Bug#828540: sendmail: FTBFS with openssl 1.1.0
Control: tag -1 help
Hi Kurt,

maybe you can help me get sendmail (which I'm QA maintaining for
some years now) to work with the new openssl.
On 2016-06-26 12:24, Kurt Roeckx wrote:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sendmail_8.15.2-4_amd64-20160529-1535
> If you have problems making things work, feel free to contact us.
In debian/configure.ac we have

    if test $ac_cv_header_openssl_ssl_h = yes; then
        AC_CHECK_LIB(ssl, SSL_library_init,
            [sm_have_tls=yes]
            ,[sm_have_tls=no]
            ,[-lcrypto])
        if test $sm_have_tls != yes; then
            AC_MSG_WARN([Could not find -lssl (libssl-dev)])
        fi;
    fi;

which fails. The whole autotools stuff is only used for the debian packaging.
That fails because SSL_library_init is now a macro instead of a function.
Maybe this check is superfluous and could just be removed.
If I do this, building fails due to some API changes:
gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I. -I../../include -DSOCKETMAP -DMAP_REGEX -DNEWDB -DNIS -DNISPLUS -DLDAPMAP -DHASFCHMOD=1 -DHASSETRLIMIT=1 -DHASFLOCK=0 -DUSESETEUID=1 -DHASGETUSERSHELL=1 -DNETINET6 -D_PATH_SENDMAILPID=\"/var/run/sendmail/mta/sendmail.pid\" -DIP_SRCROUTE=1 -DLDAP_REFERRALS -D_FFR_LDAP_URI -D_FFR_LDAP_SETVERSION -DLDAP_DEPRECATED -DTCPWRAPPERS -DSASL -I/usr/include/sasl -DSTARTTLS -D_FFR_QUEUE_SCHED_DBG -D_FFR_SKIP_DOMAINS -D_FFR_GROUPREADABLEAUTHINFOFILE -D_FFR_DAEMON_NETUNIX -D_FFR_NO_PIPE -D_FFR_SHM_STATUS -D_FFR_RHS -D_FFR_MAIL_MACRO -D_FFR_QUEUEDELAY=1 -D_FFR_BADRCPT_SHUTDOWN -D_FFR_RESET_MACRO_GLOBALS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_DEAL_WITH_ERROR_SSL -Wdate-time -D_FORTIFY_SOURCE=2 -c -o tls.o tls.c
tls.c: In function 'get_dh512':
tls.c:70:4: error: dereferencing pointer to incomplete type 'DH {aka struct dh_st}'
dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
^
tls.c: In function 'inittls':
tls.c:929:22: warning: implicit declaration of function 'BIO_s_file_internal' [-Wimplicit-function-declaration]
crl_file = BIO_new(BIO_s_file_internal());
^
tls.c:929:22: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast [-Wint-conversion]
In file included from /usr/include/openssl/ssl.h:48:0,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/bio.h:538:6: note: expected 'const BIO_METHOD * {aka const struct bio_method_st *}' but argument is of type 'int'
BIO *BIO_new(const BIO_METHOD *type);
^
tls.c:1006:6: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
(rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
^
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c:1213:4: warning: 'DSA_generate_parameters' is deprecated [-Wdeprecated-declarations]
dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
^
In file included from /usr/include/openssl/dh.h:13:0,
from /usr/include/openssl/dsa.h:31,
from /usr/include/openssl/x509.h:32,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/dsa.h:121:1: note: declared here
DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
^
tls.c:1298:5: warning: implicit declaration of function 'SSL_CTX_set_tmp_rsa_callback' [-Wimplicit-function-declaration]
SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
^
tls.c: In function 'tmp_rsa_key':
tls.c:1747:2: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
^
In file included from /usr/include/openssl/rsa.h:13:0,
from /usr/include/openssl/x509.h:31,
from /usr/include/openssl/ssl.h:50,
from ./sendmail.h:125,
from tls.c:11:
/usr/include/openssl/rsa.h:193:1: note: declared here
DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
^
tls.c: In function 'x509_verify_cb':
tls.c:1974:10: error: dereferencing pointer to incomplete type 'X509_STORE_CTX {aka struct x509_store_ctx_st}'
if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
^
<builtin>: recipe for target 'tls.o' failed
The file in question is sendmail/tls.c
Since I'm used to neither openssl nor the sendmail source code (and I
have no use for sendmail at all, now that it passes the piuparts
tests), I'm not going to write a patch for supporting openssl 1.1.0
along 1.0.2.
Instead I'll wait for either a new upstream release or some patch
showing up somewhere, which may mean stretch could ship without
sendmail.
Dear users of sendmail: Your help is needed in case you want to
continue using sendmail in stretch!
Andreas
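
Added example, not part of the original message or of the Debian packaging: one way to keep the debian/configure.ac probe working with both OpenSSL 1.0.2 and 1.1.0 is to link a small test program that includes <openssl/ssl.h>, so that SSL_library_init resolves whether it is a function or a macro. The variable name sm_save_LIBS is an assumption made here; the other names come from the fragment quoted in the message.

```m4
if test "$ac_cv_header_openssl_ssl_h" = yes; then
	# AC_CHECK_LIB declares the symbol itself and never includes the
	# header, so it cannot see a name that exists only as a macro.
	# Linking a program that includes the header works in both cases.
	# sm_save_LIBS is a hypothetical helper variable for this example.
	sm_save_LIBS="$LIBS"
	LIBS="-lssl -lcrypto $LIBS"
	AC_MSG_CHECKING([whether SSL_library_init links against -lssl])
	AC_LINK_IFELSE(
		[AC_LANG_PROGRAM([[#include <openssl/ssl.h>]],
			[[SSL_library_init();]])],
		[sm_have_tls=yes],
		[sm_have_tls=no])
	AC_MSG_RESULT([$sm_have_tls])
	# The original check passed an explicit action-if-found, which
	# leaves LIBS untouched; restore it to keep that behaviour.
	LIBS="$sm_save_LIBS"
	if test "$sm_have_tls" != yes; then
		AC_MSG_WARN([Could not find -lssl (libssl-dev)])
	fi
fi
```

This only repairs the configure-time detection; the compile errors in sendmail/tls.c shown above are a separate porting task.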