SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Kadlecsik József
Hello,

We upgraded one of our dovecot servers to debian stretch with dovecot
2.2.27 and since then an alpine MUA user has been experiencing random IMAP
failures.

We enabled debugging on both sides; the client says only:

{XXXX}INBOX: [CLOSED] IMAP connection broken (server response)

and we could verify that the client indeed did not receive the server
response.

On the server side the raw log shows that the correct response is pushed
to the client, but at the same time in the debug log we see:

Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

The openssl package is 1.1.0f-3.

The error message is totally cryptic to me: how could three states be
intermixed?

I think it's a dovecot issue about how the openssl library is used but I'm
unfamiliar with the details of the openssl library: what function, macro
is used incorrectly then, at which state?

Thanks for any help!

Best regards,
Jozsef
--
E-mail : [hidden email]
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Matt Caswell-2


On 26/10/17 11:22, Kadlecsik József wrote:

> Hello,
>
> We upgraded one of our dovecot servers to debian stretch with dovecot
> 2.2.27 and since then an alpine MUA user has been experiencing random IMAP
> failures.
>
> We enabled debugging on both sides; the client says only:
>
> {XXXX}INBOX: [CLOSED] IMAP connection broken (server response)
>
> and we could verify that the client indeed did not receive the server
> response.
>
> On the server side the raw log shows that the correct response is pushed
> to the client, but at the same time in the debug log we see:
>
> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>
> The openssl package is 1.1.0f-3.
>
> The error message is totally cryptic to me: how could three states be
> intermixed?
>
> I think it's a dovecot issue about how the openssl library is used but I'm
> unfamiliar with the details of the openssl library: what function, macro
> is used incorrectly then, at which state?

SSL_shutdown() is used to shut down an SSL/TLS connection that has
already been established (meaning that the SSL/TLS handshake has
completed and we are ready to send/receive application data). If you
call SSL_shutdown() while the handshake is still in progress then you
get the "shutdown while in init" error message.

Matt

Re: SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Kadlecsik József
Hi,

On Thu, 26 Oct 2017, Matt Caswell wrote:

> > Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
> > failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> >
> > The openssl package is 1.1.0f-3.
> >
> > The error message is totally cryptic to me: how could three states be
> > intermixed?
> >
> > I think it's a dovecot issue about how the openssl library is used but I'm
> > unfamiliar with the details of the openssl library: what function, macro
> > is used incorrectly then, at which state?
>
> SSL_shutdown() is used to shut down an SSL/TLS connection that has
> already been established (meaning that the SSL/TLS handshake has
> completed and we are ready to send/receive application data). If you
> call SSL_shutdown() while the handshake is still in progress then you
> get the "shutdown while in init" error message.

But why did SSL_read() fail with this error message?

Best regards,
Jozsef
--
E-mail : [hidden email]
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
Re: SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Matt Caswell-2


On 26/10/17 13:28, Kadlecsik József wrote:

> Hi,
>
> On Thu, 26 Oct 2017, Matt Caswell wrote:
>
>>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
>>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>>>
>>> The openssl package is 1.1.0f-3.
>>>
>>> The error message is totally cryptic to me: how could three states be
>>> intermixed?
>>>
>>> I think it's a dovecot issue about how the openssl library is used but I'm
>>> unfamiliar with the details of the openssl library: what function, macro
>>> is used incorrectly then, at which state?
>>
>> SSL_shutdown() is used to shut down an SSL/TLS connection that has
>> already been established (meaning that the SSL/TLS handshake has
>> completed and we are ready to send/receive application data). If you
>> call SSL_shutdown() while the handshake is still in progress then you
>> get the "shutdown while in init" error message.
>
> But why did SSL_read() fail with this error message?

That I can't explain since SSL_read() does not call SSL_shutdown().
Plausibly if SSL_read() fails (e.g. because the underlying TCP
connection died) then dovecot could call SSL_shutdown() immediately even
if it's still not completed the handshake. Then dovecot reports the
SSL_read() failure along with the error message from the subsequent
attempt to shut down the connection. Just a theory.

Matt

Re: SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Kadlecsik József
Hi Matt,

On Thu, 26 Oct 2017, Matt Caswell wrote:

> >>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
> >>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
> >
> > But why did SSL_read() fail with this error message?
>
> That I can't explain since SSL_read() does not call SSL_shutdown().
> Plausibly if SSL_read() fails (e.g. because the underlying TCP
> connection died) then dovecot could call SSL_shutdown() immediately even
> if it's still not completed the handshake. Then dovecot reports the
> SSL_read() failure along with the error message from the subsequent
> attempt to shut down the connection. Just a theory.

The failures happen after several IMAP commands were already
issued/answered in the session and not in an initial phase.

Both the server and the client machines are virtual and in the same LAN
and were moved around the physical machines just to exclude hardware
issues.

So can SSL_read() be called before the handshake is completed, i.e. in the
"while in init" state?

Thanks for your answers!

Best regards,
Jozsef
--
E-mail : [hidden email]
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
         H-1525 Budapest 114, POB. 49, Hungary
Re: SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Matt Caswell-2


On 26/10/17 13:50, Kadlecsik József wrote:

> Hi Matt,
>
> On Thu, 26 Oct 2017, Matt Caswell wrote:
>
>>>>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
>>>>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>>>
>>> But why did SSL_read() fail with this error message?
>>
>> That I can't explain since SSL_read() does not call SSL_shutdown().
>> Plausibly if SSL_read() fails (e.g. because the underlying TCP
>> connection died) then dovecot could call SSL_shutdown() immediately even
>> if it's still not completed the handshake. Then dovecot reports the
>> SSL_read() failure along with the error message from the subsequent
>> attempt to shut down the connection. Just a theory.
>
> The failures happen after several IMAP commands were already
> issued/answered in the session and not in an initial phase.
>
> Both the server and the client machines are virtual and in the same LAN
> and were moved around the physical machines just to exclude hardware
> issues.
>
> So can SSL_read() be called before the handshake is completed, i.e. in the
> "while in init" state?

Yes, SSL_read() can be called before the handshake is completed. If that
happens then the first thing it does is attempt to perform a handshake.

If you have already exchanged application data over a TLS connection
then the handshake must have completed. Plausibly a new one could be
initiated via a renegotiation. If you call SSL_shutdown() in the middle
of that then I think you will also get the "shutdown while in init"
error. Basically don't call SSL_shutdown() if SSL_in_init() is true.

Matt


>
> Thanks for your answers!
>
> Best regards,
> Jozsef
> --
> E-mail : [hidden email]
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
>          H-1525 Budapest 114, POB. 49, Hungary
>
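
The condition described in the last reply can be reproduced offline through Python's `ssl` module, which wraps OpenSSL; this is an added example, not code from the thread or from dovecot. Python has no binding for `SSL_in_init()`, so the guard assumes that `version()` returning `None` means the handshake has not finished; the helper names and the host name are made up for the illustration.

```python
import ssl


def start_client_handshake():
    """Return a client-side TLS object left mid-handshake.

    Memory BIOs stand in for the socket, so nothing touches the network:
    the ClientHello is written to `outgoing` and no reply ever arrives.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Constructed host name; no connection is made to it.
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="mail.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: OpenSSL is waiting for the server's reply
    return tls


def unguarded_close(tls):
    """Call SSL_shutdown() (unwrap) unconditionally.

    Returns the OpenSSL error text if the call fails, otherwise None.
    """
    try:
        tls.unwrap()
    except ssl.SSLError as exc:
        return str(exc)
    return None


def guarded_close(tls):
    """Attempt SSL_shutdown() only once the handshake has finished.

    Assumption: version() is None while the handshake is incomplete,
    used here as the stand-in for checking SSL_in_init().
    Returns True if a shutdown was attempted, False if it was skipped.
    """
    if tls.version() is None:
        return False  # still in init: just drop the transport instead
    try:
        tls.unwrap()
    except ssl.SSLWantReadError:
        pass  # our close_notify is queued; the peer's has not arrived yet
    return True


if __name__ == "__main__":
    print("unguarded:", unguarded_close(start_client_handshake()))
    print("guarded attempted shutdown:", guarded_close(start_client_handshake()))
```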