Bug 312517 - dev-libs/openssl-0.9.8n breaks net-mail/cyrus-imapd-2.3.14-r3 in some configurations
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Tobias Scherbaum (RETIRED)
 
Reported: 2010-03-31 21:33 UTC by Mike Nerone
Modified: 2010-07-30 18:59 UTC

Description Mike Nerone 2010-03-31 21:33:06 UTC
As is discussed at various places (e.g. http://rt.openssl.org/Ticket/Display.html?id=2197 , http://osdir.com/ml/debian-bugs-dist/2010-03/msg07956.html), openssl-0.9.8n requires a call to OpenSSL_add_all_algorithms() prior to use of a certificate utilizing a SHA256 hash. cyrus-imapd doesn't contain this call, so fails in TLS configurations. Log excerpt:

Mar 31 16:09:31 sagan master[4665]: about to exec /usr/lib/cyrus/imapd
Mar 31 16:09:31 sagan imaps[4665]: executed
Mar 31 16:09:31 sagan imaps[4665]: accepted connection
Mar 31 16:09:31 sagan imaps[4665]: imapd:Loading hard-coded DH parameters
Mar 31 16:09:31 sagan imaps[4665]: unknown message digest algorithm in SSL_accept() -> fail
Mar 31 16:09:31 sagan imaps[4665]: imaps TLS negotiation failed: hostname_and_ip_obfuscated
Mar 31 16:09:31 sagan imaps[4665]: Fatal error: tls_start_servertls() failed
Mar 31 16:09:31 sagan master[4631]: process 4665 exited, status 75
Mar 31 16:09:31 sagan master[4631]: service imaps pid 4665 in BUSY state: terminated abnormally

A work-around that worked for me is to comment out my "tls_ca_path" config in /etc/imapd.conf, so my guess is that one of the CA certificates has such a hash (I have one private CA cert in there, so it might be my own - I haven't checked).

Note to users: if you use client certificate authentication (fortunately for me, I don't), then commenting out that config will break it.

# emerge --info
Portage 2.1.7.17 (hardened/linux/x86/10.0, gcc-3.4.6, glibc-2.10.1-r1, 2.6.28-hardened-r9 i686)
=================================================================                              
System uname: Linux-2.6.28-hardened-r9-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13        
Timestamp of tree: Wed, 31 Mar 2010 15:45:01 +0000                                             
app-shells/bash:     4.0_p37                                                                   
dev-java/java-config: 2.1.10                                                                   
dev-lang/python:     2.6.4-r1                                                                  
dev-python/pycrypto: 2.1.0_beta1                                                               
sys-apps/baselayout: 1.12.13                                                                   
sys-apps/sandbox:    1.6-r2                                                                    
sys-devel/autoconf:  2.63-r1                                                                   
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1                                                  
sys-devel/binutils:  2.18-r3                                                                   
sys-devel/gcc:       3.4.6-r2                                                                  
sys-devel/gcc-config: 1.4.1                                                                    
sys-devel/libtool:   2.2.6b                                                                    
virtual/os-headers:  2.6.30-r1                                                                 
ACCEPT_KEYWORDS="x86"                                                                          
ACCEPT_LICENSE="* -@EULA dlj-1.1"                                                              
CBUILD="i686-pc-linux-gnu"                                                                     
CFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -fforce-addr -pipe"                           
CHOST="i686-pc-linux-gnu"                                                                      
CONFIG_PROTECT="/etc /opt/openfire/resources/security/"                                        
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -fomit-frame-pointer -fforce-addr -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --with-bdeps y"
FEATURES="assume-digests buildpkg collision-protect distlocks fail-clean fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv userpriv_fakeroot usersandbox verify-rdepend"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_US"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/webapps-experimental /var/lib/layman/nerone"
SYNC="rsync://portage.nerone.org/gentoo-portage"
USE="acl amr apache2 bash-completion branding bzip2 clamav cli cracklib crypt curl cxx dri encode expat faac faad ffmpeg flash ftp gd gif glib gmp gnutls hardened headless iconv idn imagemagick imap innodb ithreads java jikes jpeg lame mcal memlimit mmap mmx modules mudflap mysql ncurses nerone-overlay-master netpbm network-cron nls nntp nptl nptlonly ogg openfire pam pcre php pic pie png postgres pppd python readline reflection sasl schroedinger semantic-desktop session spell spl sse ssl subversion symlink sysfs syslog taglib threads threadsafe tiff truetype unicode urandom vhosts vim-syntax vorbis webdav wps x264 x86 xattr xcb xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1     emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m       maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias auth_basic authn_alias authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex dav dav_fs dir env include info log_config mime mime_magic negotiation proxy proxy_http rewrite setenvif status unique_id" APACHE2_MPMS="event" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel         mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage  siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware     voodoo"
Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
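
Added example (not part of the original report, nor code from cyrus-imapd or OpenSSL): the reporter guesses that one certificate under tls_ca_path is signed with SHA-256 but did not check. The Python code below reads the outer signatureAlgorithm OID of each certificate in a PEM bundle and returns the positions of the SHA-256/RSA ones; all function names and the sample bundle are constructed for illustration.

```python
import base64
import re

# sha256WithRSAEncryption (RFC 4055), the signature type named in the report.
SHA256_RSA_OID = "1.2.840.113549.1.1.11"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subs, acc = [], 0
    for b in body:  # base-128 sub-identifiers, high bit means "more follows"
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(acc)
            acc = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_oid(der):
    """Dotted OID of the outer Certificate.signatureAlgorithm (RFC 5280)."""
    tag, pos, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, pos)            # skip tbsCertificate
    alg_tag, alg_pos, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier
    oid_tag, start, end = read_tlv(der, alg_pos)  # algorithm OID
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("not an X.509 certificate")
    return decode_oid(der[start:end])

def sha256_signed(pem_text):
    """Indexes of the certificates in a PEM bundle signed with SHA-256/RSA."""
    oids = [signature_oid(base64.b64decode(m)) for m in PEM_RE.findall(pem_text)]
    return [i for i, oid in enumerate(oids) if oid == SHA256_RSA_OID]

# Constructed sample: DER skeletons (stub tbsCertificate, empty signature), not real certs.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def _skeleton(last_arc):
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d0101") + bytes([last_arc])) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01")) + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = _skeleton(5) + _skeleton(11)  # SHA-1/RSA first, then SHA-256/RSA
```

To check a real setup, pass the text of each file under the configured tls_ca_path to sha256_signed().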
Comment 1 Tobias Scherbaum (RETIRED) gentoo-dev 2010-07-30 16:04:45 UTC
iirc this has been fixed with newer openssl versions, please test and report back if this problem still occurs.
Comment 2 Mike Nerone 2010-07-30 18:59:53 UTC
Fix confirmed. Thanks!

Am I supposed to mark this bug resolved? I'll leave it to you in this case since I don't know.