dovecot - Aug 2006 - Dovecot SSL issue on Solaris 10 x64 (64-bit)

I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a  
Solaris 10.

My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk  
mirror) as the
filesystem for my users. Dovecot version is 1.0rc7 (logs below are from  
1.0rc6).

First the connection asks if the SSL-certificate should be accepted,  
accepting it
seems to work but then nothing happens. Thunderbird is quite silent, not  
always displays
an error message, it just seems that there are no emails to download.

It works fine in Mac OS X Mail.app with POP3s and IMAPs (both SSL).
But not for Thunderbird (1.5.0.5) and Opera (latest).

Setting "verbose_ssl=yes" and "auth_debug=yes" in the
configuration gives
this error
 from a Thunderbird login:
Aug 16 14:16:28 credo dovecot: [ID 107833 mail.warning] pop3-login:  
SSL_accept() failed: error:140D308A:SSL  
routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [85.225.200.123]
Aug 16 14:16:28 credo dovecot: [ID 107833 mail.info] pop3-login:  
Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
Aug 16 14:16:29 credo dovecot: [ID 107833 mail.warning] pop3-login:  
SSL_accept() failed: error:140D308A:SSL  
routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable [85.225.200.123]
Aug 16 14:16:29 credo dovecot: [ID 107833 mail.info] pop3-login:  
Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS

It seems to be that the OpenSSL installed with Solaris 10 is abit
"broken"
or missing
the cryptographic procotols needed. (at least from what I've read on the  
Internet)
Strange that it works fine with Mail.app on Mac OS X.

So, I installed the latest OpenSSL, compiled, tested and installed.
(no problems occured)

Back to compiling Dovecot, used this oneliner to point it to the new  
OpenSSL (and my compile settings):
env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure  
--sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl

Worked!
bash-3.00$ egrep "^SSL_" config.log
SSL_CFLAGS='-I/usr/local/ssl/include  '
SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl  '

But gives this error message when I compile:
  gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes  
-Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2  
-Wbad-function-cast -I/usr/local/ssl/include -o ssl-build-param  
ssl-init-main.o ssl-init-openssl.o ssl-init-gnutls.o  ../lib/liblib.a  
-L/usr/local/ssl/lib -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF  
class: ELFCLASS64
Undefined                       first referenced
symbol                             in file
DH_generate_parameters              ssl-init-openssl.o
ERR_get_error                       ssl-init-openssl.o
ERR_error_string_n                  ssl-init-openssl.o
i2d_DHparams                        ssl-init-openssl.o
ld: fatal: Symbol referencing errors. No output written to ssl-build-param
collect2: ld returned 1 exit status
*** Error code 1
make: Fatal error: Command failed for target `ssl-build-param'
Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
*** Error code 1
The following command caused the error:
(error message removed to save space, can include if requested)

It seems that the Thunderbird/Opera SSL problem will be solved with a new  
OpenSSL.
But I seem to have problems getting Dovecot to compile with the new  
OpenSSL (64-bit issue?).

Anyone got any hints on what I should do?


With Regards,
Patric

I've managed to compile it at least on Solaris 10 64-bit sparc. You're 
right, the Sun OpenSSL package is pretty broken, so I used our own 
(version 0.9.8b) compiled with the Sun included gcc (3.4.3)

./config --prefix=/opt/RDGopnssl --openssldir=/opt/RDGopnssl --shared 
no-rc5 no-idea no-mdc2

and Dovecot (actually 1.0rc5) compiled with

CFLAGS="-I/opt/RDGopnssl/include -L/opt/RDGopnssl/lib -g -O2" \
./configure --prefix=/opt/RDGdovect --with-ssl=openssl

which gives a binary with libraries:-

env LD_LIBRARY_PATH=/opt/RDGopnssl/lib ldd src/imap-login/imap-login
         libssl.so.0.9.8 =>       /opt/RDGopnssl/lib/libssl.so.0.9.8
         libcrypto.so.0.9.8 =>    /opt/RDGopnssl/lib/libcrypto.so.0.9.8
         libsocket.so.1 =>        /lib/libsocket.so.1
         libnsl.so.1 =>   /lib/libnsl.so.1
         librt.so.1 =>    /lib/librt.so.1
         libsendfile.so.1 =>      /lib/libsendfile.so.1
         libc.so.1 =>     /lib/libc.so.1
         libdl.so.1 =>    /lib/libdl.so.1
         libgcc_s.so.1 =>         /usr/sfw/lib/libgcc_s.so.1
         libmp.so.2 =>    /lib/libmp.so.2
         libmd5.so.1 =>   /lib/libmd5.so.1
         libscf.so.1 =>   /lib/libscf.so.1
         libaio.so.1 =>   /lib/libaio.so.1
         libdoor.so.1 =>  /lib/libdoor.so.1
         libuutil.so.1 =>         /lib/libuutil.so.1
         libm.so.2 =>     /lib/libm.so.2
         /platform/SUNW,Ultra-5_10/lib/libc_psr.so.1
         /platform/SUNW,Ultra-5_10/lib/libmd5_psr.so.1

