Re: How to make sync_client invoke STARTTLS for replication
Hello Wesley,

On 06/04/2010 10:32 PM, Wesley Craig wrote:
> And that's all? At a minimum, if authN is failing, you should get this syslog:
>
>     if ((r = backend_authenticate(ret, prot, mlist, userid, cb, auth_status))) {
>         syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
>                sasl_errstring(r, NULL, NULL));
>         if (!ret_backend) free(ret);
>         close(sock);
>         ret = NULL;
>     }
>
> If you're not, I guess you're in some sort of loop in backend_authenticate(). Do you get a backtrace?

I'm new to gdb, so I hope I don't give you any wrong information.

I set a breakpoint on backend_authenticate but I don't get any break. However, I set a breakpoint in backend_connect and stepped a lot. Please see the attached files bt and bt2. I could not get a good backtrace because I didn't know how to get it. However, the file bt2 shows the backtrace I was able to get.

I don't know how to say "break on a specific line", as the line numbers gdb shows are not matching the line numbers in the source file :(.

Thank you very much!

Rudy


Breakpoint 1, backend_connect (ret_backend=0x0, server=0x1415e50 "maild1r.ugent.be", prot=0x6d5b40, userid=0x44dbfd "", cb=0x1418230, auth_status=0x0) at backend.c:321
321     {
(gdb) continue
Continuing.

Breakpoint 2, backend_connect (ret_backend=0x0, server=<value optimized out>, prot=0x6d5b40, userid=0x44dbfd "", cb=0x1418230, auth_status=0x0) at backend.c:514
514         do_compress(ret, prot->compress_cmd)) {
(gdb) step
463         const void *ssf;
(gdb) step
514         do_compress(ret, prot->compress_cmd)) {
(gdb) step
517         if (!ret_backend) free(ret);
(gdb) step
520     }
(gdb) step
config_getswitch (opt=IMAPOPT_PROXY_COMPRESS) at libconfig.c:119
119         assert(opt > IMAPOPT_ZERO && opt < IMAPOPT_LAST);
(gdb) step
118     {
(gdb) step
119         assert(opt > IMAPOPT_ZERO && opt < IMAPOPT_LAST);
(gdb) step
120         assert(imapopts[opt].t == OPT_SWITCH);
(gdb) step
122         if ((imapopts[opt].val.b 0x7fff)||
(gdb) step
129     }
(gdb) step
backend_connect (ret_backend=0x0, server=0x14183b8 "0�D\001", prot=0x6d5b40, userid=0x44dbfd "", cb=0x1418230, auth_status=0x0) at backend.c:534
534         prot_printf(s->out, "%s\r\n", s->prot->ping_cmd.cmd);
(gdb) step
replica_connect (be=0x0, servername=0x1415e50 "maild1r.ugent.be", cb=0x1418230) at sync_client.c:3406
3406        _exit(1);
(gdb) step
3403        fprintf(stderr, "Can not connect to server '%s'\n",
(gdb) step
3406        _exit(1);
(gdb) step
3408
(gdb) step
Can not connect to server 'maild1r.ugent.be', retrying in 15 seconds
3411     * http://en.wikipedia.org/wiki/Nagle's_algorithm


Starting program: /usr/cyrus-2.3.16/bin/sync_client -v -l -C /mail/maild1-p1/etc/imapd.conf -u rudy.geva...@ugent.be
[Thread debugging using libthread_db enabled]
[New Thread 0x7f2ae0eb5700 (LWP 8133)]
Can not connect to server 'maild1r.ugent.be', retrying in 15 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 30 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 60 seconds
Can not connect to server 'maild1r.ugent.be', retrying in 120 seconds
^C
Program received signal SIGINT, Interrupt.
[Switching to Thread 0x7f2ae0eb5700 (LWP 8133)]
0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
(gdb) bt
#0  0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
#1  0x7f2adfa7ce17 in sleep () from /lib/libc.so.6
#2  0x00408776 in replica_connect (be=0x0, servername=0x19e6e50 "maild1r.ugent.be", cb=0x19e9230) at sync_client.c:3411
#3  0x0040e2d0 in main (argc=7, argv=0x7fff61e4a818) at sync_client.c:3717
(gdb) bt full
#0  0x7f2adfa7cfc0 in nanosleep () from /lib/libc.so.6
No symbol table info available.
#1  0x7f2adfa7ce17 in sleep () from /lib/libc.so.6
No symbol table info available.
#2  0x00408776 in replica_connect (be=0x0, servername=0x19e6e50 "maild1r.ugent.be", cb=0x19e9230) at sync_client.c:3411
        wait = 240
        proto = <value optimized out>
#3  0x0040e2d0 in main (argc=7, argv=0x7fff61e4a818) at sync_client.c:3717
        opt = <value optimized out>
        i = <value optimized out>
        alt_config = <value optimized out>
        input_filename = 0x0
        r = <value optimized out>
        exit_rc = <value optimized out>
        mode = 1
        wait = <value optimized out>
        timeout = 600
        min_delta = 0
        sync_log_file = '\0' <repeats 280 times>, ...
Re: How to make sync_client invoke STARTTLS for replication
On 03 Jun 2010, at 04:38, Rudy Gevaert wrote:
> master side:
> Jun 3 10:39:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: received server certificate
> Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication

And that's all? At a minimum, if authN is failing, you should get this syslog:

    if ((r = backend_authenticate(ret, prot, mlist, userid, cb, auth_status))) {
        syslog(LOG_ERR, "couldn't authenticate to backend server: %s",
               sasl_errstring(r, NULL, NULL));
        if (!ret_backend) free(ret);
        close(sock);
        ret = NULL;
    }

If you're not, I guess you're in some sort of loop in backend_authenticate(). Do you get a backtrace?

:wes

Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: How to make sync_client invoke STARTTLS for replication
On 06/01/2010 03:53 PM, Wesley Craig wrote:
> On 01 Jun 2010, at 05:09, Rudy Gevaert wrote:
>> Can you tell me how to further troubleshoot, please?
>
> sync_client ought to syslog any error that backend_connect() gets.

Hello Wesley,

Sorry, I forgot about reporting it:

replica side:
Jun 3 10:40:12 cyrdev2 maild1r/syncserver[9595]: accepted connection
Jun 3 10:40:12 cyrdev2 maild1r/syncserver[9595]: cmdloop(): startup
Jun 3 10:40:12 cyrdev2 maild1r/syncserver[9595]: SSL_accept() incomplete - wait
Jun 3 10:40:12 cyrdev2 maild1r/syncserver[9595]: SSL_accept() succeeded - done

master side:
Jun 3 10:39:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: Doing a peer verify
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: received server certificate
Jun 3 10:40:12 cyrdev1 maild1/sync_client[3519]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new client) no authentication

How can I further debug?

Thanks!
Re: How to make sync_client invoke STARTTLS for replication
On 05/28/2010 09:37 PM, Wesley Craig wrote:
> On 28 May 2010, at 09:09, Rudy Gevaert wrote:
>>> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174
>> Thanks, for replying. But I'm not sure what you are saying with the above patches.
>
> If you apply the above fix and set allowplaintext to no then sync_client will negotiate TLS and then use PLAIN (assuming everything else is configured appropriately). Does that get what you're after?

Hello Wesley,

Thanks for coming back to this! I applied your patch and have allowplaintext set to no. Now when I start sync_client it doesn't segfault. However, it gives 'Can not connect to server'.

cy...@cyrdev1:/etc/cyrus-ugent$ synctest -a syncclient -u syncclient -t '' maild1r.ugent.be
S: * STARTTLS
S: * OK maild1r.ugent.be Cyrus sync server v2.3.16
C: STARTTLS
S: OK Begin TLS negotiation now
verify error:num=19:self signed certificate in certificate chain
TLS connection established: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
S: * SASL PLAIN
S: * OK maild1r.ugent.be Cyrus sync server v2.3.16
Please enter your password:
C: AUTHENTICATE PLAIN ...
S: OK Success (tls protection)
Authenticated.
Security strength factor: 256

Can you tell me how to further troubleshoot, please?

Thanks!

Rudy
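A client-side version of the synctest exchange quoted above, as an added example that is neither Cyrus code nor part of this thread. It reads the sync server greeting, refuses to offer PLAIN until STARTTLS has completed (the policy that allowplaintext: no is meant to enforce), and verifies the replica's certificate chain instead of only printing the self-signed-chain warning (verify error num=19) that synctest shows and then proceeds past. The csync port 2005, the cafile path, and the assumption that sync_server accepts the base64 initial response on the AUTHENTICATE line are this example's, not the page's.

```python
# Added example (not Cyrus code, not from the thread): a minimal Cyrus sync
# protocol client that mirrors the synctest exchange, refuses to send PLAIN
# before TLS is up, and verifies the replica's certificate chain.
import base64
import socket
import ssl


def parse_greeting(lines):
    """Parse the untagged '* ...' lines sync_server sends on connect (and again
    after STARTTLS).  Returns which features the server announced."""
    caps = {"starttls": False, "sasl": [], "banner": None}
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.startswith("* "):
            continue
        body = line[2:]
        if body == "STARTTLS":
            caps["starttls"] = True
        elif body.startswith("SASL "):
            caps["sasl"].extend(body[5:].split())
        elif body.startswith("OK"):
            caps["banner"] = body[2:].strip()
    return caps


def choose_mechanism(caps, tls_active, allowplaintext=False):
    """The rule 'allowplaintext: no' is meant to enforce: PLAIN carries the
    password in the clear, so it is only acceptable under TLS.  Raises rather
    than silently downgrading."""
    if "PLAIN" not in caps["sasl"]:
        raise RuntimeError("replica offered no PLAIN mechanism: %r" % (caps["sasl"],))
    if not tls_active and not allowplaintext:
        raise RuntimeError("refusing to send PLAIN credentials over a non-TLS connection")
    return "PLAIN"


def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL password, base64 encoded."""
    raw = "{}\0{}\0{}".format(authzid, authcid, password).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def _readline(rfile):
    line = rfile.readline()
    if not line:
        raise RuntimeError("connection closed by replica")
    return line.decode("utf-8", "replace")


def _read_greeting(rfile):
    """Collect untagged lines up to and including the '* OK' banner."""
    lines = []
    while True:
        line = _readline(rfile)
        lines.append(line)
        if line.startswith("* OK"):
            return lines


def sync_starttls_login(host, user, password, cafile, port=2005, timeout=30):
    """Connect, STARTTLS with certificate verification, then AUTHENTICATE PLAIN.
    Port 2005 (csync) and the initial-response form of AUTHENTICATE are
    assumptions of this example.  Returns the authenticated TLS socket."""
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("rb")
    caps = parse_greeting(_read_greeting(rfile))
    if not caps["starttls"]:
        sock.close()
        raise RuntimeError("replica does not offer STARTTLS; not sending credentials")
    sock.sendall(b"STARTTLS\r\n")
    resp = _readline(rfile)
    if not resp.startswith("OK"):
        sock.close()
        raise RuntimeError("STARTTLS refused: " + resp.strip())
    # Default context = CERT_REQUIRED plus hostname check.  A self-signed chain
    # like the one synctest warned about (verify error num=19) fails here instead
    # of being logged and ignored; put the replica's CA into cafile to pass.
    ctx = ssl.create_default_context(cafile=cafile)
    tls = ctx.wrap_socket(sock, server_hostname=host)
    rfile = tls.makefile("rb")
    caps = parse_greeting(_read_greeting(rfile))  # greeting is re-sent under TLS
    mech = choose_mechanism(caps, tls_active=True)
    ir = plain_initial_response(user, password)
    tls.sendall("AUTHENTICATE {} {}\r\n".format(mech, ir).encode("ascii"))
    resp = _readline(rfile)
    if not resp.startswith("OK"):
        tls.close()
        raise RuntimeError("authentication failed: " + resp.strip())
    return tls
```

Run it as sync_starttls_login("maild1r.ugent.be", "syncclient", password, "/etc/ssl/replica-ca.pem"); with the self-signed chain shown above it fails at wrap_socket with an SSLCertVerificationError, which is the check synctest merely reports. Note that before STARTTLS the server greeting carries no "* SASL" line, so choose_mechanism would refuse to proceed on the plaintext connection even if the TLS gate were removed.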
Re: How to make sync_client invoke STARTTLS for replication
On 01 Jun 2010, at 05:09, Rudy Gevaert wrote:
> Can you tell me how to further troubleshoot, please?

sync_client ought to syslog any error that backend_connect() gets.

:wes
Re: How to make sync_client invoke STARTTLS for replication
On 28 May 2010, at 09:09, Rudy Gevaert wrote:
>> https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174
> Thanks, for replying. But I'm not sure what you are saying with the above patches.

If you apply the above fix and set allowplaintext to no then sync_client will negotiate TLS and then use PLAIN (assuming everything else is configured appropriately). Does that get what you're after?

:wes
Re: How to make sync_client invoke STARTTLS for replication
On 02/11/2010 11:53 PM, Rich Wales wrote:
> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers. What do I have to do to make the sync_client application invoke STARTTLS when it connects to sync_server on the other host? I can invoke TLS when I use the synctest program, but I can't seem to figure out how to force sync_client to use TLS when actually replicating.
>
> The reason I'm assuming TLS is not happening is that when /var/log/syslog records the "User logged in" events associated with replication, TLS is not mentioned as part of the authentication mechanism in use.
>
> Right now, the lack of TLS is not a major issue because one of the servers is connected to my LAN via a VPN link (so it's encrypted). But I still want to know what I'm supposed to do in order for a TLS layer to happen.

Hello list,

Has anybody been able to fix this?
Re: How to make sync_client invoke STARTTLS for replication
On 26 May 2010, at 10:58, Rudy Gevaert wrote:
> On 02/11/2010 11:53 PM, Rich Wales wrote:
>> I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers. What do I have to do to make the sync_client application invoke STARTTLS when it connects to sync_server on the other host? I can invoke TLS when I use the synctest program, but I can't seem to figure out how to force sync_client to use TLS when actually replicating.
>>
>> The reason I'm assuming TLS is not happening is that when /var/log/syslog records the "User logged in" events associated with replication, TLS is not mentioned as part of the authentication mechanism in use.
>>
>> Right now, the lack of TLS is not a major issue because one of the servers is connected to my LAN via a VPN link (so it's encrypted). But I still want to know what I'm supposed to do in order for a TLS layer to happen.
>
> Has anybody been able to fix this?

Define "fix". If you have allowplaintext set, there's no reason to use TLS. If you don't have allowplaintext, there are bugs in 2.3.16 that prevent it from working. See:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3174

There are other configurations that don't work, either. For example, if you configure sync_client to use a list of mechs, those mechs aren't compared to the mechs offered by sync_server. See:

https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3093

If you have feedback on either of these, I'm listening and committing improvements. Maybe you're trying to get TLS while using some other form of strong crypto?

:wes
How to make sync_client invoke STARTTLS for replication
I'm running Cyrus 2.3.16 (with replication) between two Ubuntu servers. What do I have to do to make the sync_client application invoke STARTTLS when it connects to sync_server on the other host? I can invoke TLS when I use the synctest program, but I can't seem to figure out how to force sync_client to use TLS when actually replicating.

The reason I'm assuming TLS is not happening is that when /var/log/syslog records the "User logged in" events associated with replication, TLS is not mentioned as part of the authentication mechanism in use.

Right now, the lack of TLS is not a major issue because one of the servers is connected to my LAN via a VPN link (so it's encrypted). But I still want to know what I'm supposed to do in order for a TLS layer to happen.

Rich Wales
ri...@richw.org
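A check for exactly the symptom described in this post, as an added example that is neither Cyrus code nor from the thread: it correlates each syncserver process's starttls line with its "User logged in" line on the replica and reports the logins that happened without TLS, plus whether the TLS session ran without client-certificate authentication ("no authentication" in the starttls line quoted later in the thread). The syslog line layouts, in particular a "+TLS" suffix on the mechanism name in the login line, are an assumption modelled on the lines quoted in this thread, and the sample log lines are constructed, not captured.

```python
# Added example (not Cyrus code, not from the thread): audit a replica's syslog
# for replication sessions that authenticated without TLS.  The line formats are
# an assumption modelled on the thread; SAMPLE_LOG is constructed, not captured.
import re

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STARTTLS_RE = re.compile(
    r"^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]*)\)(?P<rest>.*)$")
LOGIN_RE = re.compile(
    r"^login: (?P<client>\S+) \[(?P<ip>[^\]]+)\] (?P<user>\S+) (?P<mech>\S+) User logged in$")

# Constructed sample: one TLS session, one plaintext session, one unrelated imapd login.
SAMPLE_LOG = """\
Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: accepted connection
Jun  3 10:40:12 cyrdev2 maild1r/syncserver[9595]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
Jun  3 10:40:13 cyrdev2 maild1r/syncserver[9595]: login: cyrdev1.ugent.be [10.0.0.1] syncclient PLAIN+TLS User logged in
Jun  3 10:41:05 cyrdev2 maild1r/syncserver[9602]: accepted connection
Jun  3 10:41:05 cyrdev2 maild1r/syncserver[9602]: login: cyrdev1.ugent.be [10.0.0.1] syncclient PLAIN User logged in
Jun  3 10:41:07 cyrdev2 maild1r/imap[9610]: login: desktop.ugent.be [10.0.0.7] rudy PLAIN User logged in
""".splitlines()


def audit_sync_logins(lines, program="syncserver"):
    """Correlate starttls and login lines per process of `program`.  Returns one
    finding per login with the mechanism, whether TLS protected it, the cipher,
    and whether the peer authenticated with a certificate."""
    tls_by_pid = {}   # pid -> parsed starttls line, cleared when the login is recorded
    findings = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m or not m.group("prog").endswith(program):
            continue
        pid, msg = m.group("pid"), m.group("msg")
        t = STARTTLS_RE.match(msg)
        if t:
            tls_by_pid[pid] = t.groupdict()
            continue
        l = LOGIN_RE.match(msg)
        if not l:
            continue
        tls = tls_by_pid.pop(pid, None)
        mech = l.group("mech")
        findings.append({
            "pid": pid,
            "ts": m.group("ts"),
            "client": l.group("client"),
            "user": l.group("user"),
            "mech": mech,
            # Either marker is enough: the "+TLS" suffix on the mechanism, or a
            # starttls line seen earlier from the same process.
            "tls": mech.endswith("+TLS") or tls is not None,
            "cipher": tls["cipher"] if tls else None,
            # Cyrus logs "no authentication" when the peer presented no usable cert.
            "client_cert": tls is not None and "no authentication" not in tls["rest"],
        })
    return findings


def plaintext_logins(lines, program="syncserver"):
    """Logins that sent SASL credentials without TLS: the case this post asks about."""
    return [f for f in audit_sync_logins(lines, program) if not f["tls"]]


if __name__ == "__main__":
    for f in audit_sync_logins(SAMPLE_LOG):
        status = "TLS %s" % f["cipher"] if f["tls"] else "PLAINTEXT"
        print("%s pid %s %s from %s: %s (%s)" % (
            f["ts"], f["pid"], f["user"], f["client"], status, f["mech"]))
    for f in plaintext_logins(SAMPLE_LOG):
        print("WARNING: replication login without TLS, pid %s" % f["pid"])
```

Run it against the replica's syslog (for example the lines from journalctl or /var/log/syslog filtered on syncserver) rather than the constructed sample; if every finding comes back with "tls": False, sync_client is authenticating in the clear, which is what the absence of TLS in the login events suggests. The "client_cert" field is informational: Cyrus accepts the TLS session without a client certificate and relies on the SASL login for authentication, so it is expected to be False unless you have deployed client certificates.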