Dovecot 2.2.25 fails on SSL
Dear Dovecot developers!
This problem already existed some years ago, has been fixed, and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl. Therefore, Dovecot is configured like this:
env SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
With "pkg-config", the same options for SSL are provided.
"make" and "make install" run just fine, and the daemon starts without any errors. However, if a user connects on port 993 (IMAPS), Dovecot logs this failure message to syslog:
Jul 4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
Jul 4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with status 22784
ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
    linux-gate.so.1 => (0x00e8c000)
    libcrypto.so.1.0.0 => not found
    libssl.so.1.0.0 => not found
    librt.so.1 => /lib/librt.so.1 (0x00be4000)
    libc.so.6 => /lib/libc.so.6 (0x001a6000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
    /lib/ld-linux.so.2 (0x007e7000)
ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
    linux-gate.so.1 => (0x00dca000)
    libcrypto.so.1.0.0 => not found
    libssl.so.1.0.0 => not found
    librt.so.1 => /lib/librt.so.1 (0x00a7a000)
    libc.so.6 => /lib/libc.so.6 (0x00160000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
    /lib/ld-linux.so.2 (0x00560000)
When comparing to Dovecot 2.2.24:
ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so
    linux-gate.so.1 => (0x0073d000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000)
    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000)
    librt.so.1 => /lib/librt.so.1 (0x00a60000)
    libc.so.6 => /lib/libc.so.6 (0x001e5000)
    libdl.so.2 => /lib/libdl.so.2 (0x003a9000)
    libpthread.so.0 => /lib/libpthread.so.0 (0x009d0000)
    /lib/ld-linux.so.2 (0x00d77000)
There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
Would be great if that could be fixed so that SSL works again.
Thanks a lot in advance ... Andreas
On 04.07.2016 02:42, Andreas M. Kirchwitz wrote:
> Dear Dovecot developers!
> This problem already existed some years ago, has been fixed, and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
> I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl. Therefore, Dovecot is configured like this:
> env SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
> With "pkg-config", the same options for SSL are provided.
> "make" and "make install" run just fine, and the daemon starts without any errors. However, if a user connects on port 993 (IMAPS), Dovecot logs this failure message to syslog:
> Jul 4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
> Jul 4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with status 22784
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
>     linux-gate.so.1 => (0x00e8c000)
>     libcrypto.so.1.0.0 => not found
>     libssl.so.1.0.0 => not found
>     librt.so.1 => /lib/librt.so.1 (0x00be4000)
>     libc.so.6 => /lib/libc.so.6 (0x001a6000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
>     /lib/ld-linux.so.2 (0x007e7000)
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>     linux-gate.so.1 => (0x00dca000)
>     libcrypto.so.1.0.0 => not found
>     libssl.so.1.0.0 => not found
>     librt.so.1 => /lib/librt.so.1 (0x00a7a000)
>     libc.so.6 => /lib/libc.so.6 (0x00160000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
>     /lib/ld-linux.so.2 (0x00560000)
> When comparing to Dovecot 2.2.24:
> ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so
>     linux-gate.so.1 => (0x0073d000)
>     libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000)
>     libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000)
>     librt.so.1 => /lib/librt.so.1 (0x00a60000)
>     libc.so.6 => /lib/libc.so.6 (0x001e5000)
>     libdl.so.2 => /lib/libdl.so.2 (0x003a9000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x009d0000)
>     /lib/ld-linux.so.2 (0x00d77000)
> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
> Would be great if that could be fixed so that SSL works again.
> Thanks a lot in advance ... Andreas
Hi!
Thank you for your report, we'll look into it!
Aki Tuomi Dovecot oy
On 04.07.2016 02:42, Andreas M. Kirchwitz wrote:
> Dear Dovecot developers!
> This problem already existed some years ago, has been fixed, and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
> I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl. Therefore, Dovecot is configured like this:
> env SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
> With "pkg-config", the same options for SSL are provided.
> "make" and "make install" run just fine, and the daemon starts without any errors. However, if a user connects on port 993 (IMAPS), Dovecot logs this failure message to syslog:
> Jul 4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
> Jul 4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with status 22784
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
>     linux-gate.so.1 => (0x00e8c000)
>     libcrypto.so.1.0.0 => not found
>     libssl.so.1.0.0 => not found
>     librt.so.1 => /lib/librt.so.1 (0x00be4000)
>     libc.so.6 => /lib/libc.so.6 (0x001a6000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
>     /lib/ld-linux.so.2 (0x007e7000)
> ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
>     linux-gate.so.1 => (0x00dca000)
>     libcrypto.so.1.0.0 => not found
>     libssl.so.1.0.0 => not found
>     librt.so.1 => /lib/librt.so.1 (0x00a7a000)
>     libc.so.6 => /lib/libc.so.6 (0x00160000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
>     /lib/ld-linux.so.2 (0x00560000)
> When comparing to Dovecot 2.2.24:
> ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so
>     linux-gate.so.1 => (0x0073d000)
>     libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000)
>     libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000)
>     librt.so.1 => /lib/librt.so.1 (0x00a60000)
>     libc.so.6 => /lib/libc.so.6 (0x001e5000)
>     libdl.so.2 => /lib/libdl.so.2 (0x003a9000)
>     libpthread.so.0 => /lib/libpthread.so.0 (0x009d0000)
>     /lib/ld-linux.so.2 (0x00d77000)
> There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
> Would be great if that could be fixed so that SSL works again.
> Thanks a lot in advance ... Andreas
Hi!
Can you try the attached patch out?
Aki Tuomi Dovecot oy
Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> > ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> >     linux-gate.so.1 => (0x00e8c000)
> >     libcrypto.so.1.0.0 => not found
> >     libssl.so.1.0.0 => not found
> >     librt.so.1 => /lib/librt.so.1 (0x00be4000)
> >     libc.so.6 => /lib/libc.so.6 (0x001a6000)
> >     libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> >     /lib/ld-linux.so.2 (0x007e7000)
> > ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> >     linux-gate.so.1 => (0x00dca000)
> >     libcrypto.so.1.0.0 => not found
> >     libssl.so.1.0.0 => not found
> >     librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> >     libc.so.6 => /lib/libc.so.6 (0x00160000)
> >     libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> >     /lib/ld-linux.so.2 (0x00560000)
> > There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
> > Would be great if that could be fixed so that SSL works again.
> Can you try the attached patch out?
Sorry for the late answer. (Away from computers. :-)
Tried the attached patch, applies fine, compiles fine, but the ssl/crypto libraries are still not found.
The additional "$(SSL_LIBS)" in both "Makefile.am" files doesn't properly make it into the resulting "Makefile" files. After "configure" is done, the resulting "Makefile" files are exactly the same in the original 2.2.25 version and patched 2.2.25 version (I guess they *should* contain the additional SSL libraries somewhere).
Just let me know if there's more I can try (no longer away from computers, so response time is faster :-)
Sorry for the bad news ... Andreas
On September 2, 2016 at 4:56 AM "Andreas M. Kirchwitz" <amk@spamfence.net> wrote:
> Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> > > ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so
> > >     linux-gate.so.1 => (0x00e8c000)
> > >     libcrypto.so.1.0.0 => not found
> > >     libssl.so.1.0.0 => not found
> > >     librt.so.1 => /lib/librt.so.1 (0x00be4000)
> > >     libc.so.6 => /lib/libc.so.6 (0x001a6000)
> > >     libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000)
> > >     /lib/ld-linux.so.2 (0x007e7000)
> > > ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so
> > >     linux-gate.so.1 => (0x00dca000)
> > >     libcrypto.so.1.0.0 => not found
> > >     libssl.so.1.0.0 => not found
> > >     librt.so.1 => /lib/librt.so.1 (0x00a7a000)
> > >     libc.so.6 => /lib/libc.so.6 (0x00160000)
> > >     libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000)
> > >     /lib/ld-linux.so.2 (0x00560000)
> > > There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
> > > Would be great if that could be fixed so that SSL works again.
> > Can you try the attached patch out?
> Sorry for the late answer. (Away from computers. :-)
> Tried the attached patch, applies fine, compiles fine, but the ssl/crypto libraries are still not found.
> The additional "$(SSL_LIBS)" in both "Makefile.am" files doesn't properly make it into the resulting "Makefile" files. After "configure" is done, the resulting "Makefile" files are exactly the same in the original 2.2.25 version and patched 2.2.25 version (I guess they *should* contain the additional SSL libraries somewhere).
> Just let me know if there's more I can try (no longer away from computers, so response time is faster :-)
> Sorry for the bad news ... Andreas
Well, then it leaves only option of using /etc/ld.so.conf
so basically add your libssl location there.
Aki
Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> Well, then it leaves only option of using /etc/ld.so.conf so basically add your libssl location there.
That's not a working solution and not the purpose of /etc/ld.so.conf.
Currently, this is a real-life security issue in Dovecot 2.2.25, because it compiles fine but then - to the user - silently fails to use SSL. The user who doesn't know better reconfigures his client and all security is gone. :-(
Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be made to work. The question is just where to add the proper options, or maybe "configure" is broken in some way.
I'm happy to try out more patches until the proper solution is found. I've already tried adding SSL libs in various locations during the build process but it has always the same result that it never gets past "configure".
Greetings, Andreas
On September 2, 2016 at 5:35 PM "Andreas M. Kirchwitz" <amk@spamfence.net> wrote:
> Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
> > Well, then it leaves only option of using /etc/ld.so.conf so basically add your libssl location there.
> That's not a working solution and not the purpose of /etc/ld.so.conf.
> Currently, this is a real-life security issue in Dovecot 2.2.25, because it compiles fine but then - to the user - silently fails to use SSL. The user who doesn't know better reconfigures his client and all security is gone. :-(
> Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be made to work. The question is just where to add the proper options, or maybe "configure" is broken in some way.
> I'm happy to try out more patches until the proper solution is found. I've already tried adding SSL libs in various locations during the build process but it has always the same result that it never gets past "configure".
> Greetings, Andreas
I tried various ways but wasn't able to get it to work. I can see if it can be fixed but it can take a while.
Aki
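A post-install check for the failure reported in this thread, as an added example that is not part of the original messages or of Dovecot: it flags every built plugin whose `ldd` output contains `not found` and prints the run-time search path recorded in the file, so a build that lost its `-R/usr/local/ssl/lib` setting is caught before clients connect. The function names are hypothetical, and `ldd` and `readelf` are assumed to be installed.

```shell
#!/bin/sh
# Added example: fail a build/deploy step when a shared object has
# unresolved dependencies. Run it only on binaries you built yourself,
# because ldd may execute code from the file it inspects.

# Read `ldd` output on stdin; print one unresolved library name per line.
unresolved_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read `readelf -d` output on stdin; print the RPATH/RUNPATH value, if any.
embedded_runpath() {
    sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)].*/\2/p'
}

# Check every .so in a directory; return non-zero if any dependency is missing.
check_plugin_dir() {
    dir=$1
    status=0
    for so in "$dir"/*.so; do
        [ -e "$so" ] || continue
        missing=$(ldd "$so" 2>/dev/null | unresolved_libs | tr '\n' ' ')
        if [ -n "$missing" ]; then
            runpath=$(readelf -d "$so" 2>/dev/null | embedded_runpath)
            echo "FAIL $so: missing ${missing}(runpath: ${runpath:-none})"
            status=1
        fi
    done
    return $status
}

# Usage: sh check-so-deps.sh /usr/local/Dovecot-2.2.25/lib/dovecot
if [ $# -gt 0 ]; then
    check_plugin_dir "$1"
fi
```

A non-zero exit from this check in the install step stops the release at build time instead of leaving the error to appear in syslog on the first IMAPS connection.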