Control: tag -1 help

Hi Kurt,

maybe you can help me get sendmail (which I have been QA maintaining for some years now) to work with the new openssl.

On 2016-06-26 12:24, Kurt Roeckx wrote:
> https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/sendmail_8.15.2-4_amd64-20160529-1535
> If you have problems making things work, feel free to contact us.

In debian/configure.ac we have

    if test $ac_cv_header_openssl_ssl_h = yes; then
        AC_CHECK_LIB(ssl, SSL_library_init,
            [sm_have_tls=yes]
            ,[sm_have_tls=no]
            ,[-lcrypto])
        if test $sm_have_tls != yes; then
            AC_MSG_WARN([Could not find -lssl (libssl-dev)])
        fi;
    fi;

which fails. The whole autotools stuff is only used for the debian packaging.

That fails because SSL_library_init is now a macro instead of a function. Maybe this check is superfluous and could just be removed.

If I do this, building fails due to some API changes:

    gcc -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIC -I. -I../../include -DSOCKETMAP -DMAP_REGEX -DNEWDB -DNIS -DNISPLUS -DLDAPMAP -DHASFCHMOD=1 -DHASSETRLIMIT=1 -DHASFLOCK=0 -DUSESETEUID=1 -DHASGETUSERSHELL=1 -DNETINET6 -D_PATH_SENDMAILPID=\"/var/run/sendmail/mta/sendmail.pid\" -DIP_SRCROUTE=1 -DLDAP_REFERRALS -D_FFR_LDAP_URI -D_FFR_LDAP_SETVERSION -DLDAP_DEPRECATED -DTCPWRAPPERS -DSASL -I/usr/include/sasl -DSTARTTLS -D_FFR_QUEUE_SCHED_DBG -D_FFR_SKIP_DOMAINS -D_FFR_GROUPREADABLEAUTHINFOFILE -D_FFR_DAEMON_NETUNIX -D_FFR_NO_PIPE -D_FFR_SHM_STATUS -D_FFR_RHS -D_FFR_MAIL_MACRO -D_FFR_QUEUEDELAY=1 -D_FFR_BADRCPT_SHUTDOWN -D_FFR_RESET_MACRO_GLOBALS -D_FFR_TLS_1 -D_FFR_TLS_EC -D_FFR_DEAL_WITH_ERROR_SSL -Wdate-time -D_FORTIFY_SOURCE=2 -c -o tls.o tls.c
    tls.c: In function 'get_dh512':
    tls.c:70:4: error: dereferencing pointer to incomplete type 'DH {aka struct dh_st}'
     dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
       ^
    tls.c: In function 'inittls':
    tls.c:929:22: warning: implicit declaration of function 'BIO_s_file_internal' [-Wimplicit-function-declaration]
     crl_file = BIO_new(BIO_s_file_internal());
                        ^
    tls.c:929:22: warning: passing argument 1 of 'BIO_new' makes pointer from integer without a cast [-Wint-conversion]
    In file included from /usr/include/openssl/ssl.h:48:0,
                     from ./sendmail.h:125,
                     from tls.c:11:
    /usr/include/openssl/bio.h:538:6: note: expected 'const BIO_METHOD * {aka const struct bio_method_st *}' but argument is of type 'int'
     BIO *BIO_new(const BIO_METHOD *type);
          ^
    tls.c:1006:6: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
     (rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL,
     ^
    In file included from /usr/include/openssl/rsa.h:13:0,
                     from /usr/include/openssl/x509.h:31,
                     from /usr/include/openssl/ssl.h:50,
                     from ./sendmail.h:125,
                     from tls.c:11:
    /usr/include/openssl/rsa.h:193:1: note: declared here
     DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
     ^
    tls.c:1213:4: warning: 'DSA_generate_parameters' is deprecated [-Wdeprecated-declarations]
     dsa = DSA_generate_parameters(bits, NULL, 0, NULL,
     ^
    In file included from /usr/include/openssl/dh.h:13:0,
                     from /usr/include/openssl/dsa.h:31,
                     from /usr/include/openssl/x509.h:32,
                     from /usr/include/openssl/ssl.h:50,
                     from ./sendmail.h:125,
                     from tls.c:11:
    /usr/include/openssl/dsa.h:121:1: note: declared here
     DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
     ^
    tls.c:1298:5: warning: implicit declaration of function 'SSL_CTX_set_tmp_rsa_callback' [-Wimplicit-function-declaration]
     SSL_CTX_set_tmp_rsa_callback(*ctx, tmp_rsa_key);
     ^
    tls.c: In function 'tmp_rsa_key':
    tls.c:1747:2: warning: 'RSA_generate_key' is deprecated [-Wdeprecated-declarations]
     rsa_tmp = RSA_generate_key(RSA_KEYLENGTH, RSA_F4, NULL, NULL);
     ^
    In file included from /usr/include/openssl/rsa.h:13:0,
                     from /usr/include/openssl/x509.h:31,
                     from /usr/include/openssl/ssl.h:50,
                     from ./sendmail.h:125,
                     from tls.c:11:
    /usr/include/openssl/rsa.h:193:1: note: declared here
     DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
     ^
    tls.c: In function 'x509_verify_cb':
    tls.c:1974:10: error: dereferencing pointer to incomplete type 'X509_STORE_CTX {aka struct x509_store_ctx_st}'
     if (ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)
            ^
    <builtin>: recipe for target 'tls.o' failed

The file in question is sendmail/tls.c

Since I'm used to neither openssl nor the sendmail source code (and I have no use for sendmail at all, now that it passes the piuparts tests), I'm not going to write a patch for supporting openssl 1.1.0 along 1.0.2. Instead I'll wait for either a new upstream release or some patch showing up somewhere, which may mean stretch could ship without sendmail.

Dear users of sendmail: Your help is needed in case you want to continue using sendmail in stretch!

Andreas
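
One way to keep the configure check quoted above working against both OpenSSL 1.0.2 and 1.1.0, as an added example that is not part of the original message or of the Debian packaging: AC_CHECK_LIB declares the symbol itself and never includes <openssl/ssl.h>, so it cannot see a macro, whereas a link test that includes the header resolves SSL_library_init either way. The names sm_cv_have_tls and sm_save_LIBS are assumptions made for this example.

```m4
dnl Added example, constructed for illustration. Replaces the
dnl AC_CHECK_LIB call on SSL_library_init in debian/configure.ac.
dnl
dnl OpenSSL 1.0.x exports SSL_library_init as a function.
dnl OpenSSL 1.1.0 defines it in the header as a macro that expands
dnl to OPENSSL_init_ssl, so only a test that includes the header
dnl links on both versions.
if test "$ac_cv_header_openssl_ssl_h" = yes; then
	AC_CACHE_CHECK([whether libssl can be linked via openssl/ssl.h],
		[sm_cv_have_tls],
		[sm_save_LIBS=$LIBS
		 LIBS="-lssl -lcrypto $LIBS"
		 AC_LINK_IFELSE(
			[AC_LANG_PROGRAM(
				[[#include <openssl/ssl.h>]],
				[[SSL_library_init();]])],
			[sm_cv_have_tls=yes],
			[sm_cv_have_tls=no])
		 LIBS=$sm_save_LIBS])
	dnl Keep the variable name the rest of the packaging expects.
	sm_have_tls=$sm_cv_have_tls
	if test "$sm_have_tls" != yes; then
		AC_MSG_WARN([Could not find -lssl (libssl-dev)])
	fi
fi
```

This only repairs library detection; the tls.c errors shown in the build log come from structures that became opaque and still need source changes.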

