So, let’s say you have a Ubuntu or Debian server, using one or more of Nginx, Postfix, and Dovecot, and you’d like to have them link to LibreSSL instead of the default OpenSSL. (I won’t go much into the possible reasons for it; maybe you’re bothered because modern distros are still sticking with OpenSSL 1.0.x, which is ancient and doesn’t support modern ciphers such as ChaCha20, or you trust the OpenBSD developers more than you trust the OpenSSL ones, or — and there’s nothing wrong with that — you want to do it just for fun. You could also use OpenSSL 1.1.x — check out this (very similar) post.)
So, here’s a relatively simple way, that doesn’t change the system’s default OpenSSL (believe me, that wouldn’t be a good idea, unless you recompiled everything):
- download the latest portable source from www.libressl.org
- compile and install it with:
- edit nginx-<version>/debian/rules: add
to the beginning of the common_configure_flags option (note that that’s the source directory you used to compile LibreSSL, not where you installed it to);
- install the required packages in the parent directory with “dpkg -i ” (do dpkg -l | grep nginx to see which you have installed; typically you’ll want to install the newly created versions of those);
Done! You can now play around with the Mozilla TLS Guide to add support for modern ciphers to your Nginx’s configuration, and use SSLLabs’s SSL Server Test tool to check if they are correctly enabled.
It’s just like Nginx (replacing “nginx” with “postfix” in every command / directory name, of course), except that the changes to debian/rules are these:
- find -DHAS_SSL, add -I/usr/include/libressl/include/openssl in front of it;
- find AUXLIBS += , add -L/usr/local/libressl/lib in front of it
- find the line with dh_shlibdeps -a, add –dpkg-shlibdeps-params=–ignore-missing-info to it
- don’t forget the apt-mark hold postfix* at the end.
Again, use the Nginx instructions, using “dovecot” instead of “nginx” everywhere, except that the changes to debian/rules should be:
- after the line:
export SSL_CFLAGS=-I/usr/local/libressl/include export SSL_LIBS=-L/usr/local/libressl/lib -lssl -lcrypto
- after the section:
override_dh_makeshlibs: # Do not add an ldconfig trigger; none of the dovecot shared libraries # are public. dh_makeshlibs -n
override_dh_shlibdeps: dh_shlibdeps --dpkg-shlibdeps-params=--ignore-missing-info
NOTE: the indentation in the second line needs to be a tab, don’t use spaces.
Again, remember to apt-mark hold dovecot* after installation.
How to check if your new installations of Postfix and/or Dovecot are using LibreSSL instead of the default OpenSSL? You could use ldd to check what SSL / TLS libraries your binaries and/or libraries link to, but the best way is probably to use a tool such as sslscan, which you can use to check what ciphers your SMTP, IMAP, etc. support (including with STARTTLS). If you see ChaCha20 in there, everything is fine. 🙂
If you ever want to go back to “normal” versions of these servers, just do apt-mark unhold nginx* (for instance).
I’ve also added /usr/local/libressl/bin to the beginning of my PATH environment variable, so that the LibreSSL binaries are used by default (e.g. to generate keys, CSRs, etc.), although this isn’t necessary for Nginx, etc. to work.