On Sat, Mar 12, 2016 at 10:56:32AM -0800, Alice Wonder wrote:

> > I understand that your choice works for you, that's fine. Just
> > saying that for most Postfix users I'd recommend sticking with
> > OpenSSL and upgrading each of Postfix and OpenSSL as opportunities
> > arise.
>
> I understand that. Upgrading the version of OpenSSL on RHEL/CentOS systems
> is not recommended. You could install a newer version in /usr/local or /opt
> but then you have to make sure all your executables use the right one.
Yes, "as opportunities arise" might mean when upgrading to a newer RHEL
release. Note that Red Hat backports OpenSSL fixes and presumably also at
least some Postfix patches. Indeed if you want a more recent Postfix you may
need to build your own, in a non-default location in the file-system, and
likewise with OpenSSL. On the NetBSD system that hosts my mailbox Postfix and
OpenSSL are from pkgsrc and are both more recent than those in the base
system.

> Red Hat also removes most of the ECC curves from their build of OpenSSL.

Mostly for the better. Nowadays, they leave NIST's P-256, P-384 and P-521
in place, which is all you need until the new CFRG curves become broadly
available.

> Using LibreSSL for me anyway solves all those issues. I can leave the
> system OpenSSL alone and just build server packages against LibreSSL.

Understood, that's fine. On Linux systems I manage, I install the latest
OpenSSL 1.0.x into /opt/openssl/1.0, against which I link various other
software I build and install into /opt. The library SONAMEs for the libssl
and libcrypto installed there are:

    libssl-opt.so.1.0.0
    libcrypto-opt.so.1.0.0

and all the exported symbols have custom version tags. These libraries can
co-exist in the same address space without conflict with the standard
libssl/libcrypto. As you might imagine, this took a bit of effort to set
up...

-- 
Viktor.
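The "custom SONAME plus custom symbol version tags" arrangement described in the reply above can be reproduced in miniature. The script below is an added example, not something posted in the thread and not Viktor's build recipe: it builds two tiny stand-in "libcrypto" libraries with different SONAMEs, links a daemon against one and a plugin against the other, dlopen()s the plugin from the daemon, and reports which copy each caller ended up calling, once with every exported symbol tagged with a build-specific version and once without. All names in it (libcrypto-opt, libcrypto-sys, OPT_1.0, SYS_1.0, crypto_version, plugin_report) are invented for the demo; it assumes gcc, GNU ld and a glibc-based Linux.

```shell
# Added example, not from the thread: two tiny "libcrypto" variants with
# distinct SONAMEs, both loaded into one process; only the symbol version
# tags keep each caller bound to its own copy.
# All names (libcrypto-opt, libcrypto-sys, OPT_1.0, SYS_1.0, crypto_version,
# plugin_report) are invented for the demo.  Needs gcc, GNU ld, glibc/Linux.

demo() {
    # $1 is "versioned" (custom version tag on every exported symbol)
    # or "plain" (only the SONAMEs differ).
    mode=$1
    command -v gcc >/dev/null 2>&1 || { echo "gcc not found" >&2; return 1; }
    work=$(mktemp -d)
    (
        set -e
        cd "$work"

        # Two builds of the "same" library that give different answers.
        printf 'const char *crypto_version(void) { return "opt"; }\n' > opt.c
        printf 'const char *crypto_version(void) { return "sys"; }\n' > sys.c

        # Version scripts: tag every exported symbol with a build-specific name.
        printf 'OPT_1.0 { global: *; };\n' > opt.map
        printf 'SYS_1.0 { global: *; };\n' > sys.map
        vs_opt=""; vs_sys=""
        if [ "$mode" = versioned ]; then
            vs_opt="-Wl,--version-script,opt.map"
            vs_sys="-Wl,--version-script,sys.map"
        fi

        gcc -shared -fPIC -o libcrypto-opt.so.1.0.0 opt.c \
            -Wl,-soname,libcrypto-opt.so.1.0.0 $vs_opt
        gcc -shared -fPIC -o libcrypto-sys.so.1.0.0 sys.c \
            -Wl,-soname,libcrypto-sys.so.1.0.0 $vs_sys
        ln -s libcrypto-opt.so.1.0.0 libcrypto-opt.so
        ln -s libcrypto-sys.so.1.0.0 libcrypto-sys.so

        # A plugin (think: an LDAP or SASL module) linked against the
        # "system" library ...
        cat > plugin.c <<'EOF'
const char *crypto_version(void);
const char *plugin_report(void) { return crypto_version(); }
EOF
        gcc -shared -fPIC -o plugin.so plugin.c -L. -lcrypto-sys -Wl,-rpath,"$work"

        # ... dlopen()ed by a daemon linked against the /opt-style library.
        cat > daemon.c <<'EOF'
#include <dlfcn.h>
#include <stdio.h>
const char *crypto_version(void);
int main(void) {
    void *h = dlopen("./plugin.so", RTLD_NOW | RTLD_LOCAL);
    if (!h) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    const char *(*report)(void) = (const char *(*)(void))dlsym(h, "plugin_report");
    if (!report) { fprintf(stderr, "%s\n", dlerror()); return 1; }
    printf("daemon=%s plugin=%s\n", crypto_version(), report());
    return 0;
}
EOF
        gcc -o daemon daemon.c -L. -lcrypto-opt -ldl -Wl,-rpath,"$work"
        ./daemon
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

echo "with version tags:    $(demo versioned)"   # daemon=opt plugin=sys
echo "without version tags: $(demo plain)"       # daemon=opt plugin=opt
```

Without version tags the plugin's undefined `crypto_version` is resolved against the global scope first, i.e. the daemon's already-loaded libcrypto-opt, so both callers silently share one copy; with a real OpenSSL that means a module built against the system libcrypto would run its code against the other build's structures. With the tags, the plugin's reference is `crypto_version@SYS_1.0`, which glibc will only bind to a definition carrying that version, so it skips libcrypto-opt and lands in its own library. Distinct SONAMEs alone only let both files be mapped; the version tags are what keep them from interfering.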