Re: (Calling Kurt Roeckx, Postfix + OpenSSL on Debian buster) (was: "SSL_Shutdown:shutdown while in init" while sending and receiving)
14.05.20, 03:32 CEST, Viktor Dukhovni:

> Are any other Debian users seeing similar issues?

I did grep for "TLS library problem"[1] on 2 Debian 10 servers (low volume, though) and didn't find anything that seemed related.

[1] The following came up empty:

$ zgrep -i "TLS library problem" /var/log/mail.log.*.gz | egrep -v "(no shared cipher|version too low|unknown protocol|wrong version number|bad certificate|bad record mac|unexpected message)"

--
Regards
mks
Re: (Calling Kurt Roeckx, Postfix + OpenSSL on Debian buster) (was: "SSL_Shutdown:shutdown while in init" while sending and receiving)
On Thu, May 14, 2020 at 07:48:27AM +0200, Matus UHLAR - fantomas wrote:

> Can't that be kind of sender verification where the SMTP client doesn't
> cleanly close TLS connection?
>
> shouldn't we focus on failed client connections?

[No we should not]

Would I be wasting my time and the OP's chasing bugs in low-level internals if it could be that simple? Please avoid unproductive speculation that's not consistent with the symptoms. Don't just guess, your hypothesis is ruled out by the packet traces, and the OpenSSL errors on SSL_read() purporting incorrect use of the SSL_shutdown() function on the server (local) side.

--
Viktor.
Re: (Calling Kurt Roeckx, Postfix + OpenSSL on Debian buster) (was: "SSL_Shutdown:shutdown while in init" while sending and receiving)
>Is this the stock OpenSSL for your system, or your own build?

There's just one OpenSSL library installed on the system, the stock version supplied by the OS's package manager.

$ ldd | grep ssl
libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1 (0x7f13e45fe000)

$ strings /usr/lib/x86_64-linux-gnu/libssl.so.1.1 | grep 'OpenSSL'
OpenSSL 1.1.1d 10 Sep 2019

>What OS are you running?

On Wed, May 13, 2020 at 06:03:42PM -0700, Alexander Vasarab wrote:

Debian GNU/Linux 10 (buster aka stable).

Yesterday, I bumped libssl1.1 to the version available in the testing distribution, which is 1.1.1g, and noticed no change in the faulty behavior. Now I'm back to stable's 1.1.1d.

On 13.05.20 21:32, Viktor Dukhovni wrote:

At this point it becomes interesting what Debian-specific changes there may be in OpenSSL 1.1.1. Perhaps Kurt Roeckx (I believe he's on this list), might comment. The behaviour you're reporting exhibits issues below Postfix.

Are any other Debian users seeing similar issues?

none so far on those few debian 10 systems I checked.

Can't that be kind of sender verification where the SMTP client doesn't cleanly close TLS connection?

shouldn't we focus on failed client connections?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)
Re: (Calling Kurt Roeckx, Postfix + OpenSSL on Debian buster) (was: "SSL_Shutdown:shutdown while in init" while sending and receiving)
[ Kurt, I don't know whether you've been following this thread, but the OP's system is exhibiting rather unexpected TLS session termination with "out of the blue" SSL_R_SHUTDOWN_WHILE_IN_INIT errors, even though I see no opportunity for Postfix to attempt to tear down the session, indeed Postfix is trying to read the next command after "RCPT TO", so as far as the SMTP server was concerned the session was live when the error was unexpectedly reported.

http://postfix.1071664.n5.nabble.com/quot-SSL-Shutdown-shutdown-while-in-init-quot-while-sending-and-receiving-td105822.html ]

On Wed, May 13, 2020 at 06:03:42PM -0700, Alexander Vasarab wrote:

> >Is this the stock OpenSSL for your system, or your own build?
>
> There's just one OpenSSL library installed on the system, the stock
> version supplied by the OS's package manager.
>
> $ ldd | grep ssl
> libssl.so.1.1 => /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> (0x7f13e45fe000)
>
> $ strings /usr/lib/x86_64-linux-gnu/libssl.so.1.1 | grep 'OpenSSL'
> OpenSSL 1.1.1d 10 Sep 2019
>
> >What OS are you running?
>
> Debian GNU/Linux 10 (buster aka stable).
>
> Yesterday, I bumped libssl1.1 to the version available in the testing
> distribution, which is 1.1.1g, and noticed no change in the faulty
> behavior. Now I'm back to stable's 1.1.1d.

At this point it becomes interesting what Debian-specific changes there may be in OpenSSL 1.1.1. Perhaps Kurt Roeckx (I believe he's on this list), might comment. The behaviour you're reporting exhibits issues below Postfix.

Are any other Debian users seeing similar issues?

--
Viktor.