Bug 210130 - mail/fetchmail: Build fails, undefined reference to `SSLv3_client_method'
Summary: mail/fetchmail: Build fails, undefined reference to `SSLv3_client_method'
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Bernard Spil
Keywords: easy, patch, patch-ready
Reported: 2016-06-08 09:44 UTC by Helmut Ritter
Modified: 2016-06-21 06:16 UTC
chalpin: maintainer-feedback+


Attachments
Make config (26.69 KB, text/plain)
2016-06-10 15:44 UTC, Helmut Ritter
no flags
Previous log was incomplete (28.25 KB, text/plain)
2016-06-10 15:52 UTC, Helmut Ritter
no flags
Proposed patch (3.85 KB, patch)
2016-06-19 20:07 UTC, Corey Halpin
no flags
Proposed patch v2 (3.40 KB, patch)
2016-06-19 21:10 UTC, Corey Halpin
no flags
Proposed patch v3 (3.65 KB, patch)
2016-06-19 22:07 UTC, Corey Halpin
chalpin: maintainer-approval+
svn diff for mail/fetchmail (7.67 KB, patch)
2016-06-20 18:23 UTC, Bernard Spil
chalpin: maintainer-approval+

Description Helmut Ritter 2016-06-08 09:44:47 UTC
Similar issue as https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208584?!

cc  -O2 -pipe  -fstack-protector -fno-strict-aliasing -I/usr/local/include -I/usr/kerberos/include -I/usr/include  -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector -L/usr/local/lib -L/usr/lib -o fetchmail socket.o getpass.o fetchmail.o env.o idle.o options.o daemon.o driver.o transact.o sink.o smtp.o idlist.o uid.o mxget.o md5ify.o cram.o gssapi.o opie.o interface.o netrc.o unmime.o conf.o checkalias.o lock.o rcfile_l.o rcfile_y.o norm_charmap.o  pop3.o imap.o etrn.o odmr.o  rpa.o   libfm.a /usr/local/lib/libintl.so -Wl,-rpath -Wl,/usr/local/lib   -lopie -lcrypt  -lkvm -lcom_err  -lssl -lcrypto  -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread
/usr/bin/ld: warning: libcrypto.so.7, needed by /usr/lib/libgssapi_krb5.so, may conflict with libcrypto.so.37
/usr/bin/ld: warning: libcrypto.so.7, needed by /usr/lib/libgssapi_krb5.so, may conflict with libcrypto.so.37
socket.o: In function `SSLOpen':
socket.c:(.text+0x128a): undefined reference to `SSLv3_client_method'
cc: error: linker command failed with exit code 1 (use -v to see invocation)
gmake[4]: *** [Makefile:700: fetchmail] Error 1
gmake[4]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
gmake[3]: *** [Makefile:1176: all-recursive] Error 1
gmake[3]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
gmake[2]: *** [Makefile:591: all] Error 2
gmake[2]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26'
===> Compilation failed unexpectedly.
Try to set MAKE_JOBS_UNSAFE=yes and rebuild before reporting the failure to
the maintainer.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/mail/fetchmail
*** Error code 1

Stop.
make: stopped in /usr/ports/mail/fetchmail
** Command failed [exit code 1]: /usr/bin/script -qa /tmp/portupgrade20160608-4401-dolnj5 env UPGRADE_TOOL=portupgrade UPGRADE_PORT=fetchmail-6.3.26_2 UPGRADE_PORT_VER=6.3.26_2 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
        ! mail/fetchmail (fetchmail-6.3.26_2)   (linker error)
Comment 1 Corey Halpin 2016-06-08 12:02:34 UTC
The warning you report is both expected and harmless. It does not cause the error, which is:

socket.o: In function `SSLOpen':
socket.c:(.text+0x128a): undefined reference to `SSLv3_client_method'

This is the same error that was fixed with the update to fetchmail in fetchmail-6.3.26_3:
  https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209596

Is your ports tree up to date? Or, by chance, are you following the quarterly branch?
Comment 2 Helmut Ritter 2016-06-10 15:44:24 UTC
Created attachment 171272
Make config
Comment 3 Helmut Ritter 2016-06-10 15:45:13 UTC
Ports tree is up-to-date.

[helmut@BSDHelmut1064 /usr/ports]$ uname -a
FreeBSD BSDHelmut1064.charlieroot.de 10.3-RELEASE-p4 FreeBSD 10.3-RELEASE-p4 #0: Sat May 28 12:23:44 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
[helmut@BSDHelmut1064 /usr/ports]$ svn info
Path: .
Working Copy Root Path: /usr/ports
URL: svn://svn.freebsd.org/ports/head
Relative URL: ^/head
Repository Root: svn://svn.freebsd.org/ports
Repository UUID: 35697150-7ecd-e111-bb59-0022644237b5
Revision: 416656
Node Kind: directory
Schedule: normal
Last Changed Author: ale
Last Changed Rev: 416656
Last Changed Date: 2016-06-10 09:09:56 +0200 (Fri, 10 Jun 2016)

[helmut@BSDHelmut1064 /usr/ports]$
Comment 4 Helmut Ritter 2016-06-10 15:52:47 UTC
Created attachment 171273
Previous log was incomplete
Comment 5 VK freebsd_triage 2016-06-10 18:26:03 UTC
This is being caused by missing SSLv3 in OpenSSL. Have you built OpenSSL from ports with "SSLv3" disabled?

There are patches to make fetchmail build with no SSLv3 support from LibreSSL or OpenSSL, which should be applied to fetchmail since SSLv3 should not be used any more:

https://github.com/Sp1l/freebsd-ports/tree/master/mail/fetchmail/files

CC'ing Bernard. Looks to me the patch will have to be reworked to fit code changes that occurred in the meanwhile.

It looks like the upstream fixed it, but I see no official release after it:

https://gitlab.com/fetchmail/fetchmail/commit/a2ae6f8d15d7caf815d7bdd13df833fd1b2af5cc
Comment 6 Corey Halpin 2016-06-10 19:46:07 UTC
Vladimir, 

I would note that there is already a patch, included in fetchmail 6.3.26_3 with commit https://svnweb.freebsd.org/ports?view=revision&revision=415811 that disables SSLv3.  Does this not address the issue you're raising?

You are indeed correct that fetchmail 6.3.26 is the most recent stable release.

The initial build log attached to this bug was for fetchmail 6.3.26_2, rather than the current version 6.3.26_3.  The next two attachments are for 6.3.26_3, but I'm wondering if 'make clean' was not run in between the two?  In any case, I'm not able to reproduce this failure with 'poudriere testport' on 10.3/amd64.
Comment 7 Corey Halpin 2016-06-10 19:52:24 UTC
(In reply to Corey Halpin from comment #6)

Ugh... apologies. I was confusing SSLv2 with SSLv3.  I'll see if I can replicate by disabling SSLv3 in openssl from ports, and if so will look at integrating the patch you reference.
Comment 8 VK freebsd_triage 2016-06-10 20:04:26 UTC
(In reply to Corey Halpin from comment #7)
> I'll see if I can replicate by disabling SSLv3 in openssl from ports

Yup, you will. I also confirm I did the same with all the combinations (OpenSSL with v3, without v3, LibreSSL (unconditional without)) and it failed at exactly the same spot as reported here, when *SSL was without v3. Don't have poudriere logs at the moment, but if required I'll re-run the tests.
Comment 9 Bernard Spil freebsd_committer 2016-06-10 21:03:18 UTC
I've just built fetchmail here without problems (my base libcrypto and libssl are LibreSSL 2.4.1)

The problem you're running into is with GSSAPI. You cannot combine Open/LibreSSL from ports with GSSAPI from base. Set

> OPTIONS_SET+= GSSAPI_HEIMDAL

to solve this. Please report back if that fixes your issues.

Changes for bsd.openssl.mk and Uses/gssapi.mk are in review
https://reviews.freebsd.org/D5865
https://reviews.freebsd.org/D6577
Comment 10 Helmut Ritter 2016-06-11 11:50:47 UTC
I can't use libressl-devel because openntpd wants libressl:

===>  Cleaning for libressl-devel-2.4.1
[helmut@BSDHelmut1064 ~]$ sudo portupgrade -f openntpd
[Reading data from pkg(8) ... - 306 packages found - done]
--->  Upgrading 'openntpd-6.0p1,2' to 'openntpd-6.0p1_1,2' (net/openntpd)
--->  Building '/usr/ports/net/openntpd'
===>  Cleaning for openntpd-6.0p1_1,2
===> Options unchanged
===>  License ISCL accepted by the user
===>   openntpd-6.0p1_1,2 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by openntpd-6.0p1_1,2 for building
===>  Extracting for openntpd-6.0p1_1,2
=> SHA256 Checksum OK for openntpd-6.0p1.tar.gz.
===>  Patching for openntpd-6.0p1_1,2
===>  Applying FreeBSD patches for openntpd-6.0p1_1,2
===>   openntpd-6.0p1_1,2 depends on file: /usr/local/lib/libcrypto.so.37 - not found
===> Options unchanged

===>  libressl-2.3.6 conflicts with installed package(s):
      libressl-devel-2.4.1

      They install files into the same place.
      You may want to stop build with Ctrl + C.
^C** Command failed [exit code 2]: /usr/bin/script -qa /tmp/portupgrade20160611-58064-n7jcpv env UPGRADE_TOOL=portupgrade UPGRADE_PORT=openntpd-6.0p1,2 UPGRADE_PORT_VER=6.0p1,2 make
** Fix the problem and try again.
** Listing the failed packages (-:ignored / *:skipped / !:failed)
        ! net/openntpd (openntpd-6.0p1,2)       (interrupted by user)
[helmut@BSDHelmut1064 ~]$
Comment 11 Bernard Spil freebsd_committer 2016-06-11 13:09:09 UTC
The same should work with regular security/libressl.

If you need to, open a separate bug for the conflict when building OpenNTPd please.
Comment 12 Corey Halpin 2016-06-19 20:07:39 UTC
Created attachment 171580
Proposed patch

In my testing, OPTIONS_SET+= GSSAPI_HEIMDAL was not sufficient to resolve the issue.  This was for two reasons.  First, the fetchmail port wasn't ever updated to use USES=gssapi.  Second, there was a reference in fetchmail's own socket.c to SSLv3_client_method().

In the attached patch, I've remedied the first issue and integrated the relevant part of the patch Vladimir referenced, which removes the reference in socket.c.

With this patch applied, portlint has no complaints and fetchmail passes 'poudriere testport' on 9.3, 10.1, and 10.3 (all amd64) using base OpenSSL, ports OpenSSL, ports OpenSSL with SSL v2 and v3 disabled, and LibreSSL.

For the builds involving ports, the following was used in make.conf to avoid the issue Bernard points out with mixing GSSAPI from ports and base:
OPTIONS_UNSET+= GSSAPI_BASE
OPTIONS_SET+= GSSAPI_MIT

I used GSSAPI_MIT because I encountered a build failure with security/heimdal when using LibreSSL (reported as 210392).
Comment 13 Bernard Spil freebsd_committer 2016-06-19 20:41:57 UTC
That looks pretty solid! Thanks!

I'd however change this slightly wrt the SSLv2/SSLv3 detection. Doesn't require any configure.ac patch.

-#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+#ifndef OPENSSL_NO_SSL2

-#if HAVE_DECL_SSLV3_CLIENT_METHOD + 0 > 0
+#ifndef OPENSSL_NO_SSL3_METHOD
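
Review bot: both replacement guards, #ifndef OPENSSL_NO_SSL2 and #ifndef OPENSSL_NO_SSL3_METHOD, fail open when the macro is not visible at the point of the test. In any patched file that reaches the guard before the OpenSSL headers are included, the macro is undefined, the #ifndef is true, and the SSLv2/SSLv3 branch is compiled in again. Suggest confirming that each file carrying these guards includes the OpenSSL header ahead of the first one. The SSLv3 test keys on OPENSSL_NO_SSL3_METHOD while the SSLv2 test keys on OPENSSL_NO_SSL2; a short comment saying why OPENSSL_NO_SSL3 is not the macro tested would help the next reader.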

These are defined with the regular openssl/libressl includes.
e.g. from /usr/local/include/openssl/opensslfeatures.h
# define OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL3
# define OPENSSL_NO_SSL3_METHOD

These are consistent between OpenSSL and LibreSSL
Comment 14 Corey Halpin 2016-06-19 21:10:15 UTC
Created attachment 171581
Proposed patch v2

revise based on feedback; portlint is still happy, as are the set of 'poudriere testport' runs mentioned for v1 of the patch.
Comment 15 Bernard Spil freebsd_committer 2016-06-19 21:18:21 UTC
Comment on attachment 171581
Proposed patch v2

You may want to swap ifdef for ifndef for this to work as you'd expect :x
Comment 16 Corey Halpin 2016-06-19 22:07:24 UTC
Created attachment 171583
Proposed patch v3

What I was aiming for with the #ifdefs in fetchmail.c was to mimic what upstream did in this commit: 
  https://gitlab.com/fetchmail/fetchmail/commit/a2ae6f8d15d7caf815d7bdd13df833fd1b2af5cc

If I'm understanding it correctly, it will display +SSL in the version string when SSL with all its variants is supported, +SSL-SSLv2 when SSL is supported except v2, and +SSL-SSLv2-SSLv3 when SSL is supported without v2 or v3.

Which is all well and good, except that none of it works without including ssl.h. I've added that in the attached.
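
The compile-time guard pattern discussed in comments 13 to 16, as an added example that is not fetchmail's or the port's own code. The two #define lines are constructed stand-ins for what the OpenSSL/LibreSSL headers provide, and the enum, the function names and the protocol name strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the macros a library built without SSLv2/SSLv3
 * exposes through its headers. Remove them to model a full-featured build. */
#define OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL3_METHOD

enum proto { PROTO_ERR = -1, PROTO_AUTO, PROTO_SSL2, PROTO_SSL3, PROTO_TLS1 };

/* Version-string suffix in the form comment 16 describes. */
const char *ssl_feature_string(void)
{
    return "+SSL"
#ifdef OPENSSL_NO_SSL2
           "-SSLv2"
#endif
#ifdef OPENSSL_NO_SSL3_METHOD
           "-SSLv3"
#endif
        ;
}

/* Hypothetical selector. A legacy branch exists only when the library still
 * declares the method, so no missing symbol reaches the linker; a request
 * for a compiled-out protocol is refused instead of silently remapped. */
enum proto select_proto(const char *name)
{
    if (name == NULL || strcmp(name, "auto") == 0)
        return PROTO_AUTO;
    if (strcmp(name, "tls1") == 0)
        return PROTO_TLS1;
#ifndef OPENSSL_NO_SSL2
    if (strcmp(name, "ssl2") == 0)
        return PROTO_SSL2;      /* real code would call SSLv2_client_method() */
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
    if (strcmp(name, "ssl3") == 0)
        return PROTO_SSL3;      /* real code would call SSLv3_client_method() */
#endif
    return PROTO_ERR;           /* unknown or compiled-out protocol */
}

int main(void)
{
    printf("%s ssl3=%d tls1=%d\n", ssl_feature_string(),
           select_proto("ssl3"), select_proto("tls1"));
    return 0;
}
```

Deleting the two stand-in #define lines models the failure mode where the header is not included: both legacy branches come back and the suffix reverts to +SSL.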
Comment 17 VK freebsd_triage 2016-06-19 22:51:57 UTC
Comment on attachment 171583
Proposed patch v3

Excellent! Please flag the patch maintainer-approval(+) to have the PR appear in the "Maintainer approved" saved search! Also note for the future patches you attach for ports you maintain, please flag them like that. ;)
Comment 18 Corey Halpin 2016-06-20 02:34:02 UTC
(In reply to Vladimir Krstulja from comment #17)

Done! I'll (try to) remember to do this in the future, thank you. (I'm still not entirely used to bugzilla.)
Comment 19 VK freebsd_triage 2016-06-20 08:21:57 UTC
Back to the pool for a committer to pick up...
Comment 20 Bernard Spil freebsd_committer 2016-06-20 18:23:54 UTC
Created attachment 171620
svn diff for mail/fetchmail

Hi Corey,

Please review this patch. This contains your changes to build without SSLv3.

Additionally this aligns the port with the current ports framework

  - Remove pkg-install pkg-deinstall
  - Use pkg-plist keywords for ownership/mode
  - Options-ify more

Let me know if this is OK to commit

Thanks, 

Bernard Spil (brnrd@)
Comment 21 Corey Halpin 2016-06-20 23:48:24 UTC
Comment on attachment 171620
svn diff for mail/fetchmail

This looks excellent, thank you!
Comment 22 commit-hook freebsd_committer 2016-06-21 06:15:16 UTC
A commit references this bug:

Author: brnrd
Date: Tue Jun 21 06:14:42 UTC 2016
New revision: 417187
URL: https://svnweb.freebsd.org/changeset/ports/417187

Log:
  mail/fetchmail: Fix build without SSLv3

    - Fix build with OpenSSL 1.1 and LibreSSL
    - Stop using pkg-install/pkg-deinstall scripts
    - Use pkg-plist keywords
    - Use GSSAPI ports framework
    - Change X11, POP2 options to use options framework

  PR:             210130
  Submitted by:	freebsd-ports@charlieroot.de
  Reviewed by:	Corey Halpin <chalpin@cs.wisc.edu> (maintainer)
  Approved by:	Corey Halpin <chalpin@cs.wisc.edu> (maintainer)

Changes:
  head/mail/fetchmail/Makefile
  head/mail/fetchmail/files/patch-fetchmail.c
  head/mail/fetchmail/files/patch-socket.c
  head/mail/fetchmail/files/pkg-deinstall.in
  head/mail/fetchmail/files/pkg-install.in
  head/mail/fetchmail/pkg-plist