| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Duncan wrote: |
| 5 |
|
| 6 |
> Hamish Marson posted <434ED1A4.3060006@××××××××××××××.com>, |
| 7 |
> excerpted below, on Thu, 13 Oct 2005 22:29:08 +0100: |
| 8 |
> |
| 9 |
>> tarting with '/etc/init.d/courier-imap-ssl start' the script runs |
| 10 |
>> but exits with |
| 11 |
>> |
| 12 |
>> * Starting courier-imapd over SSL... [ !! |
| 13 |
>> ] |
| 14 |
>> |
| 15 |
>> |
| 16 |
>> Inserting a few set -x's in scripts I find that the script runs |
| 17 |
>> to completion OK, and even looks like it's trying to start |
| 18 |
>> courier, but there's nothing started & no error. |
| 19 |
>> |
| 20 |
>> Now I could live with that, because starting it by hand it will |
| 21 |
>> run. But when anything connects (e.g. openssl s_client -connect |
| 22 |
>> <host>:993) gives me |
| 23 |
>> |
| 24 |
>> hamish@ballbreaker:~$ openssl s_client -connect damned:993 |
| 25 |
>> CONNECTED(00000003) write:errno=104 |
| 26 |
>> |
| 27 |
>> on the client and in the mail log I get |
| 28 |
>> |
| 29 |
>> Oct 13 21:28:44 [imapd-ssl] couriertls: connect: |
| 30 |
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number |
| 31 |
>> |
| 32 |
>> Anyone know what's gone wrong? I've removed courier-imap, |
| 33 |
>> re-installed openssl, reinstalled courier-imap, (tried it with & |
| 34 |
>> without pam), but nothing. |
| 35 |
> |
| 36 |
> |
| 37 |
> I'm /not/ an authority on SSL and am only repeating here a couple |
| 38 |
> things that seem to "click" with your problem descripion, but... |
| 39 |
> |
| 40 |
> 1) You don't mention versions of the various packages, but I |
| 41 |
> happened to note entries for openssl-0.9.8 in the changelog, and |
| 42 |
> was only getting 0.9.7g-r1 to install, even tho I'm on ~amd64, so |
| 43 |
> happened to investigate. Trying an emerge -p =openssl-0.9.8 results |
| 44 |
> in: |
| 45 |
> |
| 46 |
|
| 47 |
I have |
| 48 |
|
| 49 |
damned ~ # emerge -pv openssl |
| 50 |
|
| 51 |
These are the packages that I would merge, in order: |
| 52 |
|
| 53 |
Calculating dependencies ...done! |
| 54 |
[ebuild R ] dev-libs/openssl-0.9.7g-r1 -bindist -emacs -test -zlib |
| 55 |
|
| 56 |
So 0.9.7g installed. It seems to work. e.g. I can use the openssl |
| 57 |
client to connect to ssl sites and it all goes hunky dory. |
| 58 |
|
| 59 |
|
| 60 |
> Calculating dependencies !!! All ebuilds that could satisfy |
| 61 |
> "=openssl-0.9.8a" have been masked. !!! One of the following masked |
| 62 |
> packages is required to complete your request: - |
| 63 |
> dev-libs/openssl-0.9.8a (masked by: package.mask, -* keyword) # |
| 64 |
> Martin Schlemmer <azarah@g.o> (05 Jul 2005) # Masked for |
| 65 |
> testing, as it breaks api |
| 66 |
> |
| 67 |
> So 0.9.8* is masked, due to API breakage. Even if you have |
| 68 |
> 0.9.7something merged, it's possible you somehow have a new |
| 69 |
> courier-imap that would (haven't checked, just speculating, here) |
| 70 |
> possibly also be masked, or maybe /should/ be masked, if it now |
| 71 |
> works with the new SSL API that matches the masked openssl. |
| 72 |
> |
| 73 |
|
| 74 |
My courier is |
| 75 |
|
| 76 |
damned ~ # emerge -pv courier-authlib courier-imap |
| 77 |
|
| 78 |
These are the packages that I would merge, in order: |
| 79 |
|
| 80 |
Calculating dependencies ...done! |
| 81 |
[ebuild R ] net-libs/courier-authlib-0.57-r1 +berkdb +crypt |
