Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 11:30, Gilles Chehade wrote:

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)


Unfortunately not for CentOS 7. :D

They have a policy of not making major version upgrades during the 
lifecycle of an OS version. :(


Suspect I'll have to look at migrating everything tp CentOS 8 when that 
comes out.


Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Gilles Chehade
On Wed, Aug 28, 2019 at 10:55:05AM +0300, Reio Remma wrote:
> On 28/08/2019 10:44, gil...@poolp.org wrote:
> > 28 ao??t 2019 00:00 "Reio Remma"  a ??crit:
> > 
> > > On 27.08.2019 21:25, Richard Narron wrote:
> > > 
> > > > The OpenSMTPD portable version from 
> > > > https://github.com/OpenSMTPD/OpenSMTPD
> > > > works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> > > > It took me a while to get it to work though.
> > > > I first downloaded the "current" portable version from
> > > > https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> > > > And I got errors very similar to those of Denis Fateyev on Fedora 30.
> > > > Next I downloaded the portable version from github.com
> > > > and found that autoconf had not been run and this was no good.
> > > > Finally I discovered the post on the mailing list which mentioned the
> > > > "bootstrap" script and then I was able to download and build the 
> > > > portable
> > > > version from git.
> > > > The code shows version "6.6.0-portable".
> > > > It runs fine on Slackware64 current and I'm happy that it now works with
> > > > OpenSSL 1.1
> > > > Regards,
> > > > Richard Narron
> > > Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> > > 
> > > Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a 
> > > -l:libcrypto.a is the correct way
> > > to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? I ended up 
> > > using these (and -pthreads
> > > -ldl) and managed to build an RPM based on 6.0.3 RPM from CentOS 7.
> > > 
> > I don't know about the -l:lib notation sorry
> > 
> > Out of curiosity, why would you want ssl statically compiled into OpenSMTPD 
> > ?
> > This means that when an issue hits OpenSSL, updating OpenSSL and restarting 
> > the daemon will not be
> > enough to be back on track.
> > 
> > In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
> > multi-threaded.
> 
> Hello!
> 
> CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c
> compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine
> with CentOS 7's old OpenSSL version.
> 
> I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL
> libraries. Without these I ran into errors hinting at threads and dl.
> 
> I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on a
> production machine. :)
> 

Understood !

OpenSSL 1.0.x is going to be supported until 2019-12-31 so this will get
solved by itself soon ;-)

-- 
Gilles Chehade @poolpOrg

https://www.poolp.orgpatreon: https://www.patreon.com/gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 10:44, gil...@poolp.org wrote:

28 août 2019 00:00 "Reio Remma"  a écrit:


On 27.08.2019 21:25, Richard Narron wrote:


The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
It took me a while to get it to work though.
I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
And I got errors very similar to those of Denis Fateyev on Fedora 30.
Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.
Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.
The code shows version "6.6.0-portable".
It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1
Regards,
Richard Narron

Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a -l:libcrypto.a 
is the correct way
to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? I ended up using 
these (and -pthreads
-ldl) and managed to build an RPM based on 6.0.3 RPM from CentOS 7.


I don't know about the -l:lib notation sorry

Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
This means that when an issue hits OpenSSL, updating OpenSSL and restarting the 
daemon will not be
enough to be back on track.

In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
multi-threaded.


Hello!

CentOS 7 has OpenSSL 1.0.2k as the max version and with OpenSSL 1.1.1c 
compiled into OpenSMTPD I can run the new OpenSMTPD version on a machine 
with CentOS 7's old OpenSSL version.


I had to add -pthreads and -ldl to pass 'make' with the static OpenSSL 
libraries. Without these I ran into errors hinting at threads and dl.


