Hi,

Sorry for the very long delay, we've been swamped beyond reason. I took some time today to review your diff and it is ok, I have just committed it to our master and portable branch, it'll be part of upcoming snapshots
Thanks !

On Tue, Dec 09, 2014 at 03:20:15PM +0100, Stefan Sieg wrote:
> Hi,
>
> did you already find some time to look at this?
>
> Stefan
>
> On 2014-09-29 21:37, Gilles Chehade wrote:
> >I'll analyze your diff and its impact tomorrow with a clear mind, if sensible it'll be committed tomorrow
> >
> >
> >On Mon, Aug 11, 2014 at 06:41:11PM +0200, Stefan Sieg wrote:
> >>On 11.08.2014 11:33, Gilles Chehade wrote:
> >>> hi,
> >>>
> >>> can you explain this diff better ?
> >>>
> >>>
> >>
> >>Hi,
> >>
> >>thank you for your time, I will try to explain it better ...
> >>
> >>This is only what leads me to the crude patch, I am not a programmer and I just wanted the mails out of the queue, so please don't hit me too hard if this is baloney :) ...
> >>
> >>The more or less non-OpenSMTPD part:
> >>
> >>after this SSL diff:
> >>http://openbsd.cs.toronto.edu/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s23_clnt.c.diff?r1=1.27&r2=1.28
> >>
> >>opensmtpd starts TLS connections with TLS 1.2 and some hosts quit the TLS handshake with an error:
> >>smtp-out: Error on session fb64ffbc1c251f66: SSL IO Error : error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
> >>
> >>Or with openssl:
> >>
> >># openssl s_client -msg -connect mail.example.com:25 -starttls smtp
> >>CONNECTED(00000003)
> >>>>> TLS 1.2 Handshake [length 0200], ClientHello
> >>    01 00 01 fc 03 03 d7 4f 3e 01 4a 90 41 27 c7 bf
> >>    ..
> >>    ..
> >>    ..
> >>
> >><<< TLS 1.0 Alert [length 0002], fatal decode_error
> >>    02 32
> >>5074867261276:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_clnt.c:526
> >>
> >>and mails to those hosts stay in the queue.
> >>(I can send you some addresses to test if you like.)
> >>
> >>Before that SSL diff the handshake started with TLS 1.1 and all mails were perfectly relayed.
> >>
> >>So, to not route the mails to those hosts through another relay, nor to disable TLS 1.2 in s23_clnt.c, I came up with the smtpd diff.
> >>
> >>
> >>The OpenSMTPD part:
> >>
> >>In case of an SSL connect error in ioev.c (io_dispatch_connect_ssl) we will end in default:
> >>
> >>    ...
> >>    ...
> >>
> >>    if ((ret = SSL_connect(io->ssl)) > 0) {
> >>        io->state = IO_STATE_UP;
> >>        io_callback(io, IO_TLSREADY);
> >>        goto leave;
> >>    }
> >>
> >>    switch ((e = SSL_get_error(io->ssl, ret))) {
> >>    case SSL_ERROR_WANT_READ:
> >>        io_reset(io, EV_READ, io_dispatch_connect_ssl);
> >>        break;
> >>    case SSL_ERROR_WANT_WRITE:
> >>        io_reset(io, EV_WRITE, io_dispatch_connect_ssl);
> >>        break;
> >>    default:
> >>        io->error = io_ssl_error();
> >>        ssl_error("io_dispatch_connect_ssl:SSL_connect");
> >>-       io_callback(io, IO_ERROR);
> >>+       io_callback(io, IO_TLSERROR);
> >>        break;
> >>    }
> >>
> >>
> >>Without the diff this will lead to IO_ERROR: in mta_session.c (mta_io):
> >>
> >>    case IO_ERROR:
> >>        log_debug("debug: mta: %p: IO error: %s", s, io->error);
> >>        if (!s->ready) {
> >>            mta_error(s, "IO Error: %s", io->error);
> >>            mta_connect(s);
> >>            break;
> >>        }
> >>        else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
> >>            /* error in non-strict SSL negotiation, downgrade to plain */
> >>            ..
> >>            ..
> >>
> >>But as MTA_READY is not reached and therefore s->ready is not set to 1, "downgrade to plain" is also not reached and it will try TLS again. At least this is what happens after the TLS handshake error.
> >>
> >>Now the idea was not to use IO_ERROR but to define and use IO_TLSERROR and use the "downgrade to plain" part without the "ready" test.
> >>
> >>+   case IO_TLSERROR:
> >>+       log_debug("debug: mta: %p: TLS IO error: %s", s, io->error);
> >>+       if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_ANYSSL))) {
> >>+           /* error in non-strict SSL negotiation, downgrade to plain */
> >>+           log_info("smtp-out: TLS Error on session %016"PRIx64
> >>+               ": TLS failed, "
> >>+               "downgrading to plain", s->id);
> >>+           s->flags &= ~MTA_TLS;
> >>+           s->flags |= MTA_DOWNGRADE_PLAIN;
> >>+           mta_connect(s);
> >>+           break;
> >>+       }
> >>+       mta_error(s, "IO Error: %s", io->error);
> >>+       mta_free(s);
> >>+       break;
> >>+
> >>
> >>Nothing more but that worked for me.
> >>
> >>Again ... thank you very much.
> >>
> >>Stefan
> >>
> >>--
> >>You received this mail because you are subscribed to [email protected]
> >>To unsubscribe, send a mail to: [email protected]
> >>
> >
> >--
> >Gilles Chehade
> >
> >https://www.poolp.org @poolpOrg
> >
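Review bot: the ioev.c hunk introduces IO_TLSERROR in io_dispatch_connect_ssl() but the diff does not show its definition; it needs the matching addition wherever the IO_* event values are declared, and any io callback other than mta_io() that handles IO_ERROR on the connect path must learn the new value, since such a callback would otherwise receive an event it does not recognise when SSL_connect() fails. It would also help to resend this as a unified diff with file headers and @@ context lines, as the quoted form cannot be applied with patch(1).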
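Review bot: the new IO_TLSERROR case in mta_io() downgrades on any SSL_connect() failure, not only the decode_error alert that motivated the change, so a non-strict session now falls back to plaintext whenever the handshake fails; that is the intended opportunistic-TLS behaviour, but the log_info() line ("TLS failed, downgrading to plain") is then an operator's only record of the fallback, so it is worth keeping at info level. For sessions with MTA_FORCE_TLS or MTA_FORCE_ANYSSL the case calls mta_error() and mta_free(), ending the session rather than retrying as the IO_ERROR case does with mta_connect(); the message "IO Error: %s" should say TLS so the queue log distinguishes the two. The non-strict branch duplicates the body of the IO_ERROR case's "downgrade to plain" branch; factoring it into a small helper would keep the two from drifting apart.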
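As an added illustration of the behaviour described in the thread (this is a model written for this page, not code from the thread or from OpenSMTPD), the block below reduces mta_io()'s handling of a failed SSL_connect() to one decision function and drives it against a peer whose handshake always fails, showing the unpatched retry loop, the patched downgrade and the strict-TLS failure side by side. The flag bit values, the session struct and the function names are assumptions of the model.

```c
#include <stdbool.h>

/* Flag names follow mta_session.c; the bit values are constructed for this model. */
#define MTA_FORCE_TLS       0x01
#define MTA_FORCE_ANYSSL    0x02
#define MTA_TLS             0x04
#define MTA_DOWNGRADE_PLAIN 0x08

enum action { ACT_RECONNECT_TLS, ACT_DOWNGRADE_PLAIN, ACT_FAIL };
struct session { int flags; bool ready; };  /* ready is set only once MTA_READY is reached */

/* What mta_io() does with a failed SSL_connect(): unpatched (IO_ERROR) vs patched (IO_TLSERROR). */
static enum action handle_handshake_failure(struct session *s, bool patched)
{
    /* Unpatched: IO_ERROR is gated on s->ready, which a session whose handshake failed never set. */
    if (!patched && !s->ready)
        return ACT_RECONNECT_TLS;       /* mta_connect(s) again, MTA_TLS still set */
    /* Patched: IO_TLSERROR reaches the downgrade decision directly. */
    if (!(s->flags & (MTA_FORCE_TLS | MTA_FORCE_ANYSSL))) {
        s->flags &= ~MTA_TLS;
        s->flags |= MTA_DOWNGRADE_PLAIN;
        return ACT_DOWNGRADE_PLAIN;     /* mta_connect(s) again, now in plain */
    }
    return ACT_FAIL;                    /* mta_error() + mta_free(): mail stays queued */
}

/* Outcome of a single handshake failure on a fresh (not yet ready) session. */
enum action one_failure(int flags, bool patched)
{
    struct session s = { .flags = flags, .ready = false };
    return handle_handshake_failure(&s, patched);
}

/* Connection attempts against a peer whose TLS handshake always fails, until the session
 * connects in plain or is freed; 'budget' bounds the unpatched retry loop. */
int attempts_until_settled(int flags, bool patched, int budget)
{
    struct session s = { .flags = flags, .ready = false };
    int attempts = 0;
    while (attempts < budget) {
        attempts++;                     /* mta_connect() */
        if (!(s.flags & MTA_TLS))
            return attempts;            /* plain connect: no handshake to fail */
        if (handle_handshake_failure(&s, patched) == ACT_FAIL)
            return attempts;            /* session freed */
        /* ACT_RECONNECT_TLS or ACT_DOWNGRADE_PLAIN: back into mta_connect() */
    }
    return attempts;
}
```

With the budget as the only bound, the unpatched path never settles, while the patched path needs exactly two attempts (one TLS failure, one plain connect) for a non-strict host and one for a host configured with MTA_FORCE_TLS.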
