Re: "SSL_Shutdown:shutdown while in init" while sending and receiving

Mon, 11 May 2020 13:30:48 -0700 

On Mon, May 11, 2020 at 12:51:55PM -0700, Alexander Vasarab wrote:

> May 11 12:20:56 vasaconsulting postfix/smtpd[28652]: connect from <data 
> scrubbed>[<data scrubbed>]
> May 11 12:20:56 vasaconsulting postfix/tlsmgr[8390]: put smtpd session 
> id=AB4F6D34D354C888E50413E7DFADA37D900F7FD03D2A57145F8C9EBCD4F85CD5&s=submission&l=269488207
>  [data 137 bytes]
> May 11 12:20:56 vasaconsulting postfix/tlsmgr[8390]: write smtpd TLS cache 
> entry 
> AB4F6D34D354C888E50413E7DFADA37D900F7FD03D2A57145F8C9EBCD4F85CD5&s=submission&l=269488207:
>  time=1589224856 [data 137 bytes]
> May 11 12:20:56 vasaconsulting postfix/smtpd[28652]: Anonymous TLS connection 
> established from <data scrubbed>[<data scrubbed>]: TLSv1.3 with cipher 
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature 
> RSA-PSS (2048 bits) server-digest SHA256
> May 11 12:20:57 vasaconsulting postfix/smtpd[28652]: 53C0A102C037: 
> client=<data scrubbed>[<data scrubbed>], sasl_method=LOGIN, 
> sasl_username=<data scrubbed>
> May 11 12:20:57 vasaconsulting postfix/smtpd[28652]: warning: TLS library 
> problem: error:140E0197:SSL routines:SSL_shutdown:shutdown while in 
> init:../ssl/ssl_lib.c:2086:
> May 11 12:20:57 vasaconsulting postfix/smtpd[28652]: lost connection after 
> RCPT from <data scrubbed>[<data scrubbed>]
> May 11 12:20:57 vasaconsulting postfix/smtpd[28652]: disconnect from <data 
> scrubbed>[<data scrubbed>] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 commands=6

The real problem is that the connection was terminated mid-transaction.

The "shutdown while in init" is I think a distraction, Postfix was
cleaning up the TLS session, when it was not yet, or is no longer in a
state that is valid for calling SSL_shutdown().  If you manage to
collect a PCAP capture of the traffic for a failed delivery, it should
be possible (especially if limited to TLS 1.2, which is a bit easier to
debug from TCP captures) to see whether the failure is at the
application or TCP layer.

> I can upgrade OpenSSL to 1.1.1g, but it would go outside of the stable
> "channel" of my distribution, so it's not a preferred approach. I
> recognize that this is a symptom of an underlying problem, just trying
> to figure out what that underlying problem might be. Thanks.

Ideally, they have all the bug fixes from 1.1.1g in the package they're
calling 1.1.1d.

I think your next step is to get a PCAP of the traffic.

-- 
    Viktor.

Reply via email to