I'm a little wary of just forcibly replacing the whole OpenSSL 1.0.2k on 
a production machine. :)


Thanks!
Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread gilles
28 août 2019 00:00 "Reio Remma"  a écrit:

> On 27.08.2019 21:25, Richard Narron wrote:
> 
>> The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
>> works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
>> It took me a while to get it to work though.
>> I first downloaded the "current" portable version from
>> https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
>> And I got errors very similar to those of Denis Fateyev on Fedora 30.
>> Next I downloaded the portable version from github.com
>> and found that autoconf had not been run and this was no good.
>> Finally I discovered the post on the mailing list which mentioned the
>> "bootstrap" script and then I was able to download and build the portable
>> version from git.
>> The code shows version "6.6.0-portable".
>> It runs fine on Slackware64 current and I'm happy that it now works with
>> OpenSSL 1.1
>> Regards,
>> Richard Narron
> 
> Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.
> 
> Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a 
> -l:libcrypto.a is the correct way
> to get OpenSSL 1.1.1c statically compiled into OpenSMTPD? I ended up using 
> these (and -pthreads
> -ldl) and managed to build an RPM based on 6.0.3 RPM from CentOS 7.
> 

I don't know about the -l:lib notation sorry

Out of curiosity, why would you want ssl statically compiled into OpenSMTPD ?
This means that when an issue hits OpenSSL, updating OpenSSL and restarting the 
daemon will not be
enough to be back on track.

In addition, I'm not sure why you need -pthreads because OpenSMTPD is not 
multi-threaded.



> The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 1.0.2k 
> and OpenSMTPD started
> too:Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable 
> starting
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting
> address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls
> ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check 
> result="success"
> Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery 
> evpid=953ab16d13e43b2f
> from= to= rcpt=<-> 
> source="192.168.1.142"
> relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12
> s result="Ok" stat="250 2.0.0 OK 1566942607 w6si428635lfk.121 - gsmtp" More 
> testing will have to
> wait until tomorrow. :)
> 
> Good luck,
> Reio



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread gilles
Hello,

27 août 2019 20:25 "Richard Narron"  a écrit:

> The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
> works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2
> 

Yay !


> It took me a while to get it to work though.
> 
> I first downloaded the "current" portable version from
> https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz
> 
> And I got errors very similar to those of Denis Fateyev on Fedora 30.
> 

Yes, our latest release was not OpenSSL 1.1 compatible, the next one which
will happen in October will be.


> Next I downloaded the portable version from github.com
> and found that autoconf had not been run and this was no good.
> 
> Finally I discovered the post on the mailing list which mentioned the
> "bootstrap" script and then I was able to download and build the portable
> version from git.
> 

That's because this is the development branch, we run the boostrap script
when we perform a release.

In October, all you'll have to do is download the tarball from the website,
like you did with 6.4.2p1, and it will work for OpenSSL 1.1


> The code shows version "6.6.0-portable".
> 
> It runs fine on Slackware64 current and I'm happy that it now works with
> OpenSSL 1.1
> 

Neat



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-28 Thread Reio Remma

On 28/08/2019 01:00, Reio Remma wrote:
The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:

Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f 
from=  to=  rcpt=<-> source="192.168.1.142" 
relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12
s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"


Funnily this sole test e-mail managed to get us Spamhaus banned due to 
using localhost.localdomain. :D


Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Reio Remma

On 27.08.2019 21:25, Richard Narron wrote:

The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2

It took me a while to get it to work though.

I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz

And I got errors very similar to those of Denis Fateyev on Fedora 30.

Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.

Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.

The code shows version "6.6.0-portable".

It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1

Regards,
Richard Narron


Your success pushed me to try 6.6.0 on CentOS 7 with OpenSSL 1.1.1c.

Can anyone tell me if changing to -lcrypto -lssl to -l:libssl.a 
-l:libcrypto.a is the correct way to get OpenSSL 1.1.1c statically 
compiled into OpenSMTPD? I ended up using these (and -pthreads -ldl) and 
managed to build an RPM based on 6.0.3 RPM from CentOS 7.


The fresh RPM installed nicely on a clean CentOS 7 with their OpenSSH 
1.0.2k and OpenSMTPD started too:


Aug 28 00:54:54 localhost smtpd[25943]: info: OpenSMTPD 6.6.0-portable starting
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connecting 
address=smtp://108.177.14.27:25 host=lt-in-f27.1e100.net
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta connected
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta tls 
ciphers=TLSv1.3:TLS_AES_256_GCM_SHA384:256
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta server-cert-check 
result="success"
Aug 28 00:50:07 localhost smtpd[9338]: cfa3e1042696f77a mta delivery evpid=953ab16d13e43b2f 
from= to= rcpt=<-> source="192.168.1.142" 
relay="108.177.14.27 (lt-in-f27.1e100.net)" delay=3m12
s result="Ok" stat="250 2.0.0 OK  1566942607 w6si428635lfk.121 - gsmtp"

More testing will have to wait until tomorrow. :)

Good luck,
Reio


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-27 Thread Richard Narron
The OpenSMTPD portable version from https://github.com/OpenSMTPD/OpenSMTPD
works fine on Slackware64 current with OpenSSL 1.1.1c and gcc 9.2

It took me a while to get it to work though.

