Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-09 Thread Andi Vajda



On Fri, 9 Jun 2023, Omar Polo wrote:

> Sorry for the delay,

I was able to build the release 7.3 branch on NetBSD 9.3 with libressl 3.7.3
and with openssl 3.1.1. Both configurations appear to work!

Thank you for the fixes!

Andi..

> On 2023/06/05 15:20:38 -0700, Andi Vajda  wrote:
> > On Mon, 5 Jun 2023, Andi Vajda wrote:
> > > The build succeeds but running a debug session:
> > >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> > >
> > > fails. I'm not sure how much of my debug logs is appropriate to post here but
> > > I could try to build with openssl 3 next ?
> >
> > Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf
> > is validated OK when running with -n but when I start a debug session with
> > -dv, the server starts but eventually fails but is not saying much about
> > what is failing. It looks like a child process is terminating:
> >    warn: lost child: dispatcher terminated; signal 11
> > I also tried without --with-libevent=/usr/pkg
> > (and yes, I did not forget to stop my 6.8.0p2 server first)
>
> I've fixed both issues.  The crash at runtime was due to a missing
> -D_OPENBSD_SOURCE.  The TL;DR is that the configure script managed to
> find functions like reallocarray (linking works) but the prototypes
> are hidden behind a #ifdef _OPENBSD_SOURCE on NetBSD.  The compiler
> then assumed these returned an `int' and... yeah.
>
> The build failure with libressl was due to a wrong order in the
> configure script: libtls is searched *before* --with-libssl is
> handled.
>
> I've committed a fix both in the master and in the release-7.3 branch,
> but no new RC.
>
> Can you verify it works for you too?  You should ignore the tarball
> and checkout the branch release-7.3 from the git repository.
>
> Thanks!
>
> Omar Polo





Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-09 Thread Omar Polo
Sorry for the delay,

On 2023/06/05 15:20:38 -0700, Andi Vajda  wrote:
> 
> On Mon, 5 Jun 2023, Andi Vajda wrote:
> 
> > The build succeeds but running a debug session:
> >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> >
> > fails. I'm not sure how much of my debug logs is appropriate to post here but
> > I could try to build with openssl 3 next ?
> 
> Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf 
> is validated OK when running with -n but when I start a debug session with 
> -dv, the server starts but eventually fails but is not saying much about 
> what is failing. It looks like a child process is terminating:
>    warn: lost child: dispatcher terminated; signal 11
> I also tried without --with-libevent=/usr/pkg
> (and yes, I did not forget to stop my 6.8.0p2 server first)

I've fixed both issues.  The crash at runtime was due to a missing
-D_OPENBSD_SOURCE.  The TL;DR is that the configure script managed to
find functions like reallocarray (linking works) but the prototypes
are hidden behind a #ifdef _OPENBSD_SOURCE on NetBSD.  The compiler
then assumed these returned an `int' and... yeah.

The build failure with libressl was due to a wrong order in the
configure script: libtls is searched *before* --with-libssl is
handled.

I've committed a fix both in the master and in the release-7.3 branch,
but no new RC.

Can you verify it works for you too?  You should ignore the tarball
and checkout the branch release-7.3 from the git repository.


Thanks!

Omar Polo
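The runtime crash Omar explains above (reallocarray found at link time, but its prototype hidden behind _OPENBSD_SOURCE, so the compiler assumed an int return) is worth seeing in numbers. The C below is an added example and is not code from OpenSMTPD or from anyone in this thread; the function names are mine. It models, with explicit casts rather than by actually omitting a prototype, what an LP64 call site does when it believes a pointer-returning function returns int: it keeps only the low 32 bits of the return register and then sign-extends them back to pointer width. The sample addresses are constructed values typical of a 64-bit heap or mmap region.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * What the caller sees when a function that really returns a 64-bit
 * pointer is called without a visible prototype on an LP64 target: the
 * callee leaves the full pointer in the return register, the caller reads
 * it as a 32-bit int, and storing that int into a pointer sign-extends it.
 * Modelled with casts so the file compiles cleanly with any compiler.
 */
uint64_t through_implicit_int(uint64_t real_return)
{
    int32_t as_int = (int32_t)(uint32_t)(real_return & 0xffffffffu);
    return (uint64_t)(int64_t)as_int;
}

/* With the prototype visible (e.g. -D_OPENBSD_SOURCE) nothing is lost. */
uint64_t through_correct_prototype(uint64_t real_return)
{
    return real_return;
}

/* 1 if an implicit-int call would corrupt this pointer value, else 0. */
int is_corrupted_by_implicit_int(uint64_t p)
{
    return through_implicit_int(p) != p;
}

/*
 * Probe a real allocation on the running host. Returns 1 if a malloc()
 * pointer here would be damaged, 0 if it happens to fit in 32 bits,
 * -1 if malloc failed. A damaged pointer that is later dereferenced is
 * how a child process ends up dying with signal 11, as in the thread.
 */
int probe_this_host(void)
{
    void *p = malloc(64);
    int damaged;
    if (p == NULL)
        return -1;
    damaged = is_corrupted_by_implicit_int((uint64_t)(uintptr_t)p);
    free(p);
    return damaged;
}

int main(void)
{
    /* Constructed sample addresses, not taken from any real process. */
    const uint64_t samples[] = { 0x00007f1234567890ULL, 0x0000555580001000ULL, 0x1000ULL };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%#018" PRIx64 " seen through implicit int: %#018" PRIx64 " (%s)\n",
               samples[i], through_implicit_int(samples[i]),
               is_corrupted_by_implicit_int(samples[i]) ? "CORRUPTED" : "intact");

    printf("a real malloc() pointer on this host would be damaged: %d\n",
           probe_this_host());
    return 0;
}
```

The defensive takeaway is the one the fix in the thread applies: a configure check that only proves the symbol links (autoconf's AC_CHECK_FUNCS) is not enough on platforms that hide prototypes behind feature macros; test that the declaration is visible too (AC_CHECK_DECLS) or define the feature macro, and build with -Werror=implicit-function-declaration so a missing prototype fails the build instead of producing a truncated pointer at runtime.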



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-08 Thread Richard Narron
On Sun, 4 Jun 2023, Omar Polo wrote:

> Haven't noticed that there isn't a way to force the usage of the
> bundled libasr.  I've added the configure knob --with-bundled-libasr
> and included it in the release-7.3 branch (no new RC this time though)

I just tested my June 4 snapshot on a Slackware 15.0 32-bit
(Intel Pentium 4) and it runs fine.



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Omar Polo
On 2023/06/06 09:45:09 -0700, Andi Vajda  wrote:
> 
> On Tue, 6 Jun 2023, Omar Polo wrote:
> 
> > Hello,
> >
> > thanks for testing!
> >
> > Regarding the build failure when using LibreSSL, I can reproduce on
> > OpenBSD: it's because the bundled libtls is meant to be used with
> > OpenSSL.  I'll take a look at having it build with LibreSSL too but
> > that's more a quality-check rather than a priority since LibreSSL
> > already ships libtls (or it should be.)
> 
> Building with libressl was a supported configuration before.

building with libressl is still a supported configuration.  There's a
bug in the configure script that's not obvious to me right now, plus
some deficiencies of our portable layer on NetBSD.  I'll need to fire
up a vm and investigate.  Will probably release an RC3 once fixed,
depending on how big the changes are.

> I don't think
> it must necessarily be supported for this release but the valid combos of
> (libtls, openssl, libressl) supported by opensmtpd must be made explicit as
> the current situation is a bit confusing for the non SSL expert:
>   - opensmtpd can be built with openssl 1.1.1
>   - opensmtpd can be built with openssl 3.x
>   - opensmtpd can be built with libressl (or could in 6.8.0p2)
>   - opensmtpd bundles libtls and that must be used with openssl 3
>   - libressl bundles libtls
> I'm confused ;-)

I agree, unfortunately it's pretty confusing!

The idea would be either

 - openssl 1.1 or 3.x, with or without libretls
 - libressl

BUT because of a regression of libretls 3.7.0 on OpenSSL 3, for the time
being it is

 - openssl 1.1, with or without libretls
 - openssl 3.x AND MUST USE --with-bundled-libtls
 - libressl

I've mailed the developer of libretls but haven't heard back yet.  A
fix for this issue was committed to libressl and it's part of the
3.8.0 release, so I guess that libretls will get it anyway sooner or
later.

I haven't added any clever checks to the configure since this is not
trivial and I don't like clever checks.  I'll try to make it as clear
as possible in the release changelog that the bundled libtls MUST be
used with OpenSSL 3.x.  If you end up building with libretls and
OpenSSL 3.X you'll find out very soon that it doesn't work: all the
TLS connections will fail during the handshake.

Furthermore, with the next release of libretls (no idea when) this
issue will be solved.

> > What's interesting is why the configure is not picking up libtls from
> > your LibreSSL installation.  Probably you can 'force' it by setting
> > CFLAGS/LDFLAGS pointing at the local libressl installation, but it
> > shouldn't be necessary.  Can you please share (off-list) the
> > config.log?
> 
> Mailed off-list.

Thank you for all the info!  Unfortunately other than noticing a
couple of things that *must* be fixed in the portable layer before the
release, I wasn't able to understand the root of the issues.  It'll be
a perfect excuse to play a bit with NetBSD however :-)



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Andi Vajda



On Tue, 6 Jun 2023, Omar Polo wrote:

> Hello,
>
> thanks for testing!
>
> Regarding the build failure when using LibreSSL, I can reproduce on
> OpenBSD: it's because the bundled libtls is meant to be used with
> OpenSSL.  I'll take a look at having it build with LibreSSL too but
> that's more a quality-check rather than a priority since LibreSSL
> already ships libtls (or it should be.)

Building with libressl was a supported configuration before. I don't think
it must necessarily be supported for this release but the valid combos of
(libtls, openssl, libressl) supported by opensmtpd must be made explicit as
the current situation is a bit confusing for the non SSL expert:

  - opensmtpd can be built with openssl 1.1.1
  - opensmtpd can be built with openssl 3.x
  - opensmtpd can be built with libressl (or could in 6.8.0p2)
  - opensmtpd bundles libtls and that must be used with openssl 3
  - libressl bundles libtls
I'm confused ;-)

> What's interesting is why the configure is not picking up libtls from
> your LibreSSL installation.  Probably you can 'force' it by setting
> CFLAGS/LDFLAGS pointing at the local libressl installation, but it
> shouldn't be necessary.  Can you please share (off-list) the
> config.log?

Mailed off-list.

> On 2023/06/05 15:20:38 -0700, Andi Vajda  wrote:
> > On Mon, 5 Jun 2023, Andi Vajda wrote:
> > > The build succeeds but running a debug session:
> > >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> > >
> > > fails. I'm not sure how much of my debug logs is appropriate to post here but
> > > I could try to build with openssl 3 next ?
> >
> > Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf
> > is validated OK when running with -n but when I start a debug session with
> > -dv, the server starts but eventually fails but is not saying much about
> > what is failing. It looks like a child process is terminating:
> >    warn: lost child: dispatcher terminated; signal 11
> > I also tried without --with-libevent=/usr/pkg
> > (and yes, I did not forget to stop my 6.8.0p2 server first)
>
> This also shouldn't happen.  Is signal 11 SIGSEGV on NetBSD too?  Can
> you share the config.log of this configuration too and smtpd complete
> log?  Do you also get a core file?  A backtrace would be incredibly
> useful.

Yes, this is all happening on NetBSD.
I'm also mailing you the config.log for this config off-list.
I'm also mailing you the log output of my crashing smtpd off-list.

I see no coredumps locally or in /var/crash. Do you know how to get a core
file? I have ulimit -c return 'unlimited'.
I ran smtpd in gdb to try to get a stacktrace but it's a child
process that is crashing and gdb didn't tell me much about it.

Andi..

> Thank you!
>
> Omar Polo





Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-06 Thread Omar Polo
Hello,

thanks for testing!

Regarding the build failure when using LibreSSL, I can reproduce on
OpenBSD: it's because the bundled libtls is meant to be used with
OpenSSL.  I'll take a look at having it build with LibreSSL too but
that's more a quality-check rather than a priority since LibreSSL
already ships libtls (or it should be.)

What's interesting is why the configure is not picking up libtls from
your LibreSSL installation.  Probably you can 'force' it by setting
CFLAGS/LDFLAGS pointing at the local libressl installation, but it
shouldn't be necessary.  Can you please share (off-list) the
config.log?

On 2023/06/05 15:20:38 -0700, Andi Vajda  wrote:
> 
> On Mon, 5 Jun 2023, Andi Vajda wrote:
> 
> > The build succeeds but running a debug session:
> >  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
> >
> > fails. I'm not sure how much of my debug logs is appropriate to post here but
> > I could try to build with openssl 3 next ?
> 
> Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf 
> is validated OK when running with -n but when I start a debug session with 
> -dv, the server starts but eventually fails but is not saying much about 
> what is failing. It looks like a child process is terminating:
>    warn: lost child: dispatcher terminated; signal 11
> I also tried without --with-libevent=/usr/pkg
> (and yes, I did not forget to stop my 6.8.0p2 server first)

This also shouldn't happen.  Is signal 11 SIGSEGV on NetBSD too?  Can
you share the config.log of this configuration too and smtpd complete
log?  Do you also get a core file?  A backtrace would be incredibly
useful.


Thank you!

Omar Polo



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-05 Thread Andi Vajda



On Mon, 5 Jun 2023, Andi Vajda wrote:

> The build succeeds but running a debug session:
>  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv
>
> fails. I'm not sure how much of my debug logs is appropriate to post here but
> I could try to build with openssl 3 next ?

Same problem with smtpd built with openssl 3.3.1: build succeeds, smtpd.conf
is validated OK when running with -n but when I start a debug session with
-dv, the server starts but eventually fails but is not saying much about
what is failing. It looks like a child process is terminating:

  warn: lost child: dispatcher terminated; signal 11
I also tried without --with-libevent=/usr/pkg
(and yes, I did not forget to stop my 6.8.0p2 server first)

Andi..

> Andi..






Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-05 Thread Andi Vajda



Hi Omar,

Thank you for doing this!
More below...

On Wed, 31 May 2023, Omar Polo wrote:

> It's been a while since the last OpenSMTPD-portable release, but here
> we are.  After syncing the portable repository with OpenBSD, plus
> various miscellaneous portable tweaks, I've talked with Gilles and we
> both agree it's finally time for a release.
>
> I intend to release OpenSMTPD 7.3.0p0 in the next few weeks, around
> mid June, so I would appreciate if you could give the rc1 a try and
> confirm that it works as expected.  You can find a distribution
> tarball here, or checkout the release-7.3 branch:
>
> https://github.com/OpenSMTPD/OpenSMTPD/releases/download/7.3.0p0-rc1/opensmtpd-7.3.0p0-rc1.tar.gz


I tried to build opensmtpd-7.3.0p0-rc2 on NetBSD 9.3 like I did with 
opensmtpd 6.8.0p2, with libressl:

  - I first upgraded my libressl build from 3.2.3 to 3.7.3, the latest
  - then I ran configure as I did for 6.8.0p2:
./configure --prefix=`pwd`/local 
--with-libssl=/home/vajda/libressl-3.7.3/local --with-libevent=/usr/pkg 
--with-path-CAfile=/usr/pkg/etc/openssl/certs/ca.crt 
--with-path-queue=`pwd`/local/var/spool/smtpd 
--with-path-empty=`pwd`/local/var/empty 
--with-path-mbox=`pwd`/local/var/mbox --with-path-socket=`pwd`/local/var/run 
--with-path-pidfile=`pwd`/local/var/run

  - make then failed with this error:
ld: ../../openbsd-compat/libopenbsd.a(by_mem.o): in function 
`X509_LOOKUP_mem':

by_mem.c:(.text+0x1b): undefined reference to `X509_LOOKUP_meth_new'
ld: by_mem.c:(.text+0x3d): undefined reference to 
`X509_LOOKUP_meth_set_ctrl'

ld: ../../openbsd-compat/libopenbsd.a(by_mem.o): in function `by_mem_ctrl':
by_mem.c:(.text+0x136): undefined reference to `X509_LOOKUP_get_store'
ld: by_mem.c:(.text+0x176): undefined reference to `X509_LOOKUP_get_store'

Trying with openssl 1.1.1u built from pkgsrc instead:

./configure --prefix=`pwd`/local --with-libssl=/usr/pkg 
--with-libevent=/usr/pkg 
--with-path-CAfile=/usr/pkg/etc/openssl/certs/ca.crt 
--with-path-queue=`pwd`/local/var/spool/smtpd 
--with-path-empty=`pwd`/local/var/empty 
--with-path-mbox=`pwd`/local/var/mbox --with-path-socket=`pwd`/local/var/run 
--with-path-pidfile=`pwd`/local/var/run


The build succeeds but running a debug session:
  sudo ./local/sbin/smtpd -f `pwd`/smtpd.conf -dv

fails. I'm not sure how much of my debug logs is appropriate to post here 
but I could try to build with openssl 3 next ?


Andi..



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-05 Thread Frank de Bruijn

On 05-06-2023 at 12:52, Omar Polo wrote:

> On 2023/06/04 11:40:34 +0200, Frank de Bruijn  wrote:
> > I built 7.3.0p0 rc2 on Debian Bookworm and it seems to work ok so far.
> > Just one thing: I had to change my smtpd.conf, because starting
> > initially failed with:
> >
> >    smtpd: invalid listen option: pki required for tls/smtps
> >
> > My smtpd.conf has four pki sets, because the server serves several
> > domains. Up to now, I never needed to use pki in a listen directive, as
> > OpenSMTPD would pick the correct pki depending on the hostname.
> >
> > It appears this no longer works. Is that a bug or a deliberate change?
>
> This was changed in OpenBSD 6.9, from the changelog:

Ah, ok. We 'portable users' never got past 6.8. :-)

> > If the latter, what to do now? For the tests, I used one of the pkis in
> > the listen directive, but I really need all four of them. Would
> > specifying them all work?
>
> Yes, it's possible to specify more than one `pki' per `listen'
> directive.

Thanks! That should allow me to create a more serious test setup.

Regards,
Frank



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-05 Thread Omar Polo
On 2023/06/04 11:40:34 +0200, Frank de Bruijn  wrote:
> I built 7.3.0p0 rc2 on Debian Bookworm and it seems to work ok so far. 
> Just one thing: I had to change my smtpd.conf, because starting 
> initially failed with:
> 
>   smtpd: invalid listen option: pki required for tls/smtps
> 
> My smtpd.conf has four pki sets, because the server serves several 
> domains. Up to now, I never needed to use pki in a listen directive, as 
> OpenSMTPD would pick the correct pki depending on the hostname.
> 
> It appears this no longer works. Is that a bug or a deliberate change?

This was changed in OpenBSD 6.9, from the changelog:

: Change the way SNI works in smtpd.conf(5). TLS listeners may be
: configured with multiple certificates. The matching is based on the
: names included in these certificates.

I forgot to go thru the various releases and mention the changes in
the changelog.  Will try to remember to do that for the release'
changelog.

> If the latter, what to do now? For the tests, I used one of the pkis in 
> the listen directive, but I really need all four of them. Would 
> specifying them all work?

Yes, it's possible to specify more than one `pki' per `listen'
directive.


Thanks for testing!


Omar Polo



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-04 Thread Richard Narron
On Sun, 4 Jun 2023, Omar Polo wrote:

> On 2023/06/03 09:08:05 -0700, Richard Narron  wrote:
> > In order to use the bundled libasr, I had to uninstall my existing libasr
> > slackware build (port).
> >
> > It would be nice to have a --with-bundled-libasr option for the build.
> > Then it could ignore an existing installed libasr.
>
> Haven't noticed that there isn't a way to force the usage of the
> bundled libasr.  I've added the configure knob --with-bundled-libasr
> and included it in the release-7.3 branch (no new RC this time though)
>

Thanks for the fix!

The --with-bundled-libasr option works well.
If I use it it ignores an existing libasr library.
If I don't use it, and don't have a libasr library then it uses the
bundled libasr anyway.

To Build it I downloaded the OpenSMTPD.zip, unpacked it and then
ran the "bootstrap" script which calls autoconf.

It looks good and runs fine so far.





Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-04 Thread Frank de Bruijn
I built 7.3.0p0 rc2 on Debian Bookworm and it seems to work ok so far. 
Just one thing: I had to change my smtpd.conf, because starting 
initially failed with:


 smtpd: invalid listen option: pki required for tls/smtps

My smtpd.conf has four pki sets, because the server serves several 
domains. Up to now, I never needed to use pki in a listen directive, as 
OpenSMTPD would pick the correct pki depending on the hostname.


It appears this no longer works. Is that a bug or a deliberate change? 
If the latter, what to do now? For the tests, I used one of the pkis in 
the listen directive, but I really need all four of them. Would 
specifying them all work?


Regards,
Frank



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-04 Thread Omar Polo
On 2023/06/03 09:08:05 -0700, Richard Narron  wrote:
> In order to use the bundled libasr, I had to uninstall my existing libasr
> slackware build (port).
> 
> It would be nice to have a --with-bundled-libasr option for the build.
> Then it could ignore an existing installed libasr.

Haven't noticed that there isn't a way to force the usage of the
bundled libasr.  I've added the configure knob --with-bundled-libasr
and included it in the release-7.3 branch (no new RC this time though)

> So far it looks good.  I will keep testing.

Thanks!



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-03 Thread Richard Narron
On Sat, 3 Jun 2023, Omar Polo wrote:

> To stay on the safe side for this release I've re-added
> --with-path-CAfile.  Please note that it only has effect when building
> the bundled libtls, as otherwise I don't have control over what
> tls_default_ca_cert_file() returns.
>
> It's in the just-released rc2, which also updates the bundled libasr
> and so addresses OpenBSD 7.2 errata #22.
>

Thanks for the good work!

I'm using the --with-path-CAfile configure option.

I set --with-bundled-libtls even though the build automatically
uses the bundled libtls because I do not have another libtls installed.

In order to use the bundled libasr, I had to uninstall my existing libasr
slackware build (port).

It would be nice to have a --with-bundled-libasr option for the build.
Then it could ignore an existing installed libasr.

So far it looks good.  I will keep testing.



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-03 Thread Omar Polo
On 2023/06/02 07:05:10 -0700, Richard Narron  wrote:
> [...]
> If more BSD/Linux/other systems need to hardcode the CAfile, then it might
> be useful to have the --with-path-CAfile

To stay on the safe side for this release I've re-added
--with-path-CAfile.  Please note that it only has effect when building
the bundled libtls, as otherwise I don't have control over what
tls_default_ca_cert_file() returns.

It's in the just-released rc2, which also updates the bundled libasr
and so addresses OpenBSD 7.2 errata #22.


Thanks,

Omar Polo



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-02 Thread Richard Narron
On Fri, 2 Jun 2023, Omar Polo wrote:

> Hello,
>
> Thanks for testing!

  Thanks for all the work of upgrading OpenSMTPD compatible again!
>
> On 2023/06/01 10:35:39 -0700, Richard Narron  wrote:
> > On Thu, 1 Jun 2023, Richard Narron wrote:
> >
> > > I will modify the build to remove the --with-path-CAfile
> > > configure option and add a symbolic link for /etc/ssl/cert.pem
> >
> > The symbolic link in my build is not good idea because
> > it erases the cert.pem file which may be in use by other applications.
> >
> > I am better off patching the OpenSMTPD source code instead.
> >
> > Why is the --with-path-CAfile option removed?
>
> since the last release OpenSMTPD switched to libtls and stopped
> hardcoding the path to the ca file into itself, so I removed the unused
> option.
>
> libtls (which is bundled in openbsd-compat/libtls/) uses[*] OpenSSL's
> X509_get_default_cert_file() to load the default ca file.  I've tested
> and on Slackware 15 it returns "/etc/ssl/cert.pem", which is strange.
> For comparison, on Centos 7 (I had to fix a build issue there...)
> which doesn't have /etc/ssl/cert.pem too it returns
> /etc/pki/tls/cert.pem.
>
> I'm not against re-adding --with-path-CAfile, but is it something
> that's needed often on Slackware?  I don't seem to find libretls
> ported, but if it'll ever be packaged it would need a similar
> treatment.
>
> [*] well, on OpenBSD it has /etc/ssl/cert.pem hardcoded.  To make it
> portable I changed it to use what OpenSSL thinks is the default,
> which is the same thing done in libretls, a version of libtls
> targeting OpenSSL instead of LibreSSL.

If more BSD/Linux/other systems need to hardcode the CAfile, then it might
be useful to have the --with-path-CAfile

But the patch for Slackware is trivial:

--- opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c.orig   
2023-05-25 04:32:34.0 -0700
+++ opensmtpd-7.3.0p0-rc1/openbsd-compat/libtls/tls_config.c2023-06-02 
05:55:31.482390836 -0700
@@ -33,7 +33,7 @@
 const char *
 tls_default_ca_cert_file(void)
 {
-   return X509_get_default_cert_file();
+   return "/etc/ssl/certs/ca-certificates.crt";
 }

 int
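Review bot: the `+` line turns tls_default_ca_cert_file() into an unconditional literal, so the function now returns "/etc/ssl/certs/ca-certificates.crt" on every host that builds this file, with no check that the file exists; on a system laid out differently this reproduces the rc1 failure from earlier in the thread ("tls_config_set_ca_file: failed to open CA file ... No such file or directory") at a different path. Suggest keeping the X509_get_default_cert_file() return as the generic default and overriding it only under a build-time define, for example wrapping the return in `#ifdef SMTPD_CA_FILE` (placeholder name) so the path comes from the configure knob rather than from the source; that is also what the --with-path-CAfile option re-added in rc2 provides, and as noted later in the thread it only takes effect when the bundled libtls is built, so a comment to that effect next to the return would save the next packager a trip through config.log.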








Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-02 Thread Omar Polo
Hello,

Thanks for testing!

On 2023/06/01 10:35:39 -0700, Richard Narron  wrote:
> On Thu, 1 Jun 2023, Richard Narron wrote:
> 
> > I will modify the build to remove the --with-path-CAfile
> > configure option and add a symbolic link for /etc/ssl/cert.pem
> 
> The symbolic link in my build is not good idea because
> it erases the cert.pem file which may be in use by other applications.
> 
> I am better off patching the OpenSMTPD source code instead.
> 
> Why is the --with-path-CAfile option removed?

since the last release OpenSMTPD switched to libtls and stopped
hardcoding the path to the ca file into itself, so I removed the unused
option.

libtls (which is bundled in openbsd-compat/libtls/) uses[*] OpenSSL's
X509_get_default_cert_file() to load the default ca file.  I've tested
and on Slackware 15 it returns "/etc/ssl/cert.pem", which is strange.
For comparison, on Centos 7 (I had to fix a build issue there...)
which doesn't have /etc/ssl/cert.pem too it returns
/etc/pki/tls/cert.pem.

I'm not against re-adding --with-path-CAfile, but is it something
that's needed often on Slackware?  I don't seem to find libretls
ported, but if it'll ever be packaged it would need a similar
treatment.


Thanks,

Omar Polo


[*] well, on OpenBSD it has /etc/ssl/cert.pem hardcoded.  To make it
portable I changed it to use what OpenSSL thinks is the default,
which is the same thing done in libretls, a version of libtls
targeting OpenSSL instead of LibreSSL.



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-01 Thread Richard Narron
On Thu, 1 Jun 2023, Richard Narron wrote:

> I will modify the build to remove the --with-path-CAfile
> configure option and add a symbolic link for /etc/ssl/cert.pem

The symbolic link in my build is not good idea because
it erases the cert.pem file which may be in use by other applications.

I am better off patching the OpenSMTPD source code instead.

Why is the --with-path-CAfile option removed?




Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-01 Thread gilles
awesome work from Omar Polo, thanks for everything

May 31, 2023 6:14 PM, "Omar Polo"  wrote:

> Hello,
> 
> It's been a while since the last OpenSMTPD-portable release, but here
> we are. After syncing the portable repository with OpenBSD, plus
> various miscellaneous portable tweaks, I've talked with Gilles and we
> both agree it's finally time for a release.
> 
> I intend to release OpenSMTPD 7.3.0p0 in the next few weeks, around
> mid June, so I would appreciate if you could give the rc1 a try and
> confirm that it works as expected. You can find a distribution
> tarball here, or checkout the release-7.3 branch:
> 
> https://github.com/OpenSMTPD/OpenSMTPD/releases/download/7.3.0p0-rc1/opensmtpd-7.3.0p0-rc1.tar.gz
> 
> Since last release various things changed, and some configure flags
> are not present anymore (e.g. --with-path-CAfile). libbsd-overlay and
> libretls are now optionally used if found.
> 
> PLEASE NOTE: if you're building with OpenSSL 3.x please use
> 
> $ ./configure --with-bundled-libtls
> 
> LibreTLS 3.7.0 and previous have a regression with OpenSSL 3.x that
> will always fail the TLS handshake. It has been addressed in LibreSSL
> 3.8.0 and will likely be part of a future LibreTLS release, but for
> the time being please avoid it. If linking against OpenSSL 1.1 it
> should be fine however. See the github issue 1171 for more info:
> 
> https://github.com/OpenSMTPD/OpenSMTPD/issues/1171
> 
> Thanks,
> 
> Omar Polo



Re: OpenSMTPD 7.3.0p0 rc1 -- please test!

2023-06-01 Thread Richard Narron
OpenSMTPD 7.3.0p0 rc1 builds okay on Slackware 15.0 (stable) but displays
this configure warning message:

  configure: WARNING: unrecognized options: --with-path-CAfile

Testing smtpd failed at first

The program started, but stopped immediately with an error message:

smtpd[10147]: info: OpenSMTPD 7.3.0-portable starting
smtpd[10152]: dispatcher: tls_config_set_ca_file: failed to open CA file 
'/etc/ssl/cert.pem': No such file or directory
smtpd[10148]: smtpd: process control socket closed

Slackware 15.0 does not have an /etc/ssl/cert.pem file, but does have a
ca-certificates.crt file...

So I created a symbolic link from /etc/ssl/cert.pem to the
ca-certificates.crt file and smtpd now starts up fine.

It works with simple local email.

I will modify the build to remove the --with-path-CAfile
configure option and add a symbolic link for /etc/ssl/cert.pem

I will keep testing and see if it breaks...