Mailing List Archive: exim: dev

CentOS 5's old openssl and TLS support

 

 



tlyons at ivenue

May 20, 2012, 8:02 AM

Post #1 of 9 (1612 views)
CentOS 5's old openssl and TLS support

The addition of a new TLS capability (SNI) seems to have left CentOS 5.x
out in the cold. C5x comes with (by now a heavily patched) openssl 0.9.8e,
which does not support SNI. Quoting from
http://stackoverflow.com/questions/7340784/easy-install-pyopenssl-error :

"Support for SNI was introduced in OpenSSL 0.9.8f. Thus, pyOpenSSL 0.13
will build with OpenSSL 0.9.8f or later, but not OpenSSL 0.9.8e or earlier,
where the APIs it expects to be wrapping do not exist."

The compile fails as per the following. Ignore the ugly includes of srs
and srs/src, I do some trickery in my spec file and build these libs into
modules and package it all together.

gcc -c -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -I/usr/include
-I/usr/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSPF -DSRS
-fpie -DSPF -I../src -I../../src -I../src/srs/src -I../../src/srs/src
-I../../src/srs -std=gnu99 -I. -I/usr/kerberos/include tls.c
In file included from tls.c:97:
tls-openssl.c: In function 'tls_servername_cb':
tls-openssl.c:546: warning: implicit declaration of function
'SSL_get_servername'
tls-openssl.c:546: error: 'TLSEXT_NAMETYPE_host_name' undeclared (first use
in this function)
tls-openssl.c:546: error: (Each undeclared identifier is reported only once
tls-openssl.c:546: error: for each function it appears in.)
tls-openssl.c:546: warning: initialization makes pointer from integer
without a cast
tls-openssl.c:552: error: 'SSL_TLSEXT_ERR_OK' undeclared (first use in this
function)
tls-openssl.c:574: error: 'SSL_TLSEXT_ERR_NOACK' undeclared (first use in
this function)
tls-openssl.c:584: warning: implicit declaration of function
'SSL_CTX_set_tlsext_servername_callback'
tls-openssl.c:585: warning: implicit declaration of function
'SSL_CTX_set_tlsext_servername_arg'
tls-openssl.c:605: warning: implicit declaration of function
'SSL_set_SSL_CTX'
tls-openssl.c: In function 'tls_client_start':
tls-openssl.c:1244: warning: implicit declaration of function
'SSL_set_tlsext_host_name'
make[1]: *** [tls.o] Error 1
make[1]: Leaving directory
`/home/tlyons/RPM/BUILD/exim-4.80_RC2/build-Linux-x86_64'
make: *** [all] Error 2

Do we need to add some detection of openssl version or is this also going
to be a backwards incompatible change?

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


pdp at exim

May 20, 2012, 4:32 PM

Post #2 of 9 (1482 views)
Re: CentOS 5's old openssl and TLS support

On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
> Do we need to add some detection of openssl version or is this also going
> to be a backwards incompatible change?

There's some around registering the callback but not around defining the
content, an oversight. I'll clean it up a little.

I don't have any systems without SNI support because I regard it as so
essential to current SSL usage. I wrote client-side send-SNI patches
for a few tools three years back to help improve the state of affairs.

-Phil



tlyons at ivenue

May 21, 2012, 7:40 AM

Post #3 of 9 (1485 views)
Re: CentOS 5's old openssl and TLS support

On Sun, May 20, 2012 at 4:32 PM, Phil Pennock <pdp [at] exim> wrote:
> On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
>> Do we need to add some detection of openssl version or is this also going
>> to be a backwards incompatible change?
> There's some around registering the callback but not around defining the
> content, an oversight. I'll clean it up a little.

Is this possibly one more of those functions that needs a little detection
wrapping?

gcc -c -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -I/usr/include
-I/usr/include -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -DSPF -DSRS
-fpie -DSPF -I../src -I../../src -I../src/srs/src -I../../src/srs/src
-I../../src/srs -std=gnu99 -I. -I/usr/kerberos/include tls.c
In file included from tls.c:97:
tls-openssl.c: In function 'tls_client_start':
tls-openssl.c:1261: warning: implicit declaration of function
'SSL_set_tlsext_host_name'
tls.c: At top level:
tls-openssl.c:49: warning: 'ctx_sni' defined but not used


That results in the link error below:

gcc -o exim -pie acl.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o
directory.o dns.o drtables.o enq.o exim.o expand.o filter.o filtertest.o
globals.o dkim.o header.o host.o ip.o log.o lss.o match.o moan.o os.o
parse.o queue.o rda.o readconf.o receive.o retry.o rewrite.o rfc2047.o
route.o search.o sieve.o smtp_in.o smtp_out.o spool_in.o spool_out.o
store.o string.o tls.o tod.o transport.o tree.o verify.o lookups/lf_quote.o
lookups/lf_check_file.o lookups/lf_sqlperform.o local_scan.o perl.o
malware.o mime.o regex.o spam.o spool_mbox.o demime.o bmi_spam.o spf.o
srs.o dcc.o version.o \
routers/routers.a transports/transports.a lookups/lookups.a \
auths/auths.a pdkim/pdkim.a \
-lresolv -lnsl -lcrypt -lm \
-lpam -ldl -lwrap -ldb -lldap -llber -lsqlite3 -L/usr/lib64/mysql
-lmysqlclient -lpq -lsasl2 \
-Wl,-E -Wl,-rpath,/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE
/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/DynaLoader/DynaLoader.a
-L/usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE -lperl -lresolv
-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc -L/usr/kerberos/lib64 -lssl
-lcrypto -ldl -lz -lpcre -lspf2 -lsrs_alt -L../src -lcompat
tls.o: In function `tls_client_start':
/home/tlyons/RPM/BUILD/exim-4.80_RC4/build-Linux-x86_64/tls-openssl.c:1261:
undefined reference to `SSL_set_tlsext_host_name'
collect2: ld returned 1 exit status
make[1]: *** [exim] Error 1
make[1]: Leaving directory
`/home/tlyons/RPM/BUILD/exim-4.80_RC4/build-Linux-x86_64'
make: *** [all] Error 2

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding


pdp at exim

May 21, 2012, 6:57 PM

Post #4 of 9 (1470 views)
Re: CentOS 5's old openssl and TLS support

On 2012-05-21 at 07:40 -0700, Todd Lyons wrote:
> On Sun, May 20, 2012 at 4:32 PM, Phil Pennock <pdp [at] exim> wrote:
> > On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
> >> Do we need to add some detection of openssl version or is this also going
> >> to be a backwards incompatible change?
> > There's some around registering the callback but not around defining the
> > content, an oversight. I'll clean it up a little.
>
> Is this possibly one more of those functions that needs a little detection
> wrapping?

It's the client-side sending of SNI.

Try this.

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index eeab9c1..ebc5a62 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -46,7 +46,9 @@ static BOOL verify_callback_called = FALSE;
static const uschar *sid_ctx = US"exim";

static SSL_CTX *ctx = NULL;
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *ctx_sni = NULL;
+#endif
static SSL *ssl = NULL;

static char ssl_errstring[256];
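Review bot: the guard around `ctx_sni` only silences the "defined but not used" warning from the RC4 build; every other reference to `ctx_sni` (the servername callback and the `SSL_set_SSL_CTX` switch that failed to compile in RC2) has to sit under the same `#ifdef EXIM_HAVE_OPENSSL_TLSEXT`, and this hunk does not show where that macro is defined. Suggest a comment beside its definition stating that it is derived from `OPENSSL_VERSION_NUMBER` (SNI arrived in 0.9.8f, as the first message notes) and is not a user build option, so nobody hand-defines it on a 0.9.8e system and reintroduces the link error against `SSL_set_tlsext_host_name`.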
@@ -1257,8 +1259,14 @@ if (sni)
tls_sni = NULL;
else
{
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
SSL_set_tlsext_host_name(ssl, tls_sni);
+#else
+ DEBUG(D_tls)
+ debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
+ tls_sni);
+#endif
}
}
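Review bot: the `#else` branch continues the handshake without SNI but reports that only under `DEBUG(D_tls)`, so an operator on an old OpenSSL gets no hint in normal logs that the client never sent the requested server name; since the peer may then present its default certificate rather than the one matching `tls_sni`, consider a `log_write` at warning level here so certificate-verification failures can be traced to the missing extension. Also keep the fallback's variable reference identical to the one in the `#ifdef` branch, because the `#else` side is never compiled on an SNI-capable OpenSSL and a later rename in the main branch will not be caught by the usual builds.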




A.C.Aitchison at dpmms

May 22, 2012, 4:00 AM

Post #5 of 9 (1463 views)
Re: CentOS 5's old openssl and TLS support

On Mon, 21 May 2012, Phil Pennock wrote:

> On 2012-05-21 at 07:40 -0700, Todd Lyons wrote:
>> On Sun, May 20, 2012 at 4:32 PM, Phil Pennock <pdp [at] exim> wrote:
>>> On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
>>>> Do we need to add some detection of openssl version or is this also going
>>>> to be a backwards incompatible change?
>>> There's some around registering the callback but not around defining the
>>> content, an oversight. I'll clean it up a little.
>>
>> Is this possibly one more of those functions that needs a little detection
>> wrapping?
>
> It's the client-side sending of SNI.
>
> Try this.
>
> diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
> index eeab9c1..ebc5a62 100644

This patch does the trick on Scientific Linux 5 too.
Thanks.

> --- a/src/src/tls-openssl.c
> +++ b/src/src/tls-openssl.c
> @@ -46,7 +46,9 @@ static BOOL verify_callback_called = FALSE;
> static const uschar *sid_ctx = US"exim";
>
> static SSL_CTX *ctx = NULL;
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
> static SSL_CTX *ctx_sni = NULL;
> +#endif
> static SSL *ssl = NULL;
>
> static char ssl_errstring[256];
> @@ -1257,8 +1259,14 @@ if (sni)
> tls_sni = NULL;
> else
> {
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
> DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
> SSL_set_tlsext_host_name(ssl, tls_sni);
> +#else
> + DEBUG(D_tls)
> + debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
> + tls_sni);
> +#endif
> }
> }

--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison [at] dpmms http://www.dpmms.cam.ac.uk/~werdna



tlyons at ivenue

May 22, 2012, 7:27 AM

Post #6 of 9 (1460 views)
Re: CentOS 5's old openssl and TLS support

On Mon, May 21, 2012 at 6:57 PM, Phil Pennock <pdp [at] exim> wrote:

>> >> Do we need to add some detection of openssl version or is this also going
>> >> to be a backwards incompatible change?
>> > There's some around registering the callback but not around defining the
>> > content, an oversight. I'll clean it up a little.
>> Is this possibly one more of those functions that needs a little detection
>> wrapping?
> It's the client-side sending of SNI.

Yes, the patch worked properly. It's built and packaged, I am rolling
it out on test servers and one live server to see how it works (using
openssl, so not testing the new gnutls code paths).

...Todd
--
Always code as if the guy who ends up maintaining your code will be a
violent psychopath who knows where you live. -- Martin Golding



tlyons at ivenue

Feb 2, 2013, 8:43 PM

Post #7 of 9 (1154 views)
Re: CentOS 5's old openssl and TLS support

I am building master on a CentOS 5.8 machine, and it's having this sni
build error again. The following patch is in master and did fix it
for me originally, but I think some things have been added or changed
somewhere, so it's having the sni build problem again.

On Mon, May 21, 2012 at 6:57 PM, Phil Pennock <pdp [at] exim> wrote:

> It's the client-side sending of SNI.
> Try this.
> diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
> index eeab9c1..ebc5a62 100644
> --- a/src/src/tls-openssl.c
> +++ b/src/src/tls-openssl.c
> @@ -46,7 +46,9 @@ static BOOL verify_callback_called = FALSE;
> static const uschar *sid_ctx = US"exim";
>
> static SSL_CTX *ctx = NULL;
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
> static SSL_CTX *ctx_sni = NULL;
> +#endif
> static SSL *ssl = NULL;
>
> static char ssl_errstring[256];
> @@ -1257,8 +1259,14 @@ if (sni)
> tls_sni = NULL;
> else
> {
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
> DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
> SSL_set_tlsext_host_name(ssl, tls_sni);
> +#else
> + DEBUG(D_tls)
> + debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
> + tls_sni);
> +#endif
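Review bot: the `+ tls_sni);` line in the `#else` branch is the one that now fails (tls-openssl.c:1375 below), and it fails only on the 0.9.8e builds this fallback exists for, because that branch is dead code whenever `EXIM_HAVE_OPENSSL_TLSEXT` is defined. Suggest that whichever name the `#ifdef` side uses after the rename be mirrored here, and that a build with the macro forced undefined be added to release testing so the fallback is compiled at least once before a tag.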

gcc tls.c
gcc -c -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -I/usr/include
-I/usr/include -DSPF -DSRS -DSPF -I../src -I../../src
-I../src/srs/src -I../../src/srs/src -I../../src/srs -I.
-I/usr/kerberos/include tls.c
In file included from tls.c:97:
tls-openssl.c: In function ‘tls_client_start’:
tls-openssl.c:1375: error: ‘tls_sni’ undeclared (first use in this function)
tls-openssl.c:1375: error: (Each undeclared identifier is reported only once
tls-openssl.c:1375: error: for each function it appears in.)
make: *** [tls.o] Error 1

It's the last part of that patch above (the #else part), so the
variable tls_sni doesn't exist. Grepping through the code, I see
this:

expand.c: { "tls_sni", vtype_stringptr, &tls_in.sni },

So it makes me think that line 1375 should be referencing tls_in.sni,
not tls_sni. Sound about right?

...Todd


--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine



pdp at exim

Feb 2, 2013, 9:13 PM

Post #8 of 9 (1158 views)
Re: CentOS 5's old openssl and TLS support

On 2013-02-02 at 20:43 -0800, Todd Lyons wrote:
> I am building master on a CentOS 5.8 machine, and it's having this sni
> build error again. The following patch is in master and did fix it
> for me originally, but I think some things have been added or changed
> somewhere, so it's having the sni build problem again.

Pull now. Commit 02d9264 should fix this.

It's pushed live to master without my even bothering to see if it
compiles, or figuring out how to hack my build to be sure that a compile
would use this #ifdef branch of the code.

Changed "tls_sni" to "tls_out.sni" to match the other #ifdef branch.

If I've screwed up, shout.

-Phil



tlyons at ivenue

Feb 2, 2013, 9:31 PM

Post #9 of 9 (1157 views)
Re: CentOS 5's old openssl and TLS support

On Sat, Feb 2, 2013 at 9:13 PM, Phil Pennock <pdp [at] exim> wrote:
> Pull now. Commit 02d9264 should fix this.
> Changed "tls_sni" to "tls_out.sni" to match the other #ifdef branch.

I figured that out too by comparing the flow of the old code to the
flow of the new code. It became obvious that a variable renaming was
all that was necessary. Glad to see that we ended up with the same
conclusion.

> If I've screwed up, shout.

Nope, it's right on.

...Todd

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine

