On 2013-02-23 11:32 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
Am 23.02.2013 17:03, schrieb Charles Marcus:
OpenSSL was 1.0.0j, now updated to 1.0.1c Dovecot was 2.1.13, now updated to 2.1.15
on which distribtuion can you update openssl with a ABI-bump without re-compile half of the system?
Gentoo... been using it for over 8 years, and been through LOTS of major changes like this with only the occasional problem.
1.0.0x is not binary compatible with 1.0.1x and that is as example why Fedora 17 stays at 1.0.0x and Fedora 18 has 1.01x
When something like this does happen, gentoo automatically rebuilds any affected packages - or at least it is supposed to (mistakes happen, things get left out/missed)...
I'm getting a bunch of lines like the following:
Feb 23 10:48:01 myhost dovecot: imap-login: Disconnected (no auth attempts in 29 secs): user=<>, rip=#.#.#.#, lport=993, TLS handshaking: SSL_accept() syscall failed: Connection reset by peer, session=<In+cO2bWngCthJz2>
where only the session id (and number of seconds for no auth attempts) is different... how looks your "ssl_cipher_list"? ssl_cipher_list = ALL:!LOW:!MEDIUM:!SSLv2:!MD5:!aNULL:!eNUL:!ADH:!AESGCM:!EXP:HIGH
Using the defaults:
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
Looks like they are slowly disappearing though... the last one was 12:35 yesterday. Also, looks like there were two other users/clients affected. I called the first one and had him check and he said he wasn't seeing any errors or problems on his end. I then had him restart all of his mail clients (restarted his phone just to be sure), and after he did this these errors disappeared (for his IP).
On 2013-02-24 9:55 AM, Timo Sirainen <tss@iki.fi> wrote:
Most likely related to the OpenSSL upgrade. Dovecot at least didn't change anything SSL related. You could see if verbose_ssl=yes logs anything interesting. And like Reindi mentioned, ssl_cipher_list is pretty much the only thing in Dovecot's configuration that may be related to this.
Yeah, I expected it to be related to the openssl upgrade, I was just seeing if anyone else had been through it before and whether or not I needed to do anything proactively to fix it.
Thanks for the responses,
--
Best regards,
*/Charles /*