[dovecot] STARTTLS hangs due to client_skip_line (Was: Re: Plain auth broken)
Amelia A.Lewis
amyzing at talsever.com
Sun Feb 2 08:28:42 EET 2003
Dear Timo,

Thanks for the patch. It shows the connections, but auth never gets
called.

I finally pulled my act together so that I could compile from source.
So, I thought I would be a little more clear.

If I turn on ssl (comment out ssl_disable = yes, the default) and turn
off plaintext (uncomment disable_plaintext_auth = yes), then immediately
after SSL negotiation, my client hangs (I'm testing with mutt).

Eventually, I determined what's happening, to some degree. Alas, I've
been programming in Java for five years, so I have trouble debugging a
real programming language. However: in login/client.c,
client_handle_input, the first part of the function checks for
client->cmd_finished, and if so, clears client->cmd_tag and
client->cmd_name. It then checks client->skip_line, and if true, calls
client_skip_line. Adding debugging to client_skip_line (i_info with the
contents of data) shows that, after the starttls command,
client_skip_line discards the whole next command (in my case, a0002
CAPABILITY). The client is waiting for a response. The server is
waiting for a command (having discarded one). login times out sixty
seconds later, for inactivity.

There's where my skills prove inadequate, I'm afraid, because bypassing
client_skip_line if the last command was STARTTLS doesn't seem to do any
good; the server never sees the capability command. I'm between a rock
and a hard place, it appears; if the server sees the command, it
discards it and then times out, but if it doesn't, it times out anyway.
*sigh*

No one else seems to be having this sort of problem, though. Is that
because most folks are using TLS on the imaps port? Or have I got a
misconfiguration that runs somehow deeper? I don't *think* I'm chasing
a wild hare.

Sorry to be a bother.

Amy!

On 21 Jan 2003 09:43:06 +0200
Timo Sirainen <tss at iki.fi> wrote:
> On Sat, 2003-01-18 at 19:01, Amelia A.Lewis wrote:
> > I'm running the debian package 0.99.7-2. If I turn off SSL, and
> > allow plaintext, I can log in. If I turn SSL on (comment out
> > ssl_disable = yes), then I can't. It was working in 0.99.6, I know.
>
> If it was working in .6, I can't think of what could have broken. But
> here's a patch for more verbose logging if "auth_verbose = yes" in
> config file.
>
>
--
Amelia A. Lewis amyzing {at} talsever.com
There are two major products that came out of Berkeley: LSD and BSD
Unix. We don't believe this to be a coincidence.
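
A minimal model of the symptom described in the message above, as an added example that is not part of the original post and is not Dovecot's code: a line-oriented command reader with a skip_line flag, showing how a flag that is still set when the TLS stream starts swallows the first encrypted command. The struct, the function names and the stale_flag switch are hypothetical, the input lines are constructed, and the message does not establish why the flag was set in Dovecot.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a login client; not Dovecot's struct. */
struct client {
    bool skip_line; /* discard input up to and including the next '\n' */
    int handled;    /* commands dispatched so far */
};

/* Feed one read buffer; returns how many commands were dispatched from it. */
int feed(struct client *c, const char *data)
{
    size_t len = strlen(data), pos = 0;
    int before = c->handled;

    if (c->skip_line) {
        const char *nl = memchr(data, '\n', len);
        if (nl == NULL)
            return 0;               /* no newline yet: keep skipping */
        c->skip_line = false;
        pos = (size_t)(nl - data) + 1;
    }
    while (pos < len) {
        const char *nl = memchr(data + pos, '\n', len - pos);
        if (nl == NULL)
            break;                  /* incomplete line: wait for more */
        c->handled++;               /* a real server would parse tag + name */
        pos = (size_t)(nl - data) + 1;
    }
    return c->handled - before;
}

/* STARTTLS line, then the first command on the TLS stream (constructed
 * input). stale_flag models skip_line still being set although the
 * STARTTLS line, newline included, was already consumed. */
int commands_seen_after_starttls(bool stale_flag)
{
    struct client c = { false, 0 };
    feed(&c, "a0001 STARTTLS\r\n");
    c.skip_line = stale_flag;
    return feed(&c, "a0002 CAPABILITY\r\n");
}

int main(void)
{
    printf("stale flag: %d command(s) seen\n", commands_seen_after_starttls(true));
    printf("flag clear: %d command(s) seen\n", commands_seen_after_starttls(false));
    return 0;
}
```

With the stale flag the server dispatches nothing and the client gets no reply, which matches the sixty-second inactivity timeout reported above.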