search for: ssl_proxy_destroy

...line 545 in the function ssl_step() the function ssl_handshake() is called. There SSL_accept() is called. If SSL_accept failes - because a client sent an invalid packet or something the server doesn't support or any other reason - ssl_handle_error() will be called. ssl_handle_error() will call ssl_proxy_destroy(). ssl_proxy_destroy() will then call ssl_proxy_flush(). And ssl_proxy_flush will call ssl_step() again. Here we have a loop. Now when SSL_accept() gets called again on the same context this is an invalid state for OpenSSL and it crashes. What to do? In essence, if ssl_proxy_destroy is called it s...

.../usr/lib/libssl.so.1.0.0 > #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0 > #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0 > #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > #9...

...to clear the error queue */ openssl_iostream_clear_errors(); diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c index 947c8ef..3ac6823 100644 --- a/src/login-common/ssl-proxy-openssl.c +++ b/src/login-common/ssl-proxy-openssl.c @@ -833,7 +833,7 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy) if (proxy->io_plain_write != NULL) io_remove(&proxy->io_plain_write); - if (SSL_shutdown(proxy->ssl) != 1) { + if (!SSL_in_init(proxy->ssl) && SSL_shutdown(proxy->ssl) != 1) { /* if bidirectional shutdown fails we need to clear the...

...1.0.0 > > #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0 > > #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > > #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > > #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0 > > #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > > #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 > > #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login...

...gt; #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0 >> > #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 >> > #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 >> > #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0 >> > #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 >> > #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0 >> > #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libd...

...d), at 0xfee35c18 (line ~481) in "ssl-proxy-openssl.c" [5] ssl_step(proxy = 0x809ba38) (optimized), at 0xfee35ee0 (line ~545) in "ssl-proxy-openssl.c" [6] ssl_proxy_flush(proxy = 0x809ba38) (optimized), at 0xfee3680c (line ~817) in "ssl-proxy-openssl.c" [7] ssl_proxy_destroy(proxy = 0x809ba38) (optimized), at 0xfee3686b (line ~825) in "ssl-proxy-openssl.c" [8] ssl_handle_error(proxy = 0x809ba38, ret = -1, func_name = 0xfee3b2d8 "SSL_accept()") (optimized), at 0xfee35bc0 (line ~465) in "ssl-proxy-openssl.c" [9] ssl_handshake(proxy...

Hello, We upgraded one of our dovecot servers to debian stretch with dovecot 2.2.27 and since then one of our users has been experiencing random IMAP failures. We enabled raw logging at the server side and it shows normal IMAP commands/responses: 1507292522.222427 * 6 FETCH (FLAGS () BODYSTRUCTURE ("text" "plain" ("charset" "us-ascii") NIL NIL

Connecting to dovecot with ssl3 causes imap-login to die: $ openssl s_client -connect localhost:993 -ssl3 CONNECTED(00000003) 4277630796:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:SSL alert number 40 4277630796:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645: --- no peer certificate available --- No client certificate