| 82 |
- -debug -gdbm -ldap +mysql -pam* -postgres 0 kB |
| 83 |
[ebuild R ] net-mail/courier-imap-4.0.4 +berkdb -debug -fam -gdbm |
| 84 |
- -ipv6 -nls (-selinux) 0 kB |
| 85 |
|
| 86 |
Total size of downloads: 0 kB |
| 87 |
|
| 88 |
|
| 89 |
> 2) There's a recent GLSA (Gentoo Linux Security Advisory) on |
| 90 |
> OpenSSL, dated October 12. In brief, it was possible under certain |
| 91 |
> circumstances to force it to fallback to SSL 2.0 instead of using |
| 92 |
> the more secure SSL 3.0. The workaround was to ensure SSL 2.0 was |
| 93 |
> disabled, if possible, to prevent fallback to it. Here's the |
| 94 |
> vunerability table: |
| 95 |
> |
| 96 |
> ------------------------------------------------------------------- |
| 97 |
> Package / Vulnerable / Unaffected |
| 98 |
> ------------------------------------------------------------------- |
| 99 |
> 1 dev-libs/openssl < 0.9.8-r1 >= |
| 100 |
> 0.9.8-r1 *>= 0.9.7h *>= 0.9.7g-r1 *>= 0.9.7e-r2 |
| 101 |
> |
| 102 |
> So... it's possible that either you have the new openssl but that |
| 103 |
> your older version of courier-imap only does ssl v2, or that you |
| 104 |
> have a new courier-imap that refuses to fall back to v2, and an |
| 105 |
> older ssl that's somehow doing v2 only, no v3. |
| 106 |
> |
| 107 |
> Besides checking your versions against the above, try running |
| 108 |
> revdep-rebuild (don't forget to put the -p in it the first time to |
| 109 |
> see how many packages it wants to rebuild, there could be quite a |
| 110 |
> few...) to see |
| 111 |
|
| 112 |
|
| 113 |
No packages listed... It found lots of old stuff in /usr/local/src |
| 114 |
that I hadn't cleaned up in a while. Some more in various filesystems |
| 115 |
I copied across from older installations. But nothig in the actual OS |
| 116 |
itself. Nothing in the path or libpath. (And it was only XOrg & Scotty |
| 117 |
anyway). |
| 118 |
|
| 119 |
> if you've anything that doesn't match up properly. You may also |
| 120 |
> want to run emerge -pN (N being the short form of --newuse), to see |
| 121 |
> if all your merges are upto date with your latest USE flags |
| 122 |
> settings (again, don't |
| 123 |
|
| 124 |
|
| 125 |
Now here's where it starts to get interesting... CounterContinent |
| 126 |
interesting at that. |
| 127 |
|
| 128 |
damned ~ # emerge -pN world |
| 129 |
>>> --newuse implies --update... adding --update to options. |
| 130 |
|
| 131 |
These are the packages that I would merge, in order: |
| 132 |
|
| 133 |
Calculating world dependencies ...done! |
| 134 |
[blocks B ] dev-php/mod_php (is blocking dev-lang/php-5.0.5-r1) |
| 135 |
[blocks B ] dev-php/php (is blocking dev-lang/php-5.0.5-r1) |
| 136 |
[blocks B ] dev-php/mod_php (is blocking dev-php/PEAR-PEAR-1.3.6-r1) |
| 137 |
[blocks B ] dev-php/php (is blocking dev-php/PEAR-PEAR-1.3.6-r1) |
| 138 |
[blocks B ] <=dev-php/PEAR-PEAR-1.3.5-r1 (is blocking |
| 139 |
dev-php/PEAR-PEAR-1.3.6-r1) |
| 140 |
[blocks B ] =kde-base/kdebase-kioslaves-3.4* (is blocking |
| 141 |
kde-base/kdebase-3.4.3) |
| 142 |
[blocks B ] =kde-base/khotkeys-3.4* (is blocking |
| 143 |
kde-base/kdebase-3.4.3) |
| 144 |
[blocks B ] =kde-base/konqueror-3.4* (is blocking |
| 145 |
kde-base/kdebase-3.4.3) |
| 146 |
[blocks B ] =kde-base/kdesu-3.4* (is blocking kde-base/kdebase-3.4.3) |
| 147 |
[blocks B ] =kde-base/kdialog-3.4* (is blocking |
