warning: dane configured, but no requisite library support

  • Patrick Ben Koetter
    Message 1 of 9, Jul 28, 2014
      Greetings,

      I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:

      warning: sys4.de: dane configured, but no requisite library support

      <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
      suggests the underlying openssl library is too old. Viktor writes at least
      openssl 1.0.0 would be required.

      The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
      Could it be the openssl package has been built without DANE support? What can
      I do to track this down?

      Thanks

      p@rick


      Here's debug info:

      # lsb_release -i -r
      Distributor ID: RedHatEnterpriseServer
      Release: 6.5

      # postconf mail_version
      mail_version = 2.11.1

      # openssl version
      OpenSSL 1.0.1e-fips 11 Feb 2013

      # ldd /usr/libexec/postfix/smtp
      linux-vdso.so.1 => (0x00007fffbf97d000)
      libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f25de32e000)
      liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f25de11f000)
      libpcre.so.0 => /lib64/libpcre.so.0 (0x00007f25ddef2000)
      libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f25ddcd8000)
      libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f25dda6c000)
      libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f25dd68b000)
      libdl.so.2 => /lib64/libdl.so.2 (0x00007f25dd487000)
      libz.so.1 => /lib64/libz.so.1 (0x00007f25dd271000)
      libdb-4.7.so => /lib64/libdb-4.7.so (0x00007f25dcefc000)
      libnsl.so.1 => /lib64/libnsl.so.1 (0x00007f25dcce3000)
      libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f25dcac9000)
      libc.so.6 => /lib64/libc.so.6 (0x00007f25dc734000)
      libssl3.so => /usr/lib64/libssl3.so (0x00007f25dc4f6000)
      libsmime3.so => /usr/lib64/libsmime3.so (0x00007f25dc2ca000)
      libnss3.so => /usr/lib64/libnss3.so (0x00007f25dbf8b000)
      libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007f25dbd5f000)
      libplds4.so => /lib64/libplds4.so (0x00007f25dbb5b000)
      libplc4.so => /lib64/libplc4.so (0x00007f25db955000)
      libnspr4.so => /lib64/libnspr4.so (0x00007f25db718000)
      libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f25db4e1000)
      libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f25db29c000)
      libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f25dafb6000)
      libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f25dadb2000)
      libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f25dab85000)
      /lib64/ld-linux-x86-64.so.2 (0x0000003709e00000)
      libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f25da968000)
      librt.so.1 => /lib64/librt.so.1 (0x00007f25da75f000)
      libfreebl3.so => /lib64/libfreebl3.so (0x00007f25da4e8000)
      libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f25da2dd000)
      libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f25da0d9000)
      libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f25d9eba000)

      # ls -l /usr/lib64/libssl.so.10
      lrwxrwxrwx. 1 root root 16 6. Jun 00:41 /usr/lib64/libssl.so.10 -> libssl.so.1.0.1e

      --
      [*] sys4 AG

      https://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: München, Amtsgericht München: HRB 199263
      Board: Patrick Ben Koetter, Marc Schiffbauer
      Chairman of the supervisory board: Florian Kirstein
    • Wietse Venema
      Message 2 of 9, Jul 28, 2014
        Patrick Ben Koetter:
        > Greetings,
        >
        > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
        >
        > warning: sys4.de: dane configured, but no requisite library support
        >
        > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
        > suggests the underlying openssl library is too old. Viktor writes at least
        > openssl 1.0.0 would be required.
        >
        > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.

        Why the hell are you using FIPS?

        Wietse
      • Patrick Ben Koetter
        Message 3 of 9, Jul 28, 2014
          * Wietse Venema <wietse@...>:
          > Patrick Ben Koetter:
          > > Greetings,
          > >
          > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
          > >
          > > warning: sys4.de: dane configured, but no requisite library support
          > >
          > > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
          > > suggests the underlying openssl library is too old. Viktor writes at least
          > > openssl 1.0.0 would be required.
          > >
          > > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
          >
          > Why the hell are you using FIPS?

          Because I like pain? Probably because the package manager pulled it from some
          repo. I'll have a look.

          p@rick

        • Patrick Ben Koetter
          Message 4 of 9, Jul 28, 2014
            * Patrick Ben Koetter <postfix-users@...>:
            > * Wietse Venema <wietse@...>:
            > > Patrick Ben Koetter:
            > > > Greetings,
            > > >
            > > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
            > > >
            > > > warning: sys4.de: dane configured, but no requisite library support
            > > >
            > > > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
            > > > suggests the underlying openssl library is too old. Viktor writes at least
            > > > openssl 1.0.0 would be required.
            > > >
            > > > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
            > >
            > > Why the hell are you using FIPS?
            >
            > Because I like pain? Probably because the package manager pulled it from some
            > repo. I'll have a look.

            The FIPS version has been pulled from RedHat's own repositories:

            # yum info openssl.x86_64

            Name : openssl
            Arch : x86_64
            Version : 1.0.1e
            Release : 16.el6_5.14
            Size : 4.0 M
            Repo : installed
            From repo : rhel-6-server-rpms
            Summary : A general purpose cryptography library with TLS implementation
            URL : http://www.openssl.org/
            License : OpenSSL
            Description : The OpenSSL toolkit provides support for secure communications between
            : machines. OpenSSL includes a certificate management tool and shared
            : libraries which provide various cryptographic algorithms and
            : protocols.

            Using only RedHat repositories, this is the only one available:

            # yum list available openssl
            Loaded plugins: product-id, subscription-manager
            This system is receiving updates from Red Hat Subscription Management.
            rhel-6-server-eus-rpms | 3.7 kB 00:00
            rhel-6-server-realtime-rpms | 3.8 kB 00:00
            rhel-6-server-rpms | 3.7 kB 00:00
            rhel-ha-for-rhel-6-server-eus-rpms | 3.7 kB 00:00
            rhel-ha-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-hpn-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-lb-for-rhel-6-server-eus-rpms | 3.7 kB 00:00
            rhel-lb-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-rs-for-rhel-6-server-eus-rpms | 3.7 kB 00:00
            rhel-rs-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-sap-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-sap-hana-for-rhel-6-server-rpms | 2.8 kB 00:00
            rhel-scalefs-for-rhel-6-server-rpms | 3.7 kB 00:00
            rhel-server-6-rhds-9-rpms | 3.1 kB 00:00
            rhel-server-dts-6-eus-rpms | 2.8 kB 00:00
            rhel-server-dts-6-rpms | 2.9 kB 00:00
            rhel-server-dts2-6-eus-rpms | 2.8 kB 00:00
            rhel-server-dts2-6-rpms | 2.6 kB 00:00
            rhel-sfs-for-rhel-6-server-eus-rpms | 3.4 kB 00:00
            rhel-sjis-for-rhel-6-server-rpms | 3.1 kB 00:00
            Available Packages
            openssl.i686 1.0.1e-16.el6_5.14 rhel-6-server-eus-rpms

            Excuse my ignorance, but what's wrong with a FIPS version of openssl? It seems
            as if I missed something everyone else knows.

            p@rick

          • lists@rhsoft.net
            Message 5 of 9, Jul 28, 2014
              On 28.07.2014 14:03, Patrick Ben Koetter wrote:
              > * Patrick Ben Koetter <postfix-users@...>:
              >> * Wietse Venema <wietse@...>:
              >>> Patrick Ben Koetter:
              >>>> Greetings,
              >>>>
              >>>> I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
              >>>>
              >>>> warning: sys4.de: dane configured, but no requisite library support
              >>>>
              >>>> <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
              >>>> suggests the underlying openssl library is too old. Viktor writes at least
              >>>> openssl 1.0.0 would be required.
              >>>>
              >>>> The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
              >>>
              >>> Why the hell are you using FIPS?
              >>
              >> Because I like pain? Probably because the package manager pulled it from some
              >> repo. I'll have a look.
              >
              > The FIPS version has been pulled from RedHat's own repositories:
              >
              > Name : openssl
              > Arch : x86_64
              > Version : 1.0.1e
              > Release : 16.el6_5.14
              > Size : 4.0 M
              > Repo : installed
              > From repo : rhel-6-server-rpms
              > Summary : A general purpose cryptography library with TLS implementation
              > URL : http://www.openssl.org/
              > License : OpenSSL
              > Description : The OpenSSL toolkit provides support for secure communications between
              > : machines. OpenSSL includes a certificate management tool and shared
              > : libraries which provide various cryptographic algorithms and
              > : protocols

              just don't call that "OpenSSL 1.0.1e-fips" which implies you are
              running in FIPS mode or using a special package - that's where
              the confusion came from

              that's the ordinary openssl package

              [root@openvas:~]$ rpm -qa | grep openssl
              openssl-1.0.1e-16.el6_5.14.x86_64
            • Patrick Ben Koetter
              Message 6 of 9, Jul 28, 2014
                * lists@... <lists@...>:
                >
                > On 28.07.2014 14:03, Patrick Ben Koetter wrote:
                > > * Patrick Ben Koetter <postfix-users@...>:
                > >> * Wietse Venema <wietse@...>:
                > >>> Patrick Ben Koetter:
                > >>>> Greetings,
                > >>>>
                > >>>> I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
                > >>>>
                > >>>> warning: sys4.de: dane configured, but no requisite library support
                > >>>>
                > >>>> <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
                > >>>> suggests the underlying openssl library is too old. Viktor writes at least
                > >>>> openssl 1.0.0 would be required.
                > >>>>
                > >>>> The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
                > >>>
                > >>> Why the hell are you using FIPS?
                > >>
                > >> Because I like pain? Probably because the package manager pulled it from some
                > >> repo. I'll have a look.
                > >
                > > The FIPS version has been pulled from RedHat's own repositories:
                > >
                > > Name : openssl
                > > Arch : x86_64
                > > Version : 1.0.1e
                > > Release : 16.el6_5.14
                > > Size : 4.0 M
                > > Repo : installed
                > > From repo : rhel-6-server-rpms
                > > Summary : A general purpose cryptography library with TLS implementation
                > > URL : http://www.openssl.org/
                > > License : OpenSSL
                > > Description : The OpenSSL toolkit provides support for secure communications between
                > > : machines. OpenSSL includes a certificate management tool and shared
                > > : libraries which provide various cryptographic algorithms and
                > > : protocols
                >
                > just don't call that "OpenSSL 1.0.1e-fips" which implies you are
                > running in FIPS mode or using a special package - that's where
                > the confusion came from
                >
                > that's the ordinary openssl package
                >
                > [root@openvas:~]$ rpm -qa | grep openssl
                > openssl-1.0.1e-16.el6_5.14.x86_64

                ACK. It was output from "openssl version". Here's the corresponding package
                name:

                # rpm -qa openssl
                openssl-1.0.1e-16.el6_5.14.x86_64

              • Viktor Dukhovni
                Message 7 of 9, Jul 28, 2014
                  On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote:
                  > Greetings,
                  >
                  > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
                  >
                  > warning: sys4.de: dane configured, but no requisite library support
                  >
                  > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
                  > suggests the underlying openssl library is too old. Viktor writes at least
                  > openssl 1.0.0 would be required.
                  >
                  > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
                  > Could it be the openssl package has been built without DANE support? What can
                  > I do to track this down?

                  Beyond OpenSSL 1.0.0, you also need the resolver headers to define:

                  RES_USE_DNSSEC
                  RES_USE_EDNS0

                  and for OpenSSL to *not* define OPENSSL_NO_ECDH. On RedHat systems,
                  it is this last constraint that is the likely problem. RedHat
                  systems have historically disabled EC algorithms based on FUD around
                  Certicom's patents (the most important of which, point compression,
                  expires tomorrow I hear).

                  Anyway, RedHat did add limited ECDH support (sufficient for
                  Postfix DANE) some months back, make sure your system has the
                  updated OpenSSL build.

                  https://bugzilla.redhat.com/show_bug.cgi?id=319901

                  You can check that the OpenSSL headers define:

                  $ grep NID_X9_62_prime256v1 /usr/include/openssl/obj_mac.h
                  #define NID_X9_62_prime256v1 415

                  which is expected to be the case with the updated RedHat OpenSSL
                  library.

                  --
                  Viktor.
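The prerequisites Viktor lists (OpenSSL 1.0.0 or newer, RES_USE_DNSSEC and RES_USE_EDNS0 in the resolver headers, OPENSSL_NO_ECDH not defined, NID_X9_62_prime256v1 present) collected into one script, together with the ldd check from the first message. This is an added example, not code from the thread or from Postfix. The function names and the --system convenience path are mine; it assumes the stock RHEL locations /usr/include/resolv.h and /usr/include/openssl/ from openssl-devel, and because the header split varies by build it scans every opensslconf*.h rather than only opensslconf.h. Since Postfix decides at compile time whether it has DANE support, run it on the build host, not only where the binary ends up.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): checks the build-time
# prerequisites for Postfix outbound DANE against header files given as
# arguments, so it can be pointed at any include tree. Function names and the
# --system paths below are assumptions of this example.

# 0 if "openssl version" output ($1) reports 1.0.0 or newer (major >= 1).
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }' | sed 's/[^0-9.].*//')
    major=${ver%%.*}
    case "$major" in '' | *[!0-9]*) return 1 ;; esac
    [ "$major" -ge 1 ]
}

# 0 if any of the header files ($2..) carries a "#define $1" line.
header_defines() {
    macro=$1; shift
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$macro([[:space:]]|\$)" "$@" 2>/dev/null
}

# Resolver side: resolv.h ($1) must define RES_USE_DNSSEC and RES_USE_EDNS0.
resolver_ok() {
    header_defines RES_USE_DNSSEC "$1" && header_defines RES_USE_EDNS0 "$1"
}

# OpenSSL side: OPENSSL_NO_ECDH must be absent from every opensslconf*.h ($2..)
# and obj_mac.h ($1) must define NID_X9_62_prime256v1.
ecdh_ok() {
    objmac=$1; shift
    [ $# -gt 0 ] || return 1
    ! header_defines OPENSSL_NO_ECDH "$@" && header_defines NID_X9_62_prime256v1 "$objmac"
}

# Which libssl the Postfix smtp client resolves to, from ldd(1) output on stdin.
# NSS's libssl3.so is deliberately not matched: it is not OpenSSL.
linked_libssl() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# One line per check; returns 1 if any check failed.
# $1: "openssl version" output, $2: resolv.h, $3: obj_mac.h, $4..: opensslconf*.h
dane_prereq_report() {
    ver=$1; resolv=$2; objmac=$3; shift 3
    rc=0
    if openssl_version_ok "$ver"; then echo "ok   OpenSSL >= 1.0.0 ($ver)"
    else echo "FAIL OpenSSL older than 1.0.0 ($ver)"; rc=1; fi
    if resolver_ok "$resolv"; then echo "ok   RES_USE_DNSSEC and RES_USE_EDNS0 in $resolv"
    else echo "FAIL $resolv lacks RES_USE_DNSSEC and/or RES_USE_EDNS0"; rc=1; fi
    if ecdh_ok "$objmac" "$@"; then echo "ok   ECDH compiled in, NID_X9_62_prime256v1 present"
    else echo "FAIL OPENSSL_NO_ECDH defined or NID_X9_62_prime256v1 missing"; rc=1; fi
    return $rc
}

# Run against the assumed stock RHEL include tree:  sh dane-check.sh --system
if [ "${1:-}" = "--system" ]; then
    dane_prereq_report "$(openssl version)" /usr/include/resolv.h \
        /usr/include/openssl/obj_mac.h /usr/include/openssl/opensslconf*.h
    printf 'postfix smtp links: %s\n' "$(ldd /usr/libexec/postfix/smtp | linked_libssl)"
fi
```

The ldd output in the first message shows both libssl.so.10 (OpenSSL) and libssl3.so (NSS, pulled in through other dependencies); only the former matters for Postfix TLS, which is why the awk pattern ignores libssl3.so. The "-fips" suffix that `openssl version` prints is just the label of the ordinary RHEL build, as message 5 points out, so the version check strips it before comparing.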
                • Patrick Ben Koetter
                  Message 8 of 9, Jul 28, 2014
                    * Viktor Dukhovni <postfix-users@...>:
                    > On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote:
                    > > Greetings,
                    > >
                    > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
                    > >
                    > > warning: sys4.de: dane configured, but no requisite library support
                    > >
                    > > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
                    > > suggests the underlying openssl library is too old. Viktor writes at least
                    > > openssl 1.0.0 would be required.
                    > >
                    > > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
                    > > Could it be the openssl package has been built without DANE support? What can
                    > > I do to track this down?
                    >
                    > Beyond OpenSSL 1.0.0, you also need the resolver headers to define:
                    >
                    > RES_USE_DNSSEC
                    > RES_USE_EDNS0
                    >
                    > and for OpenSSL to *not* define OPENSSL_NO_ECDH. On RedHat systems,
                    > it is this last constraint that is the likely problem. RedHat
                    > systems have historically disabled EC algorithms based on FUD around
                    > Certicom's patents (the most important of which, point compression,
                    > expires tomorrow I hear).
                    >
                    > Anyway, RedHat did add limited ECDH support (sufficient for
                    > Postfix DANE) some months back, make sure your system has the
                    > updated OpenSSL build.

                    I think that's it. OpenSSL on the build host wasn't recent enough to reflect
                    those changes. I've updated, built and tested successfully on the build host.
                    Next step: Deploy and test on customers test servers.

                    p@rick

                  • Patrick Ben Koetter
                    Message 9 of 9, Jul 29, 2014
                      * Patrick Ben Koetter <postfix-users@...>:
                      > * Viktor Dukhovni <postfix-users@...>:
                      > > On Mon, Jul 28, 2014 at 10:44:04AM +0200, Patrick Ben Koetter wrote:
                      > > > Greetings,
                      > > >
                      > > > I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:
                      > > >
                      > > > warning: sys4.de: dane configured, but no requisite library support
                      > > >
                      > > > <http://postfix.1071664.n5.nabble.com/Client-side-DANE-minimum-openssl-version-td67768.html>
                      > > > suggests the underlying openssl library is too old. Viktor writes at least
                      > > > openssl 1.0.0 would be required.
                      > > >
                      > > > The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
                      > > > Could it be the openssl package has been built without DANE support? What can
                      > > > I do to track this down?
                      > >
                      > > Beyond OpenSSL 1.0.0, you also need the resolver headers to define:
                      > >
                      > > RES_USE_DNSSEC
                      > > RES_USE_EDNS0
                      > >
                      > > and for OpenSSL to *not* define OPENSSL_NO_ECDH. On RedHat systems,
                      > > it is this last constraint that is the likely problem. RedHat
                      > > systems have historically disabled EC algorithms based on FUD around
                      > > Certicom's patents (the most important of which, point compression,
                      > > expires tomorrow I hear).
                      > >
                      > > Anyway, RedHat did add limited ECDH support (sufficient for
                      > > Postfix DANE) some months back, make sure your system has the
                      > > updated OpenSSL build.
                      >
                      > I think that's it. OpenSSL on the build host wasn't recent enough to reflect
                      > those changes. I've updated, built and tested successfully on the build host.
                      > Next step: Deploy and test on customers test servers.

                      Successfully tested and deployed.

                      p@rick
