Dovecot 2.2.25 fails on SSL
Dear Dovecot developers!This problem already existed some years ago, has been fixed, and now it's there again in Dovecot 2.2.25 (2.2.24 was fine).
I'm running CentOS 6 with a custom OpenSSL installation in /usr/local/ssl Therefore, Dovecot is configured like this:
env SSL_CFLAGS="-I/usr/local/ssl/include" SSL_LIBS="-L/usr/local/ssl/lib -Wl,-R/usr/local/ssl/lib -lcrypto -lssl" ./configure --prefix=/usr/local/Dovecot-2.2.25 --with-ssl=openssl --with-ssldir=/usr/local/Dovecot-2.2.25/etc/dovecot/certs
With "pkg-config", the same options for SSL are provided.
"make" and "make install" run just fine, and the daemon starts without any errors. However, if a user connects on port 993 (IMAPS), Dovecot logs this failure message to syslog:
Jul 4 01:08:43 myhost dovecot: ssl-params: Fatal: Couldn't load required plugin /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so: dlopen() failed: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory Jul 4 01:08:43 myhost dovecot: ssl-params: Error: child process failed with status 22784
ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libssl_iostream_openssl.so linux-gate.so.1 => (0x00e8c000) libcrypto.so.1.0.0 => not found libssl.so.1.0.0 => not found librt.so.1 => /lib/librt.so.1 (0x00be4000) libc.so.6 => /lib/libc.so.6 (0x001a6000) libpthread.so.0 => /lib/libpthread.so.0 (0x003e4000) /lib/ld-linux.so.2 (0x007e7000)
ldd /usr/local/Dovecot-2.2.25/lib/dovecot/libdcrypt_openssl.so linux-gate.so.1 => (0x00dca000) libcrypto.so.1.0.0 => not found libssl.so.1.0.0 => not found librt.so.1 => /lib/librt.so.1 (0x00a7a000) libc.so.6 => /lib/libc.so.6 (0x00160000) libpthread.so.0 => /lib/libpthread.so.0 (0x0072f000) /lib/ld-linux.so.2 (0x00560000)
When comparing to Dovecot 2.2.24:
ldd /usr/local/Dovecot-2.2.24/lib/dovecot/libssl_iostream_openssl.so linux-gate.so.1 => (0x0073d000) libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00b04000) libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x0044a000) librt.so.1 => /lib/librt.so.1 (0x00a60000) libc.so.6 => /lib/libc.so.6 (0x001e5000) libdl.so.2 => /lib/libdl.so.2 (0x003a9000) libpthread.so.0 => /lib/libpthread.so.0 (0x009d0000) /lib/ld-linux.so.2 (0x00d77000)
There's no libdcrypt_openssl.so in Dovecot 2.2.24, so I guess with the newly introduced dcrypt stuff something with SSL went wrong.
Would be great if that could be fixed so that SSL works again.
Thanks a lot in advance ... AndreasAki Tuomi <aki.tuomi@dovecot.fi> wrote:
Sorry for the late answer. (Away from computers. :-)
Tried the attached patch, applies fine, compiles fine, but the ssl/crypto libraries are still not found.
The additional "$(SSL_LIBS)" in both "Makefile.am" files doesn't properly make it into the resulting "Makefile" files. After "configure" is done, the resulting "Makefile" files are exactly the same in the original 2.2.25 version and patched 2.2.25 version (I guess they *should* contain the additional SSL libraries somewhere).
Just let me know if there's more I can try (no longer away from computers, so response time is faster :-)
Sorry for the bad news ... AndreasAki Tuomi <aki.tuomi@dovecot.fi> wrote:
Well, then it leaves only option of using /etc/ld.so.conf so basically add your libssl location there.
That's not a working solution and not the purpose of /etc/ld.so.conf.
Currently, this is a real-life security issue in Dovecot 2.2.25, because it compiles fine but then - to the user - silently fails to use SSL. The user who doesn't know better reconfigures his client and all security is gone. :-(
Custom SSL worked fine in Dovecot 2.2.24, so obviously it can be made to work. The question is just where to add the proper options, or maybe "configure" is broken in some way.
I'm happy to try out more patches until the proper solution is found. I've already tried adding SSL libs in various locations during the build process but it hast always the same result that it never gets past "configure".
Greetings, Andreas
participants (3)
-
Aki Tuomi
-
Andreas M. Kirchwitz
-
Andreas M. Kirchwitz