I first downloaded the "current" portable version from
https://opensmtpd.org/archives/opensmtpd-6.4.2p1.tar.gz

And I got errors very similar to those of Denis Fateyev on Fedora 30.

Next I downloaded the portable version from github.com
and found that autoconf had not been run and this was no good.

Finally I discovered the post on the mailing list which mentioned the
"bootstrap" script and then I was able to download and build the portable
version from git.

The code shows version "6.6.0-portable".

It runs fine on Slackware64 current and I'm happy that it now works with
OpenSSL 1.1

Regards,
Richard Narron




Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-20 Thread Gilles Chehade
On Fri, Aug 16, 2019 at 03:38:43AM +0600, Denis Fateyev wrote:
> Hello Gilles,
> 
> You are right, I tried "opensmtpd-6.4.2p1.tar.gz" release for some reasons,
> and it was failing to build.
> 
> The latest checkout from portable branch is fine, and doesn't bring any
> build issues anymore, it's great!
> I will test it for a while with some use cases.
> 
> 
> Out of curiosity, I have also tried it with openssl-1.0.2k (RHEL7) , and as
> expected it's failing.
> Mostly related to RSA methods. Just to note:
> https://kojipkgs.fedoraproject.org//work/tasks/2547/37062547/build.log
> 

yeah, the problem is described here:

https://poolp.org/posts/2019-07-27/july-2019-report-tons-of-smtpd-work-mostly/


long story short, the same code can't build for both 1.0.z and 1.1.z, to
support both requires using two different APIs.

it is technically doable but 1.0.z will be EOL a month or so after we'll
release our next major version so the work isn't worth it.


-- 
Gilles Chehade @poolpOrg

https://www.poolp.orgpatreon: https://www.patreon.com/gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-15 Thread Gilles Chehade
Hu, this doesn't look like latest checkout from portable, can you double
check ?

Le mer. 14 août 2019 à 22:17, Denis Fateyev  a écrit :

> Hello Gilles,
>
> Tried to rebuild on Fedora 30, but got compile errors (providing below
> with warnings in case if you find them useful):
> --- < cut here > ---
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
> './'`../../smtpd/ca.c
> ../../smtpd/aliases.c: In function 'aliases_get':
> ../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
> [-Wunused-but-set-variable]
>56 |  struct table*userbase = NULL;
>   |   ^~~~
> ../../smtpd/aliases.c: In function 'aliases_virtual_get':
> ../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not
> used [-Wunused-but-set-variable]
>   114 |  struct table*userbase = NULL;
>   |   ^~~~
> gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
> -I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
> -I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
> -DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
> -DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
> -DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
> -DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
> -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
> -fexceptions -fstack-protector-strong -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
>  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
> -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
> -D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
> ../../smtpd/smtpd-compress_backend.o `test -f
> '../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>   |   ^~
> ../../smtpd/ca.c: At top level:
> ../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
> incomplete type
>   307 | static RSA_METHOD rsae_method = {
>   | ^~
> ../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
>   308 |  "RSA privsep engine",
>   |  ^~~~
> ../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
>   309 |  rsae_pub_enc,
>   |  ^~~~
> ../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
>   310 |  rsae_pub_dec,
>   |  ^~~~
> ../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
>   311 |  rsae_priv_enc,
>   |  ^
> ../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
>   312 |  rsae_priv_dec,
>   |  ^
> ../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
>   313 |  rsae_mod_exp,
>   |  ^~~~
> ../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
> ../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
>   314 |  rsae_bn_mod_exp,
>   |  ^~~
> ../../smtpd/ca.c:314:2: note: (near initialization for 

