-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Duncan wrote:

> Hamish Marson posted <434ED1A4.3060006@××××××××××××××.com>,
> excerpted below, on Thu, 13 Oct 2005 22:29:08 +0100:
>
>> Starting with '/etc/init.d/courier-imap-ssl start' the script runs
>> but exits with
>>
>> * Starting courier-imapd over SSL... [ !! ]
>>
>>
>> Inserting a few set -x's in scripts I find that the script runs
>> to completion OK, and even looks like it's trying to start
>> courier, but there's nothing started & no error.
>>
>> Now I could live with that, because starting it by hand it will
>> run. But when anything connects (e.g. openssl s_client -connect
>> <host>:993) gives me
>>
>> hamish@ballbreaker:~$ openssl s_client -connect damned:993
>> CONNECTED(00000003) write:errno=104
>>
>> on the client and in the mail log I get
>>
>> Oct 13 21:28:44 [imapd-ssl] couriertls: connect:
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>
>> Anyone know what's gone wrong? I've removed courier-imap,
>> re-installed openssl, reinstalled courier-imap, (tried it with &
>> without pam), but nothing.
>
>
> I'm /not/ an authority on SSL and am only repeating here a couple
> things that seem to "click" with your problem description, but...
>
> 1) You don't mention versions of the various packages, but I
> happened to note entries for openssl-0.9.8 in the changelog, and
> was only getting 0.9.7g-r1 to install, even tho I'm on ~amd64, so
> happened to investigate. Trying an emerge -p =openssl-0.9.8 results
> in:
>

I have

damned ~ # emerge -pv openssl

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] dev-libs/openssl-0.9.7g-r1 -bindist -emacs -test -zlib

So 0.9.7g installed. It seems to work. e.g. I can use the openssl
client to connect to ssl sites and it all goes hunky dory.

> Calculating dependencies
> !!! All ebuilds that could satisfy "=openssl-0.9.8a" have been masked.
> !!! One of the following masked packages is required to complete your request:
> - dev-libs/openssl-0.9.8a (masked by: package.mask, -* keyword)
> # Martin Schlemmer <azarah@g.o> (05 Jul 2005)
> # Masked for testing, as it breaks api
>
> So 0.9.8* is masked, due to API breakage. Even if you have
> 0.9.7something merged, it's possible you somehow have a new
> courier-imap that would (haven't checked, just speculating, here)
> possibly also be masked, or maybe /should/ be masked, if it now
> works with the new SSL API that matches the masked openssl.
>

My courier is

damned ~ # emerge -pv courier-authlib courier-imap

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild R ] net-libs/courier-authlib-0.57-r1 +berkdb +crypt
- -debug -gdbm -ldap +mysql -pam* -postgres 0 kB
[ebuild R ] net-mail/courier-imap-4.0.4 +berkdb -debug -fam -gdbm
- -ipv6 -nls (-selinux) 0 kB

Total size of downloads: 0 kB

> 2) There's a recent GLSA (Gentoo Linux Security Advisory) on
> OpenSSL, dated October 12. In brief, it was possible under certain
> circumstances to force it to fallback to SSL 2.0 instead of using
> the more secure SSL 3.0. The workaround was to ensure SSL 2.0 was
> disabled, if possible, to prevent fallback to it. Here's the
> vulnerability table:
>
> -------------------------------------------------------------------
>      Package           /  Vulnerable  /                 Unaffected
> -------------------------------------------------------------------
>   1  dev-libs/openssl     < 0.9.8-r1                    >= 0.9.8-r1
>                                                         *>= 0.9.7h
>                                                         *>= 0.9.7g-r1
>                                                         *>= 0.9.7e-r2
>
> So... it's possible that either you have the new openssl but that
> your older version of courier-imap only does ssl v2, or that you
> have a new courier-imap that refuses to fall back to v2, and an
> older ssl that's somehow doing v2 only, no v3.
>
> Besides checking your versions against the above, try running
> revdep-rebuild (don't forget to put the -p in it the first time to
> see how many packages it wants to rebuild, there could be quite a
> few...) to see

No packages listed... It found lots of old stuff in /usr/local/src
that I hadn't cleaned up in a while. Some more in various filesystems
I copied across from older installations. But nothing in the actual OS
itself. Nothing in the path or libpath. (And it was only XOrg & Scotty
anyway).

> if you've anything that doesn't match up properly. You may also
> want to run emerge -pN (N being the short form of --newuse), to see
> if all your merges are up to date with your latest USE flags
> settings (again, don't

Now here's where it starts to get interesting... CounterContinent
interesting at that.

damned ~ # emerge -pN world
>>> --newuse implies --update... adding --update to options.

These are the packages that I would merge, in order:

Calculating world dependencies ...done!
[blocks B ] dev-php/mod_php (is blocking dev-lang/php-5.0.5-r1)
[blocks B ] dev-php/php (is blocking dev-lang/php-5.0.5-r1)
[blocks B ] dev-php/mod_php (is blocking dev-php/PEAR-PEAR-1.3.6-r1)
[blocks B ] dev-php/php (is blocking dev-php/PEAR-PEAR-1.3.6-r1)
[blocks B ] <=dev-php/PEAR-PEAR-1.3.5-r1 (is blocking
dev-php/PEAR-PEAR-1.3.6-r1)
[blocks B ] =kde-base/kdebase-kioslaves-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/khotkeys-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/konqueror-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kdesu-3.4* (is blocking kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kdialog-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kcminit-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/khelpcenter-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kdebase-data-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kdm-3.4* (is blocking kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/kcontrol-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] =kde-base/libkonq-3.4* (is blocking
kde-base/kdebase-3.4.3)
[blocks B ] media-libs/libungif (is blocking
media-libs/giflib-4.1.3-r2)
[blocks B ] app-cdr/dvdrtools (is blocking
app-cdr/cdrtools-2.01.01_alpha01-r2)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/konqueror-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/libkonq-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/kdebase-kioslaves-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/kdebase-data-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/khotkeys-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/khelpcenter-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking
kde-base/kcontrol-3.4.3)
[blocks B ] =kde-base/kdebase-3.4* (is blocking kde-base/kdm-3.4.3)
[ebuild U ] sys-apps/coreutils-5.3.0-r2 [5.3.0-r1]
[ebuild U ] dev-lang/perl-5.8.7-r1 [5.8.7]
[ebuild U ] dev-lang/python-2.4.2 [2.4.1-r1]

A few blockers... Well I've seen that before. Except that it's
claiming kdebase is a blocker. And I don't have kdebase installed.

damned ~ # emerge -pv --unmerge kdebase

>>> These are the packages that I would unmerge:

- --- Couldn't find kdebase to unmerge.

>>> unmerge: No packages selected for removal.

damned ~ # grep kdebase /var/lib/portage/world
damned ~ #

> forget that -p the first time...). Finally, run emerge depclean
> -p, and see what it might want to remove. Note that in some cases
> this last one makes mistakes, particularly if you have something
> compiled with USE flags that included something you now have turned
> off in your USE flags. However, as the warning states, as long as
> you use common sense and add the stuff you /know/ you want to keep
> to your world file, anything else removed that's needed, should be
> fixable by simply remerging the package that broke after the
> depclean. (Also, there's significantly /less/ potential for broken
> packages, if you've already updated your merged packages to match
> your current USE flags, using the --newuse step above, thus the
> reason I listed it first.)
>
> If after the above steps it's still giving problems, there's a
> chance you have old libraries left on the system, that emerge
> /should/ have cleaned up but didn't for some reason. Run ldd on
> the involved executables, and see what libraries they are loading,
> first making sure they can find all needed libraries, then,
> starting with the ssl and crypto libs, ensure that the libs it is
> finding aren't orphan, by running equery belongs <path/library> on
> them and verifying that portage links them to a package (again,
> paying special attention to any it says belong to the openssl

Well. ldd says it's using my new versions of libssl and libcrypto
(Among other things). e.g.

damned ~ # ldd /usr/sbin/couriertls
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x00002aaaaabc1000)
libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7
(0x00002aaaaacf8000)
libc.so.6 => /lib/libc.so.6 (0x00002aaaaaf3b000)
libdl.so.2 => /lib/libdl.so.2 (0x00002aaaab160000)
/lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
damned ~ # ls -l /lib64/ld-linux-x86-64.so.2
lrwxrwxrwx 1 root root 11 Oct 14 23:37 /lib64/ld-linux-x86-64.so.2 ->
ld-2.3.5.so
damned ~ # ls -l /lib/libdl.so.2
lrwxrwxrwx 1 root root 14 Oct 14 23:37 /lib/libdl.so.2 -> libdl-2.3.5.so
damned ~ # ls -l /lib/libc.so.6
lrwxrwxrwx 1 root root 13 Oct 14 23:37 /lib/libc.so.6 -> libc-2.3.5.so
damned ~ # ls -l /usr/lib/libcrypto.so.0.9.7
- -r-xr-xr-x 1 root root 1328968 Oct 15 00:52 /usr/lib/libcrypto.so.0.9.7
damned ~ # ls -l /usr/lib/libssl.so.0.9.7
- -r-xr-xr-x 1 root root 223920 Oct 15 00:52 /usr/lib/libssl.so.0.9.7
damned ~ #

> package, ensuring the version agrees with what you believe you have
> merged. If there are any libraries ldd said it would load, that
> don't belong to a package, move/rename them temporarily, with a
> view to removing them entirely if nothing breaks. (Likewise, any
> that belong to an obsolete package, emerge -C the old package,
> keeping in mind multi-slots such as gtk and gtk2, where two
> versions of the package are /supposed/ to be merged, but this
> shouldn't occur if you've done the depclean step above.)
>
> If after all that, you /still/ have problems, then it's time for
> some SERIOUS troubleshooting, and possibly bug filing. However, I
> expect the problem should be solved by this point, likely well
> before it.
>
I downgraded courier-imap to 4.0.1 (Stable version according to the
package database). Same thing. Urg!

Is it possible to get courier to log a bit more detail? I can fix
things IF the damn thing logs why it's doing stuff. Not getting logs &
flying blind just frustrates me.

H

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDUMoH/3QXwQQkZYwRAgkRAKDTD69xzx+KIxlM52NM0PKkPSF1SwCeMvx6
wXqxv7fxRAHtNbSZPvWxErE=
=FgQ8
-----END PGP SIGNATURE-----

--
gentoo-amd64@g.o mailing list
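
The library check Duncan describes in the thread (ldd on the binary, then equery belongs on every library it loads) can be scripted; the following is an added example, not part of the original message. It assumes `equery -q belongs` prints the owning package and prints nothing for an unowned file; `OWNER_CMD`, the function names and the sample ldd output are constructed for illustration.

```shell
#!/bin/sh
# OWNER_CMD (assumption): prints a file's owning package, nothing if unowned.
: "${OWNER_CMD:=equery -q belongs}"

# Reduce `ldd` output on stdin to one record per library:
#   "path <file>" if resolved, "missing <soname>" if ldd reported "not found".
ldd_records() {
    awk '
        / => not found/           { print "missing", $1; next }
        $2 == "=>" && $3 ~ /^\//  { print "path", $3; next }
        $1 ~ /^\//                { print "path", $1 }
    '
}

# Label each record on stdin MISSING, ORPHAN (no owning package) or OWNED.
classify_libs() {
    while read -r kind name; do
        if [ "$kind" = missing ]; then
            echo "MISSING $name"
            continue
        fi
        owner=$($OWNER_CMD "$name" 2>/dev/null < /dev/null | head -n 1)
        if [ -n "$owner" ]; then
            echo "OWNED $name $owner"
        else
            echo "ORPHAN $name"
        fi
    done
}

# Audit one binary; returns non-zero if any library is missing or orphaned.
audit_binary() {
    report=$(ldd "$1" | ldd_records | classify_libs)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -Eq '^(MISSING|ORPHAN) '
}

# Constructed ldd output: the libssl and loader lines follow the listing in the
# message; the /usr/local copy and the "not found" line are invented test cases.
sample_ldd() {
    cat <<'EOF'
    libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x00002aaaaabc1000)
    libcrypto.so.0.9.7 => /usr/local/lib/libcrypto.so.0.9.7 (0x00002aaaaacf8000)
    libgone.so.1 => not found
    /lib64/ld-linux-x86-64.so.2 (0x00002aaaaaaab000)
EOF
}

[ "$#" -eq 0 ] || audit_binary "$1"   # e.g. sh audit.sh /usr/sbin/couriertls
```

ORPHAN lines are the candidates for the temporary move/rename step in the quoted advice; OWNED lines still need their package version compared with what is believed to be merged.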