Author Message

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Mon Jul 12, 2010 10:56 am Post subject: Brace for impact: OpenSSL 1.x in ~arch

I asked back in March for users to help testing new libpng, and few responded [1] but not nearly as many as I've hoped for.

Time has come to test OpenSSL 1.0.0 for ~arch inclusion.

Read the instructions from the old thread, just replace media-libs/libpng with dev-libs/openssl and apply. The bug to link new bugs against is https://bugs.gentoo.org/show_bug.cgi?id=304279

[1] https://forums.gentoo.org/viewtopic-t-818570-start-0-postdays-0-postorder-asc-highlight-libpng.html

Thanks!

Last edited by SamuliSuominen on Wed Jul 14, 2010 9:00 pm; edited 2 times in total

lewis
n00b
Joined: 07 Jul 2010
Posts: 6

Posted: Mon Jul 12, 2010 3:36 pm Post subject:

tried the link and I get:

'304279.' is not a valid bug number nor an alias to a bug.

?

Sadako
Advocate
Joined: 05 Aug 2004
Posts: 3792
Location: sleeping in the bathtub

Posted: Mon Jul 12, 2010 3:42 pm Post subject:

lewis wrote:
> tried the link and I get:
>
> '304279.' is not a valid bug number nor an alias to a bug.
>
> ?

The link wasn't enclosed in [url] tags, so phpbb created the hyperlink itself, and included the period at the end in the url...

https://bugs.gentoo.org/show_bug.cgi?id=304279

ssuominen, I'm not running ~arch, but I'd be happy to test this package on my otherwise mostly stable system, or test it in an ~arch chroot or vm if you really need testers.
_________________
"You have to invite me in"

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Mon Jul 12, 2010 4:06 pm Post subject:

Sadako wrote:
> lewis wrote:
> > tried the link and I get:
> >
> > '304279.' is not a valid bug number nor an alias to a bug.
> >
> > ?
>
> The link wasn't enclosed in [url] tags, so phpbb created the hyperlink itself, and included the period at the end in the url...
>
> https://bugs.gentoo.org/show_bug.cgi?id=304279
>
> ssuominen, I'm not running ~arch, but I'd be happy to test this package on my otherwise mostly stable system, or test it in an ~arch chroot or vm if you really need testers.

I've fixed the link in original post, sorry about that.

Testing for stable is not necessary yet, first we need to get packages working for ~arch.

Jaglover
Watchman
Joined: 29 May 2005
Posts: 7711
Location: Saint Amant, Acadiana

Posted: Mon Jul 12, 2010 11:06 pm Post subject:

~amd64, emerge rebuilt 15 packages, no errors.

Etal
Veteran
Joined: 15 Jul 2005
Posts: 1751

Posted: Tue Jul 13, 2010 2:29 am Post subject:

I'm having trouble with fetchmail:

Code:
$ fetchmail
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
140060031043240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1056:
fetchmail: SSL connection failed.
fetchmail: socket error while fetching from xxxxxxxx@gmail.com@pop.gmail.com
fetchmail: Query status=2 (SOCKET)

I know there are a bunch of symlinks that have some hash-like names in the certs directory, but I'm not sure what the correct way to fix this. Re-emerging ca-certificates didn't help. Should I try running c_rehash, or is there a better way to do it using Portage?

sera
Retired Dev
Joined: 29 Feb 2008
Posts: 1017
Location: CET

Posted: Tue Jul 13, 2010 1:01 pm Post subject:

dev-lang/ruby-1.8.7_p249:1.8::gentoo fails to build on stable amd64, 51 other packages compiled fine against openssl-1.0.0a. No apparent breakage at runtime so far.

ruby 1.8.7_p299 works according to bug https://bugs.gentoo.org/show_bug.cgi?id=304427

Etal
Veteran
Joined: 15 Jul 2005
Posts: 1751

Posted: Tue Jul 13, 2010 1:24 pm Post subject:

AM088 wrote:
> I'm having trouble with fetchmail:
>
> Code:
> $ fetchmail
> fetchmail: Server certificate verification error: unable to get local issuer certificate
> fetchmail: This means that the root signing certificate (issued for /C=US/O=Google Inc/CN=Google Internet Authority) is not in the trusted CA certificate locations, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page.
> 140060031043240:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1056:
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from xxxxxxxx@gmail.com@pop.gmail.com
> fetchmail: Query status=2 (SOCKET)
>
> I know there are a bunch of symlinks that have some hash-like names in the certs directory, but I'm not sure what the correct way to fix this. Re-emerging ca-certificates didn't help. Should I try running c_rehash, or is there a better way to do it using Portage?

OK, I ran:
Code:
# c_rehash /etc/ssl/certs/
and now fetchmail works again.

rh1
Guru
Joined: 10 Apr 2010
Posts: 501

Posted: Tue Jul 13, 2010 2:30 pm Post subject:

More than happy to help out.

Everything went fine for me after emerging new openssl, rebuilt 40+ packages, except for openoffice-bin. After every merge, I'd get the @preserved-rebuild message about it. Re-emerged it twice and still shows up. Will check more after work.

Etal
Veteran
Joined: 15 Jul 2005
Posts: 1751

Posted: Tue Jul 13, 2010 2:58 pm Post subject:

I'm finished with the upgrade (~40 packages), and aside from the c_rehash thing, everything went smoothly

rh1
Guru
Joined: 10 Apr 2010
Posts: 501

Posted: Tue Jul 13, 2010 6:07 pm Post subject:

Had some time on lunch. After further checking, I don't think the openoffice-bin thing was related to this. Anyway un-emerging and then re-emerging OO cleared this up for me. Everything else seems to work fine. No issues with openssl so far.

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Wed Jul 14, 2010 7:42 am Post subject:

14 Jul 2010; Samuli Suominen <ssuominen@gentoo.org> openssl-1.0.0a.ebuild:
Release OpenSSL 1.x to testing. Known issues have been resolved wrt
#304279.

Thanks to everyone who tested!

Martux
Veteran
Joined: 04 Feb 2005
Posts: 1917

Posted: Thu Jul 15, 2010 8:47 am Post subject:

Hi!
I get errors with mysql-5.0.
emerge @preserved-rebuild wants to update to 5.1, which cannot be done because the embedded flag is set for amarok (and it shall stay that way):

Code:
* Error: The above package list contains packages which cannot be
* installed at the same time on the same system.

('ebuild', '/', 'media-sound/amarok-2.3.1-r2', 'merge') pulled in by
media-sound/amarok:4 required by @preserved-rebuild

('ebuild', '/', 'dev-db/mysql-5.1.46', 'merge') pulled in by
=dev-db/mysql-5.1* required by ('ebuild', '/', 'virtual/mysql-5.1', 'merge')
>=dev-db/mysql-5.0.76 required by ('ebuild', '/', 'media-sound/amarok-2.3.1-r2', 'merge')
dev-db/mysql:0 required by @preserved-rebuild

_________________
"Coincidence is God's way of remaining anonymous."
Albert Einstein
"The road to success is always under construction"

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Thu Jul 15, 2010 8:50 am Post subject:

Martux wrote:
> Hi!
> I get errors with mysql-5.0.
> emerge @preserved-rebuild wants to update to 5.1, which cannot be done because the embedded flag is set for amarok (and it shall stay that way):
>
> Code:
> * Error: The above package list contains packages which cannot be
> * installed at the same time on the same system.
>
> ('ebuild', '/', 'media-sound/amarok-2.3.1-r2', 'merge') pulled in by
> media-sound/amarok:4 required by @preserved-rebuild
>
> ('ebuild', '/', 'dev-db/mysql-5.1.46', 'merge') pulled in by
> =dev-db/mysql-5.1* required by ('ebuild', '/', 'virtual/mysql-5.1', 'merge')
> >=dev-db/mysql-5.0.76 required by ('ebuild', '/', 'media-sound/amarok-2.3.1-r2', 'merge')
> dev-db/mysql:0 required by @preserved-rebuild

That has nothing to do with OpenSSL... It's about USE="embedded" in amarok, I'm pretty sure there are other threads for that.

Martux
Veteran
Joined: 04 Feb 2005
Posts: 1917

Posted: Thu Jul 15, 2010 10:06 am Post subject:

ssuominen, thanks, you are right. Fiddling with /etc/portage/package.mask did the trick.

So, the openssl update went through without a problem. Just had to unmerge/remerge openoffice-bin and nxclient.
_________________
"Coincidence is God's way of remaining anonymous."
Albert Einstein
"The road to success is always under construction"

krinn
Watchman
Joined: 02 May 2003
Posts: 7447

Posted: Thu Jul 15, 2010 10:16 am Post subject:

thank you for your work ssuominen, openssl users will appreciate

avx
Advocate
Joined: 21 Jun 2004
Posts: 2152

Posted: Fri Jul 16, 2010 1:54 pm Post subject:

AM088 wrote:
> OK, I ran:
> Code:
> # c_rehash /etc/ssl/certs/
> and now fetchmail works again.

Thanks.

For me, emerging some packages failed, because wget spits

Quote:
> Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:443... connected.
> ERROR: cannot verify sourceforge.net’s certificate, issued by “/C=US/O=Equifax/OU=Equifax Secure Certificate Authority”:
> Unable to locally verify the issuer’s authority.
> To connect to sourceforge.net insecurely, use ‘--no-check-certificate’.

Running the above mentioned command solved it.
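
Added example, not part of any post in this thread: the fetchmail and wget verification failures reported above both cleared after c_rehash, because OpenSSL 1.0.0 looks up CA certificates under a different subject-hash link name than 0.9.8 did. The script reports which certificates in a CA directory still lack a link in the current format; the function names, and the assumption that the certificates are PEM files named *.pem or *.crt, belong to this example only.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies each CA certificate in a
# directory by the hash links OpenSSL uses for CA-path lookups:
#   ok             a <hash>.N link for the installed OpenSSL resolves to it
#   old-hash-only  only a link in the pre-1.0.0 hash format exists
#   unhashed       no hash link at all
# Either of the last two means c_rehash has to be run on the directory.

# fingerprint FILE: print the certificate fingerprint, empty on error.
fingerprint() {
    openssl x509 -noout -fingerprint -in "$1" 2>/dev/null
}

# has_link DIR HASH CERT: true if some DIR/HASH.N holds the same certificate.
has_link() {
    [ -n "$2" ] || return 1
    want=$(fingerprint "$3")
    for link in "$1/$2".[0-9]*; do
        [ -e "$link" ] || continue
        [ "$(fingerprint "$link")" = "$want" ] && return 0
    done
    return 1
}

# check_ca_dir DIR: print "<status> <file>" for every certificate in DIR.
check_ca_dir() {
    dir=${1%/}
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Hash name the installed OpenSSL looks for; skip non-certificates.
        new=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        # Hash name 0.9.8 used; the option may be missing in some builds.
        old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null) || old=
        if has_link "$dir" "$new" "$cert"; then
            status=ok
        elif has_link "$dir" "$old" "$cert"; then
            status=old-hash-only
        else
            status=unhashed
        fi
        printf '%s %s\n' "$status" "${cert##*/}"
    done
}

# Run against a directory only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_ca_dir "$1"
fi
```

Pass the certificate directory (for example /etc/ssl/certs) as the first argument; any line that does not start with ok points at a certificate the library cannot find until the directory is rehashed.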

baaann
Guru
Joined: 23 Jan 2006
Posts: 552
Location: uk

Posted: Sat Jul 17, 2010 9:49 am Post subject:

I am having a problem with nxclient, it appears that in my case nxssh depends on libcrypto.so-0.9.8 and I get the following error

Code:
/usr/NX/bin/nxssh: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

I have run
Code:
emerge @preserved-rebuild
uninstalled/reinstalled nxclient multiple times

run
Code:
revdep-rebuild -L libcrypto.so.1.0.0
and re-downloaded the distfiles

I still get the same error and am at a loss as to what else to try

My emerge --info
Code:
emerge --info

WARNING: One or more repositories have missing repo_name entries:



/usr/local/portage/profiles/repo_name



NOTE: Each repo_name entry should be a plain text file containing a

unique name for the repository on the first line.

Portage 2.2_rc67 (default/linux/amd64/10.0/desktop, gcc-4.4.4, glibc-2.11.2-r0, 2.6.32-gentoo x86_64)

=================================================================

System uname: Linux-2.6.32-gentoo-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_4200+-with-gentoo-2.0.1

Timestamp of tree: Fri, 16 Jul 2010 08:45:01 +0000

ccache version 2.4 [enabled]

app-shells/bash: 4.1_p7

dev-java/java-config: 2.1.11

dev-lang/python: 2.6.5-r3, 3.1.2-r4

dev-util/ccache: 2.4-r8

dev-util/cmake: 2.8.1-r2

sys-apps/baselayout: 2.0.1

sys-apps/openrc: 0.6.1-r1

sys-apps/sandbox: 2.2

sys-devel/autoconf: 2.13, 2.65-r1

sys-devel/automake: 1.8.5-r3, 1.9.6-r3, 1.10.3, 1.11.1

sys-devel/binutils: 2.20.1-r1

sys-devel/gcc: 4.4.4-r1

sys-devel/gcc-config: 1.4.1

sys-devel/libtool: 2.2.10

virtual/os-headers: 2.6.34

ACCEPT_KEYWORDS="amd64 ~amd64"

ACCEPT_LICENSE="* -@EULA dlj-1.1 AdobeFlash-10 AdobeFlash-10.1"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=athlon64 -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-march=athlon64 -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"

GENTOO_MIRRORS="http://mirror.bytemark.co.uk/gentoo/ ftp://mirror.bytemark.co.uk/gentoo/ http://www.mirrorservice.org/sites/www.ibiblio.org/gentoo/ ftp://ftp.mirrorservice.org/sites/www.ibiblio.org/gentoo/ http://mirror.qubenet.net/mirror/gentoo/ ftp://mirror.qubenet.net/mirror/gentoo/ http://gentoo.virginmedia.com/ ftp://gentoo.virginmedia.com/sites/gentoo "

LDFLAGS="-Wl,-O1"

LINGUAS="en_GB en"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY="/usr/local/portage"

SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"

USE="3dnow 3dnowext X a52 aac acl acpi alsa amd64 berkdb bluetooth branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus djvu dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm hal iconv ipv6 jpeg kde kqemu kvm lcms ldap libnotify mad mikmod mmx mmxext mng modules mp3 mp4 mpeg msn mudflap multilib mxdatetime mysql ncurses nls nptl nptlonly nsplugin ogg opengl openmp pam pango pcre pdf perl pg_legacytimestamp plasma png ppds pppd python qt3support qt4 readline reflection samba sdl semantic-desktop session spell spl sql sse sse2 ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vnc vorbis webkit x264 xcb xcomposite xml xorg xulrunner xv xvid zeroconf zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Sat Jul 17, 2010 10:18 am Post subject:

nxclient is a binary only software, so you can't recompile it against new openssl. as such, reinstalling it won't help anything.

it's probably good idea to abandon the software because upstream has failed to support modern libraries, note that the same package is also pulling in obsolete libpng and jpeg.

meanwhile i've just committed slotted openssl-0.9.8o-r1 for these packages, see:

https://bugs.gentoo.org/328355

but since openssl is known to hit security issues often, not sure how long we can support such a hack...

krinn
Watchman
Joined: 02 May 2003
Posts: 7447

Posted: Sat Jul 17, 2010 10:20 am Post subject:

baaann wrote:
> Code:
> libcrypto.so.0.9.8: cannot open...
>
> run
> Code:
> revdep-rebuild -L libcrypto.so.1.0.0

-L, --library NAME Emerge existing packages that use the library with NAME
revdep-rebuild -L libcrypto.so.0.9.8

Would a symlink to libcrypto.so.1.0.0 make it work for binary software? (I know, dirty hack)

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Sat Jul 17, 2010 10:51 am Post subject:

krinn wrote:
> baaann wrote:
> > Code:
> > libcrypto.so.0.9.8: cannot open...
> >
> > run
> > Code:
> > revdep-rebuild -L libcrypto.so.1.0.0
>
> -L, --library NAME Emerge existing packages that use the library with NAME
> revdep-rebuild -L libcrypto.so.0.9.8
>
> Would a symlink to libcrypto.so.1.0.0 make it work for binary software? (I know, dirty hack)

Symlink won't work. There's significant differences between 0.9.8 and 1.0.0. Just to mention some, 0.9.8 still supported MD2, whereas the support for MD2 was removed from 1.0.0.

baaann
Guru
Joined: 23 Jan 2006
Posts: 552
Location: uk

Posted: Sat Jul 17, 2010 11:33 am Post subject:

@ssuominen
Thanks for that, I was confused that Martux had apparently solved the issue by uninstalling and reinstalling nxclient. It will be hard to abandon as I have come to rely on it for work however there are alternatives so I will have to investigate them. With regard to the slotted openssl, I assume that I will have to adjust the nxclient ebuild? The current RDEPEND is
Code:
>=dev-libs/openssl-0.9.8e
and therefore I guess it will not pull in the new slotted version (I haven't tried as yet)?

@krinn
Oops, thanks for pointing that out, still learning!

SamuliSuominen
Retired Dev
Joined: 30 Sep 2005
Posts: 2133
Location: Finland

Posted: Sat Jul 17, 2010 12:26 pm Post subject:

baaann wrote:
> @ssuominen
> Thanks for that, I was confused that Martux had apparently solved the issue by uninstalling and reinstalling nxclient. It will be hard to abandon as I have come to rely on it for work however there are alternatives so I will have to investigate them. With regard to the slotted openssl, I assume that I will have to adjust the nxclient ebuild? The current RDEPEND is
> Code:
> >=dev-libs/openssl-0.9.8e
> and therefore I guess it will not pull in the new slotted version (I haven't tried as yet)?

nxclient's ebuild should depend on:

=dev-libs/openssl-0.9.8*

but meanwhile while waiting for the ebuild to be fixed, you can "emerge --sync" and "emerge -av openssl:0.9.8"

baaann
Guru
Joined: 23 Jan 2006
Posts: 552
Location: uk

Posted: Sat Jul 17, 2010 2:00 pm Post subject:

ssuominen wrote:
> nxclient's ebuild should depend on:
>
> =dev-libs/openssl-0.9.8*
>
> but meanwhile while waiting for the ebuild to be fixed, you can "emerge --sync" and "emerge -av openssl:0.9.8"

That worked

Thanks again for your help

discomfitor
l33t
Joined: 21 Feb 2003
Posts: 927
Location: None

Posted: Wed Jul 21, 2010 2:10 am Post subject:

If you get your portage and wget broken by this like I did, just download the tbz2 files manually into your DISTDIR, ebuild ${portage-ver}.ebuild merge && emerge wget
_________________
There is no substitute for experience.
Imperfection indicates a lack of effort.