They have stated they are going to remain API compatible with 1.0.1h (or
g, forget which they forked) - their new stuff is outside of libcrypto.

On 11/02/2016 04:25 AM, Aki Tuomi wrote:
> It does work today, I am just a bit worried that it will keep on breaking
> with libressl as they evolve their API. I would personally like to avoid
> more ifdef hell if possible...
>
> Aki
>
> On 02.11.2016 13:22, Michael A. Peters wrote:
>> Standard way to fix it (on the LibreSSL page) is to check for
>> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think
>> catches them all where needed. Note the word think.
>>
>> It certainly appears to be working anyway with it.
>>
>> On 11/02/2016 04:07 AM, Aki Tuomi wrote:
>>> After doing some testing by myself, I noticed that libressl, for some
>>> unknown reason, defines
>>>
>>> #define OPENSSL_VERSION_NUMBER 0x20000000L
>>>
>>> No idea why they decided to advertise that they are OpenSSL v2.0.0. A
>>> local fix, if you need one, is to use
>>>
>>> #if OPENSSL_VERSION_NUMBER == 0x20000000L
>>> #define OPENSSL_VERSION_NUMBER 0x1000100L
>>> #endif
>>>
>>> in dcrypt-openssl.c after includes.
>>>
>>> Aki
>>>
>>> On 02.11.2016 12:39, Aki Tuomi wrote:
>>>> Hi!
>>>>
>>>> Those are used if
>>>>
>>>> #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>>>>
>>>> So (your) libressl is providing this define. We compile our code using
>>>> GCC and CLANG regularly, with OpenSSL v1.0.x which is the currently
>>>> officially supported one.
>>>>
>>>> Aki
>>>>
>>>> On 02.11.2016 12:34, Ruga wrote:
>>>>> dovecot 2.2.26.0 uses the following functions, which are not
>>>>> available on libressl 2.4.3:
>>>>>
>>>>> HMAC_CTX_new
>>>>> HMAC_CTX_free
>>>>> EVP_PKEY_get0_EC_KEY
>>>>> EVP_PKEY_get0_RSA
>>>>> OBJ_length
>>>>> EVP_MD_CTX_new
>>>>> EVP_MD_CTX_free
>>>>>
>>>>> The result of calling a non-existent function is a runtime error,
>>>>> and we do not want that on production servers.
>>>>>
>>>>> There are additional problems. I recommend compiling with clang-llvm
>>>>> 3.9.0 to see them all.
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: v2.2.26.0 released
>>>>> Local Time: 1 November 2016 7:30 PM
>>>>> UTC Time: 1 November 2016 18:30
>>>>> From: aki.tuomi at dovecot.fi
>>>>> To: Dovecot Mailing List <dovecot at dovecot.org>, Ruga
>>>>> <ruga at protonmail.com>
>>>>>
>>>>> OpenSSL v1.0.1 is enough.
>>>>>
>>>>> Aki
>>>>>
>>>>>> On November 1, 2016 at 7:46 PM Ruga <ruga at protonmail.com> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> We cannot upgrade from 2.2.24, because we use libressl and the newer
>>>>>> dovecot versions demand openssl v1.1.
>>>>>>
>>>>>> Please add the new library requirement to the INSTALL file.
>>>>>>
>>>>>> All the best.
>>>>>>
>>>>>> -------- Original Message --------
>>>>>> Subject: v2.2.26.0 released
>>>>>> Local Time: 28 October 2016 6:51 PM
>>>>>> UTC Time: 28 October 2016 16:51
>>>>>> From: tss at iki.fi
>>>>>> To: dovecot-news at dovecot.org, Dovecot Mailing List
>>>>>> <dovecot at dovecot.org>
>>>>>>
>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz
>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz.sig
>>>>>>
>>>>>> v2.2.26 had a couple of nasty bugs left in it, so here's a fixup
>>>>>> release. The version number is also a little bit weird, but had to
>>>>>> be done this way (although 2.2.26.0.1 could have been another
>>>>>> possibility).
>>>>>>
>>>>>> - Fixed some compiling issues.
>>>>>> - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
>>>>>> multiple passdbs.
>>>>>> - auth: Fixed crash when exporting to auth-worker passdb extra fields
>>>>>> that had empty values.
>>>>>> - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit

IMHO it would be acceptable to have a LibreSSL patch that is maintained by
the people who want it. It's free software, and that kind of is the point
of Open Source.

On 11/02/2016 04:36 AM, Michael A. Peters wrote:
> They have stated they are going to remain API compatible with 1.0.1h (or
> g, forget which they forked) - their new stuff is outside of libcrypto.

libressl is a leaner and safer openssl

Sent from ProtonMail Mobile

On Wed, Nov 2, 2016 at 12:39 PM, Michael A. Peters <'mpeters at domblogger.net'> wrote:
> IMHO it would be acceptable to have a LibreSSL patch that is maintained by
> the people who want it. It's free software, and that kind of is the point
> of Open Source.
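
The version check this thread argues about, as an added example (not code from Dovecot, LibreSSL or any poster): the `>= 0x10100000L` test alone selects the OpenSSL 1.1 code path for the `0x20000000L` that libressl reports, while a test that also looks for `LIBRESSL_VERSION_NUMBER` does not. The function names, the `is_libressl` flag standing in for `defined(LIBRESSL_VERSION_NUMBER)`, and the sample table are assumptions made for illustration; the patch attached to the thread is not reproduced on this page.

```c
#include <stdio.h>

/* Threshold quoted in the thread for the OpenSSL 1.1 code paths. */
#define OPENSSL_110 0x10100000L

/* Check as quoted in the thread: version number only. */
static int naive_guard(long openssl_ver)
{
    return openssl_ver >= OPENSSL_110;
}

/* Same check plus the LibreSSL test. In real code this is a preprocessor
 * condition; is_libressl is a hypothetical stand-in for
 * defined(LIBRESSL_VERSION_NUMBER). */
static int fixed_guard(long openssl_ver, int is_libressl)
{
    return openssl_ver >= OPENSSL_110 && !is_libressl;
}

struct ver { unsigned major, minor, fix; };

/* Decode the 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER. */
static struct ver decode(long v)
{
    unsigned long u = (unsigned long)v;
    struct ver r = { (unsigned)((u >> 28) & 0xf),
                     (unsigned)((u >> 20) & 0xff),
                     (unsigned)((u >> 12) & 0xff) };
    return r;
}

int main(void)
{
    /* Constructed samples: label, version macro value, LibreSSL macro present? */
    static const struct { const char *name; long ver; int libressl; } s[] = {
        { "OpenSSL 1.0.1h (constructed)",    0x1000108fL, 0 },
        { "OpenSSL 1.1.0 (constructed)",     0x10100000L, 0 },
        { "libressl value from the thread",  0x20000000L, 1 },
        { "local-fix value from the thread", 0x1000100L,  1 },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++) {
        struct ver d = decode(s[i].ver);
        printf("%-32s decodes as %u.%u.%u  naive=%d  fixed=%d\n", s[i].name,
               d.major, d.minor, d.fix,
               naive_guard(s[i].ver), fixed_guard(s[i].ver, s[i].libressl));
    }
    return 0;
}
```

A guard that returns 1 means the build would reference `HMAC_CTX_new`, `EVP_MD_CTX_new` and the other functions listed in the thread as missing from libressl 2.4.3.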