Another thing I just noticed is that very often there are many of the
following log lines from the IP address that leads to the CPU-spinning
spamdyke process:
Apr 11 14:30:08 serverXXX spamdyke[21259]: TIMEOUT from: [email protected] to: [email protected] origin_ip: 1.2.3.4 origin_rdns: customer-1-2-3-4.isp.com auth: [email protected] encryption: TLS reason: TIMEOUT
On 10.04.19 at 16:05, Teodor Milkov via spamdyke-users wrote:
Hello,
I get infrequent hangs with spamdyke 4.3.1 with SSL connections. As
far as I can tell the relevant code is not changed in spamdyke 5.x.
Using gdb I can see the following sequence:
spamdyke.c:2676: tls_read() is called (if ((read_result =
NETWORK_READ(...))
tls.c:545: SSL_read() returns -1
tls.c:548: SSL_get_error() returns 1 (SSL_ERROR_SSL)
spamdyke.c:2696: SSL_pending() says there is more data pending
With verbose logging I got:
ERROR: unable to read from SSL/TLS stream: A protocol or library
failure occurred, error:140800FF:lib(20):func(128):reason(255)
* One possibility is: according to SSL_shutdown()
<https://www.openssl.org/docs/man1.0.2/man3/SSL_shutdown.html>
documentation:
"Note that SSL_shutdown() must not be called if a previous fatal
error has occurred on a connection i.e. if SSL_get_error() has
returned SSL_ERROR_SYSCALL or SSL_ERROR_SSL."
As I understand it, spamdyke should abandon connection without further
attempts to read/write or anything if SSL_ERROR_SSL occurs.
* Another possibility is some kind of error handling confusion as
described in https://github.com/openssl/openssl/issues/7291
"Make sure you call ERR_clear_error() after any errors. If
you have stale errors on the error queue SSL_get_error() is going
to get confused."
I can't swear by that, but if I'm not mistaken the errors started to
appear after the upgrade to openssl 1.0.2r, which contains a fix for
CVE-2019-1559 <https://nvd.nist.gov/vuln/detail/CVE-2019-1559>.
Best regards,
Teodor
_______________________________________________
spamdyke-users mailing list
[email protected]
https://spamdyke.org/mailman/listinfo/spamdyke-users
--
Teodor Milkov | http://icdsoft.com
Head of Linux Engineering & Operations
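
The read-loop behaviour discussed in this thread, as an added example that is not part of the original messages and is not spamdyke's code: a self-contained model that builds without OpenSSL and compares a loop that keeps retrying while data is reported pending with one that abandons the connection on SSL_ERROR_SSL or SSL_ERROR_SYSCALL and skips the shutdown. The `mock_*` helpers, the `drain_*` and `classify` names and the loop shape are assumptions made for illustration.

```c
#include <stdio.h>
/* Numeric values as in OpenSSL's <openssl/ssl.h>; redefined so the model builds without OpenSSL. */
enum { M_NONE = 0, M_SSL = 1, M_WANT_READ = 2, M_WANT_WRITE = 3, M_SYSCALL = 5, M_ZERO_RETURN = 6 };
enum action { ACT_CONTINUE, ACT_RETRY, ACT_CLOSE, ACT_ABORT };
/* Constructed stand-in for an SSL connection (hypothetical, not spamdyke's structures). */
struct mock_conn { int fatal, pending, shutdowns; };
static int mock_read(struct mock_conn *c) {        /* plays the role of SSL_read() */
    if (c->fatal) return -1;                       /* failed stream: pending never drains */
    int n = c->pending; c->pending = 0; return n;  /* 0 = peer closed cleanly */
}
static int mock_get_error(const struct mock_conn *c, int ret) {  /* role of SSL_get_error() */
    return ret > 0 ? M_NONE : c->fatal ? M_SSL : M_ZERO_RETURN;
}
/* Map an SSL_get_error() result to what the caller may still do with the connection. */
enum action classify(int err) {
    switch (err) {
    case M_NONE:                        return ACT_CONTINUE;
    case M_WANT_READ: case M_WANT_WRITE: return ACT_RETRY;
    case M_ZERO_RETURN:                 return ACT_CLOSE;  /* clean close: shutdown allowed */
    default:                            return ACT_ABORT;  /* SSL_ERROR_SSL / SSL_ERROR_SYSCALL */
    }
}
/* Assumed loop shape: retry while data is reported pending, ignoring the error code. */
int drain_retry_on_pending(struct mock_conn *c, int max_iter) {
    int n = 0;
    while (n < max_iter) {
        n++;
        if (mock_read(c) <= 0 && c->pending <= 0) break;
    }
    c->shutdowns++;  /* shutdown attempted even after a fatal error */
    return n;        /* equals max_iter when the loop was spinning */
}
/* Hardened loop: a fatal error ends all I/O on the connection, with no shutdown call. */
int drain_abort_on_fatal(struct mock_conn *c, int max_iter) {
    for (int n = 1; n <= max_iter; n++) {
        /* Real code would call ERR_clear_error() here, before SSL_read(). */
        enum action a = classify(mock_get_error(c, mock_read(c)));
        if (a == ACT_ABORT) return n;                   /* only close the socket */
        if (a == ACT_CLOSE) { c->shutdowns++; return n; }
    }
    return max_iter;
}
int main(void) {
    struct mock_conn a = {1, 16, 0}, b = {1, 16, 0};  /* constructed: failed stream, 16 bytes pending */
    printf("%d vs %d iterations\n", drain_retry_on_pending(&a, 1000), drain_abort_on_fatal(&b, 1000));
    return 0;
}
```

The iteration cap exists only so the model terminates; without it the first loop never exits on the failed stream.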