 From what you say below, I'd guess that you're linking OpenSSL 
statically and it's finding a 32-bit version of libcrypto.a (or possibly 
a 32-bit Dovecot and a 64-bit libcrypto.a)

(For the record, I've tested it on 64-bit Solaris 8 but not Solaris 10 yet.)

Best Wishes,
Chris

Patric wrote:
> I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a 
> Solaris 10.
> 
> My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk 
> mirror) as the
> filesystem for my users. Dovecot version is 1.0rc7 (logs below are from 
> 1.0rc6).
<snip>
> It seems to be that the OpenSSL installed with Solaris 10 is abit 
> "broken" or missing
> the cryptographic procotols needed. (at least from what I've read on
the
> Internet)
> Strange that it works fine with Mail.app on Mac OS X.
> 
> So, I installed the latest OpenSSL, compiled, tested and installed.
> (no problems occured)
> 
> Back to compiling Dovecot, used this oneliner to point it to the new 
> OpenSSL (and my compile settings):
> env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure 
> --sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl
> 
> Worked!
> bash-3.00$ egrep "^SSL_" config.log
> SSL_CFLAGS='-I/usr/local/ssl/include  '
> SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl 
'
> 
> But gives this error message when I compile:
>  gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes 
> -Wmissing-declarations -Wpointer-arith -Wchar-subscripts -Wformat=2 
> -Wbad-function-cast -I/usr/local/ssl/include -o ssl-build-param 
> ssl-init-main.o ssl-init-openssl.o ssl-init-gnutls.o  ../lib/liblib.a 
> -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
> ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF 
> class: ELFCLASS64
> Undefined                       first referenced
> symbol                             in file
> DH_generate_parameters              ssl-init-openssl.o
> ERR_get_error                       ssl-init-openssl.o
> ERR_error_string_n                  ssl-init-openssl.o
> i2d_DHparams                        ssl-init-openssl.o
> ld: fatal: Symbol referencing errors. No output written to ssl-build-param
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `ssl-build-param'
> Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
> *** Error code 1
> The following command caused the error:
> (error message removed to save space, can include if requested)
> 
> It seems that the Thunderbird/Opera SSL problem will be solved with a 
> new OpenSSL.
> But I seem to have problems getting Dovecot to compile with the new 
> OpenSSL (64-bit issue?).
> 
> Anyone got any hints on what I should do?
> 
> 
> With Regards,
> Patric
-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK              Fax: +44 (0)118 975 3094

Patric,

I am currently running rc7 on both a production Solaris 9 system
and a test Solaris 10 6/06 system, both 64 bit sparc.  I am the
testee/victim on the S10 box, and my home directory is a mirrored
ZFS filesystem.  So for everything has been working great with imaps.
Err, but then we don't support Tbird either.

My two quick suggestions:

1) download a copy of Sunstudio 11 (Sun's compiler system) from Sun
and install it.  It is now free.  Then compile openssl with Sun's
C compiler instead of gcc.  See if that helps the loader issues.

In general I have had marginal success mixing code/libraries built
with different compilers.  But in my case, I have openssl built
with Sun cc and dovecot built with gcc (for core tracebacks).
Works great, go figure.

2) Make sure your SSL certs work.  Here's my "how to" notes,
gleaned from www.madboa.com/geek/openssl:

    1) How to test a new certificate:

    On the box with the new cert, launch openssl's mini-web browser:

    openssl s_server -cert /opt/openssl/ssl/certs/library.cert \
            -key /opt/openssl/ssl/private/library.key \
            -www

    (in this case for library)

    Then connect to this mini-web server via a web client:

    https://library.colby.edu:4433/

    and look at the results.

    2) Verify the chain of authority.

    a) Go to /opt/openssl/ssl/certs and make sure all of the hash links
    are there.  Type "/opt/openssl/bin/c_rehash" to create them.

If your cert chains aren't right, then this may be the source of your
issues.

