Hi,
I'd like to just update that this issue still happens with OpenBSD 6.9
and latest uw-imapd installed from ports. I don't know if it's due to
Thunderbird, iOS email client or Android email client. But in any case I
end up having a lot of stale imapd processes in busyloop that I need to
manually kill.
I don't know why it happens or where, but likely in disconnection code
path related to SSL. So somehow it came back in OpenBSD 6.8 after it got
fixed in 6.7. Possibly due to some changes in either imapd (I don't
think so), or in libssl.
Best regards,
- Jussi
On 1/28/21 8:35 AM, Theo Buehler wrote:
> Hi,
>
> On Thu, Jan 28, 2021 at 01:09:20AM +0200, Jussi Laako wrote:
>> Hi,
>>
>> Looks like this problem has somehow resurfaced on OpenBSD 6.8, at least in
>> the pre-built packages. I have again imapd processes stuck in a busyloop...
>
> Do I understand correctly that you're back to seeing the spinning when
> thunderbird clients connect after you upgraded your mail server from 6.7
> to 6.8-stable?
>
> Can you figure out where the spinning happens?
>
> Is it again the patches/patch-imap_src_osdep_unix_ssl_unix_c patch for
> alpine or is it something else? My understanding is that this is still
> needed to be able to talk to gmail.
>
> It would probably speed things up if you could provide some instructions
> and a config file so we can reproduce the problem and poke at it.
>
> Regards,
>
> Theo
>
>>
>>
>> Best regards,
>>
>> - Jussi
>>
>>
>> On 13.9.2020 12.17, Jussi Laako wrote:
>>> Hi,
>>>
>>> I've updated my server with version built using this patch and it seems
>>> to work without problems too.
>>>
>>>
>>> Best regards,
>>>
>>> - Jussi
>>>
>>>
>>> On 12.9.2020 14.00, richard.n.procter@gmail.com wrote:
>>>>
>>>>
>>>> On Sat, 12 Sep 2020, Theo Buehler wrote:
>>>>
>>>>> On Sat, Sep 12, 2020 at 07:09:16PM +1200,
>>>>> richard.n.procter@gmail.com wrote:
>>>>>>
>>>>>> On Fri, 11 Sep 2020, Theo Buehler wrote:
>>>>>>
>>>>>>> Hi Richard,
>>>>>>>
>>>>>>> Could you please give the patch below a go on a relatively -current
>>>>>>> machine (anything after May 24 should be fine) and try if you can send
>>>>>>> and read mail with gmail?
>>>>>>>
>>>>>>> We have enabled AUTO_RETRY in libssl, so we should no longer do the
>>>>>>> retry of the writes, it may actually break things. That should also
>>>>>>> address the busy looping Jussi sees on the alpine server.
>>>>>>
>>>>>> Hi Theo,
>>>>>>
>>>>>> Sure thing. It looks like a no-go. Here's what I did:
>>>>>>
>>>>>> First build the latest alpine(1) sans-patch and test:
>>>>>> - sysupgrade
>>>>>> - /usr/ports$ cvs -ACd
>>>>>> - make build && make install in /usr/ports/mail/alpine
>>>>>> - this connects to gmail fine (as expected).
>>>>>>
>>>>>> Then build with your patch. Alpine then fails to connect to gmail with
>>>>>> "SSL negotiation failed".
>>>>>>
>>>>>> I applied my debug patch below on top of your patch (I've attached the
>>>>>> final patches/patch-imap_src_osdep_unix_ssl_unix_c file as
>>>>>> the resultant
>>>>>> patch was unwieldly) and got the following two lines of output:
>>>>>>
>>>>>> ssl_start_work: SSL_get_error: 3
>>>>>> ssl_start_work: ERR_get_error_line_data
>>>>>>
>>>>>> Happy to help work on this further if you need.
>>>>>
>>>>> Thank you. So that's again the issue we fixed by retrying the SSL_write
>>>>> before 6.7.
>>>>>
>>>>> The patch below should still let alpine interoperate with gmail and
>>>>> hopefully also fix Jussi's thunderbird issue on the server. I simplified
>>>>> and cleaned up the retry logic a bit. It preserves the logic apparently
>>>>> really needed for gmail interoperation and removes the second SSL_write
>>>>> retry that is probably spinning in a tight loop on Jussi's server.
>>>>>
>>>>> Could both of you give this a try please?
>>>>
>>>> alpine opens my gmail inbox with this patch.
>>>>
>>>> I've also reconfirmed that the prior patch induced the "SSL negotiation
>>>> failed" error.
>>>>
>>>> cheers,
>>>> Richard.