| 148 |
kde-base/kdebase-3.4.3) |
| 149 |
[blocks B ] =kde-base/kcminit-3.4* (is blocking |
| 150 |
kde-base/kdebase-3.4.3) |
| 151 |
[blocks B ] =kde-base/khelpcenter-3.4* (is blocking |
| 152 |
kde-base/kdebase-3.4.3) |
| 153 |
[blocks B ] =kde-base/kdebase-data-3.4* (is blocking |
| 154 |
kde-base/kdebase-3.4.3) |
| 155 |
[blocks B ] =kde-base/kdm-3.4* (is blocking kde-base/kdebase-3.4.3) |
| 156 |
[blocks B ] =kde-base/kcontrol-3.4* (is blocking |
| 157 |
kde-base/kdebase-3.4.3) |
| 158 |
[blocks B ] =kde-base/libkonq-3.4* (is blocking |
| 159 |
kde-base/kdebase-3.4.3) |
| 160 |
[blocks B ] media-libs/libungif (is blocking |
| 161 |
media-libs/giflib-4.1.3-r2) |
| 162 |
[blocks B ] app-cdr/dvdrtools (is blocking |
| 163 |
app-cdr/cdrtools-2.01.01_alpha01-r2) |
| 164 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 165 |
kde-base/konqueror-3.4.3) |
| 166 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 167 |
kde-base/libkonq-3.4.3) |
| 168 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 169 |
kde-base/kdebase-kioslaves-3.4.3) |
| 170 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 171 |
kde-base/kdebase-data-3.4.3) |
| 172 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 173 |
kde-base/khotkeys-3.4.3) |
| 174 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 175 |
kde-base/khelpcenter-3.4.3) |
| 176 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking |
| 177 |
kde-base/kcontrol-3.4.3) |
| 178 |
[blocks B ] =kde-base/kdebase-3.4* (is blocking kde-base/kdm-3.4.3) |
| 179 |
[ebuild U ] sys-apps/coreutils-5.3.0-r2 [5.3.0-r1] |
| 180 |
[ebuild U ] dev-lang/perl-5.8.7-r1 [5.8.7] |
| 181 |
[ebuild U ] dev-lang/python-2.4.2 [2.4.1-r1] |
| 182 |
|
| 183 |
A few blockers... Well I've seen that before. Except that it's |
| 184 |
claiming kdebase is a blocker. And I don't have kdebase installed. |
| 185 |
|
| 186 |
damned ~ # emerge -pv --unmerge kdebase |
| 187 |
|
| 188 |
>>> These are the packages that I would unmerge: |
| 189 |
|
| 190 |
- --- Couldn't find kdebase to unmerge. |
| 191 |
|
| 192 |
>>> unmerge: No packages selected for removal. |
| 193 |
|
| 194 |
damned ~ # grep kdebase /var/lib/portage/world |
| 195 |
damned ~ # |
| 196 |
|
| 197 |
|
| 198 |
|
| 199 |
> forget that -p the first time...). Finally, run emerge depclean |
| 200 |
> -p, and see what it might want to remove. Note that in some cases |
| 201 |
> this last one makes mistakes, particularly if you have something |
| 202 |
> compiled with USE flags that included something you now have turned |
| 203 |
> off in your USE flags. However, as the warning states, as long as |
| 204 |
> you use common sense and add the stuff you /know/ you want to keep |
| 205 |
> to your world file, anything else removed that's needed, should be |
| 206 |
> fixable by simply remerging the package that broke after the |
| 207 |
> depclean. (Also, there's significantly /less/ potential for broken |
| 208 |
> packages, if you've already updated your merged packages to match |
| 209 |
> your current USE flags, using the --newuse step above, thus the |
| 210 |
> reason I listed it first.) |
| 211 |
> |
| 212 |
> If after the above steps it's still giving problems, there's a |
| 213 |
> chance you have old libraries left on the system, that emerge |
| 214 |
> /should/ have cleaned up but didn't for some reason. Run ldd on |
