| 1 |
Hamish Marson posted <434ED1A4.3060006@××××××××××××××.com>, excerpted |
| 2 |
below, on Thu, 13 Oct 2005 22:29:08 +0100: |
| 3 |
|
| 4 |
> tarting with '/etc/init.d/courier-imap-ssl start' the script runs but |
| 5 |
> exits with |
| 6 |
> |
| 7 |
> * Starting courier-imapd over SSL... [ !! ] |
| 8 |
> |
| 9 |
> |
| 10 |
> Inserting a few set -x's in scripts I find that the script runs to |
| 11 |
> completion OK, and even looks like it's trying to start courier, but |
| 12 |
> there's nothing started & no error. |
| 13 |
> |
| 14 |
> Now I could live with that, because starting it by hand it will run. But |
| 15 |
> when anything connects (e.g. openssl s_client -connect <host>:993) gives |
| 16 |
> me |
| 17 |
> |
| 18 |
> hamish@ballbreaker:~$ openssl s_client -connect damned:993 |
| 19 |
> CONNECTED(00000003) |
| 20 |
> write:errno=104 |
| 21 |
> |
| 22 |
> on the client and in the mail log I get |
| 23 |
> |
| 24 |
> Oct 13 21:28:44 [imapd-ssl] couriertls: connect: error:1408F10B:SSL |
| 25 |
> routines:SSL3_GET_RECORD:wrong version number |
| 26 |
> |
| 27 |
> Anyone know what's gone wrong? I've removed courier-imap, re-installed |
| 28 |
> openssl, reinstalled courier-imap, (tried it with & without pam), but |
| 29 |
> nothing. |
| 30 |
|
| 31 |
I'm /not/ an authority on SSL and am only repeating here a couple things |
| 32 |
that seem to "click" with your problem descripion, but... |
| 33 |
|
| 34 |
1) You don't mention versions of the various packages, but I happened to |
| 35 |
note entries for openssl-0.9.8 in the changelog, and was only getting |
| 36 |
0.9.7g-r1 to install, even tho I'm on ~amd64, so happened to investigate. |
| 37 |
Trying an emerge -p =openssl-0.9.8 results in: |
| 38 |
|
| 39 |
Calculating dependencies |
| 40 |
!!! All ebuilds that could satisfy "=openssl-0.9.8a" have been masked. |
| 41 |
!!! One of the following masked packages is required to complete your request: |
| 42 |
- dev-libs/openssl-0.9.8a (masked by: package.mask, -* keyword) |
| 43 |
# Martin Schlemmer <azarah@g.o> (05 Jul 2005) |
| 44 |
# Masked for testing, as it breaks api |
| 45 |
|
| 46 |
So 0.9.8* is masked, due to API breakage. Even if you have |
| 47 |
0.9.7something merged, it's possible you somehow have a new courier-imap |
| 48 |
that would (haven't checked, just speculating, here) possibly also be |
| 49 |
masked, or maybe /should/ be masked, if it now works with the new SSL API |
| 50 |
that matches the masked openssl. |
| 51 |
|
| 52 |
2) There's a recent GLSA (Gentoo Linux Security Advisory) on OpenSSL, |
| 53 |
dated October 12. In brief, it was possible under certain circumstances |
| 54 |
to force it to fallback to SSL 2.0 instead of using the more secure SSL |
| 55 |
3.0. The workaround was to ensure SSL 2.0 was disabled, if possible, to |
| 56 |
prevent fallback to it. Here's the vunerability table: |
| 57 |
|
| 58 |
------------------------------------------------------------------- |
| 59 |
Package / Vulnerable / Unaffected |
| 60 |
------------------------------------------------------------------- |
| 61 |
1 dev-libs/openssl < 0.9.8-r1 >= 0.9.8-r1 |
| 62 |
*>= 0.9.7h |
| 63 |
*>= 0.9.7g-r1 |
| 64 |
*>= 0.9.7e-r2 |
| 65 |
|
| 66 |
So... it's possible that either you have the new openssl but that your |
| 67 |
older version of courier-imap only does ssl v2, or that you have a new |
| 68 |
courier-imap that refuses to fall back to v2, and an older ssl that's |
| 69 |
somehow doing v2 only, no v3. |
| 70 |
|
| 71 |
Besides checking your versions against the above, try running |
| 72 |
revdep-rebuild (don't forget to put the -p in it the first time to see how |
| 73 |
many packages it wants to rebuild, there could be quite a few...) to see |
| 74 |
if you've anything that doesn't match up properly. You may also want to |
| 75 |
run emerge -pN (N being the short form of --newuse), to see if all your |
| 76 |
merges are upto date with your latest USE flags settings (again, don't |
| 77 |
forget that -p the first time...). Finally, run emerge depclean -p, and |
| 78 |
see what it might want to remove. Note that in some cases this last one |
| 79 |
makes mistakes, particularly if you have something compiled with USE flags |
| 80 |
that included something you now have turned off in your USE flags. |
| 81 |
However, as the warning states, as long as you use common sense and add |
| 82 |
the stuff you /know/ you want to keep to your world file, anything else |
| 83 |
removed that's needed, should be fixable by simply remerging the package |
| 84 |
that broke after the depclean. (Also, there's significantly /less/ |
| 85 |
potential for broken packages, if you've already updated your merged |
| 86 |
packages to match your current USE flags, using the --newuse step above, |
| 87 |
thus the reason I listed it first.) |
| 88 |
|
| 89 |
If after the above steps it's still giving problems, there's a chance you |
| 90 |
have old libraries left on the system, that emerge /should/ have cleaned |
| 91 |
up but didn't for some reason. Run ldd on the involved executables, and |
| 92 |
see what libraries they are loading, first making sure they can find all |
| 93 |
needed libraries, then, starting with the ssl and crypto libs, ensure that |
| 94 |
the libs it is finding aren't orphan, by running equery belongs |
| 95 |
<path/library> on them and verifying that portage links them to a package |
| 96 |
(again, paying special attention to any it says belong to the openssl |
| 97 |
package, ensuring the version agrees with what you believe you have |
| 98 |
merged. If there are any libraries ldd said it would load, that don't |
| 99 |
belong to a package, move/rename them temporarily, with a view to |
| 100 |
removing them entirely if nothing breaks. (Likewise, any that belong to an |
| 101 |
obsolete package, emerge -C the old package, keeping in mind multi-slots |
| 102 |
such as gtk and gtk2, where two versions of the package are /supposed/ to |
| 103 |
be merged, but this shouldn't occur if you've done the depclean step above.) |
| 104 |
|
| 105 |
If after all that, you /still/ have problems, then it's time for some |
| 106 |
SERIOUS troubleshooting, and possibly bug filing. However, I expect the |
| 107 |
problem should be solved by this point, likely well before it. |
| 108 |
|
| 109 |
-- |
| 110 |
Duncan - List replies preferred. No HTML msgs. |
| 111 |
"Every nonfree program has a lord, a master -- |
| 112 |
and if you use the program, he is your master." Richard Stallman in |
| 113 |
http://www.linuxdevcenter.com/pub/a/linux/2004/12/22/rms_interview.html |
| 114 |
|
| 115 |
|
| 116 |
-- |
| 117 |
gentoo-amd64@g.o mailing list |
Archives