v2.2.26.0 released

Michael A. Peters mpeters at domblogger.net
Wed Nov 2 12:24:00 UTC 2016


Indeed, which is why I use it.

But it also is in the minority which is why I find it acceptable for 
FLOSS projects like dovecot to elect to only un-officially support 
LibreSSL via a community maintained patch.

One of the reasons why OpenSSL was forked is because they were trying to 
support so many platforms that it made the code a real mess. Don't want 
the same to happen to another project because of it.

Especially with places like github that make it easy for members of the 
community to create and maintain such a patch, it may be the best option 
if the project itself doesn't have someone who can officially maintain 
LibreSSL support.

On 11/02/2016 05:08 AM, Ruga wrote:
> libressl is a leaner and safer openssl
>
> Sent from ProtonMail Mobile
>
>
> On Wed, Nov 2, 2016 at 12:39 PM, Michael A. Peters <'mpeters at domblogger.net'> wrote:
> IMHO it would be acceptable to have a LibreSSL patch that is maintained
> by the people who want it.
>
> It's free software, and that kind of is the point of Open Source.
>
> On 11/02/2016 04:36 AM, Michael A. Peters wrote:
>> They have stated they are going to remain API compatible with 1.0.1h (or
>> g, forget which they forked) - their new stuff is outside of libcrypto.
>>
>> On 11/02/2016 04:25 AM, Aki Tuomi wrote:
>>> It does work today, I am just bit worried that it will keep on breaking
>>> with libressl as they evolve their API. I would personally like to avoid
>>> more ifdef hell if possible...
>>>
>>> Aki
>>>
>>>
>>> On 02.11.2016 13:22, Michael A. Peters wrote:
>>>> Standard way to fix it (on the LibreSSL page) is to check for
>>>> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think
>>>> catches them all where needed. Note the word think.
>>>>
>>>> It certainly appears to be working anyway with it.
>>>>
>>>> On 11/02/2016 04:07 AM, Aki Tuomi wrote:
>>>>> After doing some testing by myself, I noticed that libressl, for some
>>>>> unknown reason, defines
>>>>>
>>>>> #define OPENSSL_VERSION_NUMBER 0x20000000L
>>>>>
>>>>> No idea why they decided to advertise that they are OpenSSL v2.0.0. A
>>>>> local fix, if you need one, is to use
>>>>>
>>>>> #if OPENSSL_VERSION_NUMBER == 0x20000000L
>>>>> #define OPENSSL_VERSION_NUMBER 0x1000100L
>>>>> #endif
>>>>>
>>>>> in dcrypt-openssl.c after includes.
>>>>>
>>>>> Aki
>>>>>
>>>>>
>>>>> On 02.11.2016 12:39, Aki Tuomi wrote:
>>>>>> Hi!
>>>>>>
>>>>>> Those are used if
>>>>>>
>>>>>> #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>>>>>>
>>>>>> So (your) libressl is providing this define. We compile our code using
>>>>>> GCC and CLANG regularly, with OpenSSL v1.0.x which is the currently
>>>>>> officially supported one.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>>
>>>>>> On 02.11.2016 12:34, Ruga wrote:
>>>>>>> dovecot 2.2.26.0 uses the following functions, which are not
>>>>>>> available on libressl 2.4.3:
>>>>>>>
>>>>>>> HMAC_CTX_new
>>>>>>> HMAC_CTX_free
>>>>>>> EVP_PKEY_get0_EC_KEY
>>>>>>> EVP_PKEY_get0_RSA
>>>>>>> OBJ_length
>>>>>>> EVP_MD_CTX_new
>>>>>>> EVP_MD_CTX_free
>>>>>>>
>>>>>>> The result of calling a non-existent function is a runtime error,
>>>>>>> and we do not want that on production servers.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> There are additional problems. I recommend compiling with clang-llvm
>>>>>>> 3.9.0
>>>>>>> to see them all.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -------- Original Message --------
>>>>>>> Subject: Re: v2.2.26.0 released
>>>>>>> Local Time: 1 November 2016 7:30 PM
>>>>>>> UTC Time: 1 November 2016 18:30
>>>>>>> From: aki.tuomi at dovecot.fi
>>>>>>> To: Dovecot Mailing List <dovecot at dovecot.org>, Ruga
>>>>>>> <ruga at protonmail.com>
>>>>>>>
>>>>>>> OpenSSL v1.0.1 is enough.
>>>>>>>
>>>>>>> Aki
>>>>>>>
>>>>>>>> On November 1, 2016 at 7:46 PM Ruga <ruga at protonmail.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> We cannot upgrade from 2.2.24, because we use libressl and the newer
>>>>>>>> dovecot versions demand openssl v1.1.
>>>>>>>>
>>>>>>>> Please add the new library requirement to the INSTALL file.
>>>>>>>>
>>>>>>>> All the best.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------- Original Message --------
>>>>>>>> Subject: v2.2.26.0 released
>>>>>>>> Local Time: 28 October 2016 6:51 PM
>>>>>>>> UTC Time: 28 October 2016 16:51
>>>>>>>> From: tss at iki.fi
>>>>>>>> To: dovecot-news at dovecot.org, Dovecot Mailing List
>>>>>>>> <dovecot at dovecot.org>
>>>>>>>>
>>>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz
>>>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz.sig
>>>>>>>>
>>>>>>>> v2.2.26 had a couple of nasty bugs left in it, so here's a fixup
>>>>>>>> release. The version number is also a little bit weird, but had to
>>>>>>>> be done this way (although 2.2.26.0.1 could have been another
>>>>>>>> possibility).
>>>>>>>>
>>>>>>>> - Fixed some compiling issues.
>>>>>>>> - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
>>>>>>>> multiple passdbs.
>>>>>>>> - auth: Fixed crash when exporting to auth-worker passdb extra
>>>>>>>> fields
>>>>>>>> that had empty values.
>>>>>>>> - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit
>>> >



More information about the dovecot mailing list