[Dovecot] Dovecot + SSL + Fedora
I've been seeing the Dovecot/SSL/Fedora 1 problem.
I have a dovecot server which tends to die at least once a day, with messages like these :- May 24 13:44:44 mail pop3-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded May 24 13:44:44 mail dovecot: Login process died too early - shutting down
I noticed Timo's email about this at: http://www.dovecot.org/list/dovecot/2004-May/003316.html with the patch that just ignores the return code of RAND_bytes().
Would disabling SSL in dovecot.conf also be a reasonable way of avoiding the problem of dovecot crashing?
My plan is to set ssl_disable = yes and also take out pops and imaps from protocols. That is a lot easier for me than getting source, patching it, re-compiling and re-installing.
We are using Fedora Core 1 (fedora-release-1-3 i386 rpm) Dovecot 0.99.10 (dovecot-0.99.10-4 i386 rpm) OpenSSL 0.9.7a (openssl-0.9.7a-33.10 i386 rpm)
David Keegel <djk@cybersource.com.au> http://www.cyber.com.au/users/djk/ Cybersource P/L: Linux/Unix Systems Administration Consulting/Contracting
On 24.5.2004, at 10:43, David Keegel wrote:
I've been seeing the Dovecot/SSL/Fedora 1 problem.
I have a dovecot server which tends to die at least once a day, with messages like these :- May 24 13:44:44 mail pop3-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded May 24 13:44:44 mail dovecot: Login process died too early - shutting down
I noticed Timo's email about this at: http://www.dovecot.org/list/dovecot/2004-May/003316.html with the patch that just ignores the return code of RAND_bytes().
That fixes the crashes, but probably still causes occational problems with SSL connection handshakes failing.
Would disabling SSL in dovecot.conf also be a reasonable way of avoiding the problem of dovecot crashing?
My plan is to set ssl_disable = yes
If you don't need SSL, it's a good solution.
and also take out pops and imaps from protocols. That is a lot easier for me than getting source, patching it, re-compiling and re-installing.
We are using Fedora Core 1 (fedora-release-1-3 i386 rpm) Dovecot 0.99.10 (dovecot-0.99.10-4 i386 rpm) OpenSSL 0.9.7a (openssl-0.9.7a-33.10 i386 rpm)
This could also be fixed by patching OpenSSL (I think). Patch in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
On Mon, May 24, 2004 at 07:50:54PM +0300, Timo Sirainen wrote:
This could also be fixed by patching OpenSSL (I think). Patch in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284
That looks similar to a private patch I created some time back when openssl changed its RAND_bytes logic . I've moved it forward to successive openssl releases as I've installed them. This is pretty specific to the environment here though-- particularly where you know that you have a /dev/urandom. That openssl change (the one that necessitated this patch) also broke systems where the /dev/urandom was implemented via a pipe to a command.
Anyway, just for grins.. here's that local patch as carried forward to 0.9.7d
*** rand_unix.c.orig Sat Dec 27 11:01:52 2003 --- rand_unix.c Wed Mar 17 23:13:25 2004
*** 167,182 **** --- 167,203 ----
for (randomfile = randomfiles; *randomfile && n < ENTROPY_NEEDED; randomfile++)
{
- #ifndef MV_COMM if ((fd = open(*randomfile, O_RDONLY|O_NONBLOCK
- #else /* mem 20030409 -- yes, let's block */
if ((fd = open(*randomfile, O_RDONLY
- #endif /* MV_COMM */
- #ifdef O_NOCTTY /* If it happens to be a TTY (god forbid), do not make it our controlling tty */ |O_NOCTTY #endif
- #ifndef MV_COMM /* mem 20030409 -- we don't have O_NOFOLLOW
- #ifdef O_NOFOLLOW /* Fail if the file is a symbolic link */ |O_NOFOLLOW #endif
- #endif /* MV_COMM */ )) >= 0) {
- #ifndef MV_COMM /* mem 20030409 -- don't do this idiotic timeout
struct timeval t = { 0, 10*1000 }; /* Spend 10ms on each file. */ int r;
*** 208,213 **** --- 229,251 ---- } while ((r > 0 || (errno == EINTR || errno == EAGAIN)) && t.tv_usec != 0 && n < ENTROPY_NEEDED); +
#else /* MV_COMM */
#endif /* MV_COMM */
close(fd); }
On Mon, 24 May 2004, Timo Sirainen wrote:
On 24.5.2004, at 10:43, David Keegel wrote:
I've been seeing the Dovecot/SSL/Fedora 1 problem.
I have a dovecot server which tends to die at least once a day, with messages like these :- May 24 13:44:44 mail pop3-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded May 24 13:44:44 mail dovecot: Login process died too early - shutting down
I noticed Timo's email about this at: http://www.dovecot.org/list/dovecot/2004-May/003316.html with the patch that just ignores the return code of RAND_bytes().
That fixes the crashes, but probably still causes occational problems with SSL connection handshakes failing.
I require encrypted communications between my server and my client for all services, including smtp and imap. I was getting ready to upgrade my server from RH9 and imap-2000 to fedora core 1 and dovecot until I saw this thread.
Has anybody brought the ssl problem to the upstream maintainers so that it can get fixed?
Thanks!
Ben
On 2.6.2004, at 00:44, Benjamin J. Weiss wrote:
Has anybody brought the ssl problem to the upstream maintainers so that it can get fixed?
This was also at the bottom of the mail you replied:
"This could also be fixed by patching OpenSSL (I think). Patch in https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=115284"
I think the patch in there is a full solution to the problem. I haven't tried contacting OpenSSL people about it, it's somewhat Redhat/Fedora-specific problem anyway so I'll leave it to them.
Hi!
Dovecot runs with no problems on my up2date RH9 box with SSL. Also, I've
build custom rpm for 0.99.10.5 release with uw-imap pop3 uid patch based on FC2 dovecot and they works pretty good. ;-)
Regards, Oleg.
----- Original Message ----- From: "Benjamin J. Weiss" <benjamin@Weiss.name> To: <dovecot@dovecot.org> Sent: Wednesday, June 02, 2004 1:44 AM Subject: Re: [Dovecot] Dovecot + SSL + Fedora
On Mon, 24 May 2004, Timo Sirainen wrote:
On 24.5.2004, at 10:43, David Keegel wrote:
I've been seeing the Dovecot/SSL/Fedora 1 problem.
I have a dovecot server which tends to die at least once a day, with messages like these :- May 24 13:44:44 mail pop3-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded May 24 13:44:44 mail dovecot: Login process died too early - shutting down
I noticed Timo's email about this at: http://www.dovecot.org/list/dovecot/2004-May/003316.html with the patch that just ignores the return code of RAND_bytes().
That fixes the crashes, but probably still causes occational problems with SSL connection handshakes failing.
I require encrypted communications between my server and my client for all services, including smtp and imap. I was getting ready to upgrade my server from RH9 and imap-2000 to fedora core 1 and dovecot until I saw this thread.
Has anybody brought the ssl problem to the upstream maintainers so that it can get fixed?
Thanks!
Ben
participants (5)
-
Benjamin J. Weiss
-
David Keegel
-
Mark E. Mallett
-
Oleg I. Vdovikin
-
Timo Sirainen