>>>>
>>>>>
>>>>> Index: Makefile
>>>>> ===================================================================
>>>>> RCS file: /var/cvs/ports/mail/alpine/Makefile,v
>>>>> retrieving revision 1.47
>>>>> diff -u -p -r1.47 Makefile
>>>>> --- Makefile 1 May 2020 09:09:14 -0000 1.47
>>>>> +++ Makefile 12 Sep 2020 07:42:47 -0000
>>>>> @@ -28,7 +28,7 @@ PKGNAME-mailutil= mailutil-uw-${V}
>>>>> PKGNAME-pico= pico-${PICO_V}
>>>>> PKGNAME-pilot= pilot-${PILOT_V}
>>>>> -REVISION= 4
>>>>> +REVISION= 5
>>>>> REVISION-pico= 20
>>>>> REVISION-pilot= 20
>>>>> Index: patches/patch-imap_src_osdep_unix_ssl_unix_c
>>>>> ===================================================================
>>>>> RCS file: /var/cvs/ports/mail/alpine/patches/patch-imap_src_osdep_unix_ssl_unix_c,v
>>>>>
>>>>> retrieving revision 1.1
>>>>> diff -u -p -r1.1 patch-imap_src_osdep_unix_ssl_unix_c
>>>>> --- patches/patch-imap_src_osdep_unix_ssl_unix_c 1 May 2020
>>>>> 09:09:14 -0000 1.1
>>>>> +++ patches/patch-imap_src_osdep_unix_ssl_unix_c 12 Sep 2020
>>>>> 07:57:42 -0000
>>>>> @@ -1,7 +1,7 @@
>>>>> $OpenBSD: patch-imap_src_osdep_unix_ssl_unix_c,v 1.1
>>>>> 2020/05/01 09:09:14 tb Exp $
>>>>> * some popular mail services enforce SNI for TLSv1.3 clients,
>>>>> so send it
>>>>> -* retry SSL_write if we're told to do so.
>>>>> +* retry SSL_write on blocking socket if we're told to do so.
>>>>> Index: imap/src/osdep/unix/ssl_unix.c
>>>>> --- imap/src/osdep/unix/ssl_unix.c.orig
>>>>> @@ -14,7 +14,7 @@ Index: imap/src/osdep/unix/ssl_unix.c
>>>>> unsigned long sl,tl;
>>>>> char *s,*t,*err,tmp[MAILTMPLEN], buf[256];
>>>>> sslcertificatequery_t scq =
>>>>> -@@ -313,12 +314,22 @@ static char *ssl_start_work (SSLSTREAM
>>>>> *stream,char *h
>>>>> +@@ -313,12 +314,21 @@ static char *ssl_start_work (SSLSTREAM
>>>>> *stream,char *h
>>>>> /* create connection */
>>>>> if (!(stream->con = (SSL *) SSL_new (stream->context)))
>>>>> return "SSL connection failed";
>>>>> @@ -29,28 +29,11 @@ Index: imap/src/osdep/unix/ssl_unix.c
>>>>> - if (SSL_write (stream->con,"",0) < 0)
>>>>> + do {
>>>>> + ssl_err = SSL_write (stream->con,"",0);
>>>>> -+ } while ((ssl_err == -1 &&
>>>>> -+ SSL_get_error(stream->con, ssl_err) == SSL_ERROR_SYSCALL
>>>>> && errno == EINTR) ||
>>>>> -+ (ssl_err < 0 &&
>>>>> -+ (SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_READ ||
>>>>> -+ SSL_get_error(stream->con, ssl_err) ==
>>>>> SSL_ERROR_WANT_WRITE)));
>>>>> ++ } while (ssl_err < 0 &&
>>>>> ++ ((SSL_get_error(stream->con, ssl_err) ==
>>>>> SSL_ERROR_SYSCALL && errno == EINTR) ||
>>>>> ++ SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_READ ||
>>>>> ++ SSL_get_error(stream->con, ssl_err) == SSL_ERROR_WANT_WRITE));
>>>>> + if (ssl_err < 0)
>>>>> return ssl_last_error ? ssl_last_error : "SSL negotiation
>>>>> failed";
>>>>> /* need to validate host names? */
>>>>> if (!(flags & NET_NOVALIDATECERT) &&
>>>>> -@@ -626,7 +637,14 @@ long ssl_sout (SSLSTREAM *stream,char
>>>>> *string,unsigned
>>>>> - /* until request satisfied */
>>>>> - for (i = 0; size > 0; string += i,size -= i)
>>>>> - /* write as much as we can */
>>>>> -- if ((i = SSL_write (stream->con,string,(int) min
>>>>> (SSLBUFLEN,size))) < 0) {
>>>>> -+ do {
>>>>> -+ i = SSL_write (stream->con,string,(int) min (SSLBUFLEN,size));
>>>>> -+ } while ((i == -1 &&
>>>>> -+ SSL_get_error(stream->con, i) == SSL_ERROR_SYSCALL &&
>>>>> errno == EINTR) ||
>>>>> -+ (i < 0 &&
>>>>> -+ (SSL_get_error(stream->con, i) == SSL_ERROR_WANT_READ ||
>>>>> -+ SSL_get_error(stream->con, i) == SSL_ERROR_WANT_WRITE)));
>>>>> -+ if (i < 0) {
>>>>> - if (tcpdebug) {
>>>>> - char tmp[MAILTMPLEN];
>>>>> - sprintf (tmp,"SSL data write I/O error %d SSL error %d",
>>>>>
>>>
>>
No comments:
Post a Comment