[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Steffen Nurpmeso via Postfix-users
Viktor Dukhovni via Postfix-users wrote in
 :
 |On Sat, Jun 08, 2024 at 07:12:01PM -0400, Wietse Venema via Postfix-users \
 |wrote:
 |>>|>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
 |>>|>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
 |>>|>   be compatible with OpenSSL 3.2.0
 |>>  ...
 |>>|[.] OpenSSL 3.2.0 and 3.3.0
 |>>|are ABI and API compatible. I would not expect to see a warning or
 |>>|error. See .
 |> 
 |> Some irrelevant background: that document covers OpenSSL 3.0 and
 |> later (earlier releases use a different versioning scheme).
 |
 |Correct.  OpenSSL 3.0 updated the ABI contract to more closely align
 |with other "more typical" projects.  Hence the SONAMEs of OpenSSL 3.x
 |libraries  (libssl and libcrypto) now just end in ".so.3" with the minor
 |number absent, which is how the reporter ended up being able to run with
 |a newer library.
 |
 |While newer minor numbers are compatible, older minor numbers may be
 |lacking newly introduced functions.  We could consider skipping the
 |warning for 3.x onward, so long as the minor version is not older than
 |expected.

That sounds cool.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Steffen Nurpmeso via Postfix-users
Wietse Venema via Postfix-users wrote in
 <4vxyjs1khtzj...@spike.porcupine.org>:
 |>  ...
 |>|>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
 |>|>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
 |>|>   be compatible with OpenSSL 3.2.0
 |>  ...
 |>|[.] OpenSSL 3.2.0 and 3.3.0
 |>|are ABI and API compatible. I would not expect to see a warning or
 |>|error. See .
 |
 |Some irrelevant background: that document covers OpenSSL 3.0 and
 |later (earlier releases use a different versioning scheme).
 |
 |>|From the document under Minor Release:
 |>|
 |>|A minor release is indicated by changing the second number of the
 |>|version. A minor release can, and generally will, introduce new
 |>|features. However both the API and ABI will be preserved.
 |
 |That same document says under "Patch release":
 |
 |A patch release is indicated by changing the final number of
 |the version. A patch release will only contain bug and security
 |fixes. Both the API and ABI will remain compatible across patch
 |releases.
 |
 |Note that only the text for "Patch release" promises that the "Both
 |the API and ABI will remain compatible".

Hm, you have read the page, and i think Jeffrey is right in noting
that, effectively, the postfix log message is technically false.

However i also think the OpenSSL page is very confusing, as you
correctly point out, since

  For example, a program built with OpenSSL release 3.0.1 will be
  able to run with OpenSSL 3.1.0 but might not be able to take
  advantage of new features without modification.

how could a program compiled for 3.0.1 use features at all which
were introduced with a later minor version.
Btw they also say it *could* happen also here, with the same
"Exceptions to these rules require a vote by the OMC." clause they
use for API/ABI breakage for minor releases.

 |Based on that, Postfix will not complain when the build-time and
 |run-time versions differ only in the Patch release number.

Yes, i know what it does, since i think i now have opened the
third issue on AlpineLinux, all in all, (this time i only reopened
the last one, that much is plain), in order to reduce the lengthy
log overhead (my logs rotate after 200 kilobytes).

 |> This is postfix.  I must say, out of my head i have no idea
 |> whether it has always been like that for minor releases for one,
 |> and whether that is also true for LibreSSL, and the other SSL
 |> libraries that postfix possibly works with.  And AlpineLinux did
 |> use LibreSSL for some time in the past.
 |
 |Postfix 3.6 and later pretty much require OpenSSL.

I like and use the config stuff whenever possible, and support the
generalized config file support (i even think it was me who
sparked the idea), it is a bit sad it is not overall supported..
(Despite the terrible syntax, wouldn't it be tremendous if all
servers of a box could be TLS-configured via this single file;
then again, today, each and every one is boxed, and no one wants to
reveal secrets of the others, heh, well, but i for one still like
the idea very much, and support even user application support, at
least as a generic default template picked up like that.)
That is, i have not looked how you have implemented it in postfix,
and then there is Viktor who sails on hardcore paths in this area.

Btw, for the MUA i maintain, i have two "log obsoleted"
mechanisms, one generic for marked variables, or that

  #define n_OBSOLETE(X) \
  do if(!su_state_has(su_STATE_REPRODUCIBLE) && !ok_blook(quiet)){\
 static boole su_CONCAT(a__warned__, __LINE__);\
 if(!su_CONCAT(a__warned__, __LINE__)){\
su_CONCAT(a__warned__, __LINE__) = TRU1;\
n_err("%s: %s\n", _("Obsoletion warning"), X);\
 }\
  }while(0)
  #define n_OBSOLETE2(X,Y) \
  do if(!su_state_has(su_STATE_REPRODUCIBLE) && !ok_blook(quiet)){\
 static boole su_CONCAT(a__warned__, __LINE__);\
 if(!su_CONCAT(a__warned__, __LINE__)){\
su_CONCAT(a__warned__, __LINE__) = TRU1;\
n_err("%s: %s: %s\n", _("Obsoletion warning"), X, Y);\
 }\
  }while(0)

I hate it and dream of the day all these terrible things have
vanished.

P.S.: i did not respond in another thread, this is the postfix
list and not my one, but it contained these paragraphs that i now
include nonetheless while i am here:

   |Google wants your smtp_helo_name (default: $myhostname) to have an SPF
   |policy.
  
  I had my SPF record deleted for at least a month, without just any
  problems; i had DKIM, then.  Thereafter some German server gave
  "550 [SPF]", and though i complained i reinstantiated the SPF
  record (which has ~all, so i do not understand how this can be
  useful, but so it is).
  
  However, if i recall correctly he said he cannot DKIM sign, so
  there is nothing at all to identify his server even on hop one.

and

  P.S.: i will no longer post it here, but i had released v0.6.2 of
  s

[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Viktor Dukhovni via Postfix-users
On Sat, Jun 08, 2024 at 07:12:01PM -0400, Wietse Venema via Postfix-users wrote:

> >  |>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
> >  |>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
> >  |>   be compatible with OpenSSL 3.2.0
> >  ...
> >  |[.] OpenSSL 3.2.0 and 3.3.0
> >  |are ABI and API compatible. I would not expect to see a warning or
> >  |error. See .
> 
> Some irrelevant background: that document covers OpenSSL 3.0 and
> later (earlier releases use a different versioning scheme).

Correct.  OpenSSL 3.0 updated the ABI contract to more closely align
with other "more typical" projects.  Hence the SONAMEs of OpenSSL 3.x
libraries  (libssl and libcrypto) now just end in ".so.3" with the minor
number absent, which is how the reporter ended up being able to run with
a newer library.

While newer minor numbers are compatible, older minor numbers may be
lacking newly introduced functions.  We could consider skipping the
warning for 3.x onward, so long as the minor version is not older than
expected.

-- 
Viktor.


[pfx] Re: Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Wietse Venema via Postfix-users
>  ...
>  |>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
>  |>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
>  |>   be compatible with OpenSSL 3.2.0
>  ...
>  |[.] OpenSSL 3.2.0 and 3.3.0
>  |are ABI and API compatible. I would not expect to see a warning or
>  |error. See .

Some irrelevant background: that document covers OpenSSL 3.0 and
later (earlier releases use a different versioning scheme).

>  |From the document under Minor Release:
>  |
>  |A minor release is indicated by changing the second number of the
>  |version. A minor release can, and generally will, introduce new
>  |features. However both the API and ABI will be preserved.

That same document says under "Patch release":

A patch release is indicated by changing the final number of
the version. A patch release will only contain bug and security
fixes. Both the API and ABI will remain compatible across patch
releases.

Note that only the text for "Patch release" promises that the "Both
the API and ABI will remain compatible".

Based on that, Postfix will not complain when the build-time and
run-time versions differ only in the Patch release number.

> This is postfix.  I must say, out of my head i have no idea
> whether it has always been like that for minor releases for one,
> and whether that is also true for LibreSSL, and the other SSL
> libraries that postfix possibly works with.  And AlpineLinux did
> use LibreSSL for some time in the past.

Postfix 3.6 and later pretty much require OpenSSL.

Wietse
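As an added illustration of the two policies discussed in the posts above (the behaviour Wietse describes, where only a difference in the last version component is tolerated, and Viktor's proposed relaxation for 3.x, where a run-time minor that is not older than the compile-time minor is silently accepted), here is example code that is not Postfix's own. It works on OPENSSL_VERSION_NUMBER-style packed integers, using the layouts from opensslv.h ((MAJOR<<28)|(MINOR<<20)|(PATCH<<4)|status for 3.x, MNNFFPPS for 1.x), so it runs without OpenSSL installed. The function names, the strict/relaxed split and the handling of 1.x are the example's own assumptions; the message text mirrors the log line quoted in the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Postfix source. Models the "run-time library vs.
 * compile-time header version mismatch" check on packed version numbers.
 * In a real program the two inputs would be OPENSSL_VERSION_NUMBER
 * (compile time) and OpenSSL_version_num() (run time).
 */

struct ssl_ver {
    unsigned major;
    unsigned minor;
    unsigned patch;   /* 3.x: patch; 1.x: the "fix" digit (the last 1 in 1.1.1) */
    unsigned letter;  /* 1.x only: patch letter, 1 = 'a' ...; always 0 for 3.x */
};

/*
 * OpenSSL >= 3.0 packs the version as (MAJOR<<28)|(MINOR<<20)|(PATCH<<4)|S.
 * OpenSSL 1.x used MNNFFPPS: major, minor, fix, patch letter, status.
 * The top nibble (major) tells the two layouts apart.
 */
struct ssl_ver unpack_version(unsigned long n)
{
    struct ssl_ver v;
    v.major = (unsigned)(n >> 28) & 0xf;
    if (v.major >= 3) {
        v.minor = (unsigned)(n >> 20) & 0xff;
        v.patch = (unsigned)(n >> 4) & 0xffff;
        v.letter = 0;
    } else {
        v.minor = (unsigned)(n >> 20) & 0xff;
        v.patch = (unsigned)(n >> 12) & 0xff;
        v.letter = (unsigned)(n >> 4) & 0xff;
    }
    return v;
}

/* Render like OpenSSL's own text form: "3.3.0", "1.1.1f". */
void format_version(unsigned long n, char *buf, size_t len)
{
    struct ssl_ver v = unpack_version(n);
    if (v.letter)
        snprintf(buf, len, "%u.%u.%u%c", v.major, v.minor, v.patch,
                 (char)('a' + v.letter - 1));
    else
        snprintf(buf, len, "%u.%u.%u", v.major, v.minor, v.patch);
}

/*
 * Return true when the daemon should log a mismatch warning.
 *
 * relaxed == false: only the last component (3.x patch, 1.x patch letter)
 *                   may differ without a warning.
 * relaxed == true:  for 3.x, same major plus a run-time minor that is not
 *                   older than the compile-time minor is silently OK, since
 *                   the shared SONAME (libssl.so.3) promises that; an older
 *                   minor may lack symbols the binary was built against.
 *                   1.x is unaffected, the proposal is for 3.x onward.
 */
bool version_mismatch(unsigned long hdr, unsigned long lib, bool relaxed)
{
    struct ssl_ver h = unpack_version(hdr), l = unpack_version(lib);

    if (h.major != l.major)
        return true;                      /* different SONAME family */
    if (h.major >= 3) {
        if (relaxed)
            return l.minor < h.minor;     /* newer-or-equal minor is fine */
        return h.minor != l.minor;        /* only the patch level may differ */
    }
    return h.minor != l.minor || h.patch != l.patch;   /* 1.x: letter only */
}

/* Fill msg with the warning text; return 1 if a warning applies, else 0. */
int mismatch_warning(unsigned long hdr, unsigned long lib, bool relaxed,
                     char *msg, size_t len)
{
    char hs[32], ls[32];

    if (!version_mismatch(hdr, lib, relaxed)) {
        if (len)
            msg[0] = '\0';
        return 0;
    }
    format_version(hdr, hs, sizeof hs);
    format_version(lib, ls, sizeof ls);
    snprintf(msg, len, "warning: run-time library vs. compile-time header "
             "version mismatch: OpenSSL %s may not be compatible with "
             "OpenSSL %s", ls, hs);
    return 1;
}

int main(void)
{
    /* The pair from the log line in this thread (constructed constants):
       built against 3.2.0 headers, running with libssl.so.3 from 3.3.0. */
    const unsigned long hdr = 0x3020000fUL;
    const unsigned long lib = 0x3030000fUL;
    char msg[256];

    if (mismatch_warning(hdr, lib, false, msg, sizeof msg))
        printf("strict:  %s\n", msg);
    else
        printf("strict:  no warning\n");
    if (mismatch_warning(hdr, lib, true, msg, sizeof msg))
        printf("relaxed: %s\n", msg);
    else
        printf("relaxed: no warning\n");
    return 0;
}
```

Whatever policy is chosen, the check is advisory: it cannot stop a binary from calling a symbol that an older libssl.so.3 does not export. With default lazy binding such a missing symbol surfaces only when the function is first called, possibly mid-session; linking with -z now (or running with LD_BIND_NOW=1) makes the loader fail at startup instead, which is the check a practitioner actually wants for the "older minor" case Viktor mentions.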


[pfx] Fwd: Re: ssl update needs rebuilds

2024-06-08 Thread Steffen Nurpmeso via Postfix-users
Jeffrey Walton (who is noloader at gmail) pointed out an
interesting point regarding some postfix log message that can be
seen on AlpineLinux edge (again).

--- Forwarded from Steffen Nurpmeso  ---
Date: Sat, 08 Jun 2024 02:44:46 +0200
Author: Steffen Nurpmeso 
...
Subject: Re: ssl update needs rebuilds
...

Jeffrey Walton wrote in
 :
 |On Fri, Jun 7, 2024 at 8:21 PM Steffen Nurpmeso  wrote:
 ...
 |> I also still get
 ...
 |>   Jun  7 23:41:16 outwall/smtpd[19222]: warning: run-time library \
 |>   vs. compile-time header version mismatch: OpenSSL 3.3.0 may not \
 |>   be compatible with OpenSSL 3.2.0
 ...
 |[.] OpenSSL 3.2.0 and 3.3.0
 |are ABI and API compatible. I would not expect to see a warning or
 |error. See .
 |
 |>From the document under Minor Release:
 |
 |A minor release is indicated by changing the second number of the
 |version. A minor release can, and generally will, introduce new
 |features. However both the API and ABI will be preserved.

This is postfix.  I must say, out of my head i have no idea
whether it has always been like that for minor releases for one,
and whether that is also true for LibreSSL, and the other SSL
libraries that postfix possibly works with.  And AlpineLinux did
use LibreSSL for some time in the past.
...
- End forward <20240608004446.W3sYGTD2@steffen%sdaoden.eu>

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)