Jeff Earickson
Colby College

On Mon, 21 Aug 2006, Patric wrote:
> Date: Mon, 21 Aug 2006 16:30:14 +0200
> From: Patric <ppaaff at gmail.com>
> To: dovecot at dovecot.org
> Subject: [Dovecot] Dovecot SSL issue on Solaris 10 x64 (64-bit)
> 
> I'm having an issue with Thunderbird (and Opera) and Dovecot SSL on a
Solaris
> 10.
>
> My OS is Solaris 10 6/06 x86 (running in 64-bit mode) using ZFS (disk
mirror)
> as the
> filesystem for my users. Dovecot version is 1.0rc7 (logs below are from 
> 1.0rc6).
>
> First the connection asks if the SSL-certificate should be accepted, 
> accepting it
> seems to work but then nothing happens. Thunderbird is quite silent, not 
> always displays
> an error message, it just seems that there are no emails to download.
>
> It works fine in Mac OS X Mail.app with POP3s and IMAPs (both SSL).
> But not for Thunderbird (1.5.0.5) and Opera (latest).
>
> Setting "verbose_ssl=yes" and "auth_debug=yes" in the
configuration gives
> this error
> from a Thunderbird login:
> Aug 16 14:16:28 credo dovecot: [ID 107833 mail.warning] pop3-login: 
> SSL_accept() failed: error:140D308A:SSL
routines:TLS1_SETUP_KEY_BLOCK:cipher
> or hash unavailable [85.225.200.123]
> Aug 16 14:16:28 credo dovecot: [ID 107833 mail.info] pop3-login: 
> Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
> Aug 16 14:16:29 credo dovecot: [ID 107833 mail.warning] pop3-login: 
> SSL_accept() failed: error:140D308A:SSL
routines:TLS1_SETUP_KEY_BLOCK:cipher
> or hash unavailable [85.225.200.123]
> Aug 16 14:16:29 credo dovecot: [ID 107833 mail.info] pop3-login: 
> Disconnected: rip=85.225.200.123, lip=195.198.174.212, TLS
>
> It seems to be that the OpenSSL installed with Solaris 10 is abit
"broken" or
> missing
> the cryptographic procotols needed. (at least from what I've read on
the
> Internet)
> Strange that it works fine with Mail.app on Mac OS X.
>
> So, I installed the latest OpenSSL, compiled, tested and installed.
> (no problems occured)
>
> Back to compiling Dovecot, used this oneliner to point it to the new
OpenSSL
> (and my compile settings):
> env PKG_CONFIG_PATH=/usr/local/ssl/lib/pkgconfig ./configure 
> --sysconfdir=/usr/local/etc --with-ssldir=/usr/local/etc/ssl
>
> Worked!
> bash-3.00$ egrep "^SSL_" config.log
> SSL_CFLAGS='-I/usr/local/ssl/include  '
> SSL_LIBS='-L/usr/local/ssl/lib -lssl -lcrypto -lsocket -lnsl -ldl 
'
>
> But gives this error message when I compile:
> gcc -std=gnu99 -g -O2 -Wall -W -Wmissing-prototypes -Wmissing-declarations 
> -Wpointer-arith -Wchar-subscripts -Wformat=2 -Wbad-function-cast 
> -I/usr/local/ssl/include -o ssl-build-param ssl-init-main.o 
> ssl-init-openssl.o ssl-init-gnutls.o  ../lib/liblib.a -L/usr/local/ssl/lib 
> -lssl -lcrypto -ldl -lsocket -lnsl -lrt -lsendfile
> ld: warning: file /usr/local/ssl/lib/libcrypto.a(dh_asn1.o): wrong ELF
class:
> ELFCLASS64
> Undefined                       first referenced
> symbol                             in file
> DH_generate_parameters              ssl-init-openssl.o
> ERR_get_error                       ssl-init-openssl.o
> ERR_error_string_n                  ssl-init-openssl.o
> i2d_DHparams                        ssl-init-openssl.o
> ld: fatal: Symbol referencing errors. No output written to ssl-build-param
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `ssl-build-param'
> Current working directory /home/nollan/work2/dovecot-1.0.rc7/src/master
> *** Error code 1
> The following command caused the error:
> (error message removed to save space, can include if requested)
>
> It seems that the Thunderbird/Opera SSL problem will be solved with a new 
> OpenSSL.
> But I seem to have problems getting Dovecot to compile with the new OpenSSL
> (64-bit issue?).
>
> Anyone got any hints on what I should do?
>
>
> With Regards,
> Patric