On 20.03.2018 10:16, Kadlecsik József wrote: > On Fri, 20 Oct 2017, Kadlecsik József wrote: > >> On Fri, 6 Oct 2017, Jozsef Kadlecsik wrote: >> >>> We upgraded one of our dovecot servers to debian stretch with dovecot >>> 2.2.27 and since then one of our users has been experiencing random IMAP >>> failures. >>> >>> On the client side the user runs alpine and the corresponding debug lines: >>> >>> IMAP DEBUG 14:22:02.216167: 00000011 FETCH 6 (BODYSTRUCTURE FLAGS) >>> >>> 14:22:02.217396 >>> IMAP 14:22:02 10/6 mm_notify bye: >>> {[127.0.0.1]:1555/imap/user="ha4aa"}INBOX: [CLOSED] IMAP connection broken >>> (server response) >> The date of the last rawlog line corresponds to an ssl debug log of >> dovecot (from the last run): >> >> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read() >> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init > It is an openssl compatibility issue introduced in OpenSSL 1.0.2f. The > IMAP failures could be solved with the following patches, which are > similar to what nginx uses (http://hg.nginx.org/nginx/rev/062c189fee20): > > For Dovecot 2.2.35: > > diff --git a/src/lib-ssl-iostream/iostream-openssl.c > b/src/lib-ssl-iostream/iostream-openssl.c > index 68ec221..31d1017 100644 > --- a/src/lib-ssl-iostream/iostream-openssl.c > +++ b/src/lib-ssl-iostream/iostream-openssl.c > @@ -324,7 +324,7 @@ static void openssl_iostream_unref(struct ssl_iostream > *ssl_io) > > static void openssl_iostream_destroy(struct ssl_iostream *ssl_io) > { > - if (SSL_shutdown(ssl_io->ssl) != 1) { > + if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) { > /* if bidirectional shutdown fails we need to clear > the error queue */ > openssl_iostream_clear_errors(); > diff --git a/src/login-common/ssl-proxy-openssl.c > b/src/login-common/ssl-proxy-openssl.c > index 947c8ef..3ac6823 100644 > --- a/src/login-common/ssl-proxy-openssl.c > +++ b/src/login-common/ssl-proxy-openssl.c 
> @@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy) > if (proxy->io_plain_write != NULL) > io_remove(&proxy->io_plain_write); > > - if (SSL_shutdown(proxy->ssl) != 1) { > + if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) { > /* if bidirectional shutdown fails we need to clear > the error queue. */ > openssl_iostream_clear_errors(); > > For Dovecot master branch: > > diff --git a/src/lib-ssl-iostream/iostream-openssl.c > b/src/lib-ssl-iostream/iostream-openssl.c > index 45de412..ed1f0a4 100644 > --- a/src/lib-ssl-iostream/iostream-openssl.c > +++ b/src/lib-ssl-iostream/iostream-openssl.c > @@ -345,7 +345,7 @@ static void openssl_iostream_unref(struct ssl_iostream > *ssl_io) > > static void openssl_iostream_destroy(struct ssl_iostream *ssl_io) > { > - if (SSL_shutdown(ssl_io->ssl) != 1) { > + if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) { > /* if bidirectional shutdown fails we need to clear > the error queue */ > openssl_iostream_clear_errors(); > > Best regards, > Jozsef > -- > E-mail : kadlecsik.joz...@wigner.mta.hu > PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences > H-1525 Budapest 114, POB. 49, Hungary Hi!
Thank you for your patch, we'll look into it. Aki
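Review bot: in the 2.2.35 hunk for openssl_iostream_destroy() (src/lib-ssl-iostream/iostream-openssl.c), the new test "!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1" also skips openssl_iostream_clear_errors() whenever the handshake is still in progress. Before the change, that path always reached the clear call, because SSL_shutdown() failed there. It is worth confirming that a connection torn down mid-handshake cannot leave entries on the OpenSSL error queue, or else clearing the queue on the in-init path as well. A short comment saying that SSL_shutdown() is skipped because it fails with "shutdown while in init" during the handshake would also help, since the existing comment only mentions a failed bidirectional shutdown.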
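Review bot: in the 2.2.35 hunk for ssl_proxy_destroy() (src/login-common/ssl-proxy-openssl.c), the condition "!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1" is a second copy of the test added to openssl_iostream_destroy(). The two teardown paths can drift apart if one is adjusted later. Consider a small shared helper that does the in-init check, the shutdown call and the error-queue clearing in one place, and have both destroy functions call it.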
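Review bot: the master-branch patch changes only openssl_iostream_destroy() in src/lib-ssl-iostream/iostream-openssl.c, while the 2.2.35 patch also changes ssl_proxy_destroy() in src/login-common/ssl-proxy-openssl.c. Please state in the patch description whether master has no other SSL_shutdown() call on a teardown path, so it is clear that the login-side failure ("SSL_shutdown:shutdown while in init") is covered there too.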