Hello,

We are running Dovecot 1.0.0 (Debian Etch, Backports.org, OpenSSL) in a production environment and we experience sporadic SSL connection problems. At the moment, it's difficult to tell if the server goes back to normal operation after some time or if it can be reproduced at any time, because we have to restart it as soon as we get Nagios alerts.

Some tests with openssl s_client have shown difficulties proceeding with the SSL handshake (hanging at different stages), or no response to IMAP commands.

SSL client used:

    openssl s_client -host imap -port 993

- First case: s_client hangs on the first output "CONNECTED(00000003)" and there is no handshake at all;
- Second case: like the first but the handshake starts after a few minutes;
- Third case: the handshake goes fine but the "OK" server banner is never sent (no response to commands);
- Fourth case: the greeting banner is received but dovecot will never answer.

The configuration file is almost identical to the default and the SSL certificate is not the autogenerated one.
Log files do not show any dying process.

I've searched the ML archive for SSL issues but have not found a related bug.
Does anyone use the Backports.org package of Dovecot?

Thank you :)

--
Thibault VINCENT
tibal at reloaded.fr
thibault.vincent at reloaded.fr
PGP Key : 0x4BA8A39B

On Thu, 2007-08-23 at 14:24 +0200, Thibault VINCENT wrote:
> - First case : s_client hangs on the first output "CONNECTED(00000003)" and
> there is no handshake at all;
> - Second case : like the first but the handshake starts after a few minutes;
> - Third case : the handshake goes fine but the "OK" server banner is never
> sent (no response to commands);
> - Fourth case : the greeting banner is received but dovecot will never answer.
>
> The configuration file is almost identical to the default and SSL certificate
> is not the autogenerated one.
> Log files do not show dying process.

You could strace imap-login process to see what it's doing while the connection is hanging, and what changes when the handshake starts. Set login_processes_count=1 to make it easier to figure out what imap-login process to strace.

Timo Sirainen wrote:
> You could strace imap-login process to see what it's doing while the
> connection is hanging, and what changes when the handshake starts. Set
> login_processes_count=1 to make it easier to figure out what imap-login
> process to strace.

Thank you Timo, but how can I figure out what imap-login process needs to be straced with login_processes_count=1? Even with this setting, I have about 60 imap-login processes and it's impossible to pick the right one (if I was able to login, I could actually find it with the PPID of its child but I can't).

I've enabled plain IMAP so next time it crashes I'll see if only the SSL sessions are affected.

--
Thibault VINCENT
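
A probe that times each stage of an IMAPS session and maps the result onto the four cases listed in the first message, as an added example that is not part of the original thread. The 300 s timeout, the 60 s "slow handshake" threshold and the use of LOGOUT as the test command are assumptions.

```python
import socket
import ssl
import sys
import time

STAGES = ("tcp", "tls", "greeting", "command")

def probe(host, port=993, timeout=300.0):
    """Time each stage; a stage that hangs or gets no usable reply stays None."""
    t = dict.fromkeys(STAGES)
    ctx = ssl.create_default_context()   # normal certificate verification
    try:
        start = time.monotonic()
        raw = socket.create_connection((host, port), timeout=timeout)
        t["tcp"] = time.monotonic() - start
        start = time.monotonic()         # the TLS handshake runs in wrap_socket
        with ctx.wrap_socket(raw, server_hostname=host) as tls, tls.makefile("rb") as rfile:
            t["tls"] = time.monotonic() - start
            start = time.monotonic()
            if rfile.readline().startswith(b"* OK"):
                t["greeting"] = time.monotonic() - start
                tls.sendall(b"a1 LOGOUT\r\n")   # needs no login (assumed test command)
                start = time.monotonic()
                if rfile.readline():
                    t["command"] = time.monotonic() - start
    except socket.timeout:
        pass                             # the stage in progress stays None
    return t

def classify(t, slow=60.0):
    """Report the first anomaly, using the case numbering of the first message."""
    if t["tcp"] is None:
        return "no TCP connection"
    if t["tls"] is None:
        return "case 1: connected, no handshake"
    if t["tls"] > slow:
        return "case 2: handshake started late"
    if t["greeting"] is None:
        return "case 3: handshake fine, no banner"
    if t["command"] is None:
        return "case 4: banner received, no answer to command"
    return "ok"

if __name__ == "__main__":
    print(classify(probe(sys.argv[1])))
```

Run periodically against the server, the recorded stage timings show whether a hang clears on its own or persists, without restarting the service first.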