Re: Dovecot 2.2.25 fails on SSL

2016-09-29 Thread Aki Tuomi

> On September 30, 2016 at 3:26 AM "Andreas M. Kirchwitz"  
> wrote:
> 
> 
> Joseph Tam  wrote:
> 
> >>> OK, the origin of your problem becomes clearer.  You can hardcode these
> >>> paths into the executables by doing something like
> >>>
> >>>   env CFLAGS='-I/my/ssl/include' \
> >>>   LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
> >>>   configure ...
> >>
> >> Based on your mail I've tried CFLAGS/LDFLAGS again, and
> >> now Dovecot didn't even compile any longer.
> >
> > I don't use the same OS as you, but what errors did you get?
> 
> To be exact here, it's not the compiler but the linker failing
> (of course, the whole problem is about the linking process).
> 
> With "--as-needed", the crypto/ssl libraries are not linked at all with
> the object files. I don't quite understand why it doesn't fall back to
> the system crypto/ssl libraries because they are in the default paths
> with all other libraries. (That's basically what most other software
> packages do if my custom paths for "-L" "-Wl,-R" somehow get ignored
> in the building process.)
> 
> IMHO, the unusual option "--as-needed" should be removed. There seems
> to be no benefit but it basically keeps Dovecot from being linked against
> any custom-specified library.
> 
> Maybe it's just a problem with RHEL/CentOS 6 and the GCC that ships
> with it. I'm compiling a lot of software myself and link it against
> my custom OpenSSL. Never had this problem before, otherwise I would
> have known to specify "-Wl,--no-as-needed" to reverse ld's behavior
> to the default.
> 
> Well, at least I've learned something new. :-)
> 
>   Regards, Andreas

Hi, 

The as-needed issue has been hopefully fixed in 
https://github.com/dovecot/core/commit/f49f1c5fa6a9a55a194e5ada042df134907278f4

Aki


Re: Dovecot 2.2.25 fails on SSL

2016-09-29 Thread Andreas M. Kirchwitz
Joseph Tam  wrote:

>>> OK, the origin of your problem becomes clearer.  You can hardcode these
>>> paths into the executables by doing something like
>>>
>>> env CFLAGS='-I/my/ssl/include' \
>>> LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
>>> configure ...
>>
>> Based on your mail I've tried CFLAGS/LDFLAGS again, and
>> now Dovecot didn't even compile any longer.
>
> I don't use the same OS as you, but what errors did you get?

To be exact here, it's not the compiler but the linker failing
(of course, the whole problem is about the linking process).

With "--as-needed", the crypto/ssl libraries are not linked at all with
the object files. I don't quite understand why it doesn't fall back to
the system crypto/ssl libraries because they are in the default paths
with all other libraries. (That's basically what most other software
packages do if my custom paths for "-L" "-Wl,-R" somehow get ignored
in the building process.)

IMHO, the unusual option "--as-needed" should be removed. There seems
to be no benefit but it basically keeps Dovecot from being linked against
any custom-specified library.

Maybe it's just a problem with RHEL/CentOS 6 and the GCC that ships
with it. I'm compiling a lot of software myself and link it against
my custom OpenSSL. Never had this problem before, otherwise I would
have known to specify "-Wl,--no-as-needed" to reverse ld's behavior
to the default.

Well, at least I've learned something new. :-)

Regards, Andreas


Re: Dovecot 2.2.25 fails on SSL

2016-09-19 Thread Joseph Tam

"Andreas M. Kirchwitz" writes:

>> OK, the origin of your problem becomes clearer.  You can hardcode these
>> paths into the executables by doing something like
>>
>>   env CFLAGS='-I/my/ssl/include' \
>>   LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
>>   configure ...
>
> Based on your mail I've tried CFLAGS/LDFLAGS again, and
> now Dovecot didn't even compile any longer.

I don't use the same OS as you, but what errors did you get?

Joseph Tam 


Re: Dovecot 2.2.25 fails on SSL

2016-09-19 Thread Andreas M. Kirchwitz
Joseph Tam  wrote:

>> For every program I compile myself, I link it against my custom
>> OpenSSL library (always newest version; distributions usually tend
>> to stick with a specific version and only apply security fixes).
>
> OK, the origin of your problem becomes clearer.  You can hardcode these
> paths into the executables by doing something like
>
>   env CFLAGS='-I/my/ssl/include' \
>   LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
>   configure ...

Yes, exactly, that's my usual approach. I've used this as well
for building other software with custom libraries.

Unfortunately, I remember CFLAGS/LDFLAGS didn't play well with
Dovecot, so I used SSL_CFLAGS/SSL_LIBS as suggested by the
documentation and that worked well.

> I use this myself (except the -Wl part since these libs are
> symlinked to my shared library path).  I think "-R/my/ssl/lib"
> might also be synonymous with -Wl,...

Based on your mail I've tried CFLAGS/LDFLAGS again, and
now Dovecot didn't even compile any longer.

I was close to giving up. But obviously, I didn't ... :-)

After some investigation I found the non-default linker option
"-Wl,--as-needed" as the problem, which is enabled by Dovecot for
unknown reasons.

Finally, this call to "configure" generates proper Makefile files
to build Dovecot with a custom SSL library:

env CPPFLAGS="-I/usr/local/ssl/include" \
    LDFLAGS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib" \
    LIBS="-Wl,--no-as-needed -lcrypto -lssl" \
    SSL_CFLAGS="-I/usr/local/ssl/include" \
    SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -Wl,--no-as-needed -lcrypto -lssl" \
    ./configure --prefix=/usr/local/dovecot --with-ssl=openssl

(chances are that SSL_CFLAGS/SSL_LIBS could be removed completely
but it won't hurt)

I've read the section in the "ld" manual but still don't understand
why Dovecot enables --as-needed (never seen that before with other
software) and why it's such a big problem. But I'm no expert here.

> I don't have that problem -- I use configure to tell dovecot where to find
> my self-compiled openssl, and the resulting executables load from where I
> want.

Thanks for pointing me at the proper direction again.
Now Dovecot 2.2.25 compiles for me with a custom SSL.

I understand that this issue might not have a high priority but maybe
one of the developers could check if "--as-needed" is really needed
(as it confuses people who try to use custom libraries) and what's
the deeper meaning of SSL_CFLAGS/SSL_LIBS.

My system is a regular CentOS 6 (latest sub-release with all patches),
nothing special except for a custom SSL installation.

Greetings, Andreas


Re: Dovecot 2.2.25 fails on SSL

2016-09-08 Thread Joseph Tam

Andreas M. Kirchwitz writes:

>> You can also affect where shared libraries are loaded using the
>> LD_LIBRARY_PATH environment variable.  Try adding
>>
>>   LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH
>>
>> to your service boot scripts.
>
> Thanks for the advice. It's fine for temporarily working around
> problems (like this one, so you're absolutely right :-)
>
> However, no program should require that for regular use because
> you never know exactly if somebody in the chain of executed code
> removes certain environment variables. And also the opposite way,
> if Dovecot runs external programs, those might not play well
> with an existing LD_LIBRARY_PATH and incompatible SSL libraries.

Sure, I understand this, but it's handy in lots of cases where you
need to load from an alternate location.  Not everyone has access
to resources to recompile.

> For every program I compile myself, I link it against my custom
> OpenSSL library (always newest version; distributions usually tend
> to stick with a specific version and only apply security fixes).

OK, the origin of your problem becomes clearer.  You can hardcode these
paths into the executables by doing something like

  env CFLAGS='-I/my/ssl/include' \
  LDFLAGS='-L/your/ssl/lib -Wl,-rpath,/my/ssl/lib' \
  configure ...

I use this myself (except the -Wl part since these libs are
symlinked to my shared library path).  I think "-R/my/ssl/lib"
might also be synonymous with -Wl,...

> Dovecot is the only package I know of where there are like a thousand
> places to put additional libs in the Makefile.am files, but most of
> them are totally ignored by configure.

I don't have that problem -- I use configure to tell dovecot where to find
my self-compiled openssl, and the resulting executables load from where I
want.

Joseph Tam 


Re: Dovecot 2.2.25 fails on SSL

2016-09-05 Thread Edgar Pettijohn
Do you have multiple OpenSSL's installed?

Sent from my iPhone

> On Sep 5, 2016, at 10:38 PM, Michael A. Peters  wrote:
> 
> 
> 
>> On 09/02/2016 12:50 PM, Joseph Tam wrote:
>> Aki Tuomi wrote:
>> 
>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>> linux-gate.so.1 =>  (0x00dca000)
>> libcrypto.so.1.0.0 => not found
>> ...
>>> 
>>> Well, then it leaves only the option of using /etc/ld.so.conf
>>> so basically add your libssl location there.
>> 
>> You can also affect where shared libraries are loaded using the
>> LD_LIBRARY_PATH environment variable.  Try adding
>> 
>>   LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH
>> 
>> to your service boot scripts.
> 
> would an rpath solve the problem?
> 
> I believe chrpath command can probably be used to set the rpath if it isn't 
> set at compile time.


Re: Dovecot 2.2.25 fails on SSL

2016-09-05 Thread Michael A. Peters



On 09/02/2016 12:50 PM, Joseph Tam wrote:
> Aki Tuomi wrote:
>
>>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>>> linux-gate.so.1 =>  (0x00dca000)
>>> libcrypto.so.1.0.0 => not found
>>> ...
>>
>> Well, then it leaves only the option of using /etc/ld.so.conf
>> so basically add your libssl location there.
>
> You can also affect where shared libraries are loaded using the
> LD_LIBRARY_PATH environment variable.  Try adding
>
>   LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH
>
> to your service boot scripts.

would an rpath solve the problem?

I believe chrpath command can probably be used to set the rpath if it
isn't set at compile time.


Re: Dovecot 2.2.25 fails on SSL

2016-09-05 Thread Andreas M. Kirchwitz
Joseph Tam  wrote:

> You can also affect where shared libraries are loaded using the
> LD_LIBRARY_PATH environment variable.  Try adding
>
>   LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH
>
> to your service boot scripts.

Thanks for the advice. It's fine for temporarily working around
problems (like this one, so you're absolutely right :-)

However, no program should require that for regular use because
you never know exactly if somebody in the chain of executed code
removes certain environment variables. And also the opposite way,
if Dovecot runs external programs, those might not play well
with an existing LD_LIBRARY_PATH and incompatible SSL libraries.

For every program I compile myself, I link it against my custom
OpenSSL library (always newest version; distributions usually tend
to stick with a specific version and only apply security fixes).
For most packages (eg, Exim, Apache HTTP, BIND, INN, OpenSSH,
Mutt, wget etc.) it's pretty straightforward. Even if not, usually
I can find a quick solution myself.

Dovecot is the only package I know of where there are like a thousand
places to put additional libs in the Makefile.am files, but most of
them are totally ignored by configure. And even if I modify the
Makefile files after configure, again most of the additional options
get ignored. Never seen it that complicated.

As Dovecot is my favorite IMAP daemon, there's no way I'm giving up. :-)

I'm totally confident that the developers will find a good solution.
And I'm happy to test every patch they come up with.

Greetings, Andreas  


Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Joseph Tam

Aki Tuomi wrote:

>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>> linux-gate.so.1 =>  (0x00dca000)
>> libcrypto.so.1.0.0 => not found
>> ...
>
> Well, then it leaves only the option of using /etc/ld.so.conf
> so basically add your libssl location there.

You can also affect where shared libraries are loaded using the
LD_LIBRARY_PATH environment variable.  Try adding

  LD_LIBRARY_PATH=/location/of/libdir; export LD_LIBRARY_PATH

to your service boot scripts.

Joseph Tam 


Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Andreas M. Kirchwitz
Aki Tuomi  wrote:

> Well, then it leaves only the option of using /etc/ld.so.conf
> so basically add your libssl location there.

That's not a working solution and not the purpose of /etc/ld.so.conf.

Currently, this is a real-life security issue in Dovecot 2.2.25,
because it compiles fine but then - to the user - silently fails
to use SSL. The user who doesn't know better reconfigures his
client and all security is gone. :-(

Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be
made to work. The question is just where to add the proper options,
or maybe "configure" is broken in some way.

I'm happy to try out more patches until the proper solution is
found. I've already tried adding SSL libs in various locations
during the build process but it has always the same result
that it never gets past "configure".

Greetings, Andreas
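
Because the failure discussed in this thread is silent at build and start time and only appears when a client connects, a post-install check of the plugin directory catches it earlier. The script below is an added example, not part of the original thread and not Dovecot code; the function names and the sample readelf lines are assumptions made for illustration, and the sample ldd text is the output posted in the thread.

```shell
#!/bin/sh
# Added example, not Dovecot code: fail a deployment when a freshly
# installed plugin has dependencies the dynamic loader cannot resolve.

# Read `ldd` output on stdin; print each soname reported as "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read `readelf -d` output on stdin; print one RPATH/RUNPATH directory
# per line (empty output means no search path was embedded at link time).
runpath_dirs() {
    awk '/\((RPATH|RUNPATH)\)/ {
        if (match($0, /\[.*\]/)) print substr($0, RSTART + 1, RLENGTH - 2)
    }' | tr ':' '\n'
}

# Check every *.so in a directory; return 1 if any has unresolved libraries.
# Only run ldd on objects you built yourself.
check_plugins() {
    dir=$1
    status=0
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue
        missing=$(ldd "$so" 2>/dev/null | missing_libs | tr '\n' ' ')
        [ -n "$missing" ] || continue
        status=1
        paths=$(readelf -d "$so" 2>/dev/null | runpath_dirs | tr '\n' ' ')
        printf 'FAIL %s\n  unresolved: %s\n  rpath/runpath: %s\n' \
            "$so" "$missing" "${paths:-(none)}"
    done
    return "$status"
}

# ldd output for libssl_iostream_openssl.so as posted in the thread.
sample_ldd() {
    cat <<'EOF'
linux-gate.so.1 =>  (0x00e8c000)
libcrypto.so.1.0.0 => not found
libssl.so.1.0.0 => not found
librt.so.1 => /lib/librt.so.1 (0x00be4000)
libc.so.6 => /lib/libc.so.6 (0x001a6000)
libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
/lib/ld-linux.so.2 (0x007e7000)
EOF
}

# Constructed `readelf -d` lines for a correctly linked plugin.
sample_readelf() {
    cat <<'EOF'
 0x00000001 (NEEDED)   Shared library: [libcrypto.so.1.0.0]
 0x0000001d (RUNPATH)  Library runpath: [/usr/local/ssl/lib:/usr/local/lib]
EOF
}

# Usage: sh check-plugins.sh /usr/local/Dovecot-2.2.25/lib/dovecot
if [ "$#" -gt 0 ]; then
    check_plugins "$1"
    exit $?
fi
```

Run it against the installed plugin directory after "make install"; a non-zero exit status means at least one plugin would fail in dlopen() at connection time.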


Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Aki Tuomi

> On September 2, 2016 at 5:35 PM "Andreas M. Kirchwitz"  
> wrote:
> 
> 
> Aki Tuomi  wrote:
> 
> > Well, then it leaves only the option of using /etc/ld.so.conf
> > so basically add your libssl location there.
> 
> That's not a working solution and not the purpose of /etc/ld.so.conf.
> 
> Currently, this is a real-life security issue in Dovecot 2.2.25,
> because it compiles fine but then - to the user - silently fails
> to use SSL. The user who doesn't know better reconfigures his
> client and all security is gone. :-(
> 
> Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be
> made to work. The question is just where to add the proper options,
> or maybe "configure" is broken in some way.
> 
> I'm happy to try out more patches until the proper solution is
> found. I've already tried adding SSL libs in various locations
> during the build process but it has always the same result
> that it never gets past "configure".
> 
>   Greetings, Andreas

I tried various ways but wasn't able to get it to work. I can see if it can be 
fixed but it can take a while.

Aki


Re: Dovecot 2.2.25 fails on SSL

2016-09-02 Thread Aki Tuomi

> On September 2, 2016 at 4:56 AM "Andreas M. Kirchwitz"  
> wrote:
> 
> 
> Aki Tuomi  wrote:
> 
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> >> linux-gate.so.1 =>  (0x00e8c000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00be4000)
> >> libc.so.6 => /lib/libc.so.6 (0x001a6000)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> >> /lib/ld-linux.so.2 (0x007e7000)
> >>
> >> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> >> linux-gate.so.1 =>  (0x00dca000)
> >> libcrypto.so.1.0.0 => not found
> >> libssl.so.1.0.0 => not found
> >> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> >> libc.so.6 => /lib/libc.so.6 (0x0016)
> >> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> >> /lib/ld-linux.so.2 (0x0056)
> >>
> >> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
> >> with the newly introduced dcrypt stuff something with SSL went wrong.
> >>
> >> Would be great if that could be fixed so that SSL works again.
> >
> > Can you try the attached patch out?
> 
> Sorry for the late answer. (Away from computers. :-)
> 
> Tried the attached patch, applies fine, compiles fine,
> but the ssl/crypto libraries are still not found.
> 
> The additional "$(SSL_LIBS)" in both "Makefile.am" files
> doesn't properly make it into the resulting "Makefile" files.
> After "configure" is done, the resulting "Makefile" files are
> exactly the same in the original 2.2.25 version and patched
> 2.2.25 version (I guess they *should* contain the additional
> SSL libraries somewhere).
> 
> Just let me know if there's more I can try (no longer away
> from computers, so response time is faster :-)
> 
>   Sorry for the bad news ... Andreas

Well, then it leaves only the option of using /etc/ld.so.conf
so basically add your libssl location there.

Aki


Re: Dovecot 2.2.25 fails on SSL

2016-09-01 Thread Andreas M. Kirchwitz
Aki Tuomi  wrote:

>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
>> linux-gate.so.1 =>  (0x00e8c000)
>> libcrypto.so.1.0.0 => not found
>> libssl.so.1.0.0 => not found
>> librt.so.1 => /lib/librt.so.1 (0x00be4000)
>> libc.so.6 => /lib/libc.so.6 (0x001a6000)
>> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
>> /lib/ld-linux.so.2 (0x007e7000)
>>
>> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>> linux-gate.so.1 =>  (0x00dca000)
>> libcrypto.so.1.0.0 => not found
>> libssl.so.1.0.0 => not found
>> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
>> libc.so.6 => /lib/libc.so.6 (0x0016)
>> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
>> /lib/ld-linux.so.2 (0x0056)
>>
>> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
>> with the newly introduced dcrypt stuff something with SSL went wrong.
>>
>> Would be great if that could be fixed so that SSL works again.
>
> Can you try the attached patch out?

Sorry for the late answer. (Away from computers. :-)

Tried the attached patch, applies fine, compiles fine,
but the ssl/crypto libraries are still not found.

The additional "$(SSL_LIBS)" in both "Makefile.am" files
doesn't properly make it into the resulting "Makefile" files.
After "configure" is done, the resulting "Makefile" files are
exactly the same in the original 2.2.25 version and patched
2.2.25 version (I guess they *should* contain the additional
SSL libraries somewhere).

Just let me know if there's more I can try (no longer away
from computers, so response time is faster :-)

Sorry for the bad news ... Andreas


Re: Dovecot 2.2.25 fails on SSL

2016-08-08 Thread Aki Tuomi


On 04.07.2016 02:42, Andreas M. Kirchwitz wrote:
>   Dear Dovecot developers!
>
> This problem already existed some years ago, has been fixed,
> and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
>
> I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl
> Therefore, Dovecot is configured like this:
>
> env SSL_CFLAGS="-I/usr/local/ssl/include" \
>     SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" \
>     ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl \
>     --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
>
> With "pkg-config", the same options for SSL are provided.
>
> "make" and "make install" run just fine, and the daemon starts
> without any errors. However, if a user connects on port 993 (IMAPS),
> Dovecot logs this failure message to syslog:
>
> Jul  4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required 
> plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: 
> dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such 
> file or directory
> Jul  4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with 
> status 22784
>
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> linux-gate.so.1 =>  (0x00e8c000)
> libcrypto.so.1.0.0 => not found
> libssl.so.1.0.0 => not found
> librt.so.1 => /lib/librt.so.1 (0x00be4000)
> libc.so.6 => /lib/libc.so.6 (0x001a6000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> /lib/ld-linux.so.2 (0x007e7000)
>
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> linux-gate.so.1 =>  (0x00dca000)
> libcrypto.so.1.0.0 => not found
> libssl.so.1.0.0 => not found
> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> libc.so.6 => /lib/libc.so.6 (0x0016)
> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> /lib/ld-linux.so.2 (0x0056)
>
> When comparing to Dovecot 2.2.24:
>
> ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so
> linux-gate.so.1 =>  (0x0073d000)
> libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000)
> libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000)
> librt.so.1 => /lib/librt.so.1 (0x00a6)
> libc.so.6 => /lib/libc.so.6 (0x001e5000)
> libdl.so.2 => /lib/libdl.so.2 (0x003a9000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x009d)
> /lib/ld-linux.so.2 (0x00d77000)
>
> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
> with the newly introduced dcrypt stuff something with SSL went wrong.
>
> Would be great if that could be fixed so that SSL works again.
>
>   Thanks a lot in advance ... Andreas

Hi!

Can you try the attached patch out?

---
Aki Tuomi
Dovecot oy
From e20fab54f9ff0aa220a8147d82497606788f Mon Sep 17 00:00:00 2001
From: Aki Tuomi 
Date: Mon, 8 Aug 2016 15:31:50 +0300
Subject: [PATCH] OpenSSL: link against OpenSSL libs explicitly

---
 src/lib-dcrypt/Makefile.am   | 1 +
 src/lib-ssl-iostream/Makefile.am | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib-dcrypt/Makefile.am b/src/lib-dcrypt/Makefile.am
index 62c4625..fefb3ed 100644
--- a/src/lib-dcrypt/Makefile.am
+++ b/src/lib-dcrypt/Makefile.am
@@ -18,6 +18,7 @@ if BUILD_OPENSSL
 pkglib_LTLIBRARIES += libdcrypt_openssl.la
 libdcrypt_openssl_la_SOURCES = dcrypt-openssl.c dcrypt.c
 libdcrypt_openssl_la_LDFLAGS = -module -avoid-version -shared ../lib-ssl-iostream/libdovecot_openssl_common.la ../lib/liblib.la
+libdcrypt_openssl_la_LIBADD = $(SSL_LIBS)
 libdcrypt_openssl_la_DEPENDENCIES = ../lib-ssl-iostream/libdovecot_openssl_common.la ../lib/liblib.la
 libdcrypt_openssl_la_CFLAGS = $(AM_CPPFLAGS) \
 	-DDCRYPT_MODULE_DIR=\"$(pkglibdir)\"
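Review bot: The added `libdcrypt_openssl_la_LIBADD = $(SSL_LIBS)` line puts the OpenSSL libraries in LIBADD while the two libtool archives this module depends on (`../lib-ssl-iostream/libdovecot_openssl_common.la` and `../lib/liblib.la`) stay in `libdcrypt_openssl_la_LDFLAGS` on the line above. Automake places LDFLAGS before the object files on the link line and LIBADD after them, so the module's library dependencies now sit on both sides of the objects, and link order matters when the linker only records libraries it needs at the point it sees them. Suggest moving both .la entries out of LDFLAGS into LIBADD, ahead of `$(SSL_LIBS)`, so that all libraries follow the objects in one place.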
diff --git a/src/lib-ssl-iostream/Makefile.am b/src/lib-ssl-iostream/Makefile.am
index 769de87..86555d5 100644
--- a/src/lib-ssl-iostream/Makefile.am
+++ b/src/lib-ssl-iostream/Makefile.am
@@ -16,7 +16,7 @@ libdovecot_openssl_common_la_SOURCES = \
 	dovecot-openssl-common.c
 
 libssl_iostream_openssl_la_LDFLAGS = -module -avoid-version
-libssl_iostream_openssl_la_LIBADD = libdovecot_openssl_common.la
+libssl_iostream_openssl_la_LIBADD = libdovecot_openssl_common.la $(SSL_LIBS)
 libssl_iostream_openssl_la_SOURCES = \
 	iostream-openssl.c \
 	iostream-openssl-common.c \
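Review bot: The `$(SSL_LIBS)` appended to `libssl_iostream_openssl_la_LIBADD` here, like the line added in the first hunk, changes only a `Makefile.am`, and the commit message has no body saying how to build or verify the result. `Makefile.am` is input to automake, so the change takes effect only once `Makefile.in` has been regenerated; please state in the commit message or the mail that testers need to rerun autoreconf before `./configure`. It would also help to say how the fix was checked, for example that `ldd` on the built `libssl_iostream_openssl.so` resolves libssl and libcrypto.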
-- 
2.1.4



Re: Dovecot 2.2.25 fails on SSL

2016-07-11 Thread Aki Tuomi


On 04.07.2016 02:42, Andreas M. Kirchwitz wrote:
>   Dear Dovecot developers!
>
> This problem already existed some years ago, has been fixed,
> and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
>
> I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl
> Therefore, Dovecot is configured like this:
>
> env SSL_CFLAGS="-I/usr/local/ssl/include" \
>     SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" \
>     ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl \
>     --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
>
> With "pkg-config", the same options for SSL are provided.
>
> "make" and "make install" run just fine, and the daemon starts
> without any errors. However, if a user connects on port 993 (IMAPS),
> Dovecot logs this failure message to syslog:
>
> Jul  4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required 
> plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: 
> dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such 
> file or directory
> Jul  4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with 
> status 22784
>
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> linux-gate.so.1 =>  (0x00e8c000)
> libcrypto.so.1.0.0 => not found
> libssl.so.1.0.0 => not found
> librt.so.1 => /lib/librt.so.1 (0x00be4000)
> libc.so.6 => /lib/libc.so.6 (0x001a6000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> /lib/ld-linux.so.2 (0x007e7000)
>
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> linux-gate.so.1 =>  (0x00dca000)
> libcrypto.so.1.0.0 => not found
> libssl.so.1.0.0 => not found
> librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> libc.so.6 => /lib/libc.so.6 (0x0016)
> libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> /lib/ld-linux.so.2 (0x0056)
>
> When comparing to Dovecot 2.2.24:
>
> ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so
> linux-gate.so.1 =>  (0x0073d000)
> libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000)
> libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000)
> librt.so.1 => /lib/librt.so.1 (0x00a6)
> libc.so.6 => /lib/libc.so.6 (0x001e5000)
> libdl.so.2 => /lib/libdl.so.2 (0x003a9000)
> libpthread.so.0 => /lib/libpthread.so.0 (0x009d)
> /lib/ld-linux.so.2 (0x00d77000)
>
> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess
> with the newly introduced dcrypt stuff something with SSL went wrong.
>
> Would be great if that could be fixed so that SSL works again.
>
>   Thanks a lot in advance ... Andreas

Hi!

Thank you for your report, we'll look into it!

---
Aki Tuomi
Dovecot oy