On 20.03.2018 10:16, Kadlecsik József wrote:
> On Fri, 20 Oct 2017, Kadlecsik József wrote:
>
>> On Fri, 6 Oct 2017, Jozsef Kadlecsik wrote:
>>
>>> We upgraded one of our dovecot servers to debian stretch with dovecot 
>>> 2.2.27 and since then one of our users has been experiencing random IMAP 
>>> failures.
>>>
>>> On the client side the user runs alpine and the corresponding debug lines:
>>>
>>> IMAP DEBUG 14:22:02.216167: 00000011 FETCH 6 (BODYSTRUCTURE FLAGS)
>>>
>>> 14:22:02.217396
>>> IMAP 14:22:02 10/6 mm_notify bye: 
>>> {[127.0.0.1]:1555/imap/user="ha4aa"}INBOX: [CLOSED] IMAP connection broken 
>>> (server response)
>> The date of the last rawlog line corresponds to an ssl debug log of 
>> dovecot (from the last run):
>>
>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read() 
>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> It is an openssl compatibility issue introduced in OpenSSL 1.0.2f. The 
> IMAP failures could be solved with the following patches, which are 
> similar to what nginx uses (http://hg.nginx.org/nginx/rev/062c189fee20):
>
> For Dovecot 2.2.35:
>
> diff --git a/src/lib-ssl-iostream/iostream-openssl.c 
> b/src/lib-ssl-iostream/iostream-openssl.c
> index 68ec221..31d1017 100644
> --- a/src/lib-ssl-iostream/iostream-openssl.c
> +++ b/src/lib-ssl-iostream/iostream-openssl.c
> @@ -324,7 +324,7 @@ static void openssl_iostream_unref(struct ssl_iostream 
> *ssl_io)
>  
>  static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
>  {
> -     if (SSL_shutdown(ssl_io->ssl) != 1) {
> +     if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
>               /* if bidirectional shutdown fails we need to clear
>                  the error queue */
>               openssl_iostream_clear_errors();
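
Review bot: With the `!SSL_in_init(ssl_io->ssl) &&` guard on the changed line of openssl_iostream_destroy(), a connection torn down mid-handshake now skips the openssl_iostream_clear_errors() call in the branch body as well as SSL_shutdown(). Before this change that path returned something other than 1 and the queue was cleared. If the unfinished handshake left entries on the OpenSSL error queue, nothing in this function removes them now. Consider clearing errors in the in-init case too, or confirm that the queue is cleared elsewhere before the next SSL call.
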
> diff --git a/src/login-common/ssl-proxy-openssl.c 
> b/src/login-common/ssl-proxy-openssl.c
> index 947c8ef..3ac6823 100644
> --- a/src/login-common/ssl-proxy-openssl.c
> +++ b/src/login-common/ssl-proxy-openssl.c
> @@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
>       if (proxy->io_plain_write != NULL)
>               io_remove(&proxy->io_plain_write);
>  
> -     if (SSL_shutdown(proxy->ssl) != 1) {
> +     if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) {
>               /* if bidirectional shutdown fails we need to clear
>                  the error queue. */
>               openssl_iostream_clear_errors();
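
Review bot: The condition on the changed line of ssl_proxy_destroy() is a verbatim copy of the one added to openssl_iostream_destroy() in iostream-openssl.c, so the two shutdown paths can drift apart on the next change. A small shared helper that returns early when SSL_in_init() is true, and otherwise calls SSL_shutdown() and clears the error queue on a result other than 1, would keep the rule in one place.
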
>
> For Dovecot master branch:
>
> diff --git a/src/lib-ssl-iostream/iostream-openssl.c 
> b/src/lib-ssl-iostream/iostream-openssl.c
> index 45de412..ed1f0a4 100644
> --- a/src/lib-ssl-iostream/iostream-openssl.c
> +++ b/src/lib-ssl-iostream/iostream-openssl.c
> @@ -345,7 +345,7 @@ static void openssl_iostream_unref(struct ssl_iostream 
> *ssl_io)
>  
>  static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
>  {
> -     if (SSL_shutdown(ssl_io->ssl) != 1) {
> +     if (!SSL_in_init(ssl_io->ssl) && SSL_shutdown(ssl_io->ssl) != 1) {
>               /* if bidirectional shutdown fails we need to clear
>                  the error queue */
>               openssl_iostream_clear_errors();
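
Review bot: The `SSL_in_init()` check on the changed line has no comment saying why shutdown is skipped, and the existing comment below it only covers the failed-shutdown case. A short comment noting that SSL_shutdown() on an unfinished handshake fails with "shutdown while in init" since OpenSSL 1.0.2f would record the intent. Also, the 2.2.35 patch touches src/login-common/ssl-proxy-openssl.c while this one does not; please state whether master has no equivalent call site.
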
>
> Best regards,
> Jozsef
> --
> E-mail : kadlecsik.joz...@wigner.mta.hu
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
>          H-1525 Budapest 114, POB. 49, Hungary
Hi!

Thank you for your patch, we'll look into it.

Aki
