Re: [Assp-test] SSL failures - client being denied

Thomas Eckardt Wed, 18 Jul 2018 00:48:02 -0700

is there a good reason for the 64 open files restriction in the OS?

Thomas






Von:    "James Brown via Assp-test" <assp-test@lists.sourceforge.net>
An:     "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Kopie:  "James Brown" <jlbr...@bordo.com.au>
Datum:  18.07.2018 09:37
Betreff:        Re: [Assp-test] SSL failures - client being denied



This is it failing with useDB4IntCache turned on:

Jul 18 17:03:28 mail ASSP[85659]: Jul-18-18 17:03:28 [Main_Thread] 
MainThread started
Jul 18 17:03:32 mail mdworker[85664]: (Normal) Import: Using too many 
resources after 64 files (wired: 0 resident: 129997 swapped: 2 regions: 
471), hit usage threshold importing 
/Applications/assp/sl-cache/main-SNMPhandler.sl, exiting to clean up now.
Jul 18 17:03:37 mail com.apple.launchd.peruser.89[9715] 
(com.apple.mdworker.pool.1): Throttling respawn: Will start in 5 seconds
Jul 18 17:03:43 mail mdworker[85669]: (Normal) Import: Using too many 
resources after 64 files (wired: 0 resident: 129495 swapped: 2 regions: 
473), hit usage threshold importing 
/Applications/assp/sl-cache/main-getOriginIPs.sl, exiting to clean up now.
Jul 18 17:03:48 mail com.apple.launchd.peruser.89[9715] 
(com.apple.mdworker.pool.1): Throttling respawn: Will start in 5 seconds
Jul 18 17:03:53 mail mdworker[85672]: (Normal) Import: Using too many 
resources after 64 files (wired: 0 resident: 129934 swapped: 2 regions: 
470), hit usage threshold importing 
/Applications/assp/sl-cache/main-DMARCaddReport.sl, exiting to clean up 
now.
Jul 18 17:03:58 mail com.apple.launchd.peruser.89[9715] 
(com.apple.mdworker.pool.1): Throttling respawn: Will start in 5 seconds
Jul 18 17:04:04 mail mdworker[85674]: (Normal) Import: Using too many 
resources after 64 files (wired: 0 resident: 130416 swapped: 2 regions: 
467), hit usage threshold importing 
/Applications/assp/sl-cache/main-BombWeight_Run.sl, exiting to clean up 
now.
Jul 18 17:04:09 mail com.apple.launchd.peruser.89[9715] 
(com.apple.mdworker.pool.1): Throttling respawn: Will start in 5 seconds
Jul 18 17:04:14 mail mdworker[85678]: (Normal) Import: Using too many 
resources after 64 files (wired: 0 resident: 129928 swapped: 2 regions: 
464), hit usage threshold importing 
/Applications/assp/sl-cache/main-BackDNSCacheAdd.sl, exiting to clean up 
now.

James.


On 18 Jul 2018, at 5:01 pm, James Brown via Assp-test <
assp-test@lists.sourceforge.net> wrote:

I turned on useDB4IntCache and restarted. It seemed to startup ok, but was 
not accepting any connections. Perl was running at almost 100% CPU, and 
the process was using about 4GB of RAM (normally under 1GB).

I had to turn it off (manually edit the config file) and force-quit Perl.

Is that normal? Did I just need to wait longer?

James.



On 18 Jul 2018, at 4:01 pm, Thomas Eckardt <thomas.ecka...@thockar.com> 
wrote:

Your Perl is not working correctly. 

The SSL-failed-Cache is not shared between all running threads. Depending 
on the setting of 'useDB4IntCache' BerkeleyDB or threads::shared does not 
work. 

Worker_1 has the IP in its SSL-failed-Cache - the MainThread (shows the 
GUI) has not. 

Thomas




Von:        "James Brown via Assp-test" <assp-test@lists.sourceforge.net> 
An:        "ASSP development mailing list" <
assp-test@lists.sourceforge.net> 
Kopie:        "James Brown" <jlbr...@bordo.com.au> 
Datum:        18.07.2018 07:44 
Betreff:        Re: [Assp-test] SSL failures - client being denied 



Setting banFailedSSLIP to ‘public only’ didn’t work: 

Jul-18-18 15:33:12 [Worker_1] Error: Worker_1 accept_SSL to client 
192.168.1.51 denied - the client failed before on SSL/TLS 
Error: Worker_1 accept_SSL to client 192.168.1.51 denied - the client 
failed before on SSL/TLS (suppressed 2 concurrent equal 'Error' loglines 
from all Workers) 

The IP 192.168.1.51 is not in SSL-failed-Cache 

James. 

On 18 Jul 2018, at 2:17 pm, Thomas Eckardt <thomas.ecka...@thockar.com> 
wrote: 

set 'banFailedSSLIP' to public only - and/or - include the ClientIP's 
(e.g. 192.168.0.0/16) in to 'noBanFailedSSLIP'


Thomas 


Von:        "James Brown via Assp-test" <assp-test@lists.sourceforge.net> 
An:        "ASSP development mailing list" <
assp-test@lists.sourceforge.net> 
Kopie:        "James Brown" <jlbr...@bordo.com.au> 
Datum:        18.07.2018 02:40 
Betreff:        [Assp-test] SSL failures - client being denied 



I’ve set up ASSP to accept connections on port 465 (was previously using 
stunnel).

It usually works fine, but sometimes I get users who can no longer send 
emails. Logs show:

Error: Worker_1 accept_SSL to client 192.168.1.51 denied - the client 
failed before on SSL/TLS (suppressed 8 concurrent equal 'Error' loglines 
from all Workers)
Jul-18-18 10:10:09 [Worker_1] Error: Worker_1 accept_SSL to client 
118.209.252.91 failed IO::Socket::SSL=GLOB(0x7f823b207498) (timeout: 5 s) 
: SSL wants a read first
Jul-18-18 10:10:55 [Worker_1] Error: Worker_1 accept_SSL to client 
192.168.1.51 denied - the client failed before on SSL/TLS
Error: Worker_1 accept_SSL to client 192.168.1.51 denied - the client 
failed before on SSL/TLS (suppressed 2 concurrent equal 'Error' loglines 
from all Workers)
Jul-18-18 10:11:09 [Worker_1] Error: Worker_1 accept_SSL to client 
118.209.252.91 denied - the client failed before on SSL/TLS

I have to restart ASSP so that they can send emails again. I’ll look at 
‘edit SSL-failed-cache’ next time.

Startup shows:

Jul-18-18 10:18:23 [init] Info: openssl version 1.0.2g is installed
Jul-18-18 10:18:23 [init] IO::Socket::SSL module version 2.022 installed - 
https and TLS/SSL is possible
Jul-18-18 10:18:23 [init] Found valid certificate and private key file - 
https and TLS/SSL is available
Jul-18-18 10:18:23 [init] The underlying SSL library Net::SSLeay version 
1.72 uses OpenSSL 1.0.2l  25 May 2017
Jul-18-18 10:18:23 [init] SSL_read_ahead will be used

Any suggestions?

I have:

SSLRetryOnError: 1
SSLtimeout: 5
maxSSLRenegotiations: 10
SSLDEBUG: 1

thanks,

James.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test 
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! 
http://sdm.link/slashdot_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: [Assp-test] SSL failures - client being denied

Reply via email to