1 |
Hamish Marson posted <434ED1A4.3060006@××××××××××××××.com>, excerpted |
2 |
below, on Thu, 13 Oct 2005 22:29:08 +0100: |
3 |
|
4 |
> tarting with '/etc/init.d/courier-imap-ssl start' the script runs but |
5 |
> exits with |
6 |
> |
7 |
> * Starting courier-imapd over SSL... [ !! ] |
8 |
> |
9 |
> |
10 |
> Inserting a few set -x's in scripts I find that the script runs to |
11 |
> completion OK, and even looks like it's trying to start courier, but |
12 |
> there's nothing started & no error. |
13 |
> |
14 |
> Now I could live with that, because starting it by hand it will run. But |
15 |
> when anything connects (e.g. openssl s_client -connect <host>:993) gives |
16 |
> me |
17 |
> |
18 |
> hamish@ballbreaker:~$ openssl s_client -connect damned:993 |
19 |
> CONNECTED(00000003) |
20 |
> write:errno=104 |
21 |
> |
22 |
> on the client and in the mail log I get |
23 |
> |
24 |
> Oct 13 21:28:44 [imapd-ssl] couriertls: connect: error:1408F10B:SSL |
25 |
> routines:SSL3_GET_RECORD:wrong version number |
26 |
> |
27 |
> Anyone know what's gone wrong? I've removed courier-imap, re-installed |
28 |
> openssl, reinstalled courier-imap, (tried it with & without pam), but |
29 |
> nothing. |
30 |
|
31 |
I'm /not/ an authority on SSL and am only repeating here a couple things |
32 |
that seem to "click" with your problem descripion, but... |
33 |
|
34 |
1) You don't mention versions of the various packages, but I happened to |
35 |
note entries for openssl-0.9.8 in the changelog, and was only getting |
36 |
0.9.7g-r1 to install, even tho I'm on ~amd64, so happened to investigate. |
37 |
Trying an emerge -p =openssl-0.9.8 results in: |
38 |
|
39 |
Calculating dependencies |
40 |
!!! All ebuilds that could satisfy "=openssl-0.9.8a" have been masked. |
41 |
!!! One of the following masked packages is required to complete your request: |
42 |
- dev-libs/openssl-0.9.8a (masked by: package.mask, -* keyword) |
43 |
# Martin Schlemmer <azarah@g.o> (05 Jul 2005) |
44 |
# Masked for testing, as it breaks api |
45 |
|
46 |
So 0.9.8* is masked, due to API breakage. Even if you have |
47 |
0.9.7something merged, it's possible you somehow have a new courier-imap |
48 |
that would (haven't checked, just speculating, here) possibly also be |
49 |
masked, or maybe /should/ be masked, if it now works with the new SSL API |
50 |
that matches the masked openssl. |
51 |
|
52 |
2) There's a recent GLSA (Gentoo Linux Security Advisory) on OpenSSL, |
53 |
dated October 12. In brief, it was possible under certain circumstances |
54 |
to force it to fallback to SSL 2.0 instead of using the more secure SSL |
55 |
3.0. The workaround was to ensure SSL 2.0 was disabled, if possible, to |
56 |
prevent fallback to it. Here's the vunerability table: |
57 |
|
58 |
------------------------------------------------------------------- |
59 |
Package / Vulnerable / Unaffected |
60 |
------------------------------------------------------------------- |
61 |
1 dev-libs/openssl < 0.9.8-r1 >= 0.9.8-r1 |
62 |
*>= 0.9.7h |
63 |
*>= 0.9.7g-r1 |
64 |
*>= 0.9.7e-r2 |
65 |
|
66 |
So... it's possible that either you have the new openssl but that your |
67 |
older version of courier-imap only does ssl v2, or that you have a new |
68 |
courier-imap that refuses to fall back to v2, and an older ssl that's |
69 |
somehow doing v2 only, no v3. |
70 |
|
71 |
Besides checking your versions against the above, try running |
72 |
revdep-rebuild (don't forget to put the -p in it the first time to see how |
73 |
many packages it wants to rebuild, there could be quite a few...) to see |
74 |
if you've anything that doesn't match up properly. You may also want to |
75 |
run emerge -pN (N being the short form of --newuse), to see if all your |
76 |
merges are upto date with your latest USE flags settings (again, don't |
77 |
forget that -p the first time...). Finally, run emerge depclean -p, and |
78 |
see what it might want to remove. Note that in some cases this last one |
79 |
makes mistakes, particularly if you have something compiled with USE flags |
80 |
that included something you now have turned off in your USE flags. |
81 |
However, as the warning states, as long as you use common sense and add |
82 |
the stuff you /know/ you want to keep to your world file, anything else |
83 |
removed that's needed, should be fixable by simply remerging the package |
84 |
that broke after the depclean. (Also, there's significantly /less/ |
85 |
potential for broken packages, if you've already updated your merged |
86 |
packages to match your current USE flags, using the --newuse step above, |
87 |
thus the reason I listed it first.) |
88 |
|
89 |
If after the above steps it's still giving problems, there's a chance you |
90 |
have old libraries left on the system, that emerge /should/ have cleaned |
91 |
up but didn't for some reason. Run ldd on the involved executables, and |
92 |
see what libraries they are loading, first making sure they can find all |
93 |
needed libraries, then, starting with the ssl and crypto libs, ensure that |
94 |
the libs it is finding aren't orphan, by running equery belongs |
95 |
<path/library> on them and verifying that portage links them to a package |
96 |
(again, paying special attention to any it says belong to the openssl |
97 |
package, ensuring the version agrees with what you believe you have |
98 |
merged. If there are any libraries ldd said it would load, that don't |
99 |
belong to a package, move/rename them temporarily, with a view to |
100 |
removing them entirely if nothing breaks. (Likewise, any that belong to an |
101 |
obsolete package, emerge -C the old package, keeping in mind multi-slots |
102 |
such as gtk and gtk2, where two versions of the package are /supposed/ to |
103 |
be merged, but this shouldn't occur if you've done the depclean step above.) |
104 |
|
105 |
If after all that, you /still/ have problems, then it's time for some |
106 |
SERIOUS troubleshooting, and possibly bug filing. However, I expect the |
107 |
problem should be solved by this point, likely well before it. |
108 |
|
109 |
-- |
110 |
Duncan - List replies preferred. No HTML msgs. |
111 |
"Every nonfree program has a lord, a master -- |
112 |
and if you use the program, he is your master." Richard Stallman in |
113 |
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html |
114 |
|
115 |
|
116 |
-- |
117 |
gentoo-amd64@g.o mailing list |