I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a Solaris 10.

My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk mirror) as the filesystem for my users. Dovecot version is 1.0rc7 (logs below are from 1.0rc6).

First the connection asks if the SSL-certificate should be accepted, accepting it seems to work but then nothing happens. Thunderbird is quite silent, not always displays an error message, it just seems that there are no emails to download.

It works fine in Mac OS X Mail.app with POP3s and IMAPs (both SSL).
But not for Thunderbird (1.5.0.5) and Opera (latest).

Setting "verbose_ssl=yes" and "auth_debug=yes" in the configuration gives this error from a Thunderbird login:

Aug 16 14:16:28 credo dovecot: [ID 107833 mail.warning] pop3-login: SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [85.225.200.123]
Aug 16 14:16:28 credo dovecot: [ID 107833 mail.info] pop3-login: Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
Aug 16 14:16:29 credo dovecot: [ID 107833 mail.warning] pop3-login: SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [85.225.200.123]
Aug 16 14:16:29 credo dovecot: [ID 107833 mail.info] pop3-login: Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS

It seems to be that the OpenSSL installed with Solaris 10 is a bit "broken" or missing the cryptographic protocols needed. (at least from what I've read on the Internet)
Strange that it works fine with Mail.app on Mac OS X.

So, I installed the latest OpenSSL, compiled, tested and installed. (no problems occurred)

Back to compiling Dovecot, used this oneliner to point it to the new OpenSSL (and my compile settings):

env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure --sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl

Worked!

bash-3.00$ egrep "^SSL_" config.log
SSL_CFLAGS='-I/usr/local/ssl/include '
SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl '

But gives this error message when I compile:

gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast -I/usr/local/ssl/include -o ssl-build-param ssl-init-main.o ssl-init-openssl.o ssl-init-gnutls.o ../lib/liblib.a -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF class: ELFCLASS64
Undefined                       first referenced
 symbol                             in file
DH_generate_parameters              ssl-init-openssl.o
ERR_get_error                       ssl-init-openssl.o
ERR_error_string_n                  ssl-init-openssl.o
i2d_DHparams                        ssl-init-openssl.o
ld: fatal: Symbol referencing errors. No output written to ssl-build-param
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ssl-build-param'
Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
*** Error code 1
The following command caused the error:
(error message removed to save space, can include if requested)

It seems that the Thunderbird/Opera SSL problem will be solved with a new OpenSSL.
But I seem to have problems getting Dovecot to compile with the new OpenSSL (64-bit issue?).

Anyone got any hints on what I should do?

With Regards,
Patric
Chris Wakelin
2006-Aug-26 10:38 UTC
[Dovecot] Dovecot SSL issue on Solaris 10 x64 (64-bit)
I've managed to compile it at least on Solaris 10 64-bit sparc. You're right, the Sun OpenSSL package is pretty broken, so I used our own (version 0.9.8b) compiled with the Sun included gcc (3.4.3)

./config --prefix=/opt/RDGopnssl --openssldir=/opt/RDGopnssl --shared no-rc5 no-idea no-mdc2

and Dovecot (actually 1.0rc5) compiled with

CFLAGS="-I/opt/RDGopnssl/include -L/opt/RDGopnssl/lib -g -O2" \
./configure --prefix=/opt/RDGdovect --with-ssl=openssl

which gives a binary with libraries:-

env LD_LIBRARY_PATH=/opt/RDGopnssl/lib ldd src/imap-login/imap-login
        libssl.so.0.9.8 =>       /opt/RDGopnssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /opt/RDGopnssl/lib/libcrypto.so.0.9.8
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        librt.so.1 =>    /lib/librt.so.1
        libsendfile.so.1 =>      /lib/libsendfile.so.1
        libc.so.1 =>     /lib/libc.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libgcc_s.so.1 =>         /usr/sfw/lib/libgcc_s.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd5.so.1 =>   /lib/libmd5.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libaio.so.1 =>   /lib/libaio.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
        /platform/SUNW,Ultra-5_10/lib/libmd5_psr.so.1

From what you say below, I'd guess that you're linking OpenSSL statically and it's finding a 32-bit version of libcrypto.a (or possibly a 32-bit Dovecot and a 64-bit libcrypto.a)

(For the record, I've tested it on 64-bit Solaris 8 but not Solaris 10 yet.)

Best Wishes,
Chris

Patric wrote:
> I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a
> Solaris 10.
>
> My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk
> mirror) as the
> filesystem for my users. Dovecot version is 1.0rc7 (logs below are from
> 1.0rc6).

<snip>

> It seems to be that the OpenSSL installed with Solaris 10 is a bit
> "broken" or missing
> the cryptographic protocols needed. (at least from what I've read on the
> Internet)
> Strange that it works fine with Mail.app on Mac OS X.
>
> So, I installed the latest OpenSSL, compiled, tested and installed.
> (no problems occurred)
>
> Back to compiling Dovecot, used this oneliner to point it to the new
> OpenSSL (and my compile settings):
> env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure
> --sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl
>
> Worked!
> bash-3.00$ egrep "^SSL_" config.log
> SSL_CFLAGS='-I/usr/local/ssl/include '
> SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl '
>
> But gives this error message when I compile:
> gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2
> -Wbad-function-cast -I/usr/local/ssl/include -o ssl-build-param
> ssl-init-main.o ssl-init-openssl.o ssl-init-gnutls.o ../lib/liblib.a
> -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
> ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF
> class: ELFCLASS64
> Undefined                       first referenced
>  symbol                             in file
> DH_generate_parameters              ssl-init-openssl.o
> ERR_get_error                       ssl-init-openssl.o
> ERR_error_string_n                  ssl-init-openssl.o
> i2d_DHparams                        ssl-init-openssl.o
> ld: fatal: Symbol referencing errors. No output written to ssl-build-param
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `ssl-build-param'
> Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
> *** Error code 1
> The following command caused the error:
> (error message removed to save space, can include if requested)
>
> It seems that the Thunderbird/Opera SSL problem will be solved with a
> new OpenSSL.
> But I seem to have problems getting Dovecot to compile with the new
> OpenSSL (64-bit issue?).
>
> Anyone got any hints on what I should do?
>
>
> With Regards,
> Patric

--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094
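
The 32-bit/64-bit mismatch suggested in the reply above can be confirmed by reading the ELF class byte of every object inside the static archive and comparing it with the class of Dovecot's own objects. The following is an added example, not code from the thread or from Dovecot or OpenSSL; the function names are hypothetical and the archive bytes are constructed stubs, not real library contents.

```python
import struct

AR_MAGIC = b"!<arch>\n"
ELF_CLASS = {1: "ELFCLASS32", 2: "ELFCLASS64"}

def elf_class(data):
    """Return the ELF class name of an object, or None if it is not ELF."""
    if len(data) < 5 or data[:4] != b"\x7fELF":
        return None
    return ELF_CLASS.get(data[4], "ELFCLASSNONE")   # e_ident[EI_CLASS]

def archive_members(blob):
    """Yield (name, data) for each object in a SysV/GNU ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, longnames = len(AR_MAGIC), b""
    while pos + 60 <= len(blob):
        name, size, end = struct.unpack("16s32x10s2s", blob[pos:pos + 60])
        if end != b"`\n":
            raise ValueError("corrupt member header at offset %d" % pos)
        size = int(size.decode().strip())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)            # members are 2-byte aligned
        name = name.rstrip(b" ")
        if name == b"//":                        # long-name string table
            longnames = data
        elif name not in (b"/", b"/SYM64/"):     # skip the symbol index
            if name.startswith(b"/") and name[1:].isdigit():
                off = int(name[1:])
                name = longnames[off:longnames.index(b"\n", off)]
            yield name.rstrip(b"/").decode(), data

def mismatched(blob, expected):
    """List (member, class) pairs whose ELF class differs from `expected`."""
    found = ((n, elf_class(d)) for n, d in archive_members(blob))
    return [(n, c) for n, c in found if c and c != expected]

# --- constructed sample input, not real library contents ---
def make_member(name, data):
    hdr = b"%-16s%-12s%-6s%-6s%-8s%-10d`\n" % (name, b"0", b"0", b"0", b"644", len(data))
    return hdr + data + (b"\n" if len(data) & 1 else b"")
ELF64_STUB = b"\x7fELF\x02\x01\x01" + bytes(9)   # 16-byte e_ident, 64-bit
ELF32_STUB = b"\x7fELF\x01\x01\x01" + bytes(9)   # 16-byte e_ident, 32-bit
SAMPLE_LIBCRYPTO = AR_MAGIC + make_member(b"/", b"\0\0\0\0") \
    + make_member(b"dh_asn1.o/", ELF64_STUB) + make_member(b"err.o/", ELF64_STUB)

if __name__ == "__main__":
    for member, cls in mismatched(SAMPLE_LIBCRYPTO, elf_class(ELF32_STUB)):
        print("libcrypto.a(%s): %s, objects are ELFCLASS32" % (member, cls))
```

Against a real build, feed it the bytes of /usr/local/ssl/lib/libcrypto.a and the class read from one of Dovecot's own object files such as ssl-init-openssl.o; any member listed is one the linker will reject with "wrong ELF class".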
Jeff A. Earickson
2006-Aug-26 12:48 UTC
[Dovecot] Dovecot SSL issue on Solaris 10 x64 (64-bit)
Patric,

I am currently running rc7 on both a production Solaris 9 system and a test Solaris 10 6/06 system, both 64 bit sparc. I am the testee/victim on the S10 box, and my home directory is a mirrored ZFS filesystem. So far everything has been working great with imaps. Err, but then we don't support Tbird either.

My two quick suggestions:

1) download a copy of Sunstudio 11 (Sun's compiler system) from Sun and install it. It is now free. Then compile openssl with Sun's C compiler instead of gcc. See if that helps the loader issues. In general I have had marginal success mixing code/libraries built with different compilers. But in my case, I have openssl built with Sun cc and dovecot built with gcc (for core tracebacks). Works great, go figure.

2) Make sure your SSL certs work. Here's my "how to" notes, gleaned from www.madboa.com/geek/openssl:

   1) How to test a new certificate:

      On the box with the new cert, launch openssl's mini-web browser:

      openssl s_server -cert /opt/openssl/ssl/certs/library.cert \
          -key /opt/openssl/ssl/private/library.key \
          -www

      (in this case for library)

      Then connect to this mini-web server via a web client:

      https://library.colby.edu:4433/

      and look at the results.

   2) Verify the chain of authority.

      a) Go to /opt/openssl/ssl/certs and make sure all of the hash links are there. Type "/opt/openssl/bin/c_rehash" to create them.

If your cert chains aren't right, then this may be the source of your issues.

Jeff Earickson
Colby College

On Mon, 21 Aug 2006, Patric wrote:

> Date: Mon, 21 Aug 2006 16:30:14 +0200
> From: Patric <ppaaff at gmail.com>
> To: dovecot at dovecot.org
> Subject: [Dovecot] Dovecot SSL issue on Solaris 10 x64 (64-bit)
>
> I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a Solaris
> 10.
>
> My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk mirror)
> as the
> filesystem for my users. Dovecot version is 1.0rc7 (logs below are from
> 1.0rc6).
>
> First the connection asks if the SSL-certificate should be accepted,
> accepting it
> seems to work but then nothing happens. Thunderbird is quite silent, not
> always displays
> an error message, it just seems that there are no emails to download.
>
> It works fine in Mac OS X Mail.app with POP3s and IMAPs (both SSL).
> But not for Thunderbird (1.5.0.5) and Opera (latest).
>
> Setting "verbose_ssl=yes" and "auth_debug=yes" in the configuration gives
> this error
> from a Thunderbird login:
> Aug 16 14:16:28 credo dovecot: [ID 107833 mail.warning] pop3-login:
> SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher
> or hash unavailable [85.225.200.123]
> Aug 16 14:16:28 credo dovecot: [ID 107833 mail.info] pop3-login:
> Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
> Aug 16 14:16:29 credo dovecot: [ID 107833 mail.warning] pop3-login:
> SSL_accept() failed: error:140D308A:SSL routines:TLS1_SETUP_KEY_BLOCK:cipher
> or hash unavailable [85.225.200.123]
> Aug 16 14:16:29 credo dovecot: [ID 107833 mail.info] pop3-login:
> Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
>
> It seems to be that the OpenSSL installed with Solaris 10 is a bit "broken" or
> missing
> the cryptographic protocols needed. (at least from what I've read on the
> Internet)
> Strange that it works fine with Mail.app on Mac OS X.
>
> So, I installed the latest OpenSSL, compiled, tested and installed.
> (no problems occurred)
>
> Back to compiling Dovecot, used this oneliner to point it to the new OpenSSL
> (and my compile settings):
> env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure
> --sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl
>
> Worked!
> bash-3.00$ egrep "^SSL_" config.log
> SSL_CFLAGS='-I/usr/local/ssl/include '
> SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl '
>
> But gives this error message when I compile:
> gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations
> -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast
> -I/usr/local/ssl/include -o ssl-build-param ssl-init-main.o
> ssl-init-openssl.o ssl-init-gnutls.o ../lib/liblib.a -L/usr/local/ssl/lib
> -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
> ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF class:
> ELFCLASS64
> Undefined                       first referenced
>  symbol                             in file
> DH_generate_parameters              ssl-init-openssl.o
> ERR_get_error                       ssl-init-openssl.o
> ERR_error_string_n                  ssl-init-openssl.o
> i2d_DHparams                        ssl-init-openssl.o
> ld: fatal: Symbol referencing errors. No output written to ssl-build-param
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `ssl-build-param'
> Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
> *** Error code 1
> The following command caused the error:
> (error message removed to save space, can include if requested)
>
> It seems that the Thunderbird/Opera SSL problem will be solved with a new
> OpenSSL.
> But I seem to have problems getting Dovecot to compile with the new OpenSSL
> (64-bit issue?).
>
> Anyone got any hints on what I should do?
>
>
> With Regards,
> Patric