I get infrequent hangs with spamdyke 4.3.1 with SSL connections. As far as I can tell the relevant code is not changed in spamdyke 5.x.

Using gdb I can see the following sequence:

spamdyke.c:2676: tls_read() is called (if ((read_result = NETWORK_READ(...))

tls.c:545:  SSL_read() returns -1

tls.c548: SSL_get_error() returns 1 (SSL_ERROR_SSL)

spamdyke.c:2696: SSL_pending() says there is more data pending

With verbose logging I got:

ERROR: unable to read from SSL/TLS stream: A protocol or library failure occurred, error:140800FF:lib(20):func(128):reason(255)

* One possibility is: according to SSL_shutdown() <https://www.openssl.org/docs/man1.0.2/man3/SSL_shutdown.html> documentation:

/"Note that SSL_shutdown() must not be called if a previous fatal error has occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL or SSL_ERROR_SSL."/

As I understand it, spamdyke should abandon connection without further attempts to read/write or anything if SSL_ERROR_SSL occurs.

* Another possibility is some kind of error handling confusion as described in|https://github.com/openssl/openssl/issues/7291|

/|"|//Make sure you call //|ERR_clear_error()|//after any errors. If you have stale errors on the error queue //|SSL_get_error()|//is going to get confused."//||/

I can't swear by that, but if I'm not mistaken the errors started to appear after upgrade to openssl 1.0.2r, which contains fix for CVE-2019-1559 <https://nvd.nist.gov/vuln/detail/CVE-2019-1559>.

Best regards,

spamdyke-users mailing list

Reply via email to