What I do know is that ASSP needs p5-net-ssleay. There is a suspicion
that the openssl version I am working against is too old, or too
buggy, so I need to try to solve that.

Hard to say without knowing how things aren't working; I know some
software doesn't like when you compile using one version of headers then
link against a different version of libraries.

ASSP is an email proxy, it supports SSL and TLS mostly by using p5's
to make it all happen.  The setup is Internet -> ASSP -> MTA

If I made an SSL or TLS enabled connection directly to the MTA on port
25, SSL and/or TLS will work fine.

If I make a connection to the ASSP proxy, it works some of the time.
I send an email in the command line:
`mail u...@remote-mta-machine`
This will always work.

`mail u...@assp-proxy` this simply hits port 25, which is set to
proxy to the far end MTA.  It fails the SSL parts entirely.  Some
hosts that I send the `mail` command from work, others do not. I
subscribed to a few mailing lists, some get through, some do not.

Some addresses working and others not, that doesn't sound like an initial connection issue (which would implicate SSL/TLS) but something after that. By 'fails the SSL parts entirely' what exactly do you mean? Does it fail to finish the initial TCP handshake, fail to verify the cert, something else?

I wish I knew. This is a hard one for me to debug. Basically, an email from the outside world comes in, hits the proxy on port 25, and all I see in the ASSP logs is "starting SSL connection" and "SSL connection failed, problem with MTA?". Not exact verbiage, but the basics are the same.

Some cases I can get this to happen with a machine I am in control of, so I can look at the logs on that sending machine. I just get a dropped connection, and the mail is queued up and will be tried again later. Curiously, in 5 hours or so, they can sometimes make it through.

I can use openssl as a client, and connect to the remote far end MTA
just fine, connecting to ASSP, and I get the connection, but that is
as far as I get.

If you can see the cert (e.g., by using --showcerts with s_client) then that
sounds like SSL/TLS is working fine.

I thought so too, and those work on the machines I have access to where I can make tests. However, when I let a local delivery agent try, it will not work.

I know what p5's ASSP installs, and can easily tell what dependencies
I need to track down to look at.  However, those depend on perl,
which was installed, and curses was installed;  a lot of other things
too.  Can I be reasonably confident, if any of those use openssl libs
and headers, I need not run otool on them, and do any checking?

The big problem is that for any new ports, checking linkage is a good thing,
especially for bits that get loaded into larger programs (like perl
modules). If you aren't careful you can end up with one part linking to the
system library and another part to the MacPorts equivalent. This can then
lead to version mismatches and software crashing.

I checked the better part of the libs with otool, and all seems to be in order. I went as far as installing this whole batch via CPAN, and got the same problems as well.

Can you show me how you tried them? I was not able to get them to
work, but all I did was `perl filename`, which probably was not a
valid way to test.  I really do not know perl, or SSL vocabulary, well
enough to properly test these out.

After it built (I have port's autoclean off so the build dir was still
available), I simply move into the top dir for p5-io-socket-ssl (the one
with the example directory among others).  From here, I ran

$ /opt/local/bin/perl5.8 example/ssl_server.pl

in one terminal and the ssl_client.pl in another, and watched those talk
fine.  Leaving the ssl_server process up, I then used

$ openssl s_client -connect localhost:9000 -showcerts -debug

to connect to the server and verify it was able to get the cert, which it
did.

I downloaded the source in order to get the examples directory. I then ran this:

$ /opt/local/bin/perl5.8 ssl_server.pl
unable to create socket: IO::Socket::INET configuration failederror: 00000000:lib(0):func(0):reason(0)

Am I doing something wrong? How were you able to get that to work?

--
Scott * If you contact me off list replace talklists@ with scott@ *
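
The linkage check discussed in this thread (one module loading the system OpenSSL while another loads the MacPorts copy), as an added example that is not part of the original messages. The function name, the bundle paths and the library versions in the samples are constructed for illustration; only `/usr/lib` and `/opt/local/lib` reflect the real system and MacPorts prefixes.

```shell
#!/bin/sh
# Added example: report which directories supply libssl/libcrypto in
# `otool -L` output read from stdin. Returns 1 when more than one
# directory is involved (e.g. /usr/lib and /opt/local/lib together).
check_openssl_linkage() {
    awk '
        # otool -L prints each inspected file unindented, ending in ":"
        $0 !~ /^[ \t]/ && /:$/ { obj = $0; sub(/:$/, "", obj); next }
        # dependency lines are indented; field 1 is the library path
        $1 ~ "/lib(ssl|crypto)[.][^/]*dylib$" {
            dir = $1; sub("/[^/]*$", "", dir)
            if (!seen[dir, obj]++) users[dir] = users[dir] " " obj
        }
        END {
            for (d in users) { n++; printf "%s:%s\n", d, users[d] }
            if (n > 1) { print "MIXED"; exit 1 }
            print "OK"
        }'
}

# Constructed samples (paths and versions are illustrative only).
sample_mixed() {
    cat <<'EOF'
/example/auto/Net/SSLeay/SSLeay.bundle:
    /opt/local/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /opt/local/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.1.4)
/example/auto/Other/Other.bundle:
    /usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.1.4)
EOF
}

# Same input with the second bundle relinked against the MacPorts copy.
sample_clean() { sample_mixed | sed 's#/usr/lib/libssl.0.9.7#/opt/local/lib/libssl.0.9.8#'; }

sample_mixed | check_openssl_linkage || echo "=> rebuild the module listed under the unexpected directory"
```

On a real system, feed it the combined `otool -L` output of the perl binary and every compiled module bundle that ASSP loads.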
