Hi,

I'd like to just update that this issue still happens with OpenBSD 6.9 and the latest uw-imapd installed from ports. I don't know if it's due to Thunderbird, the iOS email client or the Android email client. But in any case I end up having a lot of stale imapd processes in a busyloop that I need to manually kill.

I don't know why it happens or where, but likely in the disconnection code path related to SSL. So somehow it came back in OpenBSD 6.8 after it got fixed in 6.7. Possibly due to some changes in either imapd (I don't think so), or in libssl.


Best regards,

        - Jussi


On 1/28/21 8:35 AM, Theo Buehler wrote:
Hi,

On Thu, Jan 28, 2021 at 01:09:20AM +0200, Jussi Laako wrote:
Hi,

Looks like this problem has somehow resurfaced on OpenBSD 6.8, at least in
the pre-built packages. I have again imapd processes stuck in a busyloop...

Do I understand correctly that you're back to seeing the spinning when
thunderbird clients connect after you upgraded your mail server from 6.7
to 6.8-stable?

Can you figure out where the spinning happens?

Is it again the patches/patch-imap_src_osdep_unix_ssl_unix_c patch for
alpine or is it something else?  My understanding is that this is still
needed to be able to talk to gmail.

It would probably speed things up if you could provide some instructions
and a config file so we can reproduce the problem and poke at it.

Regards,

Theo



Best regards,

        - Jussi


On 13.9.2020 12.17, Jussi Laako wrote:
Hi,

I've updated my server with version built using this patch and it seems
to work without problems too.


Best regards,

      - Jussi


On 12.9.2020 14.00, richard.n.proc...@gmail.com wrote:


On Sat, 12 Sep 2020, Theo Buehler wrote:

On Sat, Sep 12, 2020 at 07:09:16PM +1200, richard.n.proc...@gmail.com wrote:

On Fri, 11 Sep 2020, Theo Buehler wrote:

Hi Richard,

Could you please give the patch below a go on a relatively -current
machine (anything after May 24 should be fine) and try if you can send
and read mail with gmail?

We have enabled AUTO_RETRY in libssl, so we should no longer do the
retry of the writes, it may actually break things. That should also
address the busy looping Jussi sees on the alpine server.

Hi Theo,

Sure thing. It looks like a no-go. Here's what I did:

First build the latest alpine(1) sans-patch and test:
- sysupgrade
- /usr/ports$ cvs -ACd
- make build && make install    in /usr/ports/mail/alpine
- this connects to gmail fine (as expected).

Then build with your patch. Alpine then fails to connect to gmail with
"SSL negotiation failed".

I applied my debug patch below on top of your patch (I've attached the
final patches/patch-imap_src_osdep_unix_ssl_unix_c file as the resultant
patch was unwieldy) and got the following two lines of output:

ssl_start_work: SSL_get_error: 3
ssl_start_work: ERR_get_error_line_data

Happy to help work on this further if you need.

Thank you. So that's again the issue we fixed by retrying the SSL_write
before 6.7.

The patch below should still let alpine interoperate with gmail and
hopefully also fix Jussi's thunderbird issue on the server. I simplified
and cleaned up the retry logic a bit. It preserves the logic apparently
really needed for gmail interoperation and removes the second SSL_write
retry that is probably spinning in a tight loop on Jussi's server.

Could both of you give this a try please?

alpine opens my gmail inbox with this patch.

I've also reconfirmed that the prior patch induced the "SSL negotiation
failed" error.

cheers,
Richard.


Index: Makefile
===================================================================
RCS file: /var/cvs/ports/mail/alpine/Makefile,v
retrieving revision 1.47
diff -u -p -r1.47 Makefile
--- Makefile    1 May 2020 09:09:14 -0000    1.47
+++ Makefile    12 Sep 2020 07:42:47 -0000
@@ -28,7 +28,7 @@ PKGNAME-mailutil=    mailutil-uw-${V}
   PKGNAME-pico=        pico-${PICO_V}
   PKGNAME-pilot=        pilot-${PILOT_V}
-REVISION=        4
+REVISION=        5
   REVISION-pico=        20
   REVISION-pilot=        20
Index: patches/patch-imap_src_osdep_unix_ssl_unix_c
===================================================================
RCS file: 
/var/cvs/ports/mail/alpine/patches/patch-imap_src_osdep_unix_ssl_unix_c,v

retrieving revision 1.1
diff -u -p -r1.1 patch-imap_src_osdep_unix_ssl_unix_c
--- patches/patch-imap_src_osdep_unix_ssl_unix_c    1 May 2020
09:09:14 -0000    1.1
+++ patches/patch-imap_src_osdep_unix_ssl_unix_c    12 Sep 2020
07:57:42 -0000
@@ -1,7 +1,7 @@
   $OpenBSD: patch-imap_src_osdep_unix_ssl_unix_c,v 1.1
2020/05/01 09:09:14 tb Exp $
   * some popular mail services enforce SNI for TLSv1.3 clients,
so send it
-* retry SSL_write if we're told to do so.
+* retry SSL_write on blocking socket if we're told to do so.
   Index: imap/src/osdep/unix/ssl_unix.c
   --- imap/src/osdep/unix/ssl_unix.c.orig
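
Review bot: The updated description line says the retry applies "on blocking socket", but nothing visible in this patch checks or sets the blocking mode of the descriptor before the retry loop. Either note where blocking mode is guaranteed, or reword the line to describe what the loop actually keys on (SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE, and SSL_ERROR_SYSCALL with EINTR). The line should also say that only the SSL_write in ssl_start_work is retried now, since the ssl_sout retry is removed further down.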
@@ -14,7 +14,7 @@ Index: imap/src/osdep/unix/ssl_unix.c
      unsigned long sl,tl;
      char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
      sslcertificatequery_t scq =
-@@ -313,12 +314,22 @@ static char *ssl_start_work (SSLSTREAM
*stream,char *h
+@@ -313,12 +314,21 @@ static char *ssl_start_work (SSLSTREAM
*stream,char *h
                    /* create connection */
      if (!(stream->con = (SSL *) SSL_new (stream->context)))
        return "SSL connection failed";
@@ -29,28 +29,11 @@ Index: imap/src/osdep/unix/ssl_unix.c
   -  if (SSL_write (stream->con,"",0) < 0)
   +  do {
   +    ssl_err = SSL_write (stream->con,"",0);
-+  } while ((ssl_err == -1 &&
-+      SSL_get_error(stream->con, ssl_err) == SSL_ERROR_SYSCALL
&& errno == EINTR) ||
-+    (ssl_err < 0 &&
-+      (SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_READ ||
-+        SSL_get_error(stream->con, ssl_err) ==
SSL_ERROR_WANT_WRITE)));
++  } while (ssl_err < 0 &&
++      ((SSL_get_error(stream->con, ssl_err) ==
SSL_ERROR_SYSCALL && errno == EINTR) ||
++       SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_READ ||
++        SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_WRITE));
   +  if (ssl_err < 0)
        return ssl_last_error ? ssl_last_error : "SSL negotiation
failed";
                    /* need to validate host names? */
      if (!(flags & NET_NOVALIDATECERT) &&
-@@ -626,7 +637,14 @@ long ssl_sout (SSLSTREAM *stream,char
*string,unsigned
-                 /* until request satisfied */
-   for (i = 0; size > 0; string += i,size -= i)
-                 /* write as much as we can */
--    if ((i = SSL_write (stream->con,string,(int) min
(SSLBUFLEN,size))) < 0) {
-+    do {
-+      i = SSL_write (stream->con,string,(int) min (SSLBUFLEN,size));
-+    } while ((i == -1 &&
-+        SSL_get_error(stream->con, i) == SSL_ERROR_SYSCALL &&
errno == EINTR) ||
-+      (i < 0 &&
-+        (SSL_get_error(stream->con, i) == SSL_ERROR_WANT_READ ||
-+          SSL_get_error(stream->con, i) == SSL_ERROR_WANT_WRITE)));
-+    if (i < 0) {
-       if (tcpdebug) {
-     char tmp[MAILTMPLEN];
-     sprintf (tmp,"SSL data write I/O error %d SSL error %d",
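
Review bot: In the new `do { ... } while` condition in ssl_start_work, SSL_get_error() is called up to three times per iteration and errno is read only after the first of those calls, so the value compared with EINTR may no longer be the one SSL_write left behind. Save the SSL_get_error() result and errno in locals directly after SSL_write and test those. The loop also still has no iteration limit and no wait between attempts on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE; since this hunk removes the same pattern from ssl_sout, either bound it here too or add a comment explaining why it cannot spin in ssl_start_work.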


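The thread above turns on a retry loop that repeats SSL_write for as long as libssl reports WANT_READ or WANT_WRITE, which can spin when the peer stalls or disconnects. As an added example that is not part of the thread or of the alpine port, here is a retry helper that waits on the descriptor and gives up after a budget. The `tls_status` values, `bounded_write` and the fake transports are hypothetical stand-ins, and no libssl is linked.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-ins for what SSL_get_error() reports after SSL_write(). */
enum tls_status { TLS_OK, TLS_WANT_READ, TLS_WANT_WRITE, TLS_EINTR, TLS_FATAL };

/* One write attempt; real code would call SSL_write() and SSL_get_error() once. */
typedef enum tls_status (*attempt_fn)(void *ctx);

/* Retry with a readiness wait and a budget instead of spinning. Returns 0 on
 * success, -1 on fatal error or hangup, -2 when budget or timeout runs out. */
int bounded_write(attempt_fn attempt, void *ctx, int fd,
                  int timeout_ms, int max_waits, int *waits)
{
    for (*waits = 0;;) {
        struct pollfd pfd = { .fd = fd, .events = 0, .revents = 0 };
        switch (attempt(ctx)) {               /* classify each attempt once */
        case TLS_OK:         return 0;
        case TLS_EINTR:      continue;        /* interrupted: retry at once */
        case TLS_WANT_READ:  pfd.events = POLLIN;  break;
        case TLS_WANT_WRITE: pfd.events = POLLOUT; break;
        default:             return -1;
        }
        if (*waits >= max_waits) return -2;   /* budget spent: give up */
        ++*waits;
        int r = poll(&pfd, 1, timeout_ms);    /* sleep until the fd is ready */
        if (r < 0 && errno != EINTR) return -1;
        if (r == 0) return -2;                /* peer stalled past the timeout */
        if (r > 0 && (pfd.revents & (POLLERR | POLLHUP | POLLNVAL))) return -1;
    }
}

/* Constructed fake transports for the demo; no real TLS is involved. */
enum tls_status want_write_n(void *ctx)   /* WANT_WRITE *ctx times, then OK */
{ int *n = ctx; return (*n)-- > 0 ? TLS_WANT_WRITE : TLS_OK; }
enum tls_status always_want_read(void *ctx) { (void)ctx; return TLS_WANT_READ; }

int main(void)
{
    int p[2], waits, left = 2;
    if (pipe(p) != 0) return 1;
    int rc = bounded_write(want_write_n, &left, p[1], 50, 8, &waits);
    printf("recovering peer: rc=%d waits=%d\n", rc, waits);
    rc = bounded_write(always_want_read, NULL, p[0], 20, 8, &waits);
    printf("stalled peer:    rc=%d waits=%d\n", rc, waits);
    return 0;
}
```

A pipe stands in for the socket so the helper runs offline; when the other end is closed, poll reports a hangup and the helper returns -1 instead of looping.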

