Similar issue as https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208584?!

cc -O2 -pipe -fstack-protector -fno-strict-aliasing -I/usr/local/include -I/usr/kerberos/include -I/usr/include -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector -L/usr/local/lib -L/usr/lib -o fetchmail socket.o getpass.o fetchmail.o env.o idle.o options.o daemon.o driver.o transact.o sink.o smtp.o idlist.o uid.o mxget.o md5ify.o cram.o gssapi.o opie.o interface.o netrc.o unmime.o conf.o checkalias.o lock.o rcfile_l.o rcfile_y.o norm_charmap.o pop3.o imap.o etrn.o odmr.o rpa.o libfm.a /usr/local/lib/libintl.so -Wl,-rpath -Wl,/usr/local/lib -lopie -lcrypt -lkvm -lcom_err -lssl -lcrypto -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread
/usr/bin/ld: warning: libcrypto.so.7, needed by /usr/lib/libgssapi_krb5.so, may conflict with libcrypto.so.37
/usr/bin/ld: warning: libcrypto.so.7, needed by /usr/lib/libgssapi_krb5.so, may conflict with libcrypto.so.37
socket.o: In function `SSLOpen':
socket.c:(.text+0x128a): undefined reference to `SSLv3_client_method'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[4]: *** [Makefile:700: fetchmail] Error 1
gmake[4]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
gmake[3]: *** [Makefile:1176: all-recursive] Error 1
gmake[3]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
gmake[2]: *** [Makefile:591: all] Error 2
gmake[2]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/mail/fetchmail
*** Error code 1

Stop.
make: stopped in /usr/ports/mail/fetchmail
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20160608-4401-dolnj5 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=fetchmail-6.3.26_2 UPGRADE_PORT_VER=6.3.26_2 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! mail/fetchmail (fetchmail-6.3.26_2) (linker error)
The warning you report is both expected and harmless. It does not cause the error, which is:

socket.o: In function `SSLOpen':
socket.c:(.text+0x128a): undefined reference to `SSLv3_client_method'

This is the same error that was fixed with the update to fetchmail in fetchmail-6.3.26_3: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209596

Is your ports tree up to date? Or, by chance, are you following the quarterly branch?
Created attachment 171272 [details] Make config
Ports tree is up-to-date.

[helmut@BSDHelmut1064 /usr/ports]$ uname -a
FreeBSD BSDHelmut1064.charlieroot.de 10.3-RELEASE-p4 FreeBSD 10.3-RELEASE-p4 #0: Sat May 28 12:23:44 UTC 2016 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
[helmut@BSDHelmut1064 /usr/ports]$ svn info
Path: .
Working Copy Root Path: /usr/ports
URL: svn://svn.freebsd.org/ports/head
Relative URL: ^/head
Repository Root: svn://svn.freebsd.org/ports
Repository UUID: 35697150-7ecd-e111-bb59-0022644237b5
Revision: 416656
Node Kind: directory
Schedule: normal
Last Changed Author: ale
Last Changed Rev: 416656
Last Changed Date: 2016-06-10 09:09:56 +0200 (Fri, 10 Jun 2016)
[helmut@BSDHelmut1064 /usr/ports]$
Created attachment 171273 [details] Previous log was incomplete
This is being caused by missing SSLv3 in OpenSSL. Have you built OpenSSL from ports with "SSLv3" disabled?

There are patches to make fetchmail build with no SSLv3 support from LibreSSL or OpenSSL, which should be applied to fetchmail since SSLv3 should not be used any more:
https://github.com/Sp1l/freebsd-ports/tree/master/mail/fetchmail/files

CC'ing Bernard. Looks to me the patch will have to be reworked to fit code changes that occurred in the meanwhile.

It looks like the upstream fixed it, but I see no official release after it:
https://gitlab.com/fetchmail/fetchmail/commit/a2ae6f8d15d7caf815d7bdd13df833fd1b2af5cc
Vladimir, I would note that there is already a patch, included in fetchmail 6.3.26_3 with commit https://svnweb.freebsd.org/ports?view=revision&revision=415811 that disables SSLv3. Does this not address the issue you're raising? You are indeed correct that fetchmail 6.3.26 is the most recent stable release.

The initial build log attached to this bug was for fetchmail 6.3.26_2, rather than the current version 6.3.26_3. The next two attachments are for 6.3.26_3, but I'm wondering if 'make clean' was not run in between the two? In any case, I'm not able to reproduce this failure with 'poudriere testport' on 10.3/amd64.
(In reply to Corey Halpin from comment #6) Ugh... apologies. I was confusing SSLv2 with SSLv3. I'll see if I can replicate by disabling SSLv3 in openssl from ports, and if so will look at integrating the patch you reference.
(In reply to Corey Halpin from comment #7)
> I'll see if I can replicate by disabling SSLv3 in openssl from ports

Yup, you will. I also confirm I did the same with all the combinations (OpenSSL with v3, without v3, LibreSSL (unconditional without)) and it failed at exactly the same spot as reported here, when *SSL was without v3. Don't have poudriere logs at the moment, but if required I'll re-run the tests.
I've just built fetchmail here without problems (my base libcrypto and libssl are LibreSSL 2.4.1).

The problem you're running into is with GSSAPI. You cannot combine Open/LibreSSL from ports with GSSAPI from base. Set
> OPTIONS_SET+= GSSAPI_HEIMDAL
to solve this. Please report back if that fixes your issues.

Changes for bsd.openssl.mk and Uses/gssapi.mk are in review
https://reviews.freebsd.org/D5865
https://reviews.freebsd.org/D6577
I can't use libressl-devel because openntpd wants libressl:

===> Cleaning for libressl-devel-2.4.1
[helmut@BSDHelmut1064 ~]$ sudo portupgrade -f openntpd
[Reading data from pkg(8) ... - 306 packages found - done]
---> Upgrading 'openntpd-6.0p1,2' to 'openntpd-6.0p1_1,2' (net/openntpd)
---> Building '/usr/ports/net/openntpd'
===> Cleaning for openntpd-6.0p1_1,2
===> Options unchanged
===> License ISCL accepted by the user
===> openntpd-6.0p1_1,2 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by openntpd-6.0p1_1,2 for building
===> Extracting for openntpd-6.0p1_1,2
=> SHA256 Checksum OK for openntpd-6.0p1.tar.gz.
===> Patching for openntpd-6.0p1_1,2
===> Applying FreeBSD patches for openntpd-6.0p1_1,2
===> openntpd-6.0p1_1,2 depends on file: /usr/local/lib/libcrypto.so.37 - not found
===> Options unchanged
===> libressl-2.3.6 conflicts with installed package(s):
      libressl-devel-2.4.1
They install files into the same place.
You may want to stop build with Ctrl + C.
^C** Command failed [exit code 2]: /usr/bin/script -qa /tmp/portupgrade20160611-58064-n7jcpv env UPGRADE_TOOL=portupgrade UPGRADE_PORT=openntpd-6.0p1,2 UPGRADE_PORT_VER=6.0p1,2 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
! net/openntpd (openntpd-6.0p1,2) (interrupted by user)
[helmut@BSDHelmut1064 ~]$
The same should work with regular security/libressl. If you need to, open a separate bug for the conflict when building OpenNTPd please.
Created attachment 171580 [details]
Proposed patch

In my testing, OPTIONS_SET+= GSSAPI_HEIMDAL was not sufficient to resolve the issue. This was for two reasons. First, the fetchmail port wasn't ever updated to use USES=gssapi. Second, there was a reference in fetchmail's own socket.c to SSLv3_client_method().

In the attached patch, I've remedied the first issue and integrated the relevant part of the patch Vladimir referenced, which removes the reference in socket.c.

With this patch applied, portlint has no complaints and fetchmail passes 'poudriere testport' on 9.3, 10.1, and 10.3 (all amd64) using base OpenSSL, ports OpenSSL, ports OpenSSL with SSL v2 and v3 disabled, and LibreSSL.

For the builds involving ports, the following was used in make.conf to avoid the issue Bernard points out with mixing GSSAPI from ports and base:

OPTIONS_UNSET+= GSSAPI_BASE
OPTIONS_SET+= GSSAPI_MIT

I used GSSAPI_MIT because I encountered a build failure with security/heimdal when using LibreSSL (reported as 210392).
That looks pretty solid! Thanks! I'd however change this slightly wrt the SSLv2/SSLv3 detection. Doesn't require any configure.ac patch. -#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0 +#ifndef OPENSSL_NO_SSL2 -#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0 +#ifndef OPENSSL_NO_SSL3_METHOD These are defined with the regular openssl/libressl includes. e.g. from /usr/local/include/openssl/opensslfeatures.h # define OPENSSL_NO_SSL2 # define OPENSSL_NO_SSL3 # define OPENSSL_NO_SSL3_METHOD These are consistent between OpenSSL and LibreSSL
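Review bot: The two replacement guards, #ifndef OPENSSL_NO_SSL2 and #ifndef OPENSSL_NO_SSL3_METHOD, only behave as intended in a file that has already included the OpenSSL/LibreSSL headers, since the macros come from openssl/opensslfeatures.h as quoted. Where a guard is evaluated before or without that include, neither macro is defined and the SSLv2/SSLv3 branch is compiled in regardless of how the library was built. Suggest confirming that every file using these guards includes the OpenSSL headers above the first test. A short comment next to the SSLv3 guard saying why it checks OPENSSL_NO_SSL3_METHOD rather than OPENSSL_NO_SSL3 would also help, since the header excerpt defines both.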
Created attachment 171581 [details] Proposed patch v2 revise based on feedback; portlint is still happy, as are the set of 'poudriere testport' runs mentioned for v1 of the patch.
Comment on attachment 171581 [details] Proposed patch v2 You may want to swap ifdef for ifndef for this to work as you'd expect :x
Created attachment 171583 [details]
Proposed patch v3

What I was aiming for with the #ifdefs in fetchmail.c was to mimic what upstream did in this commit: https://gitlab.com/fetchmail/fetchmail/commit/a2ae6f8d15d7caf815d7bdd13df833fd1b2af5cc

If I'm understanding it correctly, it will display
+SSL in the version string when SSL with all its variants is supported
+SSL-SSLv2 when SSL is supported except v2, and
+SSL-SSLv2-SSLv3 when SSL is supported without v2 or v3.

Which is all well and good, except that none of it works without including ssl.h. I've added that in the attached.
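The version-string scheme described in the comment above, combined with the guard macros discussed in the thread, as an added example that is not part of the original thread or of fetchmail's code. The two OPENSSL_NO_* macros are defined by hand to simulate a library built without SSLv2/SSLv3 (a real build gets them from the OpenSSL/LibreSSL headers); ssl_feature_string(), check_sslproto() and the protocol names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed for this example: simulates what the OpenSSL/LibreSSL headers
 * define when the library was built without SSLv2 and the SSLv3 methods. */
#define OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL3_METHOD

enum proto_result { PROTO_OK, PROTO_UNSUPPORTED, PROTO_UNKNOWN };

/* Hypothetical helper: builds the "+SSL[-SSLv2][-SSLv3]" suffix at compile
 * time, so the version string reflects what was actually compiled in. */
const char *ssl_feature_string(void)
{
    return "+SSL"
#ifdef OPENSSL_NO_SSL2
           "-SSLv2"
#endif
#ifdef OPENSSL_NO_SSL3_METHOD
           "-SSLv3"
#endif
        ;
}

/* Hypothetical helper: a protocol whose method symbol is absent is refused
 * at run time instead of being referenced and breaking the link. */
enum proto_result check_sslproto(const char *name)
{
    if (strcmp(name, "SSL2") == 0) {
#ifndef OPENSSL_NO_SSL2
        return PROTO_OK;          /* SSLv2_client_method() would be used here */
#else
        return PROTO_UNSUPPORTED;
#endif
    }
    if (strcmp(name, "SSL3") == 0) {
#ifndef OPENSSL_NO_SSL3_METHOD
        return PROTO_OK;          /* SSLv3_client_method() would be used here */
#else
        return PROTO_UNSUPPORTED;
#endif
    }
    if (strcmp(name, "TLS1") == 0)
        return PROTO_OK;
    return PROTO_UNKNOWN;
}

int main(void)
{
    printf("%s SSL3=%d TLS1=%d\n", ssl_feature_string(),
           check_sslproto("SSL3"), check_sslproto("TLS1"));
    return 0;
}
```

Removing either #define at the top changes both the suffix and the run-time answer together, which is the property the guards are meant to keep in sync.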
Comment on attachment 171583 [details] Proposed patch v3 Excellent! Please flag the patch maintainer-approval(+) to have the PR appear in the "Maintainer approved" saved search! Also note for the future patches you attach for ports you maintain, please flag them like that. ;)
(In reply to Vladimir Krstulja from comment #17)
Done! I'll (try to) remember to do this in the future, thank you. (I'm still not entirely used to bugzilla.)
Back to the pool for a committer to pick up...
Created attachment 171620 [details]
svn diff for mail/fetchmail

Hi Corey,

Please review this patch. This contains your changes to build without SSLv3. Additionally this aligns the port with the current ports framework
- Remove pkg-install pkg-deinstall
- Use pkg-plist keywords for ownership/mode
- Options-ify more

Let me know if this is OK to commit

Thanks,
Bernard Spil (brnrd@)
Comment on attachment 171620 [details] svn diff for mail/fetchmail This looks excellent, thank you!
A commit references this bug:

Author: brnrd
Date: Tue Jun 21 06:14:42 UTC 2016
New revision: 417187
URL: https://svnweb.freebsd.org/changeset/ports/417187

Log:
  mail/fetchmail: Fix build without SSLv3

  - Fix build with OpenSSL 1.1 and LibreSSL
  - Stop using pkg-install/pkg-deinstall scripts
  - Use pkg-plist keywords
  - Use GSSAPI ports framework
  - Change X11, POP2 options to use options framework

  PR: 210130
  Submitted by: freebsd-ports@charlieroot.de
  Reviewed by: Corey Halpin <chalpin@cs.wisc.edu> (maintainer)
  Approved by: Corey Halpin <chalpin@cs.wisc.edu> (maintainer)

Changes:
  head/mail/fetchmail/Makefile
  head/mail/fetchmail/files/patch-fetchmail.c
  head/mail/fetchmail/files/patch-socket.c
  head/mail/fetchmail/files/pkg-deinstall.in
  head/mail/fetchmail/files/pkg-install.in
  head/mail/fetchmail/pkg-plist