openssl

Scott Haneda talklists at newgeo.com
Mon Jul 13 12:19:47 PDT 2009


>>>> What I do know, is ASSP needs p5-net-ssleay, there is a suspicion
>>>> that the openssl version I am working against is too old, or too
>>>> buggy, so I need to try to solve that.
>>>
>>> Hard to say without knowing how things aren't working; I know some
>>> software
>>> doesn't like when you compile using one version of headers then
>>> link against
>>> a different version of libraries.
>>
>> ASSP is an email proxy; it supports SSL and TLS mostly by using p5's
>> to make it all happen.  The setup is Internet -> ASSP -> MTA
>>
>> If I make an SSL- or TLS-enabled connection directly to the MTA on port
>> 25, SSL and/or TLS will work fine.
>>
>> If I make a connection to the ASSP proxy, it works some of the time.
>> I send an email from the command line:
>> `mail user at remote-mta-machine`
>> This will always work
>>
>> `mail user at assp-proxy` this simply hits port 25, which is set to
>> proxy to the far end MTA.  It fails the SSL parts entirely.  Some
>> hosts that I send the `mail` command from work, others do not. I
>> subscribed to a few mailing lists, some get through, some do not.
>
> Some addresses working and others not, that doesn't sound like an
> initial connection issue (which would implicate SSL/TLS) but something
> after that.  By 'fails the SSL parts entirely' what exactly do you mean,
> does it fail to finish the initial TCP handshake, fail to verify the
> cert, something else?

I wish I knew.  This is a hard one for me to debug.  Basically, an email
from the outside world comes in, hits the proxy on port 25, and all I
see in the ASSP logs is "starting SSL connection" and "SSL connection
failed, problem with MTA?".  Not the exact verbiage, but the basics are
the same.

In some cases I can get this to happen with a machine I am in control of,
so I can look at the logs on that sending machine.  I just get a dropped
connection, and the mail is queued up and will be tried again later.
Curiously, in 5 hours or so, they can sometimes make it through.

>> I can use openssl as a client, and connect to the remote far end MTA
>> just fine, connecting to ASSP, and I get the connection, but that is
>> as far as I get.
>
> If you can see the cert (eg, by using --showcerts with s_client) then
> that sounds like SSL/TLS is working fine.

I thought so too, and those work on the machines I have access to where
I can make tests.  However, if I let a local delivery agent try, it will
not work.

>> I know what p5's ASSP installs, and can easily tell what dependencies
>> I need to track down to look at.  However, those depend on perl,
>> which was installed, and curses was installed;  a lot of other things
>> too.  Can I be reasonably confident, if any of those use openssl libs
>> and headers, I need not run otool on them, and do any checking?
>
> The big problem is that for any new ports, checking linkage is a good
> thing, especially for bits that get loaded into larger programs (like
> perl modules).  If you aren't careful you can end up with one part
> linking to the system library and another part to the MacPorts
> equivalent.  This can then lead to version mismatches and software
> crashing.

I checked the better part of the libs with otool, and all seems to be in
order.  I went as far as installing this whole batch via CPAN, and got
the same problems as well.

>> Can you show me how you tried them, I was not able to get them to
>> work, but all I did was `perl filename` which probably was not a
>> valid way to test.  I really do not know perl, or SSL vocabulary well
>> enough to properly test these out.
>
> After it built (I have port's autoclean off so the build dir was still
> available), I simply move into the top dir for p5-io-socket-ssl (the
> one with the example directory among others).  From here, I ran
>
> $ /opt/local/bin/perl5.8 example/ssl_server.pl
>
> in one terminal and the ssl_client.pl in another, and watched those
> talk fine.  Leaving the ssl_server process up, I then used
>
> $ openssl s_client -connect localhost:9000 -showcerts -debug
>
> to connect to the server and verify it was able to get the cert, which
> it did.

I downloaded the source in order to get the examples directory.  I then
ran this:

$ /opt/local/bin/perl5.8 ssl_server.pl
unable to create socket: IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)

Am I doing something wrong, how were you able to get that to work?

-- 
Scott * If you contact me off list replace talklists@ with scott@ *
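The listener-plus-s_client check described in the quoted reply, as an added example that is not part of this thread and not code from ASSP, IO::Socket::SSL or MacPorts. It assumes the openssl command-line tool is on PATH, stands in `openssl s_server` for example/ssl_server.pl so the client side can be tested on its own, uses 127.0.0.1:9000 (the port from the thread) and a throwaway self-signed certificate generated on the spot, and adds the `-starttls smtp` form of the same check for a proxy on port 25. Every host, port and path below is an assumption for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): isolate "does the TLS listener work"
# from "does the SMTP proxy work" by running a known-good TLS server and
# pointing openssl s_client at it, then reusing the client check for SMTP.
# Assumes: openssl on PATH; 127.0.0.1:9000 is free (port taken from the thread).

WORK="${TMPDIR:-/tmp}/tls-check.$$"           # scratch dir, removed on cleanup
TLS_CHECK_PORT="${TLS_CHECK_PORT:-9000}"       # assumed free local port

# Throwaway self-signed cert for the local server (constructed test material).
make_test_cert() {
    command -v openssl >/dev/null 2>&1 || return 1
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Stand-in for example/ssl_server.pl: a plain openssl s_server on the port.
start_test_server() {
    openssl s_server -accept "$TLS_CHECK_PORT" -cert "$WORK/cert.pem" \
        -key "$WORK/key.pem" -www >"$WORK/server.log" 2>&1 &
    echo "$!" >"$WORK/server.pid"
    sleep 1                                    # give the listener time to bind
}

stop_test_server() {
    [ -f "$WORK/server.pid" ] && kill "$(cat "$WORK/server.pid")" 2>/dev/null
    rm -rf "$WORK"
}

# The client half of the thread's check: handshake, pull the chain with
# -showcerts, print the protocol and verify lines, and succeed only if a
# certificate actually came back (a TCP connect alone is not enough).
tls_handshake_check() {
    host="$1"; port="$2"
    out=$(openssl s_client -connect "$host:$port" -showcerts </dev/null 2>&1)
    printf '%s\n' "$out" | grep -E '^(New, |Verify return code)'
    printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'
}

# Same check for an SMTP proxy on port 25, which only speaks TLS after
# STARTTLS; a self-signed cert shows up here as a non-zero verify code,
# which is a different failure from no handshake at all.
smtp_starttls_check() {
    host="$1"; port="${2:-25}"
    openssl s_client -starttls smtp -connect "$host:$port" -showcerts </dev/null 2>&1 \
        | grep -E '^(New, |Verify return code|250 )'
}

# End-to-end local run: returns 0 when the client retrieved a certificate.
run_local_check() {
    if ! make_test_cert || ! start_test_server; then
        stop_test_server
        return 1
    fi
    tls_handshake_check 127.0.0.1 "$TLS_CHECK_PORT"
    rc=$?
    stop_test_server
    return "$rc"
}
```

If `run_local_check` passes but `smtp_starttls_check your-assp-host` never prints a `New,` line, the TLS library and the client are fine and the failure is in the proxy's STARTTLS handling; if it prints `Verify return code` with a non-zero number, the handshake itself completed and the problem is certificate trust, not the library version.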
