mod_tls and mod_sftp complain about OpenSSL version mismatch

Bug #873984 reported by Jan Schneider
This bug affects 5 people
Affects: proftpd-dfsg (Debian) | Status: Fix Released | Importance: Unknown
Affects: proftpd-dfsg (Ubuntu) | Status: Won't Fix | Importance: Undecided | Assigned to: Unassigned

Bug Description

I get this error when starting proftpd:
mod_tls/2.4.2: compiled using OpenSSL version 'OpenSSL 1.0.0d 8 Feb 2011' headers, but linked to OpenSSL version 'OpenSSL 1.0.0e 6 Sep 2011' library

Jan Schneider (yunosh) wrote :

The same applies to mod_sftp/0.9.7

Mahyuddin Susanto (udienz) wrote :

I believe rebuilding this package can fix this bug. Proftpd-dfsg needs a rebuild because it has mod_tls/sftp that were compiled with an old OpenSSL.

summary: - mod_tls broken
+ mod_tls and mod_sftp broken (need rebuild)
Mahyuddin Susanto (udienz) wrote : Re: mod_tls and mod_sftp broken (need rebuild)

Attached debdiff for oneiric-proposed

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in proftpd-dfsg (Ubuntu):
status: New → Confirmed
Stefano Rivera (stefanor) wrote :

Is that actually an error? Looks like it still works...

Jan Schneider (yunosh) wrote :

Yes, it is still working. I came across this message while finding out why proftpd didn't start (reference to mod_vroot that doesn't exist anymore) and first thought this would have kept it from starting.

Stefano Rivera (stefanor) wrote :

Let's assume that this doesn't need a rebuild then.

Changed in proftpd-dfsg (Ubuntu):
status: Confirmed → Won't Fix
summary: - mod_tls and mod_sftp broken (need rebuild)
+ mod_tls and mod_sftp complain about OpenSSL version mismatch
Jan Schneider (yunosh) wrote :

I still think a rebuild should be done because:
- that message that shows up on each startup is at least confusing
- I didn't test SSL functionality yet, I only checked if startup works

sanitycheck (gcompton) wrote :

ProFTP does not start on server upgraded to 11.10 because of this error. Remarked out following lines in /etc/proftpd/modules.conf as work-around:

LoadModule mod_tls.c
LoadModule mod_sftp.c
LoadModule mod_sftp_pam.c

ProFTP starts, but those SSL-dependent services/modules won't work of course. On this system I wasn't using them anyway. Still a serious problem that needs to be addressed.

Zeon (jonathan-spence) wrote :

I have the same problem after upgrading from 11.04 to 11.10. Unfortunately I do actually need to use SFTP on my server so this is a big problem!

sanitycheck (gcompton) wrote :

Yunosh and Stefanor initially indicated proftpd would not start, but then seem to indicate that proftpd does start for them but generates an error message. Are some servers starting and others not? Without the work-around I mentioned before, I could not get proftpd to start at all, and I see no way to get it to start with sftp support enabled. Jonathan-spence seems to have observed the same thing.

I should have addressed the Won't-Fix status when I first posted, but I missed it. If there is a work-around to get proftpd to start with sftp support enabled, please post it here. If not, please submit the patch suggested earlier to fix the problem.

Zeon (jonathan-spence) wrote :

Luckily for me I only did the upgrade on a testing server so it was no big deal. However I would suggest there are 2 ways to get SFTP working again:
a) Use OpenSSH to run your SFTP server (not that easy, but there is a guide on the forums to chroot SFTP users like you would with ProFTPd)
b) Remove ProFTPd from apt and then download and compile it yourself. If you have already installed it via apt then you should have all the dependencies, so you should be able to download the source and compile it, e.g.:
wget ftp://ftp35.us.proftpd.org/pub/ProFTPD/distrib/source/proftpd-1.3.4a.tar.gz
tar -zxvf proftpd-1.3.4a.tar.gz
cd proftpd-1.3.4a
sudo ./configure && sudo make && sudo checkinstall
sudo ldconfig

(you may need to do a sudo apt-get install gcc g++ automake before running the ./configure etc. line)

Stefano Rivera (stefanor) wrote :

Jan, sanitycheck, Zeon: I checked, and TLS / sftp works fine for me. Is it really not working for you?

You can ignore the warning, it's not important.

Stefano Rivera (stefanor) wrote :

(Note, you need to set it up, i.e. have generated certificates, uncomment the relevant bits of tls.conf, and uncomment the Include tls.conf directive in proftpd.conf)

Jan Schneider (yunosh) wrote :

See comment #6. It starts up and is working, I haven't tested SSL support though.

Mahyuddin Susanto (udienz) wrote :

Jan, as per #6 mod_vroot has been separated in source.
$ rmadison -u ubuntu proftpd-mod-vroot
proftpd-mod-vroot | 0.9.2-1 | oneiric/universe | source, amd64, armel, i386, powerpc
proftpd-mod-vroot | 0.9.2-2 | precise/universe | source, amd64, armel, armhf, i386, powerpc

sanitycheck (gcompton) wrote :

My non-SFTP server would not start after the upgrade without changes; Zeon's SFTP installation would not start without changes. The issue appears to be that any Ubuntu system with a working proftpd setup will be broken by an 11.10 distribution upgrade.

I mentioned SFTP only because that feature was the reason proftpd wouldn't start after the upgrade, even though I was not using it before the upgrade.

Stefano Rivera (stefanor) wrote : Re: [Bug 873984] Re: mod_tls and mod_sftp complain about OpenSSL version mismatch

Hi sanitycheck (2012.01.05_07:31:07_+0200)
> The issue appears to be that any Ubuntu system with a working proftpd
> setup will be broken by an 11.10 distribution upgrade.

But the issue we are discussing is the "OpenSSL version mismatch"
warning. Which I'm asserting can be ignored.

You may need to make other changes to your proftpd configuration, but
that's not unusual.

Jan Schneider (yunosh) wrote :

Stefano: I'm not sure if ignoring is a good thing SSL related. It might be harmless, but the user doesn't necessarily know if there are any security implications. I wouldn't trust a security feature of a software that only starts with a warning.
Mahyuddin: Yes, but as Stefano pointed out, this is not really what this bug report is about.

sanitycheck (gcompton) wrote :

Jan: In #6 and #15 you state SSL is working, but your installation stopped working after the dist upgrade as well. What did you do to get proftpd to work again?

Stefano: The SSL error message and proftpd not starting after a dist upgrade appear to be related. I have not seen any indication here to the contrary. Only after I commented out the SSL-related features could I get proftpd to start again, and only then did the SSL error message go away. I'm glad to file a new bug report if these issues are not related.

> You may need to make other changes to your proftpd configuration, but
> that's not unusual.

Having to make changes to any application to get it to work after an upgrade should be considered unusual. If it's unavoidable, I would expect to see a notice in the distribution release notes.

Changed in proftpd-dfsg (Debian):
status: Unknown → New
Stefano Rivera (stefanor) wrote :

> Stefano: I'm not sure if ignoring is a good thing SSL related. It
> might be harmless, but the user doesn't necessarily know if there are
> any security implications.

Jan: It's not a security concern. The check is there to warn that it may
not function at all. However, I think the check is unnecessary, as
OpenSSL has a relatively stable ABI, and as long as the same soname is
available, it should work.

> Stefano: The SSL error message and proftpd not starting after a dist
> upgrade appear to be related.

Well, if you read the source code, you'll see it's a warning only, it
doesn't result in an abort.

Run it in debug mode, and maybe you'll see why it doesn't start:
# proftpd -d 10 -n

> Having to make changes to any application to get it to work after an
> upgrade should be considered unusual. If it's unavoidable, I would
> expect to see a notice in the distribution release notes.

Of course, that's not desirable, but features come and go, and a config
file that was valid in one version of an application may not be valid in
the next.
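
For triaging this startup message across several hosts, the following added example (not part of the thread and not ProFTPD code) parses the warning format quoted in the bug description and reports whether the headers and the linked library differ only in the patch letter, as in 1.0.0d versus 1.0.0e, or in the numeric release. The function names, the `kind` labels and the second and third sample lines are assumptions made for illustration.

```python
import re

# Message format as quoted in the bug description; module name and version vary.
WARNING_RE = re.compile(
    r"(?P<module>mod_\w+)/(?P<modver>[\w.]+): compiled using OpenSSL version "
    r"'OpenSSL (?P<headers>\S+) [^']*' headers, but linked to OpenSSL version "
    r"'OpenSSL (?P<library>\S+) [^']*' library"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

TEMPLATE = ("{mod}: compiled using OpenSSL version 'OpenSSL {h}' headers, "
            "but linked to OpenSSL version 'OpenSSL {l}' library")
SAMPLE_LINES = [
    # The message from the bug description.
    TEMPLATE.format(mod="mod_tls/2.4.2", h="1.0.0d 8 Feb 2011", l="1.0.0e 6 Sep 2011"),
    # Constructed: a mismatch that crosses a numeric release.
    TEMPLATE.format(mod="mod_sftp/0.9.7", h="1.0.0e 6 Sep 2011", l="1.0.1 14 Mar 2012"),
    # Constructed: an unrelated log line.
    "proftpd: ProFTPD 1.3.4a standalone mode STARTUP",
]


def split_version(text):
    """'1.0.0e' -> ((1, 0, 0), 'e'); raises ValueError on other schemes."""
    m = VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def classify(line):
    """Return None for unrelated lines, else a dict describing the mismatch."""
    m = WARNING_RE.search(line)
    if m is None:
        return None
    h_num, h_letter = split_version(m["headers"])
    l_num, l_letter = split_version(m["library"])
    if h_num != l_num:
        kind = "numeric-release-differs"
    elif h_letter != l_letter:
        kind = "patch-letter-only"
    else:
        kind = "identical"
    return {"module": m["module"], "headers": m["headers"],
            "library": m["library"], "kind": kind,
            "library_newer": (l_num, l_letter) > (h_num, h_letter)}
```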

Richard Laager (rlaager) wrote :

Since Debian has taken no action on this in almost two years, please patch the Ubuntu package to remove this check.

Ted (tedm) wrote :

This bug should be combined with bug #1059722; they are the same thing.

Changed in proftpd-dfsg (Debian):
status: New → Fix Released