Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#78879 - opensmtpd crashes when establishing ssl connection
Attached to Project:
Arch Linux
Opened by grmat (grmat) - Saturday, 24 June 2023, 12:44 GMT
Last edited by T.J. Townsend (blakkheim) - Saturday, 24 June 2023, 20:36 GMT
Details

Description:
After updating to opensmtpd 7.3.0p0-1, smtpd keeps crashing when trying to connect via TLS, for both incoming and outgoing mail.

Steps to reproduce:
- install smtpd, libressl
- run server with sample conf, containing:

    # SMTPS (465)
    listen on x.x.x.x smtps pki [domain]
    # SMTP+STARTTLS (25)
    listen on x.x.x.x tls-require pki [domain]
    # submission (587)
    listen on x.x.x.x port submission tls-require pki [domain] auth filter rspamd

- try to receive or send mails
- try establishing only an SSL connection with openssl:
  `openssl s_client -quiet -starttls smtp -crlf -connect [domain]:25`

For me, it doesn't crash when building against openssl instead of libressl (in PKGBUILD):

- --with-cflags='-I/usr/include/libressl -L/usr/lib/libressl -Wl,-rpath=/usr/lib/libressl'
+ --with-cflags='-I/usr/include/libssl -L/usr/lib/libssl -Wl,-rpath=/usr/lib/libssl'

Sorry, I have no stack trace. Why is it built against libressl in the first place?
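Review bot: the `+` line only rewrites the include/library search paths and rpath to `/usr/include/libssl` and `/usr/lib/libssl`; nothing in the report shows that those directories exist or that the rebuilt smtpd actually links against OpenSSL's libssl rather than falling back to the default search paths. Since no stack trace is available, please attach `ldd` output for the rebuilt binary (and the crashing one) so the maintainer can confirm which libssl/libtls is loaded in each case.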
LibreSSL seems to be recommended as per https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/7.3.0p0.
The release notes also state that "LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use the bundled one using the --with-bundled-libtls configure flag until it is updated." Should that flag be added?
OpenSMTPD is developed by OpenBSD, which is where LibreSSL comes from. The release notes say the following:
"This release builds with LibreSSL, or OpenSSL > 1.1.1 optionally with
LibreTLS.
LibreTLS 3.7.0 has a known regression with OpenSSL 3+, so please use
the bundled one using the --with-bundled-libtls configure flag until
it is updated.
It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
with that dependency. OpenSSL library is considered as a best effort
target TLS library and provided as a commodity, LibreSSL has become our
target TLS library."
I'll be glad to try temporarily building with OpenSSL and the bundled libtls for a short-term fix. Could you please report this upstream with a stack trace?
- OpenSSL + LibreTLS
- LibreSSL
The release notes lead me to believe that "--with-bundled-libtls" is only for building with OpenSSL (which we're not doing currently) and is only a temporary workaround for a bug in LibreTLS. Despite the name, LibreTLS is not related to LibreSSL.
To work around the apparent LibreSSL bug described in this report, we could switch to a combination of OpenSSL + LibreTLS as in the diff attached. If OP is fine with that and can report the actual bug upstream, that's what I'd like to do for the moment.
+1 to the approach you proposed. Thank you!
> OpenSSL library is considered as a best effort target TLS library and provided as a commodity
That's the reason why I thought it might be fair to ship along with libssl. But I'm not into that, so forget about it.
> It's in extra-testing now. grmat please give it a try if you would.
LGTM.