Created attachment 171906 [details] Build Log uname -a: FreeBSD scorpio.seibercom.net 11.0-CURRENT FreeBSD 11.0-CURRENT #0 r296485: Tue Mar 8 07:04:36 UTC 2016 root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC amd64 I am unable to upgrade to the latest version of "fetchmail" It continually terminates with this message: cc -I/usr/include -O2 -pipe -fstack-protector -fno-strict-aliasing -I/usr/local/include -I/usr/kerberos/include -I/usr/include -L/usr/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector -L/usr/local/lib -L/usr/lib -o fetchmail socket.o getpass.o fetchmail.o env.o idle.o options.o daemon.o driver.o transact.o sink.o smtp.o idlist.o uid.o mxget.o md5ify.o cram.o gssapi.o opie.o interface.o netrc.o unmime.o conf.o checkalias.o lock.o rcfile_l.o rcfile_y.o norm_charmap.o pop3.o imap.o etrn.o odmr.o rpa.o libfm.a /usr/local/lib/libintl.so -Wl,-rpath -Wl,/usr/local/lib -lopie -lcrypt -lkrb5 -lgssapi -lgssapi_krb5 -lkvm -lcom_err -lssl -lcrypto -L/usr/lib -lgssapi -lgssapi_krb5 -lheimntlm -lkrb5 -lhx509 -lcom_err -lcrypto -lasn1 -lwind -lheimbase -lroken -lcrypt -pthread socket.o: In function `SSLOpen': socket.c:(.text+0x11fd): undefined reference to `SSLv2_client_method' cc: error: linker command failed with exit code 1 (use -v to see invocation) gmake[4]: *** [Makefile:700: fetchmail] Error 1 gmake[4]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26' gmake[3]: *** [Makefile:1176: all-recursive] Error 1 gmake[3]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26' gmake[2]: *** [Makefile:591: all] Error 2 gmake[2]: Leaving directory '/usr/ports/mail/fetchmail/work/fetchmail-6.3.26' *** Error code 1 Stop. make[1]: stopped in /usr/ports/mail/fetchmail *** Error code 1 The complete build log is attached.
Early in your configure output, it says: configure: Enabling OpenSSL support in /usr/local. Could you provide more information on which SSL library you are using? However, your compiler line includes -I/usr/kerberos/include, which makes me think that you're attempting to mix GSSAPI from base with an SSL library from ports. That is known to be problematic, and patches are in review to update the USES=gssapi framework to prevent that combination: https://reviews.freebsd.org/D5865 If that is the issue, then it can be worked around by selecting the MIT implementation for GSSAPI in 'make config' or by setting the following in your make.conf: OPTIONS_UNSET+= GSSAPI_BASE OPTIONS_SET+= GSSAPI_MIT (If you're using OpenSSL from ports, then you can probably also select HEIMDAL if you prefer it to MIT. If you're using LibreSSL, that won't currently work. See https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198527 )
(In reply to Corey Halpin from comment #1) Yes, I am using OpenSSL from ports. The "fetchmail" config I was using is the default one for the port. I disabled "GSSAPI" and the port built perfectly. Perhaps "GSSAPI_NONE" should be the default setting until this problem is corrected.
(In reply to Gerard Seibert from comment #2) Disabling GSSAPI by default would remove functionality from the version in packages, requiring anyone who needs that functionality to build from ports. I'd rather not pull the rug out from users in that way, especially when a fix for the ports infrastructure to resolve this problem is currently in progress.
I think the right way forward is to rip out SSLv2 support from fetchmail, which I have already done in the upstream Git branch "legacy_64" that I plan to release 6.4.0 from later, and what I had already done for Debian five years ago, but hadn't released that at the time. The references are in FreeBSD Bugzilla Bug #212055. It's not a duplicate nor a "Depends on" in the strict sense, so I'm setting "See Also" instead.
Hi, Can we close this?
I think we can - the SSLv2 and v3 issues should be fixed since r415811 (disabling SSLv2 altogether), r417187 (trapping this at run-time, and also missing SSLv3), r420788 (trapping incompatible base GSSAPI vs. ports OPENSSL). I tried to provoke the error, but either the build rid would complain about GSSAPI_BASE, or the build would pass. I have allowed myself to commit r469628 without running it through Corey Halpin's approval to make the build compatible with openssl-devel, no functional change (the "SSL does not know SSLv2" test is now more thorough, see files/patch-socket.c)