Re: [Dovecot] SSL errors for just one client after updating both dovecot and openssl

2013-02-25 Thread Charles Marcus

On 2013-02-23 11:32 AM, Reindl Harald h.rei...@thelounge.net wrote:
> On 23.02.2013 17:03, Charles Marcus wrote:
>> OpenSSL was 1.0.0j, now updated to 1.0.1c
>> Dovecot was 2.1.13, now updated to 2.1.15
>
> on which distribution can you update openssl with an ABI-bump
> without re-compile half of the system?

Gentoo... been using it for over 8 years, and been through LOTS of major
changes like this with only the occasional problem.

> 1.0.0x is not binary compatible with 1.0.1x and that is as example why Fedora
> 17 stays at 1.0.0x and Fedora 18 has 1.01x

When something like this does happen, gentoo automatically rebuilds any
affected packages - or at least it is supposed to (mistakes happen,
things get left out/missed)...

>> I'm getting a bunch of lines like the following:
>>
>> Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
>>
>> where only the session id (and number of seconds for no auth attempts) is
>> different...
>
> how looks your ssl_cipher_list?
> ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH

Using the defaults:

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Looks like they are slowly disappearing though... the last one was 12:35 
yesterday. Also, looks like there were two other users/clients affected. 
I called the first one and had him check and he said he wasn't seeing 
any errors or problems on his end. I then had him restart all of his 
mail clients (restarted his phone just to be sure), and after he did 
this these errors disappeared (for his IP).


On 2013-02-24 9:55 AM, Timo Sirainen t...@iki.fi wrote:
> Most likely related to the OpenSSL upgrade. Dovecot at least didn't
> change anything SSL related. You could see if verbose_ssl=yes logs
> anything interesting. And like Reindl mentioned, ssl_cipher_list is
> pretty much the only thing in Dovecot's configuration that may be
> related to this.


Yeah, I expected it to be related to the openssl upgrade, I was just 
seeing if anyone else had been through it before and whether or not I 
needed to do anything proactively to fix it.


Thanks for the responses,

--

Best regards,

Charles
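Added example, not part of the original thread or of Dovecot: a small log triage script for the situation described above, grouping `TLS handshaking` failures from login-process lines by remote IP and recording when each client last failed, so it is easy to see which clients are affected and whether the errors are dying out. The sample lines, IP addresses, session ids and the `year` parameter are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation IPs, made-up session ids) in the
# login-process format quoted in the thread.
SAMPLE_LOG = """\
Feb 22 12:35:10 myhost dovecot: imap-login: Disconnected (no auth attempts in 30 secs): user=<>, rip=198.51.100.7, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<AAAAAAAAAAAAAAAA>
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=<>, rip=192.0.2.10, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<BBBBBBBBBBBBBBBB>
Feb 23 10:49:02 myhost dovecot: imap-login: Disconnected (no auth attempts in 31 secs): user=<>, rip=192.0.2.10, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<CCCCCCCCCCCCCCCC>
Feb 23 10:50:00 myhost dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.5, lport=993, mpid=4242, TLS, session=<DDDDDDDDDDDDDDDD>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: [\w-]+-login: "
    r"(?P<event>Disconnected|Aborted login|Login)\b.*?\brip=(?P<rip>[^,\s]+)"
    r"(?:.*?TLS handshaking: (?P<tls_error>.*?)(?:, session=|$))?"
)

def summarize(log_text, year=2013):
    """Per remote IP: handshake failures, successful logins, last failure time.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    stats = defaultdict(lambda: {"failures": 0, "logins": 0,
                                 "last_failure": None, "errors": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entry = stats[m["rip"]]
        if m["tls_error"]:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            entry["failures"] += 1
            entry["errors"].add(m["tls_error"])
            if entry["last_failure"] is None or when > entry["last_failure"]:
                entry["last_failure"] = when
        elif m["event"] == "Login":
            entry["logins"] += 1
    return dict(stats)

def failing_clients(stats):
    """IPs with handshake failures, most recent failure first."""
    failing = [(s["last_failure"], rip) for rip, s in stats.items() if s["failures"]]
    return [rip for _, rip in sorted(failing, reverse=True)]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for rip in failing_clients(result):
        s = result[rip]
        print(rip, s["failures"], s["last_failure"], sorted(s["errors"]))
```

A client that shows both failures and successful logins in the same window is usually one device or mail program among several behind that address, which narrows down what to restart or reconfigure.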



Re: [Dovecot] SSL errors for just one client after updating both dovecot and openssl

2013-02-24 Thread Timo Sirainen

On 23.2.2013, at 18.03, Charles Marcus cmar...@media-brokers.com wrote:

> Ok, I have a strange problem after updating both dovecot and openssl...
>
> OpenSSL was 1.0.0j, now updated to 1.0.1c
> Dovecot was 2.1.13, now updated to 2.1.15
>
> I'm getting a bunch of lines like the following:
>
> Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
>
> where only the session id (and number of seconds for no auth attempts) is
> different...
>
> This is happening for only the one client. All other clients - I've counted
> about 25 so far - are working fine.
>
> Anyone have any ideas? I can't believe it is a generic openssl problem, since
> it is only affecting the one client.

Most likely related to the OpenSSL upgrade. Dovecot at least didn't change
anything SSL related. You could see if verbose_ssl=yes logs anything
interesting. And like Reindl mentioned, ssl_cipher_list is pretty much the only
thing in Dovecot's configuration that may be related to this.



[Dovecot] SSL errors for just one client after updating both dovecot and openssl

2013-02-23 Thread Charles Marcus

Hi all,

Ok, I have a strange problem after updating both dovecot and openssl...

OpenSSL was 1.0.0j, now updated to 1.0.1c
Dovecot was 2.1.13, now updated to 2.1.15

I'm getting a bunch of lines like the following:

Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2


where only the session id (and number of seconds for no auth attempts) 
is different...


This is happening for only the one client. All other clients - I've 
counted about 25 so far - are working fine.


Anyone have any ideas? I can't believe it is a generic openssl problem, 
since it is only affecting the one client.


I've contacted him and asked him to reboot any/all devices that connect 
to our mail to see if that helps...


--

Best regards,

Charles



Re: [Dovecot] SSL errors for just one client after updating both dovecot and openssl

2013-02-23 Thread Reindl Harald

On 23.02.2013 17:03, Charles Marcus wrote:
> OpenSSL was 1.0.0j, now updated to 1.0.1c
> Dovecot was 2.1.13, now updated to 2.1.15

on which distribution can you update openssl with an ABI-bump
without re-compile half of the system? 1.0.0x is not binary
compatible with 1.0.1x and that is as example why Fedora
17 stays at 1.0.0x and Fedora 18 has 1.01x

> I'm getting a bunch of lines like the following:
>
> Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=In+cO2bWngCthJz2
>
> where only the session id (and number of seconds for no auth attempts) is
> different...

how looks your ssl_cipher_list?
ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH


