Bug 212223 - mail/postfix, mail/postfix-current: Broken build with security/libressl caused by OPENSSL_VERSION_NUMBER checks
Summary: mail/postfix, mail/postfix-current: Broken build with security/libressl cause...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Many People
Assignee: Bernard Spil
Keywords: needs-qa, patch
Depends on:
Reported: 2016-08-28 19:49 UTC by Markus Kohlmeyer
Modified: 2016-09-11 09:04 UTC
CC List: 3 users

See Also:

Attachments:
- buildlog postfix libressl (819.36 KB, text/plain), 2016-08-28 21:39 UTC, Markus Kohlmeyer, no flags
- svn diff for mail/postfix (6.50 KB, patch), 2016-08-29 08:47 UTC, Bernard Spil, no flags
- Poudriere testport log with patch applied (789.72 KB, text/plain), 2016-08-29 08:55 UTC, Bernard Spil, no flags
- quick&dirty patch (5.46 KB, patch), 2016-08-29 18:12 UTC, Markus Kohlmeyer, no flags
- svn diff for mail/postfix (6.50 KB, patch), 2016-08-29 19:14 UTC, Bernard Spil, flag: brnrd: maintainer-approval? (ohauer)

Description Markus Kohlmeyer 2016-08-28 19:49:11 UTC
Both Postfix ports are broken when built with LibreSSL since today's updates, due to OPENSSL_VERSION_NUMBER checks introduced by Postfix to prepare for OpenSSL 1.1.0 release compatibility.

This broke my mail servers badly (no more SSL/TLS/STARTTLS) today and I had to switch from LibreSSL back to OpenSSL and recompile a whole bunch of ports as a workaround :(
Comment 1 Bernard Spil freebsd_committer 2016-08-28 20:41:49 UTC
Hi Markus,

Is your ports tree up to date? The patches are in the ports tree as far as I know. Check for patch-src_tls_tls.h

Alternatively, can you share build logs?


Comment 2 Markus Kohlmeyer 2016-08-28 20:59:50 UTC
Hi Bernard,

Yes, the ports tree is up-to-date.
Looking at ftp://ftp.pca.dfn.de/pub/tools/net/postfix/official/postfix-3.1-patch02.gz I count at least six checks for OPENSSL_VERSION_NUMBER, while patch-src_tls_tls.h only fixes one. So there are five more to fix.

Comment 3 Bernard Spil freebsd_committer 2016-08-28 21:04:52 UTC
Just looked at some of them, not _all_ need changing... E.g. LibreSSL also added TLS_client_method...

Are you saying it builds OK but is not OK when run? What is the behaviour?
Comment 4 Markus Kohlmeyer 2016-08-28 21:18:29 UTC
After updating postfix today (built without error, linked against security/libressl) I got messages like these in maillog every time a user tried to sasl_auth:

Aug 28 20:15:58 devgate postfix/smtpd[74237]: warning: Digest algorithm "md5" not found
Aug 28 20:19:11 devgate postfix/submission/smtpd[87336]: warning: Digest algorithm "md5" not found

Then I found out that there was no SSL/TLS working anymore, so the whole mail traffic (incoming/outgoing) was completely unencrypted :(

I then looked at the original update patch for postfix-3.1.2 (linked above) at postfix.org and found the OPENSSL_VERSION_NUMBER checks, which I recently fixed in the mysql57-server port.

Opened this bug asap and now hoping for a fix.
Comment 5 Markus Kohlmeyer 2016-08-28 21:23:44 UTC
Grepping the source gives:

# grep -rn 'OPENSSL_VERSION_NUMBER < 0x1010' postfix-3.1.2
postfix-3.1.2/src/tls/tls.h:92:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_client.c:302:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_client.c:444:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_dane.c:2166:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_rsa.c:60:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_rsa.c:112:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_server.c:380:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/tls/tls_server.c:591:#if OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/posttls-finger/posttls-finger.c:1514:#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
postfix-3.1.2/src/posttls-finger/posttls-finger.c:1961:#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L

Comment 6 Markus Kohlmeyer 2016-08-28 21:39:42 UTC
Created attachment 174167 [details]
buildlog postfix libressl

I did a quick rebuild of postfix against libressl again to provide the requested build log.
Comment 7 Pierre Guinoiseau 2016-08-29 00:53:36 UTC
Same issue for me.
Comment 8 Bernard Spil freebsd_committer 2016-08-29 08:47:29 UTC
Created attachment 174175 [details]
svn diff for mail/postfix

Patch to fix OPENSSL_VERSION_CHECKS where required.

The SSLv23_method to TLS_method changes are NOT required, LibreSSL implements TLS_method as well.
Comment 9 Bernard Spil freebsd_committer 2016-08-29 08:55:00 UTC
Created attachment 174176 [details]
Poudriere testport log with patch applied

Built successfully.

Not checked functionally!
Comment 10 Markus Kohlmeyer 2016-08-29 09:07:36 UTC
I'll test the runtime today asap when time permits.
Comment 11 Markus Kohlmeyer 2016-08-29 09:34:13 UTC
Build is OK, but runtime fails again:

Aug 29 11:25:01 devnoip postfix/smtp[63985]: warning: Digest algorithm "md5" not found
Aug 29 11:25:01 devnoip postfix/smtp[63985]: warning: disabling TLS support
Aug 29 11:25:01 devnoip postfix/smtp[63985]: 3sN5pP1YjkzdG5f: to=<admin@domain.tld>, orig_to=<postmaster>, relay=mail.domain.tld[2a01:4f8:xxxx:yyyy::2]:587, delay=0.35, delays=0.01/0.02/0.28/0.03, dsn=5.7.0, status=bounced (host mail.domain.tld[2a01:4f8:xxxx:yyyy::2] said: 530 5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))
Comment 12 Markus Kohlmeyer 2016-08-29 18:12:12 UTC
Created attachment 174199 [details]
quick&dirty patch

This is a quick & dirty patch that builds and doesn't break runtime.

Not sure if this is the right way to go, but at least it currently works.

Comment 13 Bernard Spil freebsd_committer 2016-08-29 18:23:34 UTC
Hi Markus,

How is that patch different, apart from checking for OPENSSL_VERSION_NUMBER == 0x2 instead of defined(LIBRESSL_VERSION_NUMBER)?


Comment 14 Bernard Spil freebsd_committer 2016-08-29 19:14:35 UTC
Created attachment 174202 [details]
svn diff for mail/postfix

Sorry Markus,

Checked the delta between your patch and mine and discovered grave logic errors in mine... "<1.1" AND "Libre" doesn't match, but "<1.1" OR "Libre" will!

Attached another patch, can you please check if that's OK?
If so I can commit the changes to the tree.


Comment 15 Bernard Spil freebsd_committer 2016-08-29 19:15:56 UTC
Poudriere testport log here: https://brnrd.eu/poudriere/data/103amd64-svn/2016-08-29_21h14m25s/logs/postfix-3.1.2,1.log
Comment 16 commit-hook freebsd_committer 2016-08-29 19:24:51 UTC
A commit references this bug:

Author: brnrd
Date: Mon Aug 29 19:23:50 UTC 2016
New revision: 421091
URL: https://svnweb.freebsd.org/changeset/ports/421091

  mail/postfix: Fix runtime issues with LibreSSL

    - Add LibreSSL checks to <> 1.1.0 OpenSSL checks
    - Bump portrevision

  PR:		212223
  Submitted by:	Markus Kohlmeier <rootservice@gmail.com>
  Reported by:	Markus Kohlmeier <rootservice@gmail.com>
  Approved by:	ohauer (via PR)
  MFH:		2016Q3

Comment 17 Bernard Spil freebsd_committer 2016-08-29 19:25:57 UTC
Committed as per Olli Hauer's request/approval (via email)
Comment 18 Markus Kohlmeyer 2016-08-29 19:41:32 UTC
Committed too early :(

There is a typo (missing L) in head/mail/postfix/files/patch-src_tls_tls__dane.c

And it doesn't fix the runtime problem.

I really don't know why checking "OPENSSL_VERSION_NUMBER == 0x200000L" works and "defined(LIBRESSL_VERSION_NUMBER)" doesn't, but according to opensslv.h in the LibreSSL source, LibreSSL will always declare OPENSSL_VERSION_NUMBER as 0x200000L regardless of LIBRESSL_VERSION_NUMBER, and some/most/all(?) other sources linking against OpenSSL/LibreSSL currently check only against OPENSSL_VERSION_NUMBER, sometimes only against OPENSSL_MAJOR_VERSION (like MySQL, for example).
Maybe LIBRESSL_VERSION_NUMBER is not exported (correctly) by LibreSSL, or is otherwise not accessible during checking/linking?
I'm not a programmer.
All I can say is that my patch works (build time *and runtime*) for me and yours doesn't.

Just tell me if and how I can provide more help/info and I'll try my best. But keep in mind that I currently have only production systems, so I'm probably limited in some points.
Comment 19 Markus Kohlmeyer 2016-08-29 19:56:28 UTC
Sorry, had tested the wrong server :(

Your last/committed patch works, but the typo has to be corrected.

Sorry again.
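The guard logic discussed in Comment 14 ("<1.1" AND "Libre" never matches, "<1.1" OR "Libre" does) and Comment 18 (LibreSSL's opensslv.h reports an OPENSSL_VERSION_NUMBER above the 1.1.0 threshold while still providing the pre-1.1.0 API) can be checked in isolation. The following is an added example, not code from Postfix, the ports patches or this thread; it emulates the macros that <openssl/opensslv.h> would provide (the LIBRESSL_VERSION_NUMBER value and the "OpenSSL 1.0.2" sample value are constructed, only their presence and ordering matter), applies the corrected OR-form guard at compile time, and models both the faulty AND-form and the corrected OR-form at run time so the difference is visible for each build target.

```c
#include <stdio.h>

/*
 * Constructed stand-in for <openssl/opensslv.h>; a real build includes that
 * header instead. The values emulate a LibreSSL target: LibreSSL's opensslv.h
 * defines OPENSSL_VERSION_NUMBER as 0x20000000L and also defines
 * LIBRESSL_VERSION_NUMBER. The LIBRESSL_VERSION_NUMBER value below is a
 * constructed placeholder; only its presence matters to the guard.
 */
#ifndef OPENSSL_VERSION_NUMBER
#define OPENSSL_VERSION_NUMBER   0x20000000L
#define LIBRESSL_VERSION_NUMBER  0x20000000L   /* placeholder value */
#endif

/* Threshold used by the Postfix checks quoted in the thread: OpenSSL 1.1.0. */
#define OPENSSL_1_1_0 0x10100000L

/*
 * Compile-time guard in the corrected (OR) form. The pre-1.1.0 compatibility
 * code must be selected both for old OpenSSL and for LibreSSL, because
 * LibreSSL's version number is above the 1.1.0 threshold even though it
 * still exposes the pre-1.1.0 API.
 */
#if OPENSSL_VERSION_NUMBER < OPENSSL_1_1_0 || defined(LIBRESSL_VERSION_NUMBER)
#define TLS_COMPAT_PATH 1
#else
#define TLS_COMPAT_PATH 0
#endif

/* Exposes the preprocessor decision so it can be inspected at run time. */
int compat_path_selected(void)
{
    return TLS_COMPAT_PATH;
}

/* Run-time model of the corrected guard: "< 1.1.0" OR "is LibreSSL". */
int compat_needed_or(unsigned long version, int is_libressl)
{
    return version < OPENSSL_1_1_0 || is_libressl;
}

/*
 * Run-time model of the faulty guard: "< 1.1.0" AND "is LibreSSL".
 * It is never true for LibreSSL (0x20000000L is not below 0x10100000L) and
 * also drops the compatibility path for plain OpenSSL 1.0.x, so the TLS
 * code is built against the wrong API on every target.
 */
int compat_needed_and(unsigned long version, int is_libressl)
{
    return version < OPENSSL_1_1_0 && is_libressl;
}

int main(void)
{
    /* Constructed sample targets; the 1.0.2 value is illustrative. */
    struct { const char *name; unsigned long version; int libressl; } targets[] = {
        { "OpenSSL 1.0.2", 0x1000200fL, 0 },
        { "OpenSSL 1.1.0", 0x10100000L, 0 },
        { "LibreSSL",      0x20000000L, 1 },
    };
    size_t i;

    printf("compile-time guard selected compat path: %d\n", compat_path_selected());
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-14s OR-guard=%d AND-guard=%d\n", targets[i].name,
               compat_needed_or(targets[i].version, targets[i].libressl),
               compat_needed_and(targets[i].version, targets[i].libressl));
    return 0;
}
```

Building this once against a real OpenSSL 1.0.x, once against 1.1.0 and once against LibreSSL (dropping the emulation block and including <openssl/opensslv.h>) is the quickest way to confirm which branch a guard like this selects on each target before the change reaches a production mail server; the thread shows that a build that merely links is not evidence that the right TLS code path was compiled in.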
Comment 20 commit-hook freebsd_committer 2016-08-30 05:54:39 UTC
A commit references this bug:

Author: brnrd
Date: Tue Aug 30 05:54:02 UTC 2016
New revision: 421102
URL: https://svnweb.freebsd.org/changeset/ports/421102

  mail/postfix: Fix typo in LibreSSL patch

    - Fix DANE support with LibreSSL

  PR:		212223
  Reported by:	Markus Kohlmeyer <rootservice@gmail.com>

Comment 21 commit-hook freebsd_committer 2016-08-30 06:07:42 UTC
A commit references this bug:

Author: brnrd
Date: Tue Aug 30 06:07:11 UTC 2016
New revision: 421104
URL: https://svnweb.freebsd.org/changeset/ports/421104

  mail/postfix-current: Fix runtime TLS failure with LibreSSL

     - Add LibreSSL checks to <> 1.1.0 OpenSSL checks
     - Bump portrevision

  PR:		212223
  Submitted by:	Markus Kohlmeier <rootservice@gmail.com>
  Reported by:	Markus Kohlmeier <rootservice@gmail.com>
  Approved by:	ohauer (via mail)
  MFH:		2016Q3

Comment 22 commit-hook freebsd_committer 2016-09-11 09:04:29 UTC
A commit references this bug:

Author: brnrd
Date: Sun Sep 11 09:03:27 UTC 2016
New revision: 421811
URL: https://svnweb.freebsd.org/changeset/ports/421811

  MFH: r421091

  mail/postfix: Fix runtime issues with LibreSSL

    - Add LibreSSL checks to <> 1.1.0 OpenSSL checks
    - Bump portrevision

  PR:		212223
  Submitted by:	Markus Kohlmeier <rootservice@gmail.com>
  Reported by:	Markus Kohlmeier <rootservice@gmail.com>
  Approved by:	ohauer (via PR)

  Approved by:	ports-secteam (delphij)

_U  branches/2016Q3/