So, let’s say you have a Ubuntu or Debian server, using one or more of Nginx, Postfix, and Dovecot, and you’d like to have them link to OpenSSL 1.1.x instead of the default OpenSSL (as of Ubuntu 17.04, it’s version 1.0.2g). (Reasons may include wanting to use modern ciphers such as ChaCha20, or trying out support for the most recent TLS 1.3 draft. Also, if you want to try out LibreSSL instead of OpenSSL 1.1, please check out the previous post.)
So, here’s a relatively simple way, that doesn’t change the system’s default OpenSSL (believe me, that wouldn’t be a good idea, unless you recompiled everything):
Install dependencies:
Install OpenSSL 1.1.x:
- download the latest 1.1.x source from www.openssl.org
- compile and install it with:
Install Nginx:
- edit nginx-<version>/debian/rules: add
–with-openssl=/usr/local/src/openssl-
to the beginning of the common_configure_flags option (note that that’s the source directory you used to compile OpenSSL 1.1.x, not where you installed it to);
- install the required packages in the parent directory with “dpkg -i ” (do dpkg -l | grep nginx to see which you have installed; typically you’ll want to install the newly created versions of those);
Done! You can now play around with the Mozilla TLS Guide to add support for modern ciphers to your Nginx’s configuration, and use SSLLabs’s SSL Server Test tool to check if they are correctly enabled.
Install Postfix:
It’s just like Nginx (replacing “nginx” with “postfix” in every command / directory name, of course), except that the changes to debian/rules are these:
- find -DHAS_SSL, add -I/usr/include/openssl11/include/openssl in front of it;
- find AUXLIBS += , add -L/usr/local/openssl11/lib in front of it
- find the line with dh_shlibdeps -a, add –dpkg-shlibdeps-params=–ignore-missing-info to it
- don’t forget the apt-mark hold postfix* at the end.
Install Dovecot:
Again, use the Nginx instructions, using “dovecot” instead of “nginx” everywhere, except that the changes to debian/rules should be:
- after the line:
export DEB_BUILD_MAINT_OPTIONS=hardening=+all
add:
export SSL_CFLAGS=-I/usr/local/openssl11/include export SSL_LIBS=-L/usr/local/openssl11/lib -lssl -lcrypto
- after the section:
override_dh_makeshlibs: # Do not add an ldconfig trigger; none of the dovecot shared libraries # are public. dh_makeshlibs -n
add:
override_dh_shlibdeps: dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info
NOTE: the indentation in the second line needs to be a tab, don’t use spaces.
Again, remember to apt-mark hold dovecot* after installation.
How to check if your new installations of Postfix and/or Dovecot are using OpenSSL 1.1.x instead of the default OpenSSL 1.0.x? You could use ldd to check what SSL / TLS libraries your binaries and/or libraries link to, but the best way is probably to use a tool such as sslscan, which you can use to check what ciphers your SMTP, IMAP, etc. support (including with STARTTLS). If you see ChaCha20 in there, everything is fine. 🙂
If you ever want to go back to “normal” versions of these servers, just do apt-mark unhold nginx* (for instance).