Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Omar Polo
On 2023/06/06 09:45:09 -0700, Andi Vajda  wrote:
> 
> On Tue, 6 Jun 2023, Omar Polo wrote:
> 
> > Hello,
> >
> > thanks for testing!
> >
> > Regarding the build failure when using LibreSSL, I can reproduce on
> > OpenBSD: it's because the bundled libtls is meant to be used with
> > OpenSSL.  I'll take a look at having it build with LibreSSL too but
> > that's more a quality-check rather than a priority since LibreSSL
> > already ships libtls (or it should be.)
> 
> Building with libressl was a supported configuration before.

Building with libressl is still a supported configuration.  There's a
bug in the configure script that's not obvious to me right now, plus
some deficiencies of our portable layer on NetBSD.  I'll need to fire
up a vm and investigate.  Will probably release a RC3 once fixed,
depending on how big the changes are.

> I don't think 
> it must necessarily be supported for this release but the valid combos of 
> (libtls, openssl, libressl) supported by opensmtpd must be made explicit as 
> the current situation is a bit confusing for the non SSL expert:
>   - opensmtpd can be built with openssl 1.1.1
>   - opensmtpd can be built with openssl 3.x
>   - opensmtpd can be built with libressl (or could in 6.8.0p2)
>   - opensmtpd bundles libtls and that must be used with openssl 3
>   - libressl bundles libtls
> I'm confused ;-)

I agree, unfortunately it's pretty confusing!

The idea would be either

 - openssl 1.1 or 3.x, with or without libretls
 - libressl

BUT because of a regression in libretls 3.7.0 on OpenSSL 3, for the time
being it is

 - openssl 1.1, with or without libretls
 - openssl 3.x AND MUST USE --with-bundled-libtls
 - libressl

I've mailed the developer of libretls but haven't heard back yet.  A
fix for this issue was committed to libressl and it's part of the
3.8.0 release, so I guess that libretls will get it anyway sooner or
later.

I haven't added any clever checks to the configure since this is not
trivial and I don't like clever checks.  I'll try to make it as clear
as possible in the release changelog that the bundled libtls MUST be
used with OpenSSL 3.x.  If you end up building with libretls and
OpenSSL 3.X you'll find out very soon that it doesn't work: all the
TLS connections will fail during the handshake.

Furthermore, with the next release of libretls (no idea when) this
issue will be solved.

> > What's interesting is why the configure is not picking up libtls from
> > your LibreSSL installation.  Probably you can 'force' it by setting
> > CFLAGS/LDFLAGS pointing at the local libressl installation, but it
> > shouldn't be necessary.  Can you please share (off-list) the
> > config.log?
> 
> Mailed off-list.

Thank you for all the info!  Unfortunately other than noticing a
couple of things that *must* be fixed in the portable layer before the
release, I wasn't able to understand the root of the issues.  It'll be
a perfect excuse to play a bit with NetBSD however :-)
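
The support matrix described in the message above, written as a pre-build check. This is an added example, not part of the thread or of OpenSMTPD's configure script; the function name and the provider labels (bundled, libretls, libressl) are assumptions, as is reading "without libretls" as "with the bundled libtls".

```shell
#!/bin/sh
# Added example: classify a (crypto library, libtls provider) pair against the
# combinations listed in the message above. Provider labels are assumptions:
#   bundled  = OpenSMTPD's own libtls (--with-bundled-libtls)
#   libretls = external libretls
#   libressl = the libtls shipped with LibreSSL
tls_combo_status() {
    crypto_version=$1    # first line of `openssl version`
    libtls_provider=$2

    case $crypto_version in
    "LibreSSL "*)
        if [ "$libtls_provider" = libressl ]; then
            echo "ok: LibreSSL with the libtls it ships"
        else
            echo "unsupported: with LibreSSL use the libtls it ships"
            return 1
        fi ;;
    "OpenSSL 1.1."*)
        case $libtls_provider in
        bundled|libretls)
            echo "ok: OpenSSL 1.1 works with or without libretls" ;;
        *)
            echo "unsupported: libtls provider does not match OpenSSL"
            return 1 ;;
        esac ;;
    "OpenSSL 3."*)
        case $libtls_provider in
        bundled)
            echo "ok: OpenSSL 3.x with --with-bundled-libtls" ;;
        libretls)
            # libretls 3.7.0 regression: every TLS handshake fails.
            echo "broken: rebuild with --with-bundled-libtls"
            return 1 ;;
        *)
            echo "unsupported: libtls provider does not match OpenSSL"
            return 1 ;;
        esac ;;
    *)
        echo "unknown: not covered by the stated matrix"
        return 2 ;;
    esac
}

# Constructed sample inputs, not taken from the thread.
tls_combo_status "OpenSSL 3.0.9 30 May 2023" libretls || true
tls_combo_status "OpenSSL 1.1.1u  30 May 2023" libretls || true
tls_combo_status "LibreSSL 3.7.2" libressl || true
```
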



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Andi Vajda



On Tue, 6 Jun 2023, Omar Polo wrote:

> Hello,
>
> thanks for testing!
>
> Regarding the build failure when using LibreSSL, I can reproduce on
> OpenBSD: it's because the bundled libtls is meant to be used with
> OpenSSL.  I'll take a look at having it build with LibreSSL too but
> that's more a quality-check rather than a priority since LibreSSL
> already ships libtls (or it should be.)

Building with libressl was a supported configuration before. I don't think
it must necessarily be supported for this release but the valid combos of
(libtls, openssl, libressl) supported by opensmtpd must be made explicit as
the current situation is a bit confusing for the non SSL expert:

  - opensmtpd can be built with openssl 1.1.1
  - opensmtpd can be built with openssl 3.x
  - opensmtpd can be built with libressl (or could in 6.8.0p2)
  - opensmtpd bundles libtls and that must be used with openssl 3
  - libressl bundles libtls

I'm confused ;-)

> What's interesting is why the configure is not picking up libtls from
> your LibreSSL installation.  Probably you can 'force' it by setting
> CFLAGS/LDFLAGS pointing at the local libressl installation, but it
> shouldn't be necessary.  Can you please share (off-list) the
> config.log?

Mailed off-list.

> On 2023/06/05 15:20:38 -0700, Andi Vajda wrote:
> >
> > On Mon, 5 Jun 2023, Andi Vajda wrote:
> >
> > > The build succeeds but running a debug session:
> > >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> > >
> > > fails. I'm not sure how much of my debug logs is appropriate to post
> > > here but I could try to build with openssl 3 next ?
> >
> > Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf
> > is validated OK when running with -n but when I start a debug session with
> > -dv, the server starts but eventually fails but is not saying much about
> > what is failing. It looks like a child process is terminating:
> >    warn: lost child: dispatcher terminated; signal 11
> > I also tried without --with-libevent=/usr/pkg
> > (and yes, I did not forget to stop my 6.8.0p2 server first)
>
> This also shouldn't happen.  Is signal 11 SIGSEGV on NetBSD too?  Can
> you share the config.log of this configuration too and smtpd complete
> log?  Do you also get a core file?  A backtrace would be incredibly
> useful.

Yes, this is all happening on NetBSD.
I'm also mailing you the config.log for this config off-list.
I'm also mailing you the log output of my crashing smtpd off-list.

I see no coredumps locally or in /var/crash. Do you know how to get a core
file ? I have ulimit -c return 'unlimited'.
I ran smtpd in gdb to try to get a stacktrace but it's a child
process that is crashing and gdb didn't tell me much about it.

Andi..

> Thank you!
>
> Omar Polo





Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Omar Polo
Hello,

thanks for testing!

Regarding the build failure when using LibreSSL, I can reproduce on
OpenBSD: it's because the bundled libtls is meant to be used with
OpenSSL.  I'll take a look at having it build with LibreSSL too but
that's more a quality-check rather than a priority since LibreSSL
already ships libtls (or it should be.)

What's interesting is why the configure is not picking up libtls from
your LibreSSL installation.  Probably you can 'force' it by setting
CFLAGS/LDFLAGS pointing at the local libressl installation, but it
shouldn't be necessary.  Can you please share (off-list) the
config.log?

On 2023/06/05 15:20:38 -0700, Andi Vajda  wrote:
> 
> On Mon, 5 Jun 2023, Andi Vajda wrote:
> 
> > The build succeeds but running a debug session:
> >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> >
> > fails. I'm not sure how much of my debug logs is appropriate to post here
> > but I could try to build with openssl 3 next ?
> 
> Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf 
> is validated OK when running with -n but when I start a debug session with 
> -dv, the server starts but eventually fails but is not saying much about 
> what is failing. It looks like a child process is terminating:
>    warn: lost child: dispatcher terminated; signal 11
> I also tried without --with-libevent=/usr/pkg
> (and yes, I did not forget to stop my 6.8.0p2 server first)

This also shouldn't happen.  Is signal 11 SIGSEGV on NetBSD too?  Can
you share the config.log of this configuration too and smtpd complete
log?  Do you also get a core file?  A backtrace would be incredibly
useful.


Thank you!

Omar Polo