Re: [exim] Delay on exim send increases with uptime

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Delay on exim send increases with uptime
On Sat, Feb 01, 2020 at 02:42:06PM -0500, Holden Rohrer via Exim-users wrote:

> It turns out that Debian's openssl is kind of broken, and this is a known issue
> (https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/396818).


This isn't it. It is rather outdated, against a command-line utility in
no longer used versions of OpenSSL.

> I've tried rebuilding it (and Exim), but `openssl s_client -starttls
> smtp -connect smtp.gmail.com:587` still doesn't work without
> `-CApath=/etc/ssl/certs` (which were installed by Debian's
> ca-certificates).


Is your build configured to look in /etc/ssl for certificates? Likely not.

    $ openssl version -d
    OPENSSLDIR: "/etc/ssl"


> For building openssl, I've tried to set a few different permutations
> of `./config --prefix=/usr --openssldir=/etc/ssl`, but I haven't
> managed to get this working. Is this not actually a problem, and
> I've misconfigured Exim's recognition of mailserver SSL, or is it not
> recognizing the right openssl, or something?


Also make sure that Exim is linked against the same OpenSSL library
as your "openssl" command-line executable.

> I've tried both ways of including OPENSSL in Local/Makefile (with and without
> pkg-config), but neither worked. I figure this is the root of the issue, so how
> should I configure the build of Exim/openssl/some other package to handle this?


Use the OpenSSL library that comes with the OS, and place the "cert.pem"
file and "certs/" sub-directory at the location reported by the system's
"openssl version -d". On my FreeBSD system for example:

    $ strings /usr/local/lib/libcrypto.so | grep /cert
    /usr/local/openssl/certs
    /usr/local/openssl/cert.pem


-- 
    Viktor.
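
The checks described in the message above, combined into one script. This is an added example, not part of the original message: the function names are made up for illustration, the path to the Exim binary is supplied by the caller, and matching on a string ending in `/certs` is a heuristic based on the `strings` output shown above.

```shell
#!/bin/sh
# Added example (not from the original message). Checks that the openssl CLI
# and the libcrypto a binary is linked against share one default trust store.

# Reads `openssl version -d` output, prints the directory.
openssldir_from_version() {
    sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p'
}

# Reads `ldd` output, prints the resolved path of libcrypto.
libcrypto_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" { print $3; exit }'
}

# Reads `strings` output, prints the first absolute path ending in /certs
# (heuristic for the compiled-in default certs directory).
certdir_from_strings() {
    grep -E '^/.*/certs$' | head -n 1
}

# $1 = OPENSSLDIR reported by the CLI, $2 = certs directory found in the library.
same_trust_store() {
    [ "$2" = "${1%/}/certs" ]
}

# $1 = path to the binary to inspect (for example the exim executable).
check_trust_paths() {
    cli_dir=$(openssl version -d | openssldir_from_version)
    lib=$(ldd "$1" | libcrypto_from_ldd)
    if [ -z "$lib" ]; then
        echo "no shared libcrypto in ldd output for $1" >&2
        return 2
    fi
    lib_certs=$(strings "$lib" | certdir_from_strings)
    echo "CLI OPENSSLDIR:  $cli_dir"
    echo "linked library:  $lib"
    echo "library certs:   $lib_certs"
    if same_trust_store "$cli_dir" "$lib_certs"; then
        echo "OK: both use $lib_certs"
    else
        echo "MISMATCH: populate $lib_certs or relink against the system OpenSSL" >&2
        return 1
    fi
}

# Run only when a binary path is given on the command line.
[ "$#" -eq 0 ] || check_trust_paths "$1"
```

A mismatch means the daemon and the command-line tool look for CA certificates in different places, so a successful `openssl s_client` test says nothing about what Exim will trust.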