Re: Problem with Crypto - OpenSSL 1.1.0f - Linux 9.4 (stretch)
Dave,

On Thu, May 3, 2018, at 2:02 PM, Dave C wrote:
> Thanks, you solved my problem but with the path as /usr/local where I had
> installed openssl to.

Glad I could help. Since you said you were running Raspbian I assumed that you used the OpenSSL Debian packages which usually install in /usr.

> I'll probably have to stick with 5.7.3 for production for now (on Pi
> Compute Module) but seeing as you did me a favour I thought I would give
> 5.8 pre3 a spin for you. Perhaps I'm the first as I just got the release
> notice this morning.
>
> All worked fine no issues to report, basic tests of my AgentX daemon (still
> compiled against 5.7.3) works.

Appreciate the feedback. I know the dev team would like it to be tested on as many hardware/OS platforms as possible.

> > ./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
> > --disable-perl-cc-checks --without-perl-modules --with-openssl=/usr/local
> >
> > -
> > Net-SNMP configuration summary:
> > -
> > SNMP Versions Supported:1 2c 3
> > Building for: linux
> > Net-SNMP Version: 5.8.pre3
> > Network transport support: Callback Unix Alias TCP UDP TCPIPv6 UDPIPv6
> > IPv4Base SocketBase TCPBase UDPIPv4Base UDPBase IPv6Base
> > SNMPv3 Security Modules: usm
> > Agent MIB code:default_modules => snmpv3mibs mibII ucd_snmp
> > notification notification-log-mib target agent_mibs agentx disman/event
> > disman/schedule utilities host
> > MYSQL Trap Logging: unavailable
> > Embedded Perl support: disabled
> > SNMP Perl modules: disabled
> > SNMP Python modules:disabled
> > Crypto support from:crypto
> > Authentication support: MD5 SHA1 SHA512 SHA384 SHA256 SHA192
> > Encryption support: DES AES
> > Local DNSSEC validation:disabled
> > -
> >
> > root@raspberrypi:~# snmpd --version
> > NET-SNMP version: 5.8.pre3
> > Web: http://www.net-snmp.org/
> > Email: net-snmp-coders@lists.sourceforge.net
> > root@raspberrypi:~#
>
> Hello from Pi-land
>
> On Fri, May 4, 2018 at 1:17 AM, Keith Mendoza wrote:
> > Dave,
> >
> > Try adding --with-openssl=/usr in the call to configure on your raspberry
> > pi. If you're brave you can also try 5.8pre3 from
> > https://sourceforge.net/projects/net-snmp/files/net-snmp/5.8-pre-releases/
> >
> > --
> > Thanks,
> > Keith (pantherse)
> >
> > On Wed, May 2, 2018, at 7:04 PM, Dave C wrote:
> > > I'm trying to build net-snmp-5.7.3 on a raspberry pi running Raspbian 9.4
> > > stretch.
> > >
> > > The default packages are OpenSSL 1.1.0f 25 May 2017, libssl-dev
> > > 1.1.0f-3+deb9u2.
> > >
> > > I configure net-snmp like so,
> > >
> > > ./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
> > > --disable-perl-cc-checks --without-perl-modules
> > >
> > > And get this config output..
> > >
> > > > -
> > > > Net-SNMP configuration summary:
> > > > -
> > > > SNMP Versions Supported:1 2c 3
> > > > Building for: linux
> > > > Net-SNMP Version: 5.7.3
> > > > Network transport support: Callback Unix Alias TCP UDP IPv4Base
> > > > SocketBase TCPBase UDPIPv4Base UDPBase
> > > > SNMPv3 Security Modules: usm
> > > > Agent MIB code:default_modules => snmpv3mibs mibII ucd_snmp
> > > > notification notification-log-mib target agent_mibs agentx disman/event
> > > > disman/schedule utilities host
> > > > MYSQL Trap Logging: unavailable
> > > > Embedded Perl support: disabled
> > > > SNMP Perl modules: disabled
> > > > SNMP Python modules:disabled
> > > > Crypto support from:crypto/ internal ??
> > > > Authentication support: MD5 SHA1
> > > > Encryption support: DES AES
> > > > Local DNSSEC validation:disabled
> > >
> > > However make dies at this point.
> > >
> > > > /bin/bash ../libtool --mode=compile gcc -I../include -I.
> > > > -I../snmplib -fno-strict-aliasing -g -O2 -Ulinux -Dlinux=linux -c -o
> > > > keytools.lo keytools.c
> > > > libtool: compile: gcc -I../include -I. -I../snmplib -fno-strict-aliasing
> > > > -g -O2 -Ulinux -Dlinux=linux -c keytools.c -fPIC -DPIC -o .libs/keytools.o
> > > > keytools.c: In function 'generate_Ku':
> > > > keytools.c:155:25: error: dereferencing pointer to incomplete type
> > > > 'EVP_MD_CTX {aka struct evp_md_ctx_st}'
> > > > ctx = malloc(sizeof(*ctx));
> > > > ^~~~
> > > > keytools.c:265:9: warning: implicit declaration of function
> > > > 'EVP_MD_CTX_cleanup'
Re: 5.8 testing status
On Thu, 3 May 2018 14:32:40 -0400 Bill wrote:
BF> > On Wed, 2 May 2018 11:08:44 -0400 Bill wrote:
BF> > BF> I just filed
BF> > BF> https://sourceforge.net/p/net-snmp/bugs/2864/ :
BF> > BF> "clientaddr" doesn't work to set the source address for
BF> > BF> traps any more. (And given that the code path is the
BF> > BF> same, I suspect it doesn't work for client requests
BF> > BF> either). This is a regression against 5.7.3; that code
BF> > BF> has been restructured so it's not surprising that
BF> > BF> something has changed.
BF> >
BF> > I think the fix you found looks right. Does it work in your
BF> > testing?
BF>
BF> Yes, and v6 needs the same fix, and it looks like there are
BF> other calls to the address parsers that make the wrong
BF> assumption about the return value. I have an idea about adding
BF> tests for traps, so that we could test "clientaddr" and the
BF> "trapsink" family of session creations with their "-s"
BF> arguments, but I don't know how to invoke the other
BF> mechanisms. Although, maybe a unit test would be better for
BF> this, to invoke the transport creation with clientaddr set, or
BF> with session.localaddr set, or by setting ->source in the
BF> transport config, and making sure that the expected value is
BF> filled in in the returned session.

I'm probably not going to hold up rc1 for this, but fixing other address parsers' handling of the return code is something I'd vote for allowing after rc1.

Robert

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
Re: RFC: "-@" command line argument to set clientaddr per request/session
On Thu, 3 May 2018 14:29:09 -0400 Bill wrote:
BF> On Thu, May 3, 2018 at 1:07 PM, Robert Story wrote:
BF> Depends on at what level you are looking at the functionality.
BF> -@ would set session.localaddr, which is a little different
BF> than setting clientaddr.

Can you be more specific about the difference? I don't see a localaddr field in the netsnmp_session structure.

I'm inclined to say it's too late, it being the day before rc1, and it mainly being a feature for testing. I like the idea of unit tests (mentioned in another thread).

Robert
Re: Net-SNMP 5.8.pre3 available
On Thu, 3 May 2018 21:48:50 +0100 Stuart wrote:
SH> On 2018-04-27, Robert Story wrote:
SH> > We're closing in on a final release. The current plan is to
SH> > have release candidate 1 next week.
SH>
SH> Is it planned to address
SH> https://sourceforge.net/p/net-snmp/bugs/2831/ before release or
SH> are distro packagers going to need to patch the other programs
SH> to cope?

Thank you for bringing this to my attention. I will look into this.

Robert
Re: Problem with Crypto - OpenSSL 1.1.0f - Linux 9.4 (stretch)
Thanks, you solved my problem but with the path as /usr/local where I had installed openssl to.

I'll probably have to stick with 5.7.3 for production for now (on Pi Compute Module) but seeing as you did me a favour I thought I would give 5.8 pre3 a spin for you. Perhaps I'm the first as I just got the release notice this morning.

All worked fine no issues to report, basic tests of my AgentX daemon (still compiled against 5.7.3) works.

> ./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
> --disable-perl-cc-checks --without-perl-modules --with-openssl=/usr/local

> -
> Net-SNMP configuration summary:
> -
> SNMP Versions Supported:1 2c 3
> Building for: linux
> Net-SNMP Version: 5.8.pre3
> Network transport support: Callback Unix Alias TCP UDP TCPIPv6 UDPIPv6
> IPv4Base SocketBase TCPBase UDPIPv4Base UDPBase IPv6Base
> SNMPv3 Security Modules: usm
> Agent MIB code:default_modules => snmpv3mibs mibII ucd_snmp
> notification notification-log-mib target agent_mibs agentx disman/event
> disman/schedule utilities host
> MYSQL Trap Logging: unavailable
> Embedded Perl support: disabled
> SNMP Perl modules: disabled
> SNMP Python modules:disabled
> Crypto support from:crypto
> Authentication support: MD5 SHA1 SHA512 SHA384 SHA256 SHA192
> Encryption support: DES AES
> Local DNSSEC validation:disabled
> -

> root@raspberrypi:~# snmpd --version
> NET-SNMP version: 5.8.pre3
> Web: http://www.net-snmp.org/
> Email: net-snmp-coders@lists.sourceforge.net
> root@raspberrypi:~#

Hello from Pi-land

On Fri, May 4, 2018 at 1:17 AM, Keith Mendoza wrote:
> Dave,
>
> Try adding --with-openssl=/usr in the call to configure on your raspberry
> pi. If you're brave you can also try 5.8pre3 from
> https://sourceforge.net/projects/net-snmp/files/net-snmp/5.8-pre-releases/
>
> --
> Thanks,
> Keith (pantherse)
>
> On Wed, May 2, 2018, at 7:04 PM, Dave C wrote:
> > I'm trying to build net-snmp-5.7.3 on a raspberry pi running Raspbian 9.4
> > stretch.
> >
> > The default packages are OpenSSL 1.1.0f 25 May 2017, libssl-dev
> > 1.1.0f-3+deb9u2.
> >
> > I configure net-snmp like so,
> >
> > ./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
> > --disable-perl-cc-checks --without-perl-modules
> >
> > And get this config output..
> >
> > > -
> > > Net-SNMP configuration summary:
> > > -
> > > SNMP Versions Supported:1 2c 3
> > > Building for: linux
> > > Net-SNMP Version: 5.7.3
> > > Network transport support: Callback Unix Alias TCP UDP IPv4Base
> > > SocketBase TCPBase UDPIPv4Base UDPBase
> > > SNMPv3 Security Modules: usm
> > > Agent MIB code:default_modules => snmpv3mibs mibII ucd_snmp
> > > notification notification-log-mib target agent_mibs agentx disman/event
> > > disman/schedule utilities host
> > > MYSQL Trap Logging: unavailable
> > > Embedded Perl support: disabled
> > > SNMP Perl modules: disabled
> > > SNMP Python modules:disabled
> > > Crypto support from:crypto/ internal ??
> > > Authentication support: MD5 SHA1
> > > Encryption support: DES AES
> > > Local DNSSEC validation:disabled
> >
> > However make dies at this point.
> >
> > > /bin/bash ../libtool --mode=compile gcc -I../include -I.
> > > -I../snmplib -fno-strict-aliasing -g -O2 -Ulinux -Dlinux=linux -c -o
> > > keytools.lo keytools.c
> > > libtool: compile: gcc -I../include -I. -I../snmplib -fno-strict-aliasing
> > > -g -O2 -Ulinux -Dlinux=linux -c keytools.c -fPIC -DPIC -o .libs/keytools.o
> > > keytools.c: In function 'generate_Ku':
> > > keytools.c:155:25: error: dereferencing pointer to incomplete type
> > > 'EVP_MD_CTX {aka struct evp_md_ctx_st}'
> > > ctx = malloc(sizeof(*ctx));
> > > ^~~~
> > > keytools.c:265:9: warning: implicit declaration of function
> > > 'EVP_MD_CTX_cleanup' [-Wimplicit-function-declaration]
> > > EVP_MD_CTX_cleanup(ctx);
> > > ^~
> > > Makefile:98: recipe for target 'keytools.lo' failed
> > > make[1]: *** [keytools.lo] Error 1
> > > make[1]: Leaving directory '/root/net-snmp-5.7.3/snmplib'
> > > Makefile:656: recipe for target 'subdirs' failed
> > > make: *** [subdirs] Error 1
> >
> > So the first question is what's wrong with the above ?
> >
> > I have an Ubuntu box where I build net-snmp fine with crypto, it runs
> > OpenSSL 1.0.2g so I downgraded the Raspberry PI to 1.0.2o
> >
> > > apt-get
Re: Net-SNMP 5.8.pre3 available
On 2018-04-27, Robert Story wrote:
> We're closing in on a final release. The current plan is to have
> release candidate 1 next week.

Is it planned to address https://sourceforge.net/p/net-snmp/bugs/2831/ before release or are distro packagers going to need to patch the other programs to cope?

Thanks.
Re: 5.8 testing status
On Thu, May 3, 2018 at 12:53 PM, Robert Story wrote:
> On Wed, 2 May 2018 11:08:44 -0400 Bill wrote:
> BF> I just filed https://sourceforge.net/p/net-snmp/bugs/2864/ :
> BF> "clientaddr" doesn't work to set the source address for traps
> BF> any more. (And given that the code path is the same, I suspect
> BF> it doesn't work for client requests either). This is a
> BF> regression against 5.7.3; that code has been restructured so
> BF> it's not surprising that something has changed.
> BF>
> BF> I poked around a little and couldn't find a smoking gun. This
> BF> is a showstopper for my application: we can't use 5.8 as is
> BF> with this bug - but that doesn't necessarily mean that the
> BF> project can't go ahead with the release, there are other needs
> BF> than mine.
>
> I think the fix you found looks right. Does it work in your testing?

Yes, and v6 needs the same fix, and it looks like there are other calls to the address parsers that make the wrong assumption about the return value. I have an idea about adding tests for traps, so that we could test "clientaddr" and the "trapsink" family of session creations with their "-s" arguments, but I don't know how to invoke the other mechanisms. Although, maybe a unit test would be better for this, to invoke the transport creation with clientaddr set, or with session.localaddr set, or by setting ->source in the transport config, and making sure that the expected value is filled in in the returned session.

Bill
Re: RFC: "-@" command line argument to set clientaddr per request/session
On Thu, May 3, 2018 at 1:07 PM, Robert Story wrote:
> On Wed, 2 May 2018 11:49:46 -0400 Bill wrote:
> BF> Is it too late to add this? This occurs to me just because it’s
> BF> an easier way to test the transports’ support of clientaddr, by
> BF> being able to set clientaddr dynamically via the command line,
> BF> and I just noticed that this is broken in 5.8.
>
> This would duplicate functionality.. Pretty much any config option
> can be set on the command line using '--TOKEN-VALUE'. e.g.
>
>   snmpget [...] --clientaddr=192.168.1.111 [...]
>

Depends on at what level you are looking at the functionality. -@ would set session.localaddr, which is a little different than setting clientaddr. In the sense of "how does my request look" when focusing on the snmpget invocation, it's the same. In the sense of "how do I set the local source for a trapsess", it's different.

Since the v1/v2 trap sink commands have gained a "-s" argument, it might be better to call this "-s" too instead of "-@".

Bill
Re: RFC: "-@" command line argument to set clientaddr per request/session
On Wed, 2 May 2018 11:49:46 -0400 Bill wrote:
BF> Is it too late to add this? This occurs to me just because it’s
BF> an easier way to test the transports’ support of clientaddr, by
BF> being able to set clientaddr dynamically via the command line,
BF> and I just noticed that this is broken in 5.8.

This would duplicate functionality.. Pretty much any config option can be set on the command line using '--TOKEN-VALUE'. e.g.

  snmpget [...] --clientaddr=192.168.1.111 [...]

Robert
Re: 5.8 testing status
On Wed, 2 May 2018 11:08:44 -0400 Bill wrote:
BF> I just filed https://sourceforge.net/p/net-snmp/bugs/2864/ :
BF> "clientaddr" doesn't work to set the source address for traps
BF> any more. (And given that the code path is the same, I suspect
BF> it doesn't work for client requests either). This is a
BF> regression against 5.7.3; that code has been restructured so
BF> it's not surprising that something has changed.
BF>
BF> I poked around a little and couldn't find a smoking gun. This
BF> is a showstopper for my application: we can't use 5.8 as is
BF> with this bug - but that doesn't necessarily mean that the
BF> project can't go ahead with the release, there are other needs
BF> than mine.

I think the fix you found looks right. Does it work in your testing?
Re: Problem with Crypto - OpenSSL 1.1.0f - Linux 9.4 (stretch)
Dave,

Try adding --with-openssl=/usr in the call to configure on your raspberry pi. If you're brave you can also try 5.8pre3 from https://sourceforge.net/projects/net-snmp/files/net-snmp/5.8-pre-releases/

--
Thanks,
Keith (pantherse)

On Wed, May 2, 2018, at 7:04 PM, Dave C wrote:
> I'm trying to build net-snmp-5.7.3 on a raspberry pi running Raspbian 9.4
> stretch.
>
> The default packages are OpenSSL 1.1.0f 25 May 2017, libssl-dev
> 1.1.0f-3+deb9u2.
>
> I configure net-snmp like so,
>
> ./configure --with-defaults --with-ldflags=-Bstatic --disable-embedded-perl
> --disable-perl-cc-checks --without-perl-modules
>
> And get this config output..
>
> > -
> > Net-SNMP configuration summary:
> > -
> > SNMP Versions Supported:1 2c 3
> > Building for: linux
> > Net-SNMP Version: 5.7.3
> > Network transport support: Callback Unix Alias TCP UDP IPv4Base
> > SocketBase TCPBase UDPIPv4Base UDPBase
> > SNMPv3 Security Modules: usm
> > Agent MIB code:default_modules => snmpv3mibs mibII ucd_snmp
> > notification notification-log-mib target agent_mibs agentx disman/event
> > disman/schedule utilities host
> > MYSQL Trap Logging: unavailable
> > Embedded Perl support: disabled
> > SNMP Perl modules: disabled
> > SNMP Python modules:disabled
> > Crypto support from:crypto/ internal ??
> > Authentication support: MD5 SHA1
> > Encryption support: DES AES
> > Local DNSSEC validation:disabled
>
> However make dies at this point.
>
> > /bin/bash ../libtool --mode=compile gcc -I../include -I.
> > -I../snmplib -fno-strict-aliasing -g -O2 -Ulinux -Dlinux=linux -c -o
> > keytools.lo keytools.c
> > libtool: compile: gcc -I../include -I. -I../snmplib -fno-strict-aliasing
> > -g -O2 -Ulinux -Dlinux=linux -c keytools.c -fPIC -DPIC -o .libs/keytools.o
> > keytools.c: In function 'generate_Ku':
> > keytools.c:155:25: error: dereferencing pointer to incomplete type
> > 'EVP_MD_CTX {aka struct evp_md_ctx_st}'
> > ctx = malloc(sizeof(*ctx));
> > ^~~~
> > keytools.c:265:9: warning: implicit declaration of function
> > 'EVP_MD_CTX_cleanup' [-Wimplicit-function-declaration]
> > EVP_MD_CTX_cleanup(ctx);
> > ^~
> > Makefile:98: recipe for target 'keytools.lo' failed
> > make[1]: *** [keytools.lo] Error 1
> > make[1]: Leaving directory '/root/net-snmp-5.7.3/snmplib'
> > Makefile:656: recipe for target 'subdirs' failed
> > make: *** [subdirs] Error 1
>
> So the first question is what's wrong with the above ?
>
> I have an Ubuntu box where I build net-snmp fine with crypto, it runs
> OpenSSL 1.0.2g so I downgraded the Raspberry PI to 1.0.2o
>
> > apt-get remove openssl
> > apt-get remove libssl-dev
> > cd ~
> > wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
> > cd openssl...
> > ./config --prefix=/usr/local --openssldir=/usr/local/openssl shared
> > make
> > make install
> > ldconfig
> > ldd $(which openssl)
> > linux-vdso.so.1 (0x7ee91000)
> > /usr/lib/arm-linux-gnueabihf/libarmmem.so (0x76f09000)
> > libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x76ea4000)
> > libcrypto.so.1.0.0 => /usr/local/lib/libcrypto.so.1.0.0 (0x76d17000)
> > libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0x76d04000)
> > libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76bc5000)
> > /lib/ld-linux-armhf.so.3 (0x76f1f000)
>
> Everything seems fine but now the configuration summary shows only "Crypto
> support from: Internal"
>
> I looked at the configure script to see how it tests for OpenSSL support
> and replicated that
>
> > #include <openssl/ssl.h>
> >
> > char EVP_md5 ();
> > int main(int argc, char *argv[]) {
> > return EVP_md5 ();
> > ;
> > return 0;
> > }
>
> When I build that I get the following error showing that the EVP_md5 is
> accessible and the crypto library is installed.
>
> > # gcc t.c -lcrypto
> > t.c:3:6: error: conflicting types for ‘EVP_md5’
> > char EVP_md5 ();
> > ^~~
> > In file included from /usr/local/include/openssl/x509.h:73:0,
> > from /usr/local/include/openssl/ssl.h:156,
> > from t.c:1:
> > /usr/local/include/openssl/evp.h:716:15: note: previous declaration of
> > ‘EVP_md5’ was here
> > const EVP_MD *EVP_md5(void);
> > ^~~
>
> I'm not sure if that's the exact test that the configure script is doing
> but it's just not detecting
>
> I hacked the configure script to force CRYPTO="crypto" but then compilation
> fails elsewhere so I assume I actually have installed OpenSSL incorrectly.
>
> But either way I would prefer to fix the first problem above and link
> to libssl-dev
> 1.1.0f
>
> Thanks
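
The compile error quoted in this thread comes from net-snmp 5.7.3's keytools.c calling malloc(sizeof(*ctx)) on an EVP_MD_CTX, which the OpenSSL 1.1.0f headers declare only as an incomplete type, while the 1.0.2o headers installed under /usr/local still expose it. The following shell sketch is an added example, not part of the thread or of net-snmp: it reads OPENSSL_VERSION_NUMBER from the opensslv.h under each candidate --with-openssl prefix and reports which kind of headers configure would pick up. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the OpenSSL headers under a candidate
# --with-openssl prefix by whether EVP_MD_CTX is opaque (OpenSSL >= 1.1.0).

# Print the OPENSSL_VERSION_NUMBER hex literal found in
# PREFIX/include/openssl/opensslv.h; status 1 if the header is absent.
openssl_header_version() {
    hdr="$1/include/openssl/opensslv.h"
    [ -r "$hdr" ] || return 1
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_NUMBER[[:space:]]\{1,\}\(0x[0-9A-Fa-f]\{1,\}\).*/\1/p' "$hdr" | head -n 1
}

# Print "opaque" (>= 1.1.0), "legacy" (older), "missing" (no header) or
# "unknown" (the macro is not a plain hex literal).
evp_md_ctx_api() {
    ver=$(openssl_header_version "$1") || { echo missing; return 0; }
    [ -n "$ver" ] || { echo unknown; return 0; }
    # $ver is limited to 0x<hex> by the sed pattern, so arithmetic is safe.
    if [ $(($ver)) -ge $((0x10100000)) ]; then
        echo opaque
    else
        echo legacy
    fi
}

# One-line verdict for building net-snmp 5.7.3 against PREFIX.
netsnmp_573_verdict() {
    case "$(evp_md_ctx_api "$1")" in
        legacy)  echo "legacy headers: ./configure --with-openssl=$1" ;;
        opaque)  echo "opaque EVP_MD_CTX under $1: keytools.c malloc(sizeof(*ctx)) will not compile" ;;
        missing) echo "no openssl/opensslv.h under $1" ;;
        *)       echo "OPENSSL_VERSION_NUMBER under $1 is not a hex literal" ;;
    esac
}

# Constructed sample input: fake prefixes that hold only opensslv.h.
# The literals encode 1.1.0f and 1.0.2o in OpenSSL's MNNFFPPS layout.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/include/openssl" "$root/usr/local/include/openssl" "$root/opt"
    printf '# define OPENSSL_VERSION_NUMBER  0x1010006fL\n' \
        > "$root/usr/include/openssl/opensslv.h"
    printf '#define OPENSSL_VERSION_NUMBER  0x100020ffL\n' \
        > "$root/usr/local/include/openssl/opensslv.h"
    echo "$root"
}

# Demo over the constructed tree; on a real host pass /usr and /usr/local.
root=$(make_sample_tree)
for p in "$root/usr" "$root/usr/local" "$root/opt"; do
    netsnmp_573_verdict "$p"
done
rm -rf "$root"
```
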