Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Hi Debian Cyrus Team First of all, thank you for your support. And thank you Vladislav for the fix & Philip for the workaround ;) We've updated our mail servers to Stretch as well and we're now on cyrus-imapd 2.5.10-3 (amd64). Unfortunately, since the update, most of our iOS and OS X clients trigger the issue described here, which leads to a lot of headache because of dropping IMAP connections. Our logs have a lot of those entries as well: Jun 18 18:06:55 ?.???.confirm.ch cyrus/master[19739]: process type:SERVICE name:imaps path:/usr/lib/cyrus/bin/imapd age:306.344s pid:20713 exited, status 75 Any chance to get a fix soon? Can we do anything to help? Cheers Dominique
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Dear maintainer, I would greatly appreciate if you could push this fix into current Debian Stretch. The problem still persists in Cyrus-imapd 2.5.10-3 and above patch from upstream fixes it. After having upgraded a mailserver to Debian Stretch we had a massive amount of negative customer feedback complaining about dropped connections. The patched and recompiled packages are now running for more than 2 weeks on two rather busy mail servers (datenpark.ch / onlime.ch) and all trouble has gone away, cyrus-imapd works stable again. Thanks Vladislav for your great support! Here's a short howto for people who never built a Deb package before: $ apt-get source cyrus-imapd $ wget https://github.com/cyrusimap/cyrus-imapd/commit/a1c917df8de04e108228f38f0010498bec3d81e8.patch -O cyrus-imapd-issue1872.patch $ cd cyrus-imapd-2.5.10/ $ patch -p1 < ../cyrus-imapd-issue1872.patch $ apt-get build-dep cyrus-imapd $ dpkg-buildpackage -b $ cd ../ # install at least the following and put those packages on hold: $ dpkg -i cyrus-common_2.5.10-3_amd64.deb cyrus-imapd_2.5.10-3_amd64.deb cyrus-pop3d_2.5.10-3_amd64.deb libcyrus-imap-perl_2.5.10-3_amd64.deb $ echo cyrus-common hold | dpkg --set-selections $ echo cyrus-imapd hold | dpkg --set-selections $ echo cyrus-pop3d hold | dpkg --set-selections $ echo libcyrus-imap-perl hold | dpkg --set-selections # check package state $ dpkg --get-selections | grep cyrus | grep -v deinstall This fixes the issue and the "lib/cyrusdb_twoskip.c" fatal errors no longer pop up in mail.log Best regards, Philip
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Package: cyrus-imapd Version: 2.5.10-3 Followup-For: Bug #863520 Dear Maintainer, is there anything we could do to help this bug being fixed? It seems to be fixed upstream. I think this deserves to be fixed in stable. I have applied the patch mentioned above to debian sources, recompiled, repacked and reinstalled, and now I run without these problems. Best Regards Vladislav Kurz https://github.com/cyrusimap/cyrus-imapd/issues/1872 https://github.com/cyrusimap/cyrus-imapd/commit/a1c917df8de04e108228f38f0010498bec3d81e8 -- System Information: Debian Release: 9.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages cyrus-imapd depends on: ii cyrus-common 2.5.10-3 ii dpkg 1.18.24 ii libc6 2.24-11+deb9u1 ii libicu57 57.1-6 ii libsasl2-22.1.27~101-g0780600+dfsg-3 ii libssl1.1 1.1.0f-3 ii libwrap0 7.6.q-26 ii zlib1g1:1.2.8.dfsg-5 cyrus-imapd recommends no packages. cyrus-imapd suggests no packages. -- no debconf information
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Any update on when this fix can get into an update? It’s causing annoying problems Aug 12 22:35:11 lorien cyrus/imaps[21146]: inittls: Loading hard-coded DH parameters Aug 12 22:35:11 lorien cyrus/imaps[21146]: Fatal error: Internal error: assertion failed: lib/cyrusdb_twoskip.c: 1727: key && keylen Aug 12 22:35:11 lorien cyrus/master[20243]: process type:SERVICE name:imaps path:/usr/lib/cyrus/bin/imapd age:0.091s pid:21146 exited, status 75
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Further to bug #863520, fatyal errors are also logged with imap connections, not only pop3: Jul 8 15:56:17 cyrus/imap[10736]: SASL unable to canonify user and get auxprops Jul 8 15:56:21 cyrus/imap[10735]: Fatal error: Internal error: assertion failed: lib/cyrusdb_twoskip.c: 1727: key && keylen Jul 8 15:56:21 cyrus/master[2950]: process type:SERVICE name:imap path:/usr/lib/cyrus/bin/imapd age:46.830s pid:10735 exited, status 75 Cheers Michael
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Source: cyrus-imapd Followup-For: Bug #863520 I have also problems with imaps, attached patch fixes the reported problem, but I still to restart cyrus everyday because clients are not able to connect anymore to the server. reference bug here https://github.com/cyrusimap/cyrus-imapd/issues/1872 Regards -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) commit a1c917df8de04e108228f38f0010498bec3d81e8 Author: Bron Gondwana Date: Sun Apr 16 15:05:51 2017 +1000 tls: make sure we never try to do DB ops on a zero-length key diff --git a/imap/tls.c b/imap/tls.c index 68131d87d..05def8469 100644 --- a/imap/tls.c +++ b/imap/tls.c @@ -518,11 +518,13 @@ static int new_session_cb(SSL *ssl __attribute__((unused)), /* store the session in our database */ session_id = SSL_SESSION_get_id(sess, &session_id_length); - do { - ret = cyrusdb_store(sessdb, (const char *) session_id, - session_id_length, - (const char *) data, len + sizeof(time_t), NULL); - } while (ret == CYRUSDB_AGAIN); +if (session_id_length) { + do { + ret = cyrusdb_store(sessdb, (const char *) session_id, + session_id_length, + (const char *) data, len + sizeof(time_t), NULL); + } while (ret == CYRUSDB_AGAIN); +} } free(data); @@ -551,6 +553,7 @@ static void remove_session(const unsigned char *id, int idlen) assert(id); assert(idlen <= SSL_MAX_SSL_SESSION_ID_LENGTH); +if (!idlen) return; if (!sess_dbopen) return; do {
Bug#863520: cyrus-imapd version 2.5.10-3 Fatal error with SSL
Package: cyrus-imapd Version: 2.5.10-3 Severity: important Tags: upstream Dear Maintainer, *** Reporter, please consider answering these questions, where appropriate *** * What led up to the situation? * What exactly did you do (or not do) that was effective (or ineffective)? * What was the outcome of this action? * What outcome did you expect instead? *** End of the template - remove these template lines *** -- System Information: Debian Release: 9.0 APT prefers testing APT policy: (500, 'testing'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages cyrus-imapd depends on: ii cyrus-common 2.5.10-3 ii dpkg 1.18.24 ii libc6 2.24-10 ii libicu57 57.1-6 ii libsasl2-22.1.27~101-g0780600+dfsg-3 ii libssl1.1 1.1.0e-2 ii libwrap0 7.6.q-26 ii zlib1g1:1.2.8.dfsg-5 cyrus-imapd recommends no packages. cyrus-imapd suggests no packages. -- no debconf information Here is the log entry every time SSL fails from a client when it conenects to pop3d via SSL on ort 995 : cyrus/pop3[26981]: Fatal error: Internal error: assertion failed: lib/cyrusdb_twoskip.c: 1727: key && keylen