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/14/19 3:43 PM, Harald Dunkel wrote:
> 
> This is Debian sid (amd64), including openssl version 1.1.1c .
> Here is the list of packages providing shared objects for smtpd:
> 
> ||/ Name VersionArchitecture Description
> +++--==--===
> ii  libasr0  1.0.2-2+b1 amd64asynchronous DNS 
> resolver
> ii  libaudit1:amd64  1:2.8.5-2  amd64Dynamic library for 
> security auditing
> ii  libc6:amd64  2.28-10amd64GNU C Library: 
> Shared libraries
> ii  libcap-ng0:amd64 0.7.9-2amd64An alternate POSIX 
> capabilities library
> ii  libdb5.3:amd64   5.3.28+dfsg1-0.6   amd64Berkeley v5.3 
> Database Libraries [runtime]
> ii  libevent-2.1-6:amd64 2.1.8-stable-4 amd64Asynchronous event 
> notification library
> ii  libpam0g:amd64   1.3.1-5amd64Pluggable 
> Authentication Modules library
> ii  libssl1.1:amd64  1.1.1c-1   amd64Secure Sockets Layer 
> toolkit - shared libraries
> ii  zlib1g:amd64 1:1.2.11.dfsg-1+b1 amd64compression library 
> - runtime
> 

PS: compiler version:

{harri@cecil:~ (master) 502} gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 8.3.0-19' 
--with-bugurl=file:///usr/share/doc/gcc-8/README.Bugs 
--enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr 
--with-gcc-major-version-only --program-suffix=-8 
--program-prefix=x86_64-linux-gnu-
--enable-shared --enable-linker-build-id --libexecdir=/usr/lib 
--without-included-gettext --enable-threads=posix --libdir=/usr/lib 
--enable-nls --enable-bootstrap --enable-clocale=gnu --enable-libstdcxx-debug 
--enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new 
--enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie 
--with-system-zlib --with-target-system-zlib --enable-objc-gc=auto 
--enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-offload-targets=nvptx-none --without-cuda-driver 
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu 
--target=x86_64-linux-gnu --with-build-config=bootstrap-lto --enable-link-mutex
Thread model: posix
gcc version 8.3.0 (Debian 8.3.0-19)


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
>
> ../../smtpd/ca.c: In function 'ca_X509_verify':
> ../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
> 'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
>   204 |*errstr = X509_verify_cert_error_string(xsc->error);
>

This can be fixed in "smtpd/ca.c" with:
- *errstr = X509_verify_cert_error_string(xsc->error);
+ *errstr = X509_verify_cert_error_string(X509_STORE_CTX_get_error(xsc));

But as for rsae-specific, it should be more complicated.
I remember an old openssl-1.1.x compat patch, where RSA methods were
explicitly defined.

---
wbr, Denis.


Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Denis Fateyev
Hello Gilles,

Tried to rebuild on Fedora 30, but got compile errors (providing below with
warnings in case if you find them useful):
--- < cut here > ---
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-ca.o `test -f '../../smtpd/ca.c' || echo
'./'`../../smtpd/ca.c
../../smtpd/aliases.c: In function 'aliases_get':
../../smtpd/aliases.c:56:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
   56 |  struct table*userbase = NULL;
  |   ^~~~
../../smtpd/aliases.c: In function 'aliases_virtual_get':
../../smtpd/aliases.c:114:23: warning: variable 'userbase' set but not used
[-Wunused-but-set-variable]
  114 |  struct table*userbase = NULL;
  |   ^~~~
gcc -DHAVE_CONFIG_H -I. -I../..  -I../../smtpd -I../../openbsd-compat
-I../../openbsd-compat/err_h -I../../openbsd-compat/paths_h -I.
-I/usr/include  -DSMTPD_CONFDIR=\"/etc/opensmtpd\"
-DPATH_CHROOT=\"/var/empty/smtpd\" -DPATH_SMTPCTL=\"/usr/sbin/smtpctl\"
-DPATH_MAILLOCAL=\"/usr/libexec/opensmtpd/mail.local\"
-DPATH_LIBEXEC=\"/usr/libexec/opensmtpd\" -DHAVE_CONFIG_H -DIO_SSL
-DCA_FILE=\"/etc/pki/tls/cert.pem\" -O2 -g -pipe -Wall
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
-fexceptions -fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
 -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE
-D_DEFAULT_SOURCE  -D_GNU_SOURCE -DNEED_EVENT_ASR_RUN -c -o
../../smtpd/smtpd-compress_backend.o `test -f
'../../smtpd/compress_backend.c' || echo './'`../../smtpd/compress_backend.c
../../smtpd/ca.c: In function 'ca_X509_verify':
../../smtpd/ca.c:204:47: error: dereferencing pointer to incomplete type
'X509_STORE_CTX' {aka 'struct x509_store_ctx_st'}
  204 |*errstr = X509_verify_cert_error_string(xsc->error);
  |   ^~
../../smtpd/ca.c: At top level:
../../smtpd/ca.c:307:1: error: variable 'rsae_method' has initializer but
incomplete type
  307 | static RSA_METHOD rsae_method = {
  | ^~
../../smtpd/ca.c:308:2: warning: excess elements in struct initializer
  308 |  "RSA privsep engine",
  |  ^~~~
../../smtpd/ca.c:308:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:309:2: warning: excess elements in struct initializer
  309 |  rsae_pub_enc,
  |  ^~~~
../../smtpd/ca.c:309:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:310:2: warning: excess elements in struct initializer
  310 |  rsae_pub_dec,
  |  ^~~~
../../smtpd/ca.c:310:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:311:2: warning: excess elements in struct initializer
  311 |  rsae_priv_enc,
  |  ^
../../smtpd/ca.c:311:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:312:2: warning: excess elements in struct initializer
  312 |  rsae_priv_dec,
  |  ^
../../smtpd/ca.c:312:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:313:2: warning: excess elements in struct initializer
  313 |  rsae_mod_exp,
  |  ^~~~
../../smtpd/ca.c:313:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:314:2: warning: excess elements in struct initializer
  314 |  rsae_bn_mod_exp,
  |  ^~~
../../smtpd/ca.c:314:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:315:2: warning: excess elements in struct initializer
  315 |  rsae_init,
  |  ^
../../smtpd/ca.c:315:2: note: (near initialization for 'rsae_method')
../../smtpd/ca.c:316:2: warning: excess elements in struct initializer
  316 |  rsae_finish,
  |  ^~~

Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-14 Thread Harald Dunkel
On 8/13/19 9:02 PM, gil...@poolp.org wrote:
> 13 août 2019 12:35 "Harald Dunkel"  a écrit:
> 
>>
>> Surely I don't have a highly complex EMail configuration, but
>> the new version is running on my MTA and the nullclients since
>> Aug 7th: No issues by now, AFAICT. Cool.
>>
> 
> Care to mention what system you are using ? :-)
> 

This is Debian sid (amd64), including openssl version 1.1.1c .
Here is the list of packages providing shared objects for smtpd:

||/ Name VersionArchitecture Description
+++--==--===
ii  libasr0  1.0.2-2+b1 amd64asynchronous DNS 
resolver
ii  libaudit1:amd64  1:2.8.5-2  amd64Dynamic library for 
security auditing
ii  libc6:amd64  2.28-10amd64GNU C Library: Shared 
libraries
ii  libcap-ng0:amd64 0.7.9-2amd64An alternate POSIX 
capabilities library
ii  libdb5.3:amd64   5.3.28+dfsg1-0.6   amd64Berkeley v5.3 Database 
Libraries [runtime]
ii  libevent-2.1-6:amd64 2.1.8-stable-4 amd64Asynchronous event 
notification library
ii  libpam0g:amd64   1.3.1-5amd64Pluggable 
Authentication Modules library
ii  libssl1.1:amd64  1.1.1c-1   amd64Secure Sockets Layer 
toolkit - shared libraries
ii  zlib1g:amd64 1:1.2.11.dfsg-1+b1 amd64compression library - 
runtime


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread gilles
13 août 2019 12:35 "Harald Dunkel"  a écrit:

> Hi folks,
> 
> On 7/24/19 1:16 PM, Gilles Chehade wrote:
> 
>> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
>> 
>>> I will check runtime ASAP.
>> 
>> Great !
>> 
>> Keep on providing feedback please !
> 
> Surely I don't have a highly complex EMail configuration, but
> the new version is running on my MTA and the nullclients since
> Aug 7th: No issues by now, AFAICT. Cool.
> 

Care to mention what system you are using ? :-)

Gilles



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-08-13 Thread Harald Dunkel
Hi folks,

On 7/24/19 1:16 PM, Gilles Chehade wrote:
> On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> 
>> I will check runtime ASAP.
>>
> 
> Great !
> 
> Keep on providing feedback please !
> 

Surely I don't have a highly complex EMail configuration, but
the new version is running on my MTA and the nullclients since
Aug 7th: No issues by now, AFAICT. Cool.