| 215 |
> the involved executables, and see what libraries they are loading, |
| 216 |
> first making sure they can find all needed libraries, then, |
| 217 |
> starting with the ssl and crypto libs, ensure that the libs it is |
| 218 |
> finding aren't orphan, by running equery belongs <path/library> on |
| 219 |
> them and verifying that portage links them to a package (again, |
| 220 |
> paying special attention to any it says belong to the openssl |
| 221 |
|
| 222 |
|
| 223 |
Well. ldd says it's using my new versions of libssl and libcrypto |
| 224 |
(Among other things). e.g. |
| 225 |
|
| 226 |
damned ~ # ldd /usr/sbin/couriertls |
| 227 |
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x00002aaaaabc1000) |
| 228 |
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 |
| 229 |
(0x00002aaaaacf8000) |
| 230 |
libc.so.6 => /lib/libc.so.6 (0x00002aaaaaf3b000) |
| 231 |
libdl.so.2 => /lib/libdl.so.2 (0x00002aaaab160000) |
| 232 |
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000) |
| 233 |
damned ~ # ls -l /lib64/ld-linux-x86-64.so.2 |
| 234 |
lrwxrwxrwx 1 root root 11 Oct 14 23:37 /lib64/ld-linux-x86-64.so.2 -> |
| 235 |
ld-2.3.5.so |
| 236 |
damned ~ # ls -l /lib/libdl.so.2 |
| 237 |
lrwxrwxrwx 1 root root 14 Oct 14 23:37 /lib/libdl.so.2 -> libdl-2.3.5.so |
| 238 |
damned ~ # ls -l /lib/libc.so.6 |
| 239 |
lrwxrwxrwx 1 root root 13 Oct 14 23:37 /lib/libc.so.6 -> libc-2.3.5.so |
| 240 |
damned ~ # ls -l /usr/lib/libcrypto.so.0.9.7 |
| 241 |
- -r-xr-xr-x 1 root root 1328968 Oct 15 00:52 /usr/lib/libcrypto.so.0.9.7 |
| 242 |
damned ~ # ls -l /usr/lib/libssl.so.0.9.7 |
| 243 |
- -r-xr-xr-x 1 root root 223920 Oct 15 00:52 /usr/lib/libssl.so.0.9.7 |
| 244 |
damned ~ # |
| 245 |
|
| 246 |
|
| 247 |
|
| 248 |
> package, ensuring the version agrees with what you believe you have |
| 249 |
> merged. If there are any libraries ldd said it would load, that |
| 250 |
> don't belong to a package, move/rename them temporarily, with a |
| 251 |
> view to removing them entirely if nothing breaks. (Likewise, any |
| 252 |
> that belong to an obsolete package, emerge -C the old package, |
| 253 |
> keeping in mind multi-slots such as gtk and gtk2, where two |
| 254 |
> versions of the package are /supposed/ to be merged, but this |
| 255 |
> shouldn't occur if you've done the depclean step above.) |
| 256 |
> |
| 257 |
> If after all that, you /still/ have problems, then it's time for |
| 258 |
> some SERIOUS troubleshooting, and possibly bug filing. However, I |
| 259 |
> expect the problem should be solved by this point, likely well |
| 260 |
> before it. |
| 261 |
> |
| 262 |
I downgraded courier-imap to 4.0.1 (Stable version according to the |
| 263 |
package database). Same thing. Urg! |
| 264 |
|
| 265 |
Is it possible to get courier to log a bit more detail? I can fix |
| 266 |
things IF the damn thing logs why it's doing stuff. Not getting logs & |
| 267 |
flying blind just frustrates me. |
| 268 |
|
| 269 |
H |
| 270 |
|
| 271 |
|
| 272 |
-----BEGIN PGP SIGNATURE----- |
| 273 |
Version: GnuPG v1.4.1 (GNU/Linux) |
| 274 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 275 |
|
| 276 |
iD8DBQFDUMoH/3QXwQQkZYwRAgkRAKDTD69xzx+KIxlM52NM0PKkPSF1SwCeMvx6 |
| 277 |
wXqxv7fxRAHtNbSZPvWxErE= |
| 278 |
=FgQ8 |
| 279 |
-----END PGP SIGNATURE----- |
| 280 |
|
| 281 |
-- |
| 282 |
gentoo-amd64@g.o mailing list |
Archives