On Tue, Dec 16, 2008 at 02:45:19PM -0700, Jesús Manuel Loaiza Vidal wrote:

> >We need to log the error detail from the SSL library to see what the
> >library is unhappy about. This sure looks like an SSL library bug,
> >compiler bug or hardware issue. The kernel is no longer suspect for now.
> >
> >In addition to the previous patch, please also apply:
> >
> >--- src/tls/tls_bio_ops.c 2008-12-16 15:12:12.000000000 -0500 > >+++ src/tls/tls_bio_ops.c 2008-12-16 15:12:30.000000000 -0500 > >@@ -345,6 +345,10 @@ > > return (-1); /* network read/write error > > */ > > } > > break; > >+ case SSL_ERROR_SSL: > >+ if (hsfunc == 0) > >+ tls_print_errors(); > >+ /* FALLTHROUGH */ > > default: > > retval = status; > > done = 1;
> >
> >and report the results (logs).
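
Review bot: In the new "case SSL_ERROR_SSL:" arm, the "if (hsfunc == 0)" guard around tls_print_errors() has no comment saying why the library's error detail is logged only when hsfunc is zero. Add a one-line comment naming where errors are reported when hsfunc is set, so the guard is not read as an oversight and the same error is not logged twice or dropped if the calling code changes. The "/* FALLTHROUGH */" marker into "default:" is good and should stay.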
> The logs:
> mail log <http://www.ich.edu.mx/attachments/postfix-4.txt>
> pcap file <http://www.ich.edu.mx/attachments/tcp-4.cap>

Thanks:

    Dec 16 14:39:49 [postfix/smtpd] warning: TLS library problem: 3079596704:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure: s3_pkt.c:1053:SSL alert number 40:

This is bogus. It appears that the library believes it has valid protocol
data to consume without reading the client's next record, but the previous
record containing the client's "RCPT TO:" command is of the right length
to account for all the data seen on the wire and was fully consumed by
a previous SSL_read().

So the internal library state is at this point severely corrupted. It
sees an "alert" record instead of an empty buffer. Try different hardware
and/or memory diagnostics. Also try recompiling both Postfix and OpenSSL
on a known non-flaky machine...

-- 
    Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
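
The hex field in the logged "TLS library problem" line can be unpacked to confirm what the library thinks it saw. The decoder below is an added example, not code from Postfix, OpenSSL or this thread; it assumes the packed error-code layout of pre-3.0 OpenSSL releases, and the names decode_tls_error and struct tls_err are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout: packed error codes of pre-3.0 OpenSSL releases,
 * 8 bits library | 12 bits function | 12 bits reason. */
#define LIB_SSL             20    /* ERR_LIB_SSL */
#define ALERT_REASON_OFFSET 1000  /* SSL_AD_REASON_OFFSET */

struct tls_err {                  /* hypothetical helper type */
    unsigned long code;
    int lib, func, reason;
    int alert;                    /* alert number received, -1 if none */
};

/* Decode the "<thread id>:error:<8 hex digits>:..." part of a log line.
 * Returns 0 on success, -1 if no well-formed error code is found. */
int decode_tls_error(const char *line, struct tls_err *out)
{
    const char *p = strstr(line, ":error:");
    if (p == NULL)
        return -1;
    p += strlen(":error:");
    if (strspn(p, "0123456789abcdefABCDEF") != 8 || p[8] != ':')
        return -1;
    out->code = strtoul(p, NULL, 16);
    out->lib = (int)((out->code >> 24) & 0xff);
    out->func = (int)((out->code >> 12) & 0xfff);
    out->reason = (int)(out->code & 0xfff);
    /* SSL-library reasons of 1000 and up encode a received alert
     * as 1000 + alert number. */
    out->alert = -1;
    if (out->lib == LIB_SSL && out->reason >= ALERT_REASON_OFFSET)
        out->alert = out->reason - ALERT_REASON_OFFSET;
    return 0;
}

int main(void)
{
    /* The log line quoted in the message above. */
    const char *line = "warning: TLS library problem: 3079596704:error:"
        "14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake "
        "failure: s3_pkt.c:1053:SSL alert number 40:";
    struct tls_err e;

    if (decode_tls_error(line, &e) != 0)
        return 1;
    printf("lib=%d func=%d reason=%d alert=%d\n", e.lib, e.func, e.reason, e.alert);
    return 0;
}
```

For the logged code 14094410 the reason field is 1040, that is alert 40 (handshake failure) as read by the record layer, which matches the "alert record instead of an empty buffer" reading above.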