Regards
Harri



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-07-24 Thread Gilles Chehade
On Wed, Jul 24, 2019 at 10:29:34AM +0200, Harald Dunkel wrote:
> Hi Gilles,
> 
> On 7/23/19 11:58 AM, Gilles Chehade wrote:
> > Hello people,
> > 
> > The portable branch of OpenSMTPD should build with OpenSSL again as long
> > as your system is using >= 1.1.x
> > 
> 
> This is excellent news. I highly appreciate the new portable
> version. This solves a lot of problems in my environment.
> 

great ;-)


> > OpenSMTPD portable has been built and tested with Ubuntu only, please do
> > provide feedback !
> > 
> 
> On a first build (Debian 9) configure returned an error
> 
> checking if programs using libevent functions will link... no
> checking openssl/opensslv.h usability... yes
> checking openssl/opensslv.h presence... yes
> checking for openssl/opensslv.h... yes
> configure: error: *** Can't find recent LibreSSL libcrypto (see config.log 
> for details) ***
> 
> 
> but actually libevent was missing:
> 
> :
> configure:19442: checking openssl/opensslv.h usability
> configure:19442: gcc -c -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  conftest.c >&5
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking openssl/opensslv.h presence
> configure:19442: gcc -E -I/usr/local/ssl/include  conftest.c
> configure:19442: $? = 0
> configure:19442: result: yes
> configure:19442: checking for openssl/opensslv.h
> configure:19442: result: yes
> configure:19468: gcc -o conftest -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
> -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
> -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
> -D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  
> -L/usr/local/ssl/lib  conftest.c -lcrypto -lssl -levent -lasr -lcrypt 
> -lresolv  >&5
> /usr/bin/ld: cannot find -levent
> collect2: error: ld returned 1 exit status
> :
> 
> After installing the missing package it built fine.
> 

This is a known issue, I'm working on simplifying the configure layer as
a there is a lot of room for improvement.

I have tried to tackle this multiple times but not successfully yet ;-)


> I will check runtime ASAP.
> 

Great !

Keep on providing feedback please !

-- 
Gilles Chehade @poolpOrg

https://www.poolp.orgpatreon: https://www.patreon.com/gilles

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: OpenSMTPD build on OpenSSL 1.1.x

2019-07-24 Thread Harald Dunkel

Hi Gilles,

On 7/23/19 11:58 AM, Gilles Chehade wrote:

Hello people,

The portable branch of OpenSMTPD should build with OpenSSL again as long
as your system is using >= 1.1.x



This is excellent news. I highly appreciate the new portable
version. This solves a lot of problems in my environment.



OpenSMTPD portable has been built and tested with Ubuntu only, please do
provide feedback !



On a first build (Debian 9) configure returned an error

checking if programs using libevent functions will link... no
checking openssl/opensslv.h usability... yes
checking openssl/opensslv.h presence... yes
checking for openssl/opensslv.h... yes
configure: error: *** Can't find recent LibreSSL libcrypto (see config.log for 
details) ***


but actually libevent was missing:

:
configure:19442: checking openssl/opensslv.h usability
configure:19442: gcc -c -g -O2  -fPIC -DPIC -Wall -Wpointer-arith -Wuninitialized 
-Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign 
-Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -D_BSD_SOURCE 
-D_DEFAULT_SOURCE  -I/usr/local/ssl/include  conftest.c >&5
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking openssl/opensslv.h presence
configure:19442: gcc -E -I/usr/local/ssl/include  conftest.c
configure:19442: $? = 0
configure:19442: result: yes
configure:19442: checking for openssl/opensslv.h
configure:19442: result: yes
configure:19468: gcc -o conftest -g -O2  -fPIC -DPIC -Wall -Wpointer-arith 
-Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess 
-Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset 
-D_BSD_SOURCE -D_DEFAULT_SOURCE  -I/usr/local/ssl/include  -L/usr/local/ssl/lib  
conftest.c -lcrypto -lssl -levent -lasr -lcrypt -lresolv  >&5
/usr/bin/ld: cannot find -levent
collect2: error: ld returned 1 exit status
:

After installing the missing package it built fine.

I will check runtime ASAP.


Regards
Harri


--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org