[Dovecot] Building dovecot with SSL support on Solaris
Hi all,
I'm just trying to build dovecot-1.0.alpha3 on a Solaris 9 machine with SSL support. No matter which options I call ./configure with - it always results in:
Install prefix ...................... : /usr/local
File offsets ........................ : 64bit
I/O loop method ..................... : poll
File change notification method ..... : none
Building with SSL support ........... : no <-- !
Building with IPv6 support .......... : yes
Building with pop3 server ........... : yes
Building with mail delivery agent .. : yes
Building with user database modules . : static passdb passwd passwd-file checkpassword (modules)
Building with password lookup modules : passwd passwd-file shadow pam checkpassword (modules)
Some more details:
$ uname -a
SunOS ns 5.9 Generic_117171-08 sun4u sparc SUNW,Sun-Fire-280R
$ /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7e 25 Oct 2004
On another system, the build succeeds - including SSL support:
$ uname -a
SunOS excalibur 5.9 Generic_117171-08 sun4u sparc SUNW,Sun-Blade-100
$ /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7d 17 Mar 2004
I have tried lots of hints Google found in the mailing list archives, but none of them succeeded.
I'm looking forward to getting any further hints. If you need some further information, I will post it.
Regards & thanks in advance, Christian
-- All things happen out of necessity. There is no good and no bad in nature. -- Baruch de Spinoza
Hi,
I run alpha3 on Solaris 9, with openssl in /opt. Here is my configure for dovecot:
#!/usr/bin/sh
VERSION=1.0-alpha3
CC=gcc CFLAGS="-g -O" CPPFLAGS=-I/opt/openssl/include \
LDFLAGS=-L/opt/openssl/lib \
./configure --prefix=/opt/dovecot.$VERSION --with-ssl=openssl \
    --with-ssldir=/opt/openssl/ssl > configure.out
I also have /opt/openssl/lib defined in my load path via "crle" so apps can find it. That may be your problem. My output from "crle":
[3] % crle
Configuration file [version 3]: /var/ld/ld.config
  Default Library Path (ELF): /usr/lib:/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/local/lib
  Trusted Directories (ELF): /usr/lib/secure (system default)
Command line:
  crle -c /var/ld/ld.config -l /usr/lib:/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/local/lib
Jeff Earickson Colby College
On Fri, 7 Oct 2005, Christian Schmidt wrote:
> Date: Fri, 7 Oct 2005 15:07:07 +0200
> From: Christian Schmidt christian@siebenbergen.de
> To: dovecot@dovecot.org
> Subject: [Dovecot] Building dovecot with SSL support on Solaris
Hello Jeff,
Jeff A. Earickson, 07.10.2005 (d.m.y):
> I run alpha3 on Solaris 9, with openssl in /opt. Here is my configure for dovecot:
>
> #!/usr/bin/sh
> VERSION=1.0-alpha3
> CC=gcc CFLAGS="-g -O" CPPFLAGS=-I/opt/openssl/include \
> LDFLAGS=-L/opt/openssl/lib \
> ./configure --prefix=/opt/dovecot.$VERSION --with-ssl=openssl \
>     --with-ssldir=/opt/openssl/ssl > configure.out
>
> I also have /opt/openssl/lib defined in my load path via "crle" so apps can find it. That may be your problem. My output from "crle":
>
> [3] % crle
> Configuration file [version 3]: /var/ld/ld.config
>   Default Library Path (ELF): /usr/lib:/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/local/lib
>   Trusted Directories (ELF): /usr/lib/secure (system default)
> Command line:
>   crle -c /var/ld/ld.config -l /usr/lib:/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/local/lib
Thanks, Jeff. I gave both methods a try, but none of them succeeded.
When running my ./configure, it always claims:
Building with SSL support ........... : no
During the run, the only output line concerning ssl is the following:
checking for SSL_read in -lssl... no
But I think this line just tells me what I'm already aware of...
Regards, Christian Schmidt
-- The power of kings is founded on the reason and on the folly of the people - and much more on the folly. -- Blaise Pascal
What version of OpenSSL are you using? I had this problem and it turned out to be a problem with OpenSSL. I had originally installed OpenSSL 0.9.8 and had the same problem you are having. I had to go back to OpenSSL 0.9.7d and it worked fine with no other changes. There might be a version between 0.9.7d and 0.9.8 but I didn't check because I already had the other version on the system. There were some major changes in OpenSSL 0.9.8 and I didn't have time to sort them out so I went with an earlier version.
-- Andy
I'm running openssl 0.9.8 on all of my Solaris 9 and 10 systems with no problems, tied in with dovecot, openssh, sendmail, bunches of other code. Note that I've built openssl and most of these other codes with Sun's Studio 8 compiler, but I also had no problems using gcc 4.0.1 either.
Jeff Earickson Colby College
On Fri, 7 Oct 2005, Andy Cravens wrote:
> Date: Fri, 07 Oct 2005 10:09:46 -0600
> From: Andy Cravens acravens@uen.org
> To: Christian Schmidt christian@siebenbergen.de
> Cc: dovecot@dovecot.org
> Subject: Re: [Dovecot] Building dovecot with SSL support on Solaris
Hello Andy,
Andy Cravens, 07.10.2005 (d.m.y):
> What version of OpenSSL are you using?

On the "problematic" system, we're running:
$ /usr/local/ssl/bin/openssl version
OpenSSL 0.9.7e 25 Oct 2004

> I had this problem and it turned out to be a problem with OpenSSL. I had originally installed OpenSSL 0.9.8 and had the same problem you are having.

Ah...

> I had to go back to OpenSSL 0.9.7d and it worked fine with no other changes. There might be a version between 0.9.7d and 0.9.8

Yes, there is (see above)...

> but I didn't check because I already had the other version on the system. There were some major changes in OpenSSL 0.9.8 and I didn't have time to sort them out so I went with an earlier version.

OK, I'll give this a try. Thank you and have a nice weekend!
Regards, Christian Schmidt
-- Every problem allows two points of view: our own and the wrong one. -- Channing Pollock
Christian Schmidt, 07.10.2005 (d.m.y):
> Andy Cravens, 07.10.2005 (d.m.y):
> > I had this problem and it turned out to be a problem with OpenSSL. I had originally installed OpenSSL 0.9.8 and had the same problem you are having.
> > I had to go back to OpenSSL 0.9.7d and it worked fine with no other changes. There might be a version between 0.9.7d and 0.9.8 but I didn't check because I already had the other version on the system. There were some major changes in OpenSSL 0.9.8 and I didn't have time to sort them out so I went with an earlier version.
> OK, I'll give this a try.

Didn't work, either. ./configure still reports that there is no ssl support. :-(
Regards, Christian Schmidt
-- One idealizes everyone one sees for the first time - either upward or downward. -- Jean Paul
Hi all,
Christian Schmidt, 07.10.2005 (d.m.y):
> I'm just trying to build dovecot-1.0.alpha3 on a Solaris 9 machine with SSL support. No matter which options I call ./configure with - it always results in:
>
> Install prefix ...................... : /usr/local
> File offsets ........................ : 64bit
> I/O loop method ..................... : poll
> File change notification method ..... : none
> Building with SSL support ........... : no <-- !
> Building with IPv6 support .......... : yes
> Building with pop3 server ........... : yes
> Building with mail delivery agent .. : yes
> Building with user database modules . : static passdb passwd passwd-file checkpassword (modules)
> Building with password lookup modules : passwd passwd-file shadow pam checkpassword (modules)

I finally managed to make ./configure result in returning:
Building with SSL support ........... : yes (OpenSSL)
I achieved this by adding "-ldl" to LDFLAGS. At the moment, my configure script looks like this:
(Attention: First line may have been broken!)
#! /bin/sh
CC=gcc CFLAGS="-g -O" CPPFLAGS=-I/usr/local/ssl/include LDFLAGS='-L/usr/local/ssl/lib -ldl' ./configure \
    --prefix=/usr/local \
    --with-ssl=openssl \
    --with-ssldir=/usr/local/ssl/certs
As I'm not very familiar with all the stuff concerning programming etc., I don't know exactly what this option "-ldl" means. All I can say is that it refers to how the binary to be produced will be linked against libraries.
Maybe someone can drop some words on this...?
Thanks to all of you who spent some brain on my problem!
Regards, Christian
-- Smileys are used only by people who do not say what they mean and do not mean what they say the way they say it. -- Klaus Schilling
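How a missing library can be read off the failed `SSL_read` probe that configure records in config.log; this is an added example, not part of the thread. The log excerpt is constructed (the thread never shows the linker errors) and assumes Solaris `ld` output with the `dl*` symbols pulled in by libcrypto; `sample_log` and `missing_libs` are hypothetical names.

```shell
#!/bin/sh
# Constructed config.log excerpt (not from the thread): the SSL_read link
# probe failing because libcrypto references the dynamic-loading functions.
sample_log() {
cat <<'EOF'
configure:20716: checking for SSL_read in -lssl
configure:20746: gcc -o conftest -g -O -I/usr/local/ssl/include -L/usr/local/ssl/lib conftest.c -lssl -lcrypto >&5
Undefined                       first referenced
 symbol                             in file
dlopen                              /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)
dlclose                             /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)
dlsym                               /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)
dlerror                             /usr/local/ssl/lib/libcrypto.a(dso_dlfcn.o)
ld: fatal: Symbol referencing errors. No output written to conftest
configure:20752: $? = 1
configure:20780: result: no
EOF
}

# missing_libs: read linker output on stdin and print, one per line, the
# Solaris library flag that defines each undefined symbol it recognises.
# Symbols it does not know are reported as "unresolved:<symbol>".
missing_libs() {
    awk '
        # Rows of the Solaris ld "Undefined symbol" table: <symbol> <file>
        NF == 2 && $2 ~ /\.(a[(]|o$|so)/ { undefined[$1] = 1 }
        END {
            for (s in undefined) {
                if (s ~ /^dl(open|close|sym|error)$/)
                    print "-ldl"          # libdl: runtime loading of shared objects
                else if (s ~ /^(socket|connect|bind|listen|accept|setsockopt|getsockopt)$/)
                    print "-lsocket"      # Solaris keeps the socket calls in libsocket
                else if (s ~ /^gethostby(name|addr)$/)
                    print "-lnsl"         # and the resolver calls in libnsl
                else
                    print "unresolved:" s
            }
        }
    ' | LC_ALL=C sort -u
}

# Demo on the constructed excerpt.
sample_log | missing_libs
```

On a real build tree the input would be `config.log` from the failed run: `missing_libs < config.log`.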
Christian,
The -ldl means that you wish to load the library that is used to dynamically load shared libraries. If you really needed to do this then this brings up a small issue.
It is usually NOT a good idea to have openssl as a shareable library. This opens up a serious vulnerability. Take this scenario...
A person manages to gain root privileges. He replaces the openssl shareable library with a hacked version (say with a backdoor). In doing so, he's circumvented every program that uses openssl for security and gained full access via lots of entry points (web services, ssh services, etc.).
My suggestion is to build a static openssl library and then you won't need to add the -ldl option.
Gary
Gary Gendel wrote:
> Christian,
>
> The -ldl means that you wish to load the library that is used to dynamically load shared libraries. If you really needed to do this then this brings up a small issue.
>
> It is usually NOT a good idea to have openssl as a shareable library. This opens up a serious vulnerability. Take this scenario...
>
> A person manages to gain root privileges. He replaces the openssl shareable library with a hacked version (say with a backdoor). In doing so, he's circumvented every program that uses openssl for security and gained full access via lots of entry points (web services, ssh services, etc.).

Well, if someone can gain root privileges you have a much bigger issue than him just replacing the openssl library (for example, him replacing the dovecot binaries). Objection overruled!
-- Magnus Holmgren holmgren@lysator.liu.se
On 2005-10-09 13:29:27 -0400, Gary Gendel wrote:
> The -ldl means that you wish to load the library that is used to dynamically load shared libraries. If you really needed to do this then this brings up a small issue.
>
> It is usually NOT a good idea to have openssl as a shareable library. This opens up a serious vulnerability. Take this scenario...
>
> A person manages to gain root privileges. He replaces the openssl shareable library with a hacked version (say with a backdoor). In doing so, he's circumvented every program that uses openssl for security and gained full access via lots of entry points (web services, ssh services, etc.).
>
> My suggestion is to build a static openssl library and then you won't need to add the -ldl option.

ok ... now let's take some stuff into account. linking statically means:
- you need to recompile dovecot if you update openssl.
- you need to remember that.
about the bad scenario.... what prevents hacking the libc? what the hell should we hack openssl here? we already have root. what prevents us from hacking the dovecot binary too after we hacked the libopenssl?
so far so long i take the ease of maintenance and link dynamically.
so long
marcus
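A check that applies whichever way OpenSSL is linked: whether the directories the runtime linker searches, such as the crle default library path shown earlier in the thread, can be modified by any account other than root. This is an added example, not from the thread; `audit_lib_path` is a hypothetical name.

```shell
#!/bin/sh
# audit_lib_path PATHLIST
# PATHLIST is a colon-separated runtime library search path. Prints one
# verdict line per directory and returns 1 if any existing directory could
# be modified by an account other than root.
audit_lib_path() {
    rc=0
    set -f                          # no globbing while splitting on ':'
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs; set +f
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            continue
        fi
        # -d: the directory itself, -L: follow symlinks, -n: numeric owner
        verdict=$(ls -ldLn "$dir" | awk '{
            why = ""
            if ($3 != 0)                 why = why " owner-uid=" $3
            if (substr($1, 6, 1) == "w") why = why " group-writable"
            if (substr($1, 9, 1) == "w") why = why " world-writable"
            print (why == "" ? "OK" : "RISK" why)
        }')
        echo "$verdict $dir"
        case $verdict in RISK*) rc=1 ;; esac
    done
    return $rc
}

# The default library path from the crle output quoted in the thread.
audit_lib_path "/usr/lib:/opt/openssl/lib:/opt/BerkeleyDB/lib:/usr/local/lib" || true
```

A `MISSING` entry is reported but not counted as a finding; the function only judges directories that exist.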
Hello Gary & all the other contributors,
Gary Gendel, 09.10.2005 (d.m.y):
> The -ldl means that you wish to load the library that is used to dynamically load shared libraries.

Ah, I see.
Do you have an idea why this is necessary on one of my Solaris systems, but not on the other?

> If you really needed to do this then this brings up a small issue.
>
> It is usually NOT a good idea to have openssl as a shareable library. This opens up a serious vulnerability. Take this scenario...
>
> A person manages to gain root privileges. He replaces the openssl shareable library with a hacked version (say with a backdoor). In doing so, he's circumvented every program that uses openssl for security and gained full access via lots of entry points (web services, ssh services, etc.).
>
> My suggestion is to build a static openssl library and then you won't need to add the -ldl option.

I'll consider that.
Thanks to all of you!!
Regards, Christian
-- What use is it to be a beautiful pig if one has a human face.
participants (7)
- Andy Cravens
- Christian Schmidt
- Christian Schmidt
- Gary Gendel
- Jeff A. Earickson
- Magnus Holmgren
- Marcus Rueckert