Compile warnings under FreeBSD 8.2-STABLE appear to break server linking #259

Closed
nixsec opened this issue Jul 16, 2012 · 4 comments
Labels
unable to reproduce This issue can not be replicated


@nixsec

nixsec commented Jul 16, 2012

When compiling 2.0.8 (pulled from git) I receive the following warnings during the build process:

Locating include directory for package gnutls for module m_ssl_gnutls.cpp... -I/usr/local/include -I/usr/local/include/p11-kit-1 -DVERSION_GNUTLS="2.12.18" (version 2.12.18)
Locating library directory for package gnutls for module m_ssl_gnutls.cpp... -L/usr/local/lib -lgnutls (version 2.12.18)
Adding extra library path to m_ssl_gnutls.cpp ... /usr/local/lib
BUILD: modules/m_ssl_gnutls.cpp
In file included from /usr/home/[username]/inspircd/src/modules/m_ssl_gnutls.cpp:27:
/usr/local/include/gcrypt.h:1336: warning: 'gcry_ac_io_mode_t' is deprecated (declared at /usr/local/include/gcrypt.h:1324)
/usr/local/include/gcrypt.h:1337: warning: 'gcry_ac_io_type_t' is deprecated (declared at /usr/local/include/gcrypt.h:1331)
/usr/local/include/gcrypt.h:1344: warning: 'gcry_ac_data_read_cb_t' is deprecated (declared at /usr/local/include/gcrypt.h:1312)
/usr/local/include/gcrypt.h:1358: warning: 'gcry_ac_data_write_cb_t' is deprecated (declared at /usr/local/include/gcrypt.h:1317)
/usr/local/include/gcrypt.h:1393: warning: 'gcry_md_algo_t' is deprecated (declared at /usr/local/include/gcrypt.h:1387)
/usr/local/include/gcrypt.h:1401: warning: 'gcry_md_algo_t' is deprecated (declared at /usr/local/include/gcrypt.h:1387)
/usr/home/[username]/inspircd/src/modules/m_ssl_gnutls.cpp: In member function 'virtual void ModuleSSLGnuTLS::OnModuleRehash(User*, const std::string&)':
/usr/home/[username]/inspircd/src/modules/m_ssl_gnutls.cpp:319: warning: 'gnutls_certificate_client_set_retrieve_function' is deprecated (declared at /usr/local/include/gnutls/compat.h:161)
/usr/home/[username]/inspircd/src/modules/m_ssl_gnutls.cpp:319: warning: 'gnutls_certificate_client_set_retrieve_function' is deprecated (declared at /usr/local/include/gnutls/compat.h:161)

The build completes successfully; however, when attempting to link to another server running inspircd 2.0.8, the handshake fails. The remote server which I'm trying to link to does not exhibit this behavior - services links to the remote server perfectly fine using GNUTLS.

Also, during compilation, I had to manually edit BSDmakefile to disable optimization; otherwise the build failed. I don't know if this would cause the issue, but I'm expecting the culprit is my version of libgcrypt. I'm compiling on a host system where I don't have access to upgrading or downgrading these; I simply have normal user access - it's a shell account.

Here's the dump from .config.cache:

USE_POLL="y"
CC="g++"
DESTINATION="BASE"
UID="1279"
default_libdir_gnutls="-L/usr/local/lib -lgnutls "
HAS_OPENSSL_PORT=""
BUILD_DIR="/usr/home/[username]/inspircd/build"
default_includedir_gnutls="-I/usr/local/include -I/usr/local/include/p11-kit-1 -DVERSION_GNUTLS="2.12.18""
HAS_KQUEUE="1"
USE_GNUTLS="y"
USE_FREEBSD_PORTS_SSL="n"
HAS_OPENSSL="y"
MAXBUF="512"
GCCVER="4"
_SOMAXCONN="128"
HAS_GNUTLS="y"
HAS_EVENTFD="false"
HAS_EPOLL=""
STARTSCRIPT="inspircd"
ME="/usr/home/[username]/inspircd"
USE_OPENSSL="n"
OPTIMISATI="-g1"
USE_KQUEUE="y"
CONFIG_DIR="/usr/home/[username]/ircd/conf"
MODULE_DIR="/usr/home/[username]/ircd/modules"
HAS_STRLCPY="true"
USE_PORTS="0"
SYSTEM="freebsd"
BASE_DIR="/usr/home/[username]/ircd"
USE_FREEBSD_BASE_SSL="y"
IS_DARWIN="NO"
CHANGE_COMPILER="n"
HAS_STDINT="true"
OSNAME="freebsd"
GCCMINOR="2"
USE_SSL="y"
SOCKETENGINE="socketengine_kqueue"
CERTGEN="y"
BINARY_DIR="/usr/home/[username]/ircd/bin"
MODUPDATE="n"
USE_EPOLL="0"

@nixsec
Author

nixsec commented Jul 16, 2012

I've attempted various "hacks" such as installing libgcrypt and gnutls into my home directory and recompiling, still no luck. My host has libgcrypt 1.5.0 and gnutls 2.12.18 installed, for reasons unknown to me except one - the 1.4 branch is entering EOL on 2012-31-12. I haven't done too much thorough homework so the upgrade may pertain to some vulnerability related to FreeBSD.

Another thing to point out is that when compiling 2.0.5, I don't have to modify the BSDmakefile in order to perform a successful build. As I stated previously, compiling 2.0.8, I have to disable compiler optimization by changing -O2 to -O0; this is not the case when compiling 2.0.5.

@nixsec
Author

nixsec commented Jul 17, 2012

The only function referenced from the compiler warnings is gnutls_certificate_client_set_retrieve_function.

Here's some more debug information. I could really use some help here - been at this for a few days now without any luck.

Tue Jul 17 12:26:49 2012: Initializing m_ssl_gnutls.so
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Enabling SSL for port 208.185.81.206:7099
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Enabling SSL for port 208.185.81.206:6697
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Enabling SSL for port 208.185.81.206:7000
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Failed to set X.509 trust file 'conf/ca.pem': Error while reading file.
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Failed to set X.509 CRL file 'conf/crl.pem': Error while reading file.
Tue Jul 17 12:26:49 2012: classbase::+ @0xbfbfe58c
Tue Jul 17 12:26:49 2012: classbase::~ @0xbfbfe58c

When attempting to connect to the remote server:
-irc.nixsecurity.net- *** LINK: Connection to sigint.echelon4.net failed with error: Handshake Failed - An unexpected TLS packet was received.

Debug:

Tue Jul 17 12:29:26 2012: C[518AAAAAA] I :extern CONNECT sigint.echelon4.net
Tue Jul 17 12:29:26 2012: OPERLOG: [extern!extern@X] CONNECT sigint.echelon4.net
Tue Jul 17 12:29:26 2012: C[518AAAAAA] O :irc.nixsecurity.net NOTICE extern :* CONNECT: Connecting to server: sigint.echelon4.net (sigint.echelon4.net:7099)
Tue Jul 17 12:29:26 2012: Resolver::Resolver
Tue Jul 17 12:29:26 2012: classbase::+ @0xcf1a390
Tue Jul 17 12:29:26 2012: New file descriptor: 16
Tue Jul 17 12:29:26 2012: BufferedSocket::DoConnect success
Tue Jul 17 12:29:26 2012: S[16] O CAPAB START 1202
Tue Jul 17 12:29:26 2012: LINK: Connection to sigint.echelon4.net[sigint.echelon4.net] started.
Tue Jul 17 12:29:26 2012: C[518AAAAAA] O :irc.nixsecurity.net NOTICE extern :* LINK: Connection to sigint.echelon4.net[sigint.echelon4.net] started.
Tue Jul 17 12:29:26 2012: Error on FD 16 - 'Handshake Failed - An unexpected TLS packet was received.'
Tue Jul 17 12:29:26 2012: LINK: Connection to sigint.echelon4.net failed with error: Handshake Failed - An unexpected TLS packet was received.
Tue Jul 17 12:29:26 2012: C[518AAAAAA] O :irc.nixsecurity.net NOTICE extern :* LINK: Connection to sigint.echelon4.net failed with error: Handshake Failed - An unexpected TLS packet was received.
Tue Jul 17 12:29:30 2012: DoWrite on errored or closed socket
Tue Jul 17 12:29:30 2012: Remove file descriptor: 16
Tue Jul 17 12:29:30 2012: LINK: Connection to 'sigint.echelon4.net' failed.
Tue Jul 17 12:29:30 2012: C[518AAAAAA] O :irc.nixsecurity.net NOTICE extern :* LINK: Connection to 'sigint.echelon4.net' failed.
Tue Jul 17 12:29:30 2012: LINK: Connection to 'sigint.echelon4.net' was established for 4s
Tue Jul 17 12:29:30 2012: C[518AAAAAA] O :irc.nixsecurity.net NOTICE extern :*** LINK: Connection to 'sigint.echelon4.net' was established for 4s
Tue Jul 17 12:29:31 2012: Deleting 10TreeSocket @0xcf1a390
Tue Jul 17 12:29:31 2012: classbase::-10TreeSocket @0xcf1a390
Tue Jul 17 12:29:31 2012: classbase::~ @0xcf1a390

Deps/Libs Information

irc.nixsecurity.net is compiled against libgcrypt 1.5.0 and gnutls 2.12.18 (FreeBSD)
sigint.echelon4.net is compiled against libgcrypt-1.4.5-9.el6_2.2.x86_64 and gnutls-2.8.5-4.el6_2.2.x86_64 (CentOS)

@attilamolnar
Member

Errors such as "Handshake Failed - An unexpected TLS packet was received." are generated by gnutls itself, not by inspircd. The debug log shows the server connecting to another server, but then gnutls tells inspircd something went wrong and then inspircd breaks the connection because of that.
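
An added example, not part of the original thread or of InspIRCd's code: a small triage pass over debug-log lines in the format quoted in this issue. It separates m_ssl_gnutls load errors from per-socket errors and marks "Handshake Failed - ..." text as coming from the TLS library, as the comment above describes. The sample lines are constructed from the log above, and pairing a file descriptor with the next "LINK: ... started" line is a heuristic assumed for this example.

```python
import re

# Constructed sample: a few lines in the debug-log format quoted in this issue.
SAMPLE_LOG = """\
Tue Jul 17 12:26:49 2012: m_ssl_gnutls.so: Failed to set X.509 trust file 'conf/ca.pem': Error while reading file.
Tue Jul 17 12:29:26 2012: New file descriptor: 16
Tue Jul 17 12:29:26 2012: LINK: Connection to sigint.echelon4.net[sigint.echelon4.net] started.
Tue Jul 17 12:29:26 2012: Error on FD 16 - 'Handshake Failed - An unexpected TLS packet was received.'
Tue Jul 17 12:29:30 2012: Remove file descriptor: 16
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): (.*)$")
MODULE_ERR = re.compile(r"^m_ssl_gnutls\.so: (Failed to set .*)$")
NEW_FD = re.compile(r"^New file descriptor: (\d+)$")
LINK_START = re.compile(r"^LINK: Connection to (\S+?)\[.*\] started\.$")
FD_ERR = re.compile(r"^Error on FD (\d+) - '(.*)'$")

def triage(log_text):
    """Return TLS-related findings from a debug log, in order of appearance."""
    findings, last_fd, fd_peer = [], None, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped continuation lines carry no timestamp; skip them
        ts, msg = m.groups()
        if (e := MODULE_ERR.match(msg)):
            # Trust/CRL/cert files the module could not load at startup.
            findings.append({"time": ts, "kind": "tls-config", "detail": e.group(1)})
        elif (n := NEW_FD.match(msg)):
            last_fd = int(n.group(1))
        elif (s := LINK_START.match(msg)) and last_fd is not None:
            # Heuristic (assumption): the link belongs to the newest descriptor.
            fd_peer[last_fd] = s.group(1)
        elif (f := FD_ERR.match(msg)):
            fd, text = int(f.group(1)), f.group(2)
            # Text after "Handshake Failed - " is the TLS library's own message.
            origin = "tls-library" if text.startswith("Handshake Failed - ") else "other"
            findings.append({"time": ts, "kind": "socket-error", "fd": fd,
                             "peer": fd_peer.get(fd), "origin": origin, "detail": text})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
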

@attilamolnar
Member

Please comment if the problem persists with the newest version.
