Re: How to make sync_client invoke STARTTLS for replication

2010-06-10 Thread Rudy Gevaert

Hello Wesley,

On 06/04/2010 10:32 PM, Wesley Craig wrote:


> And that's all?  At a minimum, if authN is failing, you should get
> this syslog:
>
>     if ((r = backend_authenticate(ret, prot, &mlist, userid,
>                                   cb, auth_status))) {
>         syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
>                sasl_errstring(r, NULL, NULL));
>         if (!ret_backend) free(ret);
>         close(sock);
>         ret = NULL;
>     }
>
> If you're not, I guess you're in some sort of loop in
> backend_authenticate().  Do you get a backtrace?


I'm new to gdb, so I hope I don't give you any wrong information.

I set a breakpoint on backend_authenticate but I don't get any break.

However I set a breakpoint in backend_connect and stepped a lot.

Please see attached file bt and bt2.

I could not get a good backtrace because I didn't know how to get it. 
However the file bt2 shows the backtrace I was able to get.  I don't 
know how to say break on a specific line, as the line numbers gdb shows 
are not matching the line numbers in the source file :(.


Thank you very much!

Rudy

Breakpoint 1, backend_connect (ret_backend=0x0, server=0x1415e50 
"maild1r.ugent.be", prot=0x6d5b40, userid=0x44dbfd "", cb=0x1418230, 
auth_status=0x0)
    at backend.c:321
321     {
(gdb) continue
Continuing.

Breakpoint 2, backend_connect (ret_backend=0x0, server=<value optimized out>, 
prot=0x6d5b40, userid=0x44dbfd "", cb=0x1418230, auth_status=0x0)
    at backend.c:514
514         do_compress(ret, &prot->compress_cmd)) {
(gdb) step
463         const void *ssf;
(gdb) step
514         do_compress(ret, &prot->compress_cmd)) {
(gdb) step
517         if (!ret_backend) free(ret);
(gdb) step
520     }
(gdb) step
config_getswitch (opt=IMAPOPT_PROXY_COMPRESS) at libconfig.c:119
119         assert(opt > IMAPOPT_ZERO && opt < IMAPOPT_LAST);
(gdb) step
118     {
(gdb) step
119         assert(opt > IMAPOPT_ZERO && opt < IMAPOPT_LAST);
(gdb) step
120         assert(imapopts[opt].t == OPT_SWITCH);
(gdb) step
122         if ((imapopts[opt].val.b & 0x7fff)||
(gdb) step
129     }
(gdb) step
backend_connect (ret_backend=0x0, server=0x14183b8 "0�D\001", prot=0x6d5b40, 
userid=0x44dbfd "", cb=0x1418230, auth_status=0x0) at backend.c:534
534         prot_printf(s->out, "%s\r\n", s->prot->ping_cmd.cmd);
(gdb) step
replica_connect (be=0x0, servername=0x1415e50 "maild1r.ugent.be", cb=0x1418230) 
    at sync_client.c:3406
3406            _exit(1);
(gdb) step
3403            fprintf(stderr, "Can not connect to server '%s'\n",
(gdb) step
3406            _exit(1);
(gdb) step
3408
(gdb) step
Can not connect to server 'maild1r.ugent.be', retrying in 15 seconds
3411     * http://en.wikipedia.org/wiki/Nagle's_algorithm

Starting program: /usr/cyrus-2.3.16/bin/sync_client -v -l -C 
/mail/maild1-p1/etc/imapd.conf -u rudy.geva...@ugent.be
[Thread debugging using libthread_db enabled]
[New Thread 0x7f2ae0eb5700 (LWP 8133)]
Can not connect to server 'maild1r.ugent.be', retrying in 15 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 30 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 60 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 120 seconds
^C
Program received signal SIGINT, Interrupt.
[Switching to Thread 0x7f2ae0eb5700 (LWP 8133)]
0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
(gdb) bt
#0  0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
#1  0x7f2adfa7ce17 in sleep () from /lib/libc.so.6
#2  0x00408776 in replica_connect (be=0x0, servername=0x19e6e50 
"maild1r.ugent.be", cb=0x19e9230) at sync_client.c:3411
#3  0x0040e2d0 in main (argc=7, argv=0x7fff61e4a818) at 
sync_client.c:3717
(gdb) bt full
#0  0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
No symbol table info available.
#1  0x7f2adfa7ce17 in sleep () from /lib/libc.so.6
No symbol table info available.
#2  0x00408776 in replica_connect (be=0x0, servername=0x19e6e50 
"maild1r.ugent.be", cb=0x19e9230) at sync_client.c:3411
        wait = 240
        proto = <value optimized out>
#3  0x0040e2d0 in main (argc=7, argv=0x7fff61e4a818) at 
sync_client.c:3717
        opt = <value optimized out>
        i = <value optimized out>
        alt_config = <value optimized out>
        input_filename = 0x0
        r = <value optimized out>
        exit_rc = <value optimized out>
        mode = 1
        wait = <value optimized out>
        timeout = 600
        min_delta = 0
        sync_log_file = '\0' <repeats 280 times>, 
"%���*\177\000\000\000\000\000\000\000\000\000\000(\225��*\177\000\000o�[�*\177\000\000\004N��*\177", 
'\0' <repeats 66 times>, "\001", '\0' <repeats 167 times>, 
"%���*\177\000\000\000\000\000\000\000\000\000\000(\225��*\177\000\000�l|�*\177\000\000\004N��*\177", 
'\0' <repeats 66 times>, "\001", '\0' <repeats 215 times>, 

Re: How to make sync_client invoke STARTTLS for replication

2010-06-04 Thread Wesley Craig
On 03 Jun 2010, at 04:38, Rudy Gevaert wrote:
> master side:
> Jun  3 10:39:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: received server
> certificate
> Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication

And that's all?  At a minimum, if authN is failing, you should get
this syslog:

    if ((r = backend_authenticate(ret, prot, &mlist, userid,
                                  cb, auth_status))) {
        syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
               sasl_errstring(r, NULL, NULL));
        if (!ret_backend) free(ret);
        close(sock);
        ret = NULL;
    }

If you're not, I guess you're in some sort of loop in
backend_authenticate().  Do you get a backtrace?

:wes

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html


Re: How to make sync_client invoke STARTTLS for replication

2010-06-03 Thread Rudy Gevaert
On 06/01/2010 03:53 PM, Wesley Craig wrote:
> On 01 Jun 2010, at 05:09, Rudy Gevaert wrote:
>> Can you tell me how to further troubleshoot, please?
>
> sync_client ought to syslog any error that backend_connect() gets.


Hello Wesley,

Sorry, I forgot about reporting it:

replica side:

Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: accepted connection
Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: cmdloop(): startup
Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: SSL_accept() 
incomplete - wait
Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: SSL_accept() succeeded 
- done

master side:
Jun  3 10:39:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with 
cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: received server 
certificate
Jun  3 10:40:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with 
cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication

How can I further debug?

Thanks!



Re: How to make sync_client invoke STARTTLS for replication

2010-06-01 Thread Rudy Gevaert
On 05/28/2010 09:37 PM, Wesley Craig wrote:
> On 28 May 2010, at 09:09, Rudy Gevaert wrote:
>>> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174
>>
>> Thanks, for replying.  But I'm not sure what you are saying with the
>> above patches.
>
> If you apply the above fix and set allowplaintext to no then
> sync_client will negotiate TLS and then use PLAIN (assuming
> everything else is configured appropriately).  Does that get what
> you're after?

Hello Wesley,

Thanks for coming back to this!

I applied your patch and have allowplaintext set to no.  Now when I start 
sync_client it doesn't segfault.  However it gives 'Can not connect to 
server'.


cy...@cyrdev1:/etc/cyrus-ugent$ synctest  -a syncclient -u syncclient -t 
'' maild1r.ugent.be
S: * STARTTLS
S: * OK maild1r.ugent.be Cyrus sync server v2.3.16
C: STARTTLS
S: OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA 
(256/256 bits)
S: * SASL PLAIN
S: * OK maild1r.ugent.be Cyrus sync server v2.3.16
Please enter your password:
C: AUTHENTICATE PLAIN ...
S: OK Success (tls protection)
Authenticated.
Security strength factor: 256


Can you tell me how to further troubleshoot, please?

Thanks!

Rudy



Re: How to make sync_client invoke STARTTLS for replication

2010-06-01 Thread Wesley Craig
On 01 Jun 2010, at 05:09, Rudy Gevaert wrote:
> Can you tell me how to further troubleshoot, please?

sync_client ought to syslog any error that backend_connect() gets.

:wes



Re: How to make sync_client invoke STARTTLS for replication

2010-05-28 Thread Wesley Craig
On 28 May 2010, at 09:09, Rudy Gevaert wrote:
>> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174
>
> Thanks, for replying.  But I'm not sure what you are saying with the
> above patches.

If you apply the above fix and set allowplaintext to no then
sync_client will negotiate TLS and then use PLAIN (assuming
everything else is configured appropriately).  Does that get what
you're after?

:wes
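The exchange synctest printed further up the thread (STARTTLS, re-read the banner, then AUTHENTICATE PLAIN) and the behaviour Wesley describes here (negotiate TLS, then PLAIN, with allowplaintext set to no) as an added example. This is not Cyrus code and not anything posted in the thread; it is a small client state machine that refuses to send PLAIN unless the socket is already under TLS, so a misconfigured or downgraded link fails closed instead of leaking the replication password. Assumed, not taken from the thread: the greeting is a run of "* <cap>" lines closed by "* OK ...", STARTTLS is answered with a line starting "OK", and AUTHENTICATE PLAIN carries the base64 SASL initial response on the command line (synctest elides it as "..."). SocketTransport, ScriptedTransport, PolicyError and sync_login are names of this example only; ScriptedTransport is a constructed fake replica that replays the banners from the synctest session so the logic runs offline.

```python
"""Added example (not Cyrus code): STARTTLS-then-PLAIN sync login with
"allowplaintext: no" enforced on the client side. Banner/command shapes
below are assumptions modelled on the synctest output, not Cyrus source."""
import base64
import socket
import ssl


class PolicyError(Exception):
    """The exchange would violate the client's security policy."""


class SocketTransport:
    """Real transport: TCP, upgraded in place to TLS with chain + hostname
    verification (the check synctest's 'verify error:num=19' would fail)."""

    def __init__(self, host, port, cafile=None):
        self.host, self.cafile, self.tls = host, cafile, False
        self.sock = socket.create_connection((host, port))
        self.rfile = self.sock.makefile("rb")

    def readline(self):
        return self.rfile.readline().decode("utf-8", "replace").rstrip("\r\n")

    def writeline(self, line):
        self.sock.sendall((line + "\r\n").encode())

    def upgrade(self):
        ctx = ssl.create_default_context(cafile=self.cafile)
        self.sock = ctx.wrap_socket(self.sock, server_hostname=self.host)
        self.rfile = self.sock.makefile("rb")   # old buffer is pre-TLS; drop it
        self.tls = True


def read_greeting(t):
    """Collect '* NAME args' capability lines up to the '* OK' banner."""
    caps = {}
    while True:
        line = t.readline()
        if line.startswith("* OK"):
            return caps
        if not line.startswith("* "):
            raise PolicyError("unexpected greeting line: %r" % line)
        name, _, rest = line[2:].partition(" ")
        caps[name] = rest


def sync_login(t, user, password, allowplaintext=False):
    """STARTTLS if offered, then PLAIN; never PLAIN in the clear unless
    allowplaintext is set. Returns what the session ended up with."""
    caps = read_greeting(t)
    if "STARTTLS" in caps:
        t.writeline("STARTTLS")
        reply = t.readline()
        if not reply.startswith("OK"):
            raise PolicyError("server refused STARTTLS: " + reply)
        t.upgrade()
        caps = read_greeting(t)  # pre-TLS capabilities are untrusted; re-read
    if not t.tls and not allowplaintext:
        raise PolicyError("refusing PLAIN without TLS (allowplaintext: no)")
    if "PLAIN" not in caps.get("SASL", "").split():
        raise PolicyError("server offers no PLAIN mechanism: %r" % caps)
    initial = base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()
    t.writeline("AUTHENTICATE PLAIN " + initial)
    reply = t.readline()
    if not reply.startswith("OK"):
        raise PolicyError("authentication failed: " + reply)
    return {"tls": t.tls, "mech": "PLAIN", "reply": reply}


class ScriptedTransport:
    """Constructed fake replica replaying the synctest banners; with
    starttls=False it plays a server that never offers TLS."""

    def __init__(self, starttls=True):
        self.tls, self.sent = False, []
        banner = "* OK maild1r.ugent.be Cyrus sync server v2.3.16"
        self.pre = ["* STARTTLS", banner] if starttls else ["* SASL PLAIN", banner]
        self.post = ["* SASL PLAIN", banner]
        self.queue = list(self.pre)

    def readline(self):
        return self.queue.pop(0)

    def writeline(self, line):
        self.sent.append(line)
        if line == "STARTTLS":
            self.queue.append("OK Begin TLS negotiation now")
        elif line.startswith("AUTHENTICATE PLAIN "):
            self.queue.append("OK Success (tls protection)" if self.tls else "OK Success")

    def upgrade(self):
        self.tls = True
        self.queue = list(self.post)
```

Against a live replica, `sync_login(SocketTransport(host, port, cafile="/path/to/replica-ca.pem"), user, password)` performs the same exchange; with the self-signed chain from the thread the `upgrade()` step raises `ssl.SSLCertVerificationError` before any credential is sent, which is the failure you want rather than the "no authentication" TLS session the master-side syslog shows.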



Re: How to make sync_client invoke STARTTLS for replication

2010-05-26 Thread Rudy Gevaert
On 02/11/2010 11:53 PM, Rich Wales wrote:
> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers.
>
> What do I have to do to make the sync_client application invoke STARTTLS
> when it connects to sync_server on the other host?
>
> I can invoke TLS when I use the synctest program, but I can't seem to
> figure out how to force sync_client to use TLS when actually replicating.
>
> The reason I'm assuming TLS is not happening is that when /var/log/syslog
> records the "User logged in" events associated with replication, TLS is
> not mentioned as part of the authentication mechanism in use.
>
> Right now, the lack of TLS is not a major issue because one of the servers
> is connected to my LAN via a VPN link (so it's encrypted).  But I still
> want to know what I'm supposed to do in order for a TLS layer to happen.

Hello list,

Has anybody been able to fix this?




Re: How to make sync_client invoke STARTTLS for replication

2010-05-26 Thread Wesley Craig
On 26 May 2010, at 10:58, Rudy Gevaert wrote:
> On 02/11/2010 11:53 PM, Rich Wales wrote:
>> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers.
>>
>> What do I have to do to make the sync_client application invoke STARTTLS
>> when it connects to sync_server on the other host?
>>
>> I can invoke TLS when I use the synctest program, but I can't seem to
>> figure out how to force sync_client to use TLS when actually replicating.
>>
>> The reason I'm assuming TLS is not happening is that when /var/log/syslog
>> records the "User logged in" events associated with replication, TLS is
>> not mentioned as part of the authentication mechanism in use.
>>
>> Right now, the lack of TLS is not a major issue because one of the servers
>> is connected to my LAN via a VPN link (so it's encrypted).  But I still
>> want to know what I'm supposed to do in order for a TLS layer to happen.
>
> Has anybody been able to fix this?

Define "fix".  If you have allowplaintext set, there's no reason to
use TLS.  If you don't have allowplaintext, there are bugs in 2.3.16
that prevent it from working.  See:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174

There are other configurations that don't work, either.  For example,
if you configure sync_client to use a list of mechs, those mechs
aren't compared to the mechs offered by sync_server.  See:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3093

If you have feedback on either of these, I'm listening and committing
improvements.  Maybe you're trying to get TLS while using some other
form of strong crypto?

:wes



How to make sync_client invoke STARTTLS for replication

2010-02-11 Thread Rich Wales
I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers.

What do I have to do to make the sync_client application invoke STARTTLS
when it connects to sync_server on the other host?

I can invoke TLS when I use the synctest program, but I can't seem to
figure out how to force sync_client to use TLS when actually replicating.

The reason I'm assuming TLS is not happening is that when /var/log/syslog
records the "User logged in" events associated with replication, TLS is
not mentioned as part of the authentication mechanism in use.

Right now, the lack of TLS is not a major issue because one of the servers
is connected to my LAN via a VPN link (so it's encrypted).  But I still
want to know what I'm supposed to do in order for a TLS layer to happen.

Rich Wales
ri...@richw.org
