Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 11:30, Gilles Chehade wrote:

> OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
> solved by itself soon ;-)


Unfortunately not for CentOS 7. :D

They have a policy of not making major version upgrades during the 
lifecycle of an OS version. :(


Suspect I'll have to look at migrating everything to CentOS 8 when that
comes out.


Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Gilles Chehade
On Wed, Aug 28, 2019 at 10:55:05AM +0300, Reio Remma wrote:
> On 28/08/2019 10:44, gil...@poolp.org wrote:
> > 28 August 2019 00:00 "Reio Remma" wrote:
> > 
> > > On 27.08.2019 21:25, Richard Narron wrote:
> > > 
> > > > The OpenSMTPD portable version from 
> > > > https://github.com/OpenSMTPD/OpenSMTPD
> > > > works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> > > > It took me a while to get it to work though.
> > > > I first downloaded the "current" portable version from
> > > > https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> > > > And I got errors very similar to those of Denis Fateyev on Fedora 30.
> > > > Next I downloaded the portable version from github.com
> > > > and found that autoconf had not been run and this was no good.
> > > > Finally I discovered the post on the mailing list which mentioned the
> > > > "bootstrap" script and then I was able to download and build the 
> > > > portable
> > > > version from git.
> > > > The code shows version "6.6.0-portable".
> > > > It runs fine on Slackware64 current and I'm happy that it now works with
> > > > OpenSSL 1.1
> > > > Regards,
> > > > Richard Narron
> > > Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> > > 
> > > Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a
> > > is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD?
> > > I ended up using these (and -pthreads -ldl) and managed to build an RPM
> > > based on 6.0.3 RPM from CentOS 7.
> > > 
> > I don't know about the -l:lib notation sorry
> > 
> > Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
> > This means that when an issue hits OpenSSL, updating OpenSSL and restarting
> > the daemon will not be enough to be back on track.
> > 
> > In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
> > multi-threaded.
> 
> Hello!
> 
> CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c
> compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine
> with CentOS 7's old OpenSSL version.
> 
> I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL
> libraries. Without these I ran into errors hinting at threads and dl.
> 
> I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on a
> production machine. :)
> 

Understood !

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 10:44, gil...@poolp.org wrote:

> 28 August 2019 00:00 "Reio Remma" wrote:
> 
> > On 27.08.2019 21:25, Richard Narron wrote:
> > 
> > > The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
> > > works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> > > It took me a while to get it to work though.
> > > I first downloaded the "current" portable version from
> > > https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> > > And I got errors very similar to those of Denis Fateyev on Fedora 30.
> > > Next I downloaded the portable version from github.com
> > > and found that autoconf had not been run and this was no good.
> > > Finally I discovered the post on the mailing list which mentioned the
> > > "bootstrap" script and then I was able to download and build the portable
> > > version from git.
> > > The code shows version "6.6.0-portable".
> > > It runs fine on Slackware64 current and I'm happy that it now works with
> > > OpenSSL 1.1
> > > Regards,
> > > Richard Narron
> > 
> > Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> > 
> > Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a
> > is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD?
> > I ended up using these (and -pthreads -ldl) and managed to build an RPM
> > based on 6.0.3 RPM from CentOS 7.
> 
> I don't know about the -l:lib notation sorry
> 
> Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
> This means that when an issue hits OpenSSL, updating OpenSSL and restarting
> the daemon will not be enough to be back on track.
> 
> In addition, I'm not sure why you need -pthreads because OpenSMTPD is not
> multi-threaded.


Hello!

CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c 
compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine 
with CentOS 7's old OpenSSL version.


I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL 
libraries. Without these I ran into errors hinting at threads and dl.


I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on 
a production machine. :)


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread gilles
28 August 2019 00:00 "Reio Remma" wrote:

> On 27.08.2019 21:25, Richard Narron wrote:
> 
>> The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
>> works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
>> It took me a while to get it to work though.
>> I first downloaded the "current" portable version from
>> https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
>> And I got errors very similar to those of Denis Fateyev on Fedora 30.
>> Next I downloaded the portable version from github.com
>> and found that autoconf had not been run and this was no good.
>> Finally I discovered the post on the mailing list which mentioned the
>> "bootstrap" script and then I was able to download and build the portable
>> version from git.
>> The code shows version "6.6.0-portable".
>> It runs fine on Slackware64 current and I'm happy that it now works with
>> OpenSSL 1.1
>> Regards,
>> Richard Narron
> 
> Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> 
> Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a
> is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD?
> I ended up using these (and -pthreads -ldl) and managed to build an RPM
> based on 6.0.3 RPM from CentOS 7.
> 

I don't know about the -l:lib notation sorry

Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
This means that when an issue hits OpenSSL, updating OpenSSL and restarting
the daemon will not be enough to be back on track.

In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
multi-threaded.



> The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 1.0.2k
> and OpenSMTPD started too:
> 
> Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable starting
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check result="success"
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from= to= rcpt=<-> source="192.168.1.142" relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12s result="Ok" stat="250 2.0.0 OK 1566942607 w6si428635lfk.121 - gsmtp"
> 
> More testing will have to wait until tomorrow. :)
> 
> Good luck,
> Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread gilles
Hello,

27 August 2019 20:25 "Richard Narron" wrote:

> The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
> works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> 

Yay !


> It took me a while to get it to work though.
> 
> I first downloaded the "current" portable version from
> https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> 
> And I got errors very similar to those of Denis Fateyev on Fedora 30.
> 

Yes, our latest release was not OpenSSL 1.1 compatible, the next one which
will happen in October will be.


> Next I downloaded the portable version from github.com
> and found that autoconf had not been run and this was no good.
> 
> Finally I discovered the post on the mailing list which mentioned the
> "bootstrap" script and then I was able to download and build the portable
> version from git.
> 

That's because this is the development branch, we run the bootstrap script
when we perform a release.

In October, all you'll have to do is download the tarball from the website,
like you did with 6.4.2p1, and it will work for OpenSSL 1.1


> The code shows version "6.6.0-portable".
> 
> It runs fine on Slackware64 current and I'm happy that it now works with
> OpenSSL 1.1
> 

Neat



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 01:00, Reio Remma wrote:
> The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH
> 1.0.2k and OpenSMTPD started too:
> 
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from= to= rcpt=<-> source="192.168.1.142" relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12s result="Ok" stat="250 2.0.0 OK 1566942607 w6si428635lfk.121 - gsmtp"


Funnily this sole test e-mail managed to get us Spamhaus banned due to 
using localhost.localdomain. :D


Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Reio Remma

On 27.08.2019 21:25, Richard Narron wrote:

> The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
> works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> 
> It took me a while to get it to work though.
> 
> I first downloaded the "current" portable version from
> https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> 
> And I got errors very similar to those of Denis Fateyev on Fedora 30.
> 
> Next I downloaded the portable version from github.com
> and found that autoconf had not been run and this was no good.
> 
> Finally I discovered the post on the mailing list which mentioned the
> "bootstrap" script and then I was able to download and build the portable
> version from git.
> 
> The code shows version "6.6.0-portable".
> 
> It runs fine on Slackware64 current and I'm happy that it now works with
> OpenSSL 1.1
> 
> Regards,
> Richard Narron


Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing -lcrypto -lssl to -l:libssl.a -l:libcrypto.a
is the correct way to get OpenSSL 1.1.1c statically compiled into OpenSMTPD?
I ended up using these (and -pthreads -ldl) and managed to build an RPM
based on 6.0.3 RPM from CentOS 7.


The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:


Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable starting
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check result="success"
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f from= to= rcpt=<-> source="192.168.1.142" relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12s result="Ok" stat="250 2.0.0 OK 1566942607 w6si428635lfk.121 - gsmtp"

More testing will have to wait until tomorrow. :)

Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Richard Narron
The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2

It took me a while to get it to work though.

I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz

And I got errors very similar to those of Denis Fateyev on Fedora 30.

Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.

Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.

The code shows version "6.6.0-portable".

It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1

Regards,
Richard Narron




Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-20 Thread Gilles Chehade
On Fri, Aug 16, 2019 at 03:38:43AM +0600, Denis Fateyev wrote:
> Hello Gilles,
> 
> You are right, I tried "opensmtpd-6.4.2p1.tar.gz" release for some reasons,
> and it was failing to build.
> 
> The latest checkout from portable branch is fine, and doesn't bring any
> build issues anymore, it's great!
> I will test it for a while with some use cases.
> 
> 
> Out of curiosity, I have also tried it with openssl-1.0.2k (RHEL7) , and as
> expected it's failing.
> Mostly related to RSA methods. Just to note:
> https://kojipkgs.fedoraproject.org//work/tasks/2547/37062547/build.log
> 

yeah, the problem is described here:

https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/


long story short, the same code can't build for both 1.0.z and 1.1.z, to
support both requires using two different APIs.

it is technically doable but 1.0.z will be EOL a month or so after we'll
release our next major version so the work isn't worth it.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-15 Thread Gilles Chehade
Hu, this doesn't look like latest checkout from portable, can you double
check ?

On Wed, 14 Aug 2019 at 22:17, Denis Fateyev wrote:

> Hello Gilles,
>
> Tried to rebuild on Fedora 30, but got compile errors (providing below
> with warnings in case if you find them useful):
> --- < cut here > ---
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
> './'`../../smtpd/ca.c
> ../../smtpd/aliases.c: In function 'aliases_get':
> ../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
> [-Wunused-but-set-variable]
>56 |  struct table*userbase = NULL;
>   |   ^~~~
> ../../smtpd/aliases.c: In function 'aliases_virtual_get':
> ../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not
> used [-Wunused-but-set-variable]
>   114 |  struct table*userbase = NULL;
>   |   ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-compress_backend.o `test -f
> '../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>   |   ^~
> ../../smtpd/ca.c: At top level:
> ../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
> incomplete type
>   307 | static RSA_METHOD rsae_method = {
>   | ^~
> ../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
>   308 |  "RSA privsep engine",
>   |  ^~~~
> ../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
>   309 |  rsae_pub_enc,
>   |  ^~~~
> ../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
>   310 |  rsae_pub_dec,
>   |  ^~~~
> ../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
>   311 |  rsae_priv_enc,
>   |  ^
> ../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
>   312 |  rsae_priv_dec,
>   |  ^
> ../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
>   313 |  rsae_mod_exp,
>   |  ^~~~
> ../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
>   314 |  rsae_bn_mod_exp,
>   |  ^~~
> ../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_meth

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/14/19 3:43 PM, Harald Dunkel wrote:
> 
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
> 
> ||/ Name                 Version            Architecture Description
> +++-====================-==================-============-==============================================
> ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
> ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
> ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
> ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
> ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
> ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
> ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
> ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
> ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime
> 

PS: compiler version:

{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19' 
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-8 
--program-prefix=x86_64-linux-gnu-
--enable-shared --enable-linker-build-id --libexecdir=/usr/lib 
--without-included-gettext --enable-threads=posix --libdir=/usr/lib 
--enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug 
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new 
--enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie 
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto 
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
>
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>

This can be fixed in "smtpd/ca.c" with:
- *errstr = X509_verify_cert_error_string(xsc->error);
+ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));
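Review bot: the accessor is the right fix and needs no version guard: X509_STORE_CTX_get_error() has been in the public API since the 0.9.x days and exists in LibreSSL, so this one-liner builds against 1.0.2k, 1.1.1c and LibreSSL alike. The rsae_method error at ca.c:307 is the same class of problem (RSA_METHOD is opaque in 1.1 too) but has no single-line answer: the aggregate initializer has to become an RSA_meth_new() call followed by RSA_meth_set_pub_enc() through RSA_meth_set_finish(), and since 1.0.2 lacks those functions, supporting both series means carrying compat definitions of them, which is the shape of the patch you recall.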

As for the rsae-specific part, it should be more complicated.
I remember an old openssl-1.1.x compat patch, where RSA methods were
explicitly defined.

---
wbr, Denis.


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
Hello Gilles,

Tried to rebuild on Fedora 30, but got compile errors (providing below with
warnings in case if you find them useful):
--- < cut here > ---
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
'./'`../../smtpd/ca.c
../../smtpd/aliases.c: In function 'aliases_get':
../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
   56 |  struct table*userbase = NULL;
  |   ^~~~
../../smtpd/aliases.c: In function 'aliases_virtual_get':
../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
  114 |  struct table*userbase = NULL;
  |   ^~~~
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-compress_backend.o `test -f
'../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
../../smtpd/ca.c: In function 'ca_X509_verify':
../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
  204 |*errstr = X509_verify_cert_error_string(xsc->error);
  |   ^~
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
incomplete type
  307 | static RSA_METHOD rsae_method = {
  | ^~
../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
  308 |  "RSA privsep engine",
  |  ^~~~
../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
  309 |  rsae_pub_enc,
  |  ^~~~
../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
  310 |  rsae_pub_dec,
  |  ^~~~
../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
  311 |  rsae_priv_enc,
  |  ^
../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
  312 |  rsae_priv_dec,
  |  ^
../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
  313 |  rsae_mod_exp,
  |  ^~~~
../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
  314 |  rsae_bn_mod_exp,
  |  ^~~
../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:315:2: warning: excess elements in struct initializer
  315 |  rsae_init,
  |  ^
../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:316:2: warning: excess elements in struct initializer
  316 |  rsae_finish,
  |  ^~~
../../smtpd/ca.c

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/13/19 9:02 PM, gil...@poolp.org wrote:
> 13 août 2019 12:35 "Harald Dunkel"  a écrit:
> 
>>
>> Surely I don't have a highly complex EMail configuration, but
>> the new version is running on my MTA and the nullclients since
>> Aug 7th: No issues by now, AFAICT. Cool.
>>
> 
> Care to mention what system you are using ? :-)
> 

This is Debian sid (amd64), including openssl version 1.1.1c .
Here is the list of packages providing shared objects for smtpd:

||/ Name                 Version            Architecture Description
+++-====================-==================-============-==============================================
ii  libasr0              1.0.2-2+b1         amd64        asynchronous DNS resolver
ii  libaudit1:amd64      1:2.8.5-2          amd64        Dynamic library for security auditing
ii  libc6:amd64          2.28-10            amd64        GNU C Library: Shared libraries
ii  libcap-ng0:amd64     0.7.9-2            amd64        An alternate POSIX capabilities library
ii  libdb5.3:amd64       5.3.28+dfsg1-0.6   amd64        Berkeley v5.3 Database Libraries [runtime]
ii  libevent-2.1-6:amd64 2.1.8-stable-4     amd64        Asynchronous event notification library
ii  libpam0g:amd64       1.3.1-5            amd64        Pluggable Authentication Modules library
ii  libssl1.1:amd64      1.1.1c-1           amd64        Secure Sockets Layer toolkit - shared libraries
ii  zlib1g:amd64         1:1.2.11.dfsg-1+b1 amd64        compression library - runtime


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread gilles
13 August 2019 12:35 "Harald Dunkel" wrote:

> Hi folks,
> 
> On 7/24/19 1:16 PM, Gilles Chehade wrote:
> 
>> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
>> 
>>> I will check runtime ASAP.
>> 
>> Great !
>> 
>> Keep on providing feedback please !
> 
> Surely I don't have a highly complex EMail configuration, but
> the new version is running on my MTA and the nullclients since
> Aug 7th: No issues by now, AFAICT. Cool.
> 

Care to mention what system you are using ? :-)

Gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread Harald Dunkel
Hi folks,

On 7/24/19 1:16 PM, Gilles Chehade wrote:
> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> 
>> I will check runtime ASAP.
>>
> 
> Great !
> 
> Keep on providing feedback please !
> 

Surely I don't have a highly complex EMail configuration, but
the new version is running on my MTA and the nullclients since
Aug 7th: No issues by now, AFAICT. Cool.


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-07-24 Thread Gilles Chehade
On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 
> On 7/23/19 11:58 AM, Gilles Chehade wrote:
> > Hello people,
> > 
> > The portable branch of OpenSMTPD should build with OpenSSL again as long
> > as your system is using >= 1.1.x
> > 
> 
> This is excellent news. I highly appreciate the new portable
> version. This solves a lot of problems in my environment.
> 

great ;-)


> > OpenSMTPD portable has been built and tested with Ubuntu only, please do
> > provide feedback !
> > 
> 
> On a first build (Debian 9) configure returned an error
> 
> checking if programs using libevent functions will link... no
> checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> configure: error: *** Can't find recent LibreSSL libcrypto (see config.log 
> for details) ***
> 
> 
> but actually libevent was missing:
> 
> :
> configure:19442: checking openssl/opensslv.h usability
> configure:19442: gcc -c -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  conftest.c >&5
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking openssl/opensslv.h presence
> configure:19442: gcc -E -I/usr/local/ssl/include  conftest.c
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking for openssl/opensslv.h
> configure:19442: result: yes
> configure:19468: gcc -o conftest -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  
> -L/usr/local/ssl/lib  conftest.c -lcrypto -lssl -levent -lasr -lcrypt 
> -lresolv  >&5
> /usr/bin/ld: cannot find -levent
> collect2: error: ld returned 1 exit status
> :
> 
> After installing the missing package it built fine.
> 

This is a known issue, I'm working on simplifying the configure layer as
a there is a lot of room for improvement.

I have tried to tackle this multiple times but not successfully yet ;-)


> I will check runtime ASAP.
> 

Great !

Keep on providing feedback please !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-07-24 Thread Harald Dunkel

Hi Gilles,

On 7/23/19 11:58 AM, Gilles Chehade wrote:

> Hello people,
> 
> The portable branch of OpenSMTPD should build with OpenSSL again as long
> as your system is using >= 1.1.x

This is excellent news. I highly appreciate the new portable
version. This solves a lot of problems in my environment.

> OpenSMTPD portable has been built and tested with Ubuntu only, please do
> provide feedback !



On a first build (Debian 9) configure returned an error

checking if programs using libevent functions will link... no
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
configure: error: *** Can't find recent LibreSSL libcrypto (see config.log for 
details) ***


but actually libevent was missing:

:
configure:19442: checking openssl/opensslv.h usability
configure:19442: gcc -c -g -O2  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized 
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign 
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE 
-D_DEFAULT_SOURCE  -I/usr/local/ssl/include  conftest.c >&5
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking openssl/opensslv.h presence
configure:19442: gcc -E -I/usr/local/ssl/include  conftest.c
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking for openssl/opensslv.h
configure:19442: result: yes
configure:19468: gcc -o conftest -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
-Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
-D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  -L/usr/local/ssl/lib  
conftest.c -lcrypto -lssl -levent -lasr -lcrypt -lresolv  >&5
/usr/bin/ld: cannot find -levent
collect2: error: ld returned 1 exit status
:

After installing the missing package it built fine.

I will check runtime ASAP.


Regards
Harri





OpenSMTPD build on OpenSSL 1.1.x

2019-07-23 Thread Gilles Chehade
Hello people,

The portable branch of OpenSMTPD should build with OpenSSL again as long
as your system is using >= 1.1.x

Last month I committed a few things to LibreSSL which allowed me to make
changes to OpenSMTPD in order to have the same code build for either one
of LibreSSL and OpenSSL.

Note that LibreSSL is my target, OpenSSL is only supported as long as it
doesn't get in my way and make the code full of ifdefs. I think we'll be
fine for the years to come as we don't bring new TLS features every four
days but my goal is still to move towards libtls then write a standalone
libtls wrapper for OpenSSL.

Now a few things:

1- This needs testing as I'm not sure I got the autoconf layer right for
   all combinations of LibreSSL/OpenSSL, systems with base arc4random(),
   etc...

2- It's currently impossible to write an ECDSA privsep crypto engine for
   both LibreSSL and OpenSSL with same code as far as I know. I will get
   into this when time allows but until then ECDSA server certificate is
   only supported with LibreSSL.

OpenSMTPD portable has been built and tested with Ubuntu only, please do
provide feedback !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.org  patreon: https://www.patreon.com/gilles
