto -lssl" ./configure --prefix=/usr/local/dovecot --with-ssl=openssl

(chances are that SSL_CFLAGS/SSL_LIBS could be removed completely
but it won't hurt)

I've read the section in the "ld" manual but still don't understand
why Dovecot enables --as-needed (never seen that before with other
software) and why it's such a big problem. But I'm no expert here.

> I don't have that problem -- I use configure to tell dovecot where to find
> my self-compiled openssl, and the resulting executables load from where I
> want.

Thanks for pointing me at the proper direction again.
Now Dovecot 2.2.25 compiles for me with a custom SSL.

I understand that this issue might not have a high priority but maybe
one of the developers could check if "--as-needed" is really needed
(as it confuses people who try to use custom libraries) and what's
the deeper meaning of SSL_CFLAGS/SSL_LIBS.

My system is a regular CentOS 6 (latest sub-release with all patches),
nothing special except for a custom SSL installation.

	Greetings, Andreas

More information about the dovecot mailing list