After updating my system from OpenSSL 0.9.8j to 0.9.8k, Dovecot has stopped functioning properly with TLS sessions. The version of Dovecot does not seem to matter, as I tried 1.1.11 - 1.1.14. Other programs using SSL/TLS such as Postfix and lighttpd still work fine when built with the newer release of OpenSSL. The IMAP client doesn't matter. For the time being I have gone back to .13 linked against the older OpenSSL.

In the logs I see messages like the following...

dovecot: Apr 16 23:12:18 Info: imap-login: Disconnected (no auth attempts): rip=2001:470:b01e:3:216:41ff:fe17:6933, lip=2001:470:1d:8c::2, TLS handshaking: Disconnected

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

On Apr 17, 2009, at 12:18 AM, Brad wrote:
> In the logs I see messages like the following...
>
> dovecot: Apr 16 23:12:18 Info: imap-login: Disconnected (no auth attempts): rip=2001:470:b01e:3:216:41ff:fe17:6933, lip=2001:470:1d:8c::2, TLS handshaking: Disconnected

Anything else if you set verbose_ssl=yes?

On Friday 17 April 2009 00:25:26 Timo Sirainen wrote:
> On Apr 17, 2009, at 12:18 AM, Brad wrote:
> > In the logs I see messages like the following...
> >
> > dovecot: Apr 16 23:12:18 Info: imap-login: Disconnected (no auth attempts): rip=2001:470:b01e:3:216:41ff:fe17:6933, lip=2001:470:1d:8c::2, TLS handshaking: Disconnected
>
> Anything else if you set verbose_ssl=yes?

I have that set in my config already and the answer is no. Let me know if there is anything else I can do that might provide more details, even if it means applying a patch or anything to add any additional logging.

Timo Sirainen wrote:
> On Apr 17, 2009, at 12:18 AM, Brad wrote:
>
>> In the logs I see messages like the following...
>>
>> dovecot: Apr 16 23:12:18 Info: imap-login: Disconnected (no auth attempts): rip=2001:470:b01e:3:216:41ff:fe17:6933, lip=2001:470:1d:8c::2, TLS handshaking: Disconnected
>
> Anything else if you set verbose_ssl=yes?

Same problem here on

OpenBSD 4.5-current (GENERIC) #28: Wed Apr 15 04:56:04 MDT 2009 deraadt at sparc64.openbsd.org:/usr/src/sys/arch/sparc64/compile/GENERIC

with "OpenSSL 0.9.8k 25 Mar 2009" and Dovecot 1.1.14 from ports.

Log with verbose_ssl=yes:

dovecot: imap-login: Disconnected (no auth attempts): rip=Y.Y.Y.Y, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:0307F041:bignum routines:BNRAND:malloc failure

Hope that helps.

Brad wrote:
> On Saturday 18 April 2009 16:31:10 Timo Sirainen wrote:
>> On Sat, 2009-04-18 at 22:26 +0200, Christian Rueger wrote:
>>> dovecot: imap-login: Disconnected (no auth attempts): rip=Y.Y.Y.Y, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:0307F041:bignum routines:BNRAND:malloc failure
>> Oh. malloc() failed? See if increasing login_process_size helps (or set
>> it to 0 to disable the limit).
>
> I am not seeing the bit about SSL_accept() and setting login_process_size
> to 0 does not help.

Same here, and the imap-login process eats a lot of CPU power.

Christian Rueger wrote:
> Brad wrote:
>> On Saturday 18 April 2009 16:31:10 Timo Sirainen wrote:
>>> On Sat, 2009-04-18 at 22:26 +0200, Christian Rueger wrote:
>>>> dovecot: imap-login: Disconnected (no auth attempts): rip=Y.Y.Y.Y, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:0307F041:bignum routines:BNRAND:malloc failure
>>> Oh. malloc() failed? See if increasing login_process_size helps (or set
>>> it to 0 to disable the limit).
>>
>> I am not seeing the bit about SSL_accept() and setting login_process_size
>> to 0 does not help.
>
> Same here, and the imap-login process eats a lot of CPU power.

Today I enabled tracing for the imap process with

login_process_size = 0
login_processes_count = 1

then started Thunderbird on the client side and waited until it timed out.

The ktrace is attached.

On Monday 20 July 2009 15:15:29 Michael wrote:
> Hi,
>
> On 18.04.2009 22:31, Timo Sirainen wrote:
> > On Sat, 2009-04-18 at 22:26 +0200, Christian Rueger wrote:
> >> dovecot: imap-login: Disconnected (no auth attempts): rip=Y.Y.Y.Y, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:0307F041:bignum routines:BNRAND:malloc failure
> >
> > Oh. malloc() failed? See if increasing login_process_size helps (or set
> > it to 0 to disable the limit).
>
> I just updated to the latest sparc64 OpenBSD snapshot and am now getting
> those messages too:
>
> Jul 20 20:34:37 warden dovecot: imap-login: Disconnected (no auth attempts): rip=172.16.94.70, lip=80.237.235.10, TLS handshaking: SSL_accept() failed: error:03078041:bignum routines:BN_EXPAND_INTERNAL:malloc failure
> Jul 20 20:34:38 warden dovecot: imap-login: Disconnected (no auth attempts): rip=80.237.136.4, lip=80.237.235.10, TLS handshaking: SSL_accept() failed: error:03078041:bignum routines:BN_EXPAND_INTERNAL:malloc failure
>
> However, deleting the ssl-parameters.dat file and restarting dovecot
> fixed the issue.
>
> Michael

Timo,

Any idea why deleting the ssl-parameters.dat file helps? Should users have to delete this file when upgrading between OpenSSL versions?

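Added example, not part of the thread or of Dovecot: a Python triage script for the two kinds of login-process log line quoted above, the bare "TLS handshaking: Disconnected" and the "SSL_accept() failed: error:..." form. It splits the packed error number using the OpenSSL 0.9.8 layout (8-bit library, 12-bit function, 12-bit reason) and flags allocation failures; the sample log and the names `triage` and `unpack` are constructed for illustration.

```python
import re

# Constructed sample: three lines taken from the log excerpts quoted in this
# thread, plus one made-up successful login that must be ignored.
SAMPLE_LOG = """\
dovecot: Apr 16 23:12:18 Info: imap-login: Disconnected (no auth attempts): rip=2001:470:b01e:3:216:41ff:fe17:6933, lip=2001:470:1d:8c::2, TLS handshaking: Disconnected
dovecot: imap-login: Disconnected (no auth attempts): rip=Y.Y.Y.Y, lip=X.X.X.X, TLS handshaking: SSL_accept() failed: error:0307F041:bignum routines:BNRAND:malloc failure
Jul 20 20:34:37 warden dovecot: imap-login: Disconnected (no auth attempts): rip=172.16.94.70, lip=80.237.235.10, TLS handshaking: SSL_accept() failed: error:03078041:bignum routines:BN_EXPAND_INTERNAL:malloc failure
Jul 20 20:35:02 warden dovecot: imap-login: Login: user=<example>, method=PLAIN, rip=172.16.94.70, lip=80.237.235.10, TLS
"""

LINE_RE = re.compile(
    r"(?P<svc>\w+-login): Disconnected.*?rip=(?P<rip>[^,\s]+), "
    r"lip=(?P<lip>[^,\s]+), TLS handshaking: (?P<detail>.*)$")
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")

ERR_R_MALLOC_FAILURE = 65  # (1 | ERR_R_FATAL) in OpenSSL's err.h


def unpack(code_hex):
    """Split a packed error number into (library, function, reason)."""
    v = int(code_hex, 16)
    return (v >> 24) & 0xFF, (v >> 12) & 0xFFF, v & 0xFFF


def triage(log_text):
    """Return one record per failed TLS handshake found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a handshake failure (e.g. a successful login)
        rec = {"service": m["svc"], "rip": m["rip"], "lip": m["lip"],
               "kind": "no-detail"}  # peer went away, no library error logged
        err = ERR_RE.search(m["detail"])
        if err:
            lib, func, reason = unpack(err["code"])
            rec.update(kind="library-error", lib=lib, func=func, reason=reason,
                       text=f'{err["lib"]}:{err["func"]}:{err["reason"]}',
                       alloc_failure=(reason == ERR_R_MALLOC_FAILURE))
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```
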