I've been seeing the Dovecot/SSL/Fedora 1 problem.

I have a dovecot server which tends to die at least once a day,
with messages like these :-

May 24 13:44:44 mail pop3-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
May 24 13:44:44 mail dovecot: Login process died too early - shutting down

I noticed Timo's email about this at:
http://www.dovecot.org/list/dovecot/2004-May/003316.html
with the patch that just ignores the return code of RAND_bytes().

Would disabling SSL in dovecot.conf also be a reasonable way of
avoiding the problem of dovecot crashing?

My plan is to set
ssl_disable = yes
and also take out pops and imaps from protocols. That is a lot
easier for me than getting source, patching it, re-compiling and
re-installing.

We are using
Fedora Core 1 (fedora-release-1-3 i386 rpm)
Dovecot 0.99.10 (dovecot-0.99.10-4 i386 rpm)
OpenSSL 0.9.7a (openssl-0.9.7a-33.10 i386 rpm)

___________________________________________________________________________
David Keegel <djk at cybersource.com.au> http://www.cyber.com.au/users/djk/
Cybersource P/L: Linux/Unix Systems Administration Consulting/Contracting
On 24.5.2004, at 10:43, David Keegel wrote:

> I've been seeing the Dovecot/SSL/Fedora 1 problem.
>
> I have a dovecot server which tends to die at least once a day,
> with messages like these :-
> May 24 13:44:44 mail pop3-login: RAND_bytes() failed:
> error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> seeded
> May 24 13:44:44 mail dovecot: Login process died too early - shutting
> down
>
> I noticed Timo's email about this at:
> http://www.dovecot.org/list/dovecot/2004-May/003316.html
> with the patch that just ignores the return code of RAND_bytes().

That fixes the crashes, but probably still causes occasional problems
with SSL connection handshakes failing.

> Would disabling SSL in dovecot.conf also be a reasonable way of
> avoiding the problem of dovecot crashing?
>
> My plan is to set
> ssl_disable = yes

If you don't need SSL, it's a good solution.

> and also take out pops and imaps from protocols. That is a lot
> easier for me than getting source, patching it, re-compiling and
> re-installing.
>
> We are using
> Fedora Core 1 (fedora-release-1-3 i386 rpm)
> Dovecot 0.99.10 (dovecot-0.99.10-4 i386 rpm)
> OpenSSL 0.9.7a (openssl-0.9.7a-33.10 i386 rpm)

This could also be fixed by patching OpenSSL (I think). Patch in
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
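The failure mode discussed above, as an added example that is not code from Dovecot, OpenSSL or any message in this thread: seed material is gathered from a list of device files with a blocking, EINTR-tolerant read, and the caller checks the result and refuses to offer SSL when it is short, rather than ignoring the failure the way the RAND_bytes() return-code patch does. The file list, the ENTROPY_NEEDED value and the function names are assumptions; only POSIX is needed, no OpenSSL.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

#define ENTROPY_NEEDED 32  /* assumed: seed bytes required before the PRNG is trusted */

/* Read up to 'needed' bytes from the first readable files in the NULL-terminated
 * list 'files': blocking reads, retried on EINTR/EAGAIN, next file on EOF or
 * error. Returns the number of bytes gathered (== needed only on success). */
size_t gather_entropy(const char *const *files, unsigned char *buf, size_t needed)
{
    size_t n = 0;
    for (; *files != NULL && n < needed; files++) {
        /* O_NOCTTY: a misconfigured device must not become our controlling tty.
         * No O_NONBLOCK: waiting briefly beats running with an unseeded PRNG. */
        int fd = open(*files, O_RDONLY | O_NOCTTY);
        if (fd < 0)
            continue;
        while (n < needed) {
            ssize_t r = read(fd, buf + n, needed - n);
            if (r > 0)
                n += (size_t)r;
            else if (r < 0 && (errno == EINTR || errno == EAGAIN))
                continue;                 /* interrupted: retry this read */
            else
                break;                    /* EOF or hard error: next file */
        }
        close(fd);
    }
    return n;
}

/* The check a login process should make before offering SSL: 1 when enough
 * seed material was gathered, 0 when the service must fail closed instead of
 * ignoring the failure (the shortcut that leaves handshakes failing). */
int prng_seeded(const char *const *files)
{
    unsigned char seed[ENTROPY_NEEDED];
    size_t got = gather_entropy(files, seed, sizeof seed);
    memset(seed, 0, sizeof seed);  /* real code would pass this to RAND_seed() */
    return got == ENTROPY_NEEDED;
}

int main(void)
{
    static const char *const files[] = { "/dev/urandom", "/dev/random", NULL };
    return prng_seeded(files) ? 0 : 1;   /* exit status 1 = refuse to start SSL */
}
```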
On Mon, May 24, 2004 at 07:50:54PM +0300, Timo Sirainen wrote:
>
> This could also be fixed by patching OpenSSL (I think). Patch in
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284

That looks similar to a private patch I created some time back when
openssl changed its RAND_bytes logic. I've moved it forward to
successive openssl releases as I've installed them.

This is pretty specific to the environment here though-- particularly
where you know that you have a /dev/urandom. That openssl change (the
one that necessitated this patch) also broke systems where the
/dev/urandom was implemented via a pipe to a command.

Anyway, just for grins.. here's that local patch as carried forward to
0.9.7d

*** rand_unix.c.orig Sat Dec 27 11:01:52 2003 --- rand_unix.c Wed Mar 17 23:13:25 2004 *************** *** 167,182 **** --- 167,203 ---- for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++) { + + #ifndef MV_COMM if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK + #else /* mem 20030409 -- yes, let's block */ + if ((fd = open(*randomfile, O_RDONLY + #endif /* MV_COMM */ + #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it our controlling tty */ |O_NOCTTY #endif + + #ifndef MV_COMM /* mem 20030409 -- we don't have O_NOFOLLOW + but let's not even accidently consider + preventing following symbolic link here. + */ #ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */ |O_NOFOLLOW #endif + #endif /* MV_COMM */ )) >= 0) { + + #ifndef MV_COMM /* mem 20030409 -- don't do this idiotic timeout + stuff-- just read from the file. I don't care + if it hangs forever, it's better than failing. + Besides we'll put /dev/urandom first in the + list so if it hangs there are bigger problems + anyway. + */ + struct timeval t = { 0, 10*1000 }; /* Spend 10ms on each file. 
*/ int r; *************** *** 208,213 **** --- 229,251 ---- } while ((r > 0 || (errno == EINTR || errno == EAGAIN)) && t.tv_usec != 0 && n < ENTROPY_NEEDED); + + #else /* MV_COMM */ + + int r; + do { + r = read(fd, (unsigned char*)tmpbuf+n, + ENTROPY_NEEDED-n); + if ( r > 0 ) + n += r; + } + while ( (r > 0) || + ( (errno == EINTR) || ( errno == EAGAIN ) ) ); + /* yeah sure, check for AGAIN even though we + should be blocking. + */ + + #endif /* MV_COMM */ close(fd); }
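Review bot: in the first hunk (167,182 -> 167,203), the added `#ifndef MV_COMM` / `#endif /* MV_COMM */` pair around the existing `#ifdef O_NOFOLLOW` block drops the symlink check from every MV_COMM build, including platforms that do define O_NOFOLLOW; the inner `#ifdef` already skips the flag where it is missing, so the outer guard only weakens the open() (a symlink placed at a randomfile path would now be followed). Suggest removing that pair and keeping only the blocking-open change. The comment "we'll put /dev/urandom first in the list" also describes a reordering of `randomfiles` that this hunk does not contain, so either include it or drop the comment.

Review bot: in the second hunk (208,213 -> 229,251), the MV_COMM loop condition `while ( (r > 0) || ( (errno == EINTR) || ( errno == EAGAIN ) ) )` inspects errno even when read() returned 0 (EOF), which does not set errno, so a stale EINTR/EAGAIN from an earlier call keeps the loop spinning on a file that has reached EOF; it also has no `n < ENTROPY_NEEDED` bound and relies on a zero-length read to terminate once the buffer is full. Suggest `while (n < ENTROPY_NEEDED && (r > 0 || (r < 0 && (errno == EINTR || errno == EAGAIN))))`, and the comment should say that the EINTR retry is what keeps a signal from failing the seeding.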
On Mon, 24 May 2004, Timo Sirainen wrote:

> On 24.5.2004, at 10:43, David Keegel wrote:
>
> > I've been seeing the Dovecot/SSL/Fedora 1 problem.
> >
> > I have a dovecot server which tends to die at least once a day,
> > with messages like these :-
> > May 24 13:44:44 mail pop3-login: RAND_bytes() failed:
> > error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
> > seeded
> > May 24 13:44:44 mail dovecot: Login process died too early - shutting
> > down
> >
> > I noticed Timo's email about this at:
> > http://www.dovecot.org/list/dovecot/2004-May/003316.html
> > with the patch that just ignores the return code of RAND_bytes().
>
> That fixes the crashes, but probably still causes occasional problems
> with SSL connection handshakes failing.

I require encrypted communications between my server and my client for
all services, including smtp and imap. I was getting ready to upgrade my
server from RH9 and imap-2000 to fedora core 1 and dovecot until I saw
this thread.

Has anybody brought the ssl problem to the upstream maintainers so that
it can get fixed?

Thanks!
Ben