IO/Socket/SSL.pm:1177: global error: Undefined SSL object

I receive a debugging statement when working with imapsync. My imapsync is running on a Linux Mint 20.1 system. Here is my command (partially adjusted to not reveal my credentials): ./imapsync --ho...

It seems caused by a stalled IMAP connection (at least for me)…

++++ Verifying [INBOX] -> [INBOX]
Sending: 4068 STATUS INBOX (UIDNEXT)
Sent 29 bytes
Read:   * STATUS INBOX (UIDNEXT 4142)
        4068 OK Completed
Host2: uidnext is 4142
Host1: found that msg INBOX/9582 equals Host2 INBOX/664
Host1: flags init msg INBOX/9582 flags( Seen NonJunk category.Perso ) Host2 msg INBOX/664 flags( Seen )
Host1: flags filt msg INBOX/9582 flags( Seen ) Host2 msg INBOX/664 flags( Seen )
Host1: size msg INBOX/9582 = 3140 <> 3140 = Host2 INBOX/664
Host1: found that msg INBOX/9583 equals Host2 INBOX/665
Host1: flags init msg INBOX/9583 flags( Seen NonJunk category.Perso category.Perso.remy20 ) Host2 msg INBOX/665 flags( Seen )
Host1: flags filt msg INBOX/9583 flags( Seen ) Host2 msg INBOX/665 flags( Seen )
Host1: size msg INBOX/9583 = 37381 <> 37381 = Host2 INBOX/665
Host1: found that msg INBOX/9584 equals Host2 INBOX/666
Host1: flags init msg INBOX/9584 flags( Seen NonJunk category.Perso ) Host2 msg INBOX/666 flags( Seen )
Host1: flags filt msg INBOX/9584 flags( Seen ) Host2 msg INBOX/666 flags( Seen )
Host1: size msg INBOX/9584 = 7038 <> 7038 = Host2 INBOX/666
Host1: found that msg INBOX/9585 equals Host2 INBOX/667
Host1: flags init msg INBOX/9585 flags( Seen ) Host2 msg INBOX/667 flags( Seen )
Host1: flags filt msg INBOX/9585 flags( Seen ) Host2 msg INBOX/667 flags( Seen )
Host1: size msg INBOX/9585 = 8403 <> 8403 = Host2 INBOX/667
Host1: found that msg INBOX/9586 equals Host2 INBOX/668
Host1: flags init msg INBOX/9586 flags( NonJunk category.Perso ) Host2 msg INBOX/668 flags( NonJunk )
Host1: flags filt msg INBOX/9586 flags(  ) Host2 msg INBOX/668 flags( NonJunk )
Host2: flags msg INBOX/668 replacing h2 flags( NonJunk ) with h1 flags(  )
Sending: 4069 UID STORE 668 FLAGS.SILENT ()
Sent 36 bytes
ERROR: timeout waiting 120s for data from server at /usr/share/perl5/Mail/IMAPClient.pm line 1893.
        Mail::IMAPClient::__read_more(Mail::IMAPClient=HASH(0x5564453014d8), IO::Socket::SSL=GLOB(0x556445302250), 120) called at /usr/share/perl5/Mail/IMAPClient.pm line 1859
        Mail::IMAPClient::_read_more(Mail::IMAPClient=HASH(0x5564453014d8), IO::Socket::SSL=GLOB(0x556445302250), 120) called at /usr/share/perl5/Mail/IMAPClient.pm line 1670
        Mail::IMAPClient::_read_line(Mail::IMAPClient=HASH(0x5564453014d8)) called at /usr/share/perl5/Mail/IMAPClient.pm line 1406
        Mail::IMAPClient::_get_response(Mail::IMAPClient=HASH(0x5564453014d8), 4069, undef) called at /usr/share/perl5/Mail/IMAPClient.pm line 1340
        Mail::IMAPClient::_imap_command_do(Mail::IMAPClient=HASH(0x5564453014d8), "UID STORE 668 FLAGS.SILENT ()") called at /usr/share/perl5/Mail/IMAPClient.pm line 1238
        Mail::IMAPClient::_imap_command(Mail::IMAPClient=HASH(0x5564453014d8), "UID STORE 668 FLAGS.SILENT ()") called at /usr/share/perl5/Mail/IMAPClient.pm line 1450
        Mail::IMAPClient::_imap_uid_command(Mail::IMAPClient=HASH(0x5564453014d8), "STORE", 668, "FLAGS.SILENT ()") called at /usr/share/perl5/Mail/IMAPClient.pm line 2338
        Mail::IMAPClient::store(Mail::IMAPClient=HASH(0x5564453014d8), 668, "FLAGS.SILENT ()") called at /opt/imapsync/imapsync line 6112
        main::sync_flags(HASH(0x55644229d030), "INBOX", 9586, "NonJunk category.Perso", "INBOX", 668, "NonJunk", "") called at /opt/imapsync/imapsync line 6058
        main::sync_flags_fir(HASH(0x55644229d030), "INBOX", 9586, "INBOX", 668, "", HASH(0x556445c26b78), HASH(0x5564454b4358)) called at /opt/imapsync/imapsync line 2769
        main::single_sync(HASH(0x55644229d030), HASH(0x5564408014d8), HASH(0x55644229d498)) called at /opt/imapsync/imapsync line 1250
reconnecting to os-gravelines-1.webmsg.me, last error: timeout waiting 120s for data from server
Connecting with IO::Socket::SSL PeerAddr os-gravelines-1.webmsg.me PeerPort 993 Proto tcp Timeout 120 Debug 1 SSL_cipher_list DEFAULT:!DH SSL_verify_mode 0 SSL_verifycn_scheme imap
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 93889243497008
DEBUG: .../IO/Socket/SSL.pm:762: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:764: socket connected
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:829: using SNI with hostname os-gravelines-1.webmsg.me
DEBUG: .../IO/Socket/SSL.pm:880: set socket to non-blocking to enforce timeout=120
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:952: ssl handshake done
Connected to os-gravelines-1.webmsg.me
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 93889080230576 open=93889243497008 93889080230576 93889209037856                                                             
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 93889080230576
Read:   * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN SASL-IR] os-gravelines-1.webmsg.me Cyrus IMAP 3.4.2-dirty-Debian-3.4.2-1~bpo11+1 server ready
Sending: 4070 LOGIN <<<REDACTED>>> [Redact: Count=4070 Showcredentials=OFF]
Sent 41 bytes
Read:   4070 OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL ANNOTATE-EXPERIMENT-1 BINARY CATENATE CHILDREN CONDSTORE CREATE-SPECIAL-USE ESEARCH ESORT LIST-EXTENDED LIST-MYRIGHTS LIST-STATUS MAILBOX-REFERRALS METADATA MOVE MULTIAPPEND NAMESPACE OBJECTID QRESYNC QUOTA RIGHTS=kxten SAVEDATE SEARCH=FUZZY SORT SORT=DISPLAY SPECIAL-USE STATUS=SIZE THREAD=ORDEREDSUBJECT THREAD=REFERENCES UIDPLUS UNSELECT URLAUTH URLAUTH=BINARY WITHIN DIGEST=SHA1 LIST-METADATA NO_ATOMIC_RENAME PREVIEW=FUZZY SCAN SORT=MODSEQ SORT=UID THREAD=REFS X-CREATEDMODSEQ X-REPLICATION XLIST XMOVE LOGINDISABLED XCONVERSATIONS COMPRESS=DEFLATE X-QUOTA=STORAGE X-QUOTA=MESSAGE X-QUOTA=X-ANNOTATION-STORAGE X-QUOTA=X-NUM-FOLDERS IDLE] User logged in SESSIONID=<cyrus-1637308599-80986-1-11610858836795431422>
Sending: 4071 SELECT INBOX
Sent 19 bytes
Read:   * 4100 EXISTS
        * 0 RECENT
        * FLAGS (Answered Flagged Draft Deleted Seen $Forwarded $label3 $MDNSent $toreply NonJunk Junk)
        * OK [PERMANENTFLAGS (Answered Flagged Draft Deleted Seen $Forwarded $label3 $MDNSent $toreply NonJunk Junk *)] Ok
        * OK [UNSEEN 10] Ok
        * OK [UIDVALIDITY 1628200824] Ok
        * OK [UIDNEXT 4142] Ok
        * OK [HIGHESTMODSEQ 479815] Ok
        * OK [URLMECH INTERNAL] Ok
        * OK [ANNOTATIONS 65536] Ok
        4071 OK [READ-WRITE] Completed
reconnect success(1) on try #1/3
Sending: 4072 UID STORE 668 FLAGS.SILENT ()
Sent 36 bytes
Read:   4072 OK Completed
Host1: size msg INBOX/9586 = 1081199 <> 1081199 = Host2 INBOX/668
Host1: found that msg INBOX/9587 equals Host2 INBOX/669
Host1: flags init msg INBOX/9587 flags( NonJunk category.Perso ) Host2 msg INBOX/669 flags( NonJunk )
Host1: flags filt msg INBOX/9587 flags(  ) Host2 msg INBOX/669 flags( NonJunk )
Host2: flags msg INBOX/669 replacing h2 flags( NonJunk ) with h1 flags(  )
Sending: 4073 UID STORE 669 FLAGS.SILENT ()
Sent 36 bytes
...

What seems suspicious is what happens just before the connection stalls:

Host2: flags msg INBOX/668 replacing h2 flags( NonJunk ) with h1 flags(  )
Sending: 4069 UID STORE 668 FLAGS.SILENT ()
Sent 36 bytes

I’m replacing IMAP flags, probably because I have the following option in my script : --regexflag 's/.*?(?:([\$]S+s?)|$)/defined($1)?$1:q()/eg'

This is because on Host1 (Dovecot), I have too many IMAP flags defined (I have a sieve script that defines flags for anything) and on Host2 (Cyrus) I cannot define as many flags (there is a hard limit of about 200 flags in Cyrus).

Effectively, on Host2, I have a segfault of Cyrus IMAP


DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object #293

mendel5 opened this issue 2 years ago · comments

I receive a debugging statement when working with imapsync. My imapsync is running on a Linux Mint 20.1 system.

Here is my command (partially adjusted to not reveal my credentials):
./imapsync --host1 'imap.old-hosting-provider.com' --port1 993 --user1 'old.email@mydomain1.com' --password1 'mypassword1' --host2 'imap.new-hosting-provider.com' --port2 993 --user2 'new.email@mydomain2.com' --password2 'mypassword2' --ssl1 --sslargs1 SSL_verify_mode=1 --sslargs1 SSL_version=TLSv1_2 --ssl2 --sslargs2 SSL_verify_mode=1 --sslargs2 SSL_version=TLSv1_3 --expunge1 --subscribeall

The debug statement:

This debug message appears 4 times, twice for the connection to host1 and twice for the connection to host2.

However, the TLS encryption for both connections — TLS1.2 to host1 and TLS1.3 to host2 — works correctly. I have checked that by using Wireshark to inspect my own traffic. The transfer of the emails from host1 to host2 finishes successfully despite the error message.

If you need any other info please let me know.

Do you have a real concrete example I can reproduce? Something like:

but with another host than test1.lamiral.info, one that fails and that I can play with.

I tried to reproduce the issue with the following command:

There is no debug statement. It seems that the issue cannot be reproduced by using only this command. An actual login to a mailbox including the transfer of e-mails might be necessary to reproduce the debug message.

I tried to reproduce the issue with the following command:

There is no debug statement. It seems that the issue cannot be reproduced by using only this command.

An actual login to a mailbox including the transfer of e-mails might be necessary to reproduce the debug message.

You’re right, I cannot reproduce the error myself, but I get another one: imap.old-hosting-provider.com doesn’t resolve at all.
Can you give a real concrete example I can reproduce? Is imap.old-hosting-provider.com the real hostname?

I tried to add it to the previous command but the error message can still not be reproduced.

Is imap.old-hosting-provider.com the real hostname?

No, it’s not the real hostname. I just used it as an example.

Can you give a real concrete example I can reproduce

Yes. Can I contact you via email at gilles@lamiral.info ?

The debug statement

originates from the Perl module IO::Socket::SSL .

As can be seen in the first comment, the version of IO::Socket::SSL that has been used is 2.067 . At the time of writing this comment, the current version is 2.071 . Maybe the debug message has been fixed in the meantime.

Links to IO::Socket::SSL :

Since the debug message does not originate from imapsync but from IO::Socket::SSL , I will close this issue.

Unfortunately, the corresponding issue over at IO::Socket::SSL has been closed as well, because they argue there is something wrong in the caller program. Link: [https://github.com/noxxi/p5-io-socket-ssl/issues/109]

I happened to find this thread because it occurs randomly during transfers. I could not find any pattern, just that it always appears twice. I can create a detailed log for you, just let me know what debug options to set.

I can create a detailed log for you, just let me know what debug options to set.

Hi @OldGrumpy-de , as far as I know the issue does not originate from imapsync, so gilleslamiral cannot do much about it.

Maybe we can reopen the issue at noxxi/p5-io-socket-ssl#109

It looks for me like the method blocking with called on an object which is not yet or no longer an SSL object. But that’s all I can get from the error message. It is unlikely that the problem is caused by imapsync directly though since imapclient does not use IO::Socket::SSL directly.

Unfortunately it looks like there is not enough information for others to reproduce the problem, which makes debugging and fixing it hard. The severity seems to be low though, i.e. just an error message without any reported side effects.

I’ll fix it when I encounter it reproducibly with a bad side effect.

All right, thanks for the feedback from both of you.

I have the same error (DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object) but imapsync is executed without any ssl specific flag. It didn’t occur before. Also, it seems either very slow to sync, or it is stalling on the INBOX folder (running a partial sync with most of the mails synchronized before). The message just appears many times as in a loop and the sync does not progress.

I’ll try to provide more useful logs with --debugssl=4 --debugimap


office login issues — tried everything #310

Hi,
first I would like to say thank you for this amazing software.

I’m having trouble syncing from dovecot to office365,
I’ve done this before, but right now office365 does not want to authenticate.
I have tried all sorts of arguments without any success.
for example I have tested:

  • --office2
  • tried all office365 imap servers in your documentation
  • double checked if IMAP auth is enabled in office365 (also checked in powershell, to be sure. Results below.)
  • no special characters in passwd
  • disabled 2factor auth
  • disabled security defaults
  • tried to give admin fullaccess to user mailbox and use the "--authuser2 user_admin@domain.com --user2 user_to_be_migrated@domain.com"
  • tried --ssl1
  • verified that basic auth is allowed for IMAP, SMTP, POP
  • tried the webversion of imapsync/X

~1\AppData\Local\Temp\par-6c6f63616c61646d696e\cache-9a559c19df46e5030e9dbee73dfad88436183ffd\inc\lib/Mail/IMAPClient.pm line 1298.
        Mail::IMAPClient::_imap_command(Mail::IMAPClient=HASH(0x6af8850), "LOGIN username@domain.com SuperSecretMaskedPass") called at C:\Users\LOCALA~1\AppData\Local\Temp\par-6c6f63616c61646d696e\cache-9a559c19df46e5030e9dbee73dfad88436183ffd\inc\lib/Mail/IMAPClient.pm line 601
        Mail::IMAPClient::login(Mail::IMAPClient=HASH(0x6af8850)) called at script/imapsync line 7704
        main::authenticate_imap(Mail::IMAPClient=HASH(0x6af8850), "outlook.office365.com", 993, "username@domain.com", "SuperSecretMaskedPass", 1, undef, 1, ...) called at script/imapsync line 7587
        main::login_imap("outlook.office365.com", 993, "username@domain.com", "SuperSecretMaskedPass", 1, undef, 1, 100, ...) called at script/imapsync line 1904
        main::single_sync(HASH(0x57af510), HASH(0x55b2b80), HASH(0x5e45608)) called at script/imapsync line 1250
        require main called at /PAR.pm line 647
        PAR::_run_member(Archive::Zip::ZipFileMember=HASH(0x3bc30c0), 1) called at script/main.pl line 26
        require main called at /PAR.pm line 647
        PAR::_run_member(Archive::Zip::ZipFileMember=HASH(0x3bbc3a0)) called at /PAR.pm line 434
        PAR::import("PAR") called at -e line 594
        eval {...} called at -e line 42
        __par_pl::BEGIN() called at script/imapsync line 0
        eval {...} called at script/imapsync line 0
Host2 info: authmech [LOGIN] user [username@domain.com] authuser [] IsUnconnected []
Host2 failure: Error login on [outlook.office365.com] with user [username@domain.com] auth [LOGIN]: 2 NO LOGIN failed.
Host2: failed login on [outlook.office365.com] with user [username@domain.com] auth [LOGIN]
Host1 Buffer I/O: 4096
++++ Listing 1 errors encountered during the sync ( avoid this listing with --noerrorsdump ).
Err 1/1: Host2 failure: Error login on [outlook.office365.com] with user [username@domain.com] auth [LOGIN]: 2 NO LOGIN failed.
The most frequent error is ERR_AUTHENTICATION_FAILURE_USER2
Exiting with return value 162 (EXIT_AUTHENTICATION_FAILURE_USER2) 1/50 nb_errors/max_errors PID 76852
Removing pidfile C:\Users\LOCALA~1\AppData\Local\Temp/imapsync.pid
Disconnecting from host1 mail.domain.com user1 username@domain.com*superuser
Sending: 3 LOGOUT
Sent 10 bytes
Read:   * BYE Logging out
        3 OK Logout completed (0.001 + 0.000 secs).
Log file is LOG_imapsync/2021_12_05_15_00_11_069_username@domain.com_superuser_username@domain.com.txt ( to change it, use --logfile filepath ; or use --nolog to turn off logging )

Here is powershell output for the office365 user:

This is not related to imapsync. I tested ncat.
Results:

Basic auth allowed verified:

Very strange.
Something in the office environment is preventing me from connecting.
But it’s not the security defaults, or IMAP enable/disable feature.
It’s something else. Something new.

I do have one cutover migration batch running with different mailboxes. I know I cannot run an IMAP migration at the same time as a cutover migration is running. So maybe this is the issue.

I tested another tenant in office365, and that was successful. No issues with another tenant.
I’m out of options. As you can see, I tried a lot of things.


From: Thomas Eckardt <Thoma…@th…> — 2021-08-04 15:11:33

>global error: Undefined SSL object

this is only seen in SSL-debug mode - because the SSL object does not
exist and is newly created

just have a look in to my post - I got the same "error" in first place

Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1620: start handshake
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1061: starting sslifying
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> -1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1109: Net::SSLeay::accept -> 1
Aug-3-21 16:53:16 [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1157: handshake done, socket ready
 
Thomas






From:    "William L. Thomson Jr." <wl...@o-...>
To:      assp-...@li...
Date:    04.08.2021 17:00
Subject: [Assp-user] SSL-DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object



I am getting a lot of the above messages after updating to the latest
IO-Socket-SSL version 2.71.0
https://metacpan.org/pod/IO::Socket::SSL

I asked about the issue upstream, and it is a usage issue, but I am
unsure if it is an actual problem or not.
https://github.com/noxxi/p5-io-socket-ssl/issues/109

It happens with STARTTLS per the log output

Aug  4 07:52:48 mail2 assp.pl[20227]: [Worker_1] 192.92.97.208 info: got STARTTLS request from 192.92.97.208
Aug  4 07:52:48 mail2 assp.pl[20227]: [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Aug  4 07:52:48 mail2 assp.pl[20227]: [Worker_1] SSL-DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Aug  4 07:53:48 mail2 assp.pl[20227]: [Worker_1] [TLS-in] [TLS-out] 192.92.97.208 disconnected: session:564A1D942C30 192.92.97.208 - processing time 60 seconds


I do not believe this is related to the TLS timeout issue. I do not
get those messages as part of the TLS connection timeouts.

Aug  4 07:51:24 mail2 assp.pl[20227]: [Worker_3] [TLS-in] [TLS-out] 40.107.100.95 TLS-Connection idle for 180 secs - timeout
Aug  4 07:51:24 mail2 assp.pl[20227]: [Worker_3] [TLS-in] [TLS-out] 40.107.100.95 [SMTP Status] 451 Connection timeout, try later
Aug  4 07:51:24 mail2 assp.pl[20227]: [Worker_3] [TLS-in] [TLS-out] 40.107.100.95 disconnected: session:7F513C534D80 40.107.100.95 - processing time 0 seconds

-- 
William L. Thomson Jr.



I am trying to use git send-email under Linux Mint 20.

Same configuration was working under Debian Sid.

Now I get error:

mcon@cinderella:~/vocore/__V2__/u-boot$ git send-email --to=u-boot@lists.denx.de /tmp/output/ --smtp-debug
/tmp/output/0000-cover-letter.patch
/tmp/output/0001-Small-fixes-to-reduce-size-and-ensure-correct-consol.patch
/tmp/output/0002-Enlarge-SPL-malloc-area-to-prevent-failure-in-lzma-d.patch
/tmp/output/0003-Fix-missing-__udivdi3-in-SquashFS-implementation.patch
(mbox) Adding cc: Mauro Condarelli <mc5686@mclink.it> from line 'From: Mauro Condarelli <mc5686@mclink.it>'
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to initialize SMTP properly. Check config and use --smtp-debug. VALUES: server=mail2.mclink.it encryption=ssl hello=cinderella.condarelli.it port=465 at /usr/lib/git-core/git-send-email line 1558.

AFAIK this is due to my upstream mailer not accepting TLSv2 protocol (which is currently enforced by default).

IFF this is correct: how do I convince git send-email to use TLSv1?

Obviously I have NO way to force upstream mailer to «upgrade».

asked Sep 20, 2020 at 9:42 by ZioByte

> …. server=mail2.mclink.it … port=465

This is a pretty broken server you are trying to use here. It looks like the best it can do is TLS 1.0 with RC4-MD5 as cipher, which is weak in many ways. This cipher is usually no longer compiled into newer versions of openssl, so it is likely that it will not work with your current setup.

But SMTP access is also possible on the same server on port 25, including TLS using STARTTLS. This instance actually offers TLS 1.2 with a strong cipher. So better change your setup to use this instead. Note that you have to set smtpEncryption to tls in this case instead of ssl, since tls is interpreted as SMTP+STARTTLS (usually on port 25 and 587) while ssl is interpreted as implicit TLS (usually on port 465).

> AFAIK this is due to my upstream mailer not accepting TLSv2 protocol (which is currently enforced by default).

TLS automatically uses the best protocol version supported by both client and server. There is no need to explicitly downgrade unless the server is too broken and chokes if newer protocol versions are offered.

> IFF this is correct: how do I convince git send-email to use TLSv1?

You can’t. There is no way to set the protocol or ciphers for send-email. Based on the source code it simply uses Perl Net::SMTP which then uses IO::Socket::SSL with its default settings — no attempts to override these are done in the script. Any recommendations regarding this might apply to the git connection itself but not to git-send-email.

answered Sep 20, 2020 at 10:34 by Steffen Ullrich

I want to use imapsync to import some folders from my old mail account into gmail. I installed imapsync, and the test runs imapsync --testslive and sh examples/imapsync_example.sh succeeded. Then I wanted to do a dry run as follows:

imapsync --host1 imap.old_account.ch   --user1 old_user   --password1 'oldpassword' \
         --host2 imap.gmail.com        --user2 new.user@gmail.com  --password2 'newpassword' \
         --automap --justfolders --dry "$@"

The connection to the old account can be established (I removed the entries for Host2):

...
Host1: SSL default mode is like --sslargs1 "SSL_verify_mode=0", meaning for host1 SSL_VERIFY_NONE, ie, do not check the certificate server.
Host1: Use --sslargs1 SSL_verify_mode=1 to have SSL_VERIFY_PEER, ie, check the certificate server of host1
Host1: will try to use LOGIN authentication on host1
Host1: imap connection timeout is 120 seconds
Host1: IMAP server [imap.old_account.ch] port [993] user [old_user]
Host1: connecting and login on host1 [imap.old_account.ch] port [993] with user [old_user]
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Host1 IP address: xxx.yyy.zzz.ttt
Host1 banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
Host1 capability before authentication: IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH
Host1: imap.old_account.ch says it has CAPABILITY for AUTHENTICATE LOGIN
Host1: success login on [imap.old_account.ch] with user [old_user] auth [LOGIN]
...

On the other hand, the connection to gmail does not work:

...
Host2: SSL default mode is like --sslargs2 "SSL_verify_mode=0", meaning for host2 SSL_VERIFY_NONE, ie, do not check the certificate server.
Host2: Use --sslargs2 SSL_verify_mode=1 to have SSL_VERIFY_PEER, ie, check the certificate server of host2
Host2: will try to use LOGIN authentication on host2
Host2: imap connection timeout is 120 seconds
Host2: IMAP server [imap.gmail.com] port [993] user [new.user@gmail.com]
Host2: connecting and login on host2 [imap.gmail.com] port [993] with user [new.user@gmail.com]
Host2 IP address: 108.177.119.109
Host2 banner: * OK Gimap ready for requests from xxx.yyy.zzz.ttt ek19mb91982044edb
Host2 capability before authentication: IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH AUTH
Host2: connecting and login on host2 [imap.gmail.com] port [993] with user [new.user@gmail.com]
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Host2 IP address: 108.177.119.109
Host2 banner: * OK Gimap ready for requests from xxx.yyy.zzz.ttt ek19mb91982044edb
Host2 capability before authentication: IMAP4rev1 UNSELECT IDLE NAMESPACE QUOTA ID XLIST CHILDREN X-GM-EXT-1 XYZZY SASL-IR AUTH=XOAUTH2 AUTH=PLAIN AUTH=PLAIN-CLIENTTOKEN AUTH=OAUTHBEARER AUTH=XOAUTH AUTH
Host2 info: authmech [LOGIN] user [new.user@gmail.com] authuser [] IsUnconnected []
Host2 failure: Error login on [imap.gmail.com] with user [new.user@gmail.com] auth [LOGIN]: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
Exiting with return value 16 (EXIT_AUTHENTICATION_FAILURE) 1/50 nb_errors/max_errors
Disconnecting from host1 imap.old_account.ch user1 old_user

I think the failure is not directly related to global error: Undefined SSL object, because the same message appeared when connecting to the old account.

I made sure that imap is enabled for my gmail account, and I disabled two-step authentication in gmail.

I also tried with user2 set to just new.user, but that gave me the same result.

I am sure that my Gmail username and password are correct.

Do I need to change some other settings in my gmail account to allow imapsync to connect to imap.gmail.com? Or do I need some other form of authentication?

1 Answer

> I disabled two-step authentication in gmail.

Just a note: due to the removal of the less secure apps setting, you can no longer use the imap server with the actual Google password of the gmail user.

You will get an invalid login and password message.

You will need to either create an apps password by enabling 2fa, or switch to using Xoauth2.

Note that this is not related to your problem with the undefined SSL object.

answered Nov 7, 2022 at 12:06 by DaImTo
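
A triage pass over the log lines quoted in the two questions above (git send-email and imapsync), added here as an example; it is not part of either post, of imapsync, of git or of IO::Socket::SSL. It does not treat the SSL.pm:1177 "Undefined SSL object" line as a cause, because the imapsync log shows it before a successful login, and looks for the OpenSSL error string or the IMAP NO response instead. The function names, the cause labels and the OpenSSL 1.x packing used to decode the error number are assumptions of this example.

```python
import re

# Log lines copied from the two questions above (hosts and users as posted there).
SEND_EMAIL_LOG = """\
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt failed error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
""".splitlines()

IMAPSYNC_HOST1_LOG = """\
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Host1: success login on [imap.old_account.ch] with user [old_user] auth [LOGIN]
""".splitlines()

IMAPSYNC_HOST2_LOG = """\
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1177: global error: Undefined SSL object
Host2 failure: Error login on [imap.gmail.com] with user [new.user@gmail.com] auth [LOGIN]: 2 NO [AUTHENTICATIONFAILED] Invalid credentials (Failure)
""".splitlines()

# "DEBUG: <file>:<line>: <scope>: <message>" as printed by IO::Socket::SSL debugging.
DEBUG_RE = re.compile(
    r"^DEBUG: (?P<src>\S+):(?P<line>\d+): "
    r"(?P<scope>global error|local error|fatal SSL error): (?P<msg>.*)$"
)
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.+)$"
)
# imapsync failure line carrying the server's tagged NO response.
IMAP_NO_RE = re.compile(
    r"^Host(?P<host>[12]) failure: .*? NO \[(?P<code>[A-Z-]+)\] (?P<text>.*)$"
)


def decode_openssl_1x(hex_code):
    """Split a packed OpenSSL 1.x error number into library, function and reason.

    Assumption: 1.x layout (8 bits library, 12 bits function, 12 bits reason).
    OpenSSL 3 packs these numbers differently.
    """
    n = int(hex_code, 16)
    return {"lib_no": (n >> 24) & 0xFF, "func_no": (n >> 12) & 0xFFF, "reason_no": n & 0xFFF}


def triage(lines):
    """Return the most specific cause found in a client log, plus the noise count."""
    noise = 0
    tls = {}        # keyed by packed code so the local/fatal repeats collapse
    rejected = []
    for raw in lines:
        line = raw.strip()
        dbg = DEBUG_RE.match(line)
        if dbg:
            err = OPENSSL_RE.search(dbg["msg"])
            if err:
                tls[err["code"].upper()] = {
                    "function": err["func"],
                    "reason": err["reason"],
                    **decode_openssl_1x(err["code"]),
                }
            elif dbg["msg"] == "Undefined SSL object":
                noise += 1      # also seen before a successful login, so not a cause
            continue
        rej = IMAP_NO_RE.match(line)
        if rej:
            rejected.append(
                {"host": int(rej["host"]), "code": rej["code"], "text": rej["text"]}
            )
    if tls:
        return {"cause": "tls-handshake", "errors": tls, "noise": noise}
    if rejected:
        return {"cause": "server-rejected-login", "errors": rejected, "noise": noise}
    return {"cause": "none-found", "errors": [], "noise": noise}


if __name__ == "__main__":
    for name, log in (("git send-email", SEND_EMAIL_LOG),
                      ("imapsync host1", IMAPSYNC_HOST1_LOG),
                      ("imapsync host2", IMAPSYNC_HOST2_LOG)):
        print(name, triage(log))
```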




Fri Aug 17 08:15:03 2018

ppisar […] redhat.com — Ticket created

Subject: Tests fail with OpenSSL 1.1.1

OpenSSL has released 1.1.1pre7 version, a preview of 1.1.1 version with default TLSv1.3 support.

This needs a proper support in Net-SSLeay and then in IO-Socket-SSL. Net-SSLeay support is on the way (CPAN RT#125218) and with all its patches and some tweaks for IO-Socket-SSL, I was able to pass all IO-Socket-SSL tests except:

t/npn.t — NPN does not work for unknown reason
t/session_ticket.t — TLSv1.3 tickets need to use SSL_CTX_sess_set_new_cb() that is not yet provided by Net-SSLeay.
t/sni_verify.t — server dies with SIGPIPE because tickets sent to closed TCP socket, trivial to fix with a proper SSL_shutdown in t/sni_verify.t.

Latest changes for IO-Socket-SSL are attached.

Subject: 0001-Adapt-to-OpenSSL-1.1.1.patch

From d432295468a1efa18e56c1fbb34e3a23bb07d1e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 16 Aug 2018 14:56:23 +0200
Subject: [PATCH] Adapt to OpenSSL 1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It needs patched Net-SSLeay (CPAN RT#125218).

This patch introduces some TLSv1.3 identifiers but does not document
them. This is to let the IO-Socket-SSL maintainer to define the API.

This is not a final patch. We need to fix failures in:

t/npn.t
t/session_ticket.t
t/sni_verify.t

Signed-off-by: Petr Písař <ppisar@redhat.com>

lib/IO/Socket/SSL.pm | 17 +++++++++++++++—
t/ecdhe.t | 16 +++++++++++——
t/protocol_version.t | 4 ++—
t/session_ticket.t | 2 ++
4 files changed, 30 insertions(+), 9 deletions(-)

diff —git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index 9c81ffc..5b43467 100644
— a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -211,7 +211,8 @@ BEGIN{
# get constants for SSL_OP_NO_* now, instead calling the related functions
# every time we setup a connection
my %SSL_OP_NO;
-for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2 )) {
+for(qw( SSLv2 SSLv3 TLSv1 TLSv1_1 TLSv11:TLSv1_1 TLSv1_2 TLSv12:TLSv1_2
+ TLSv1_3 TLSv13:TLSv1_3 )) {
my ($k,$op) = m{:} ? split(m{:},$_,2) : ($_,$_);
my $sub = «Net::SSLeay::OP_NO_$op»;
local $SIG{__DIE__};
@@ -1836,6 +1837,7 @@ sub get_sslversion {
my $ssl = shift()->_get_ssl_object || return;
my $version = Net::SSLeay::version($ssl) or return;
return
+ $version == 0x0304 ? ‘TLSv1_3’ :
$version == 0x0303 ? ‘TLSv1_2’ :
$version == 0x0302 ? ‘TLSv1_1’ :
$version == 0x0301 ? ‘TLSv1’ :
@@ -2281,7 +2283,7 @@ sub new {

my $ver = »;
for (split(/s*:s*/,$arg_hash->{SSL_version})) {
— m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[12])?))$}i
+ m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1(?:_?[123])?))$}i
or croak(«invalid SSL_version specified»);
my $not = $1;
( my $v = lc($2||$3) ) =~s{^(…)}{U$1};
@@ -2329,6 +2331,17 @@ sub new {
IO::Socket::SSL->error(«SSL Context init failed»);
$CTX_CREATED_IN_THIS_THREAD{$ctx} = 1 if $use_threads;

+ # There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using
+ # a flexible method.
+ if ($ver eq ‘TLSv1_3’) {
+ if (!Net::SSLeay::CTX_set_min_proto_version($ctx,
+ Net::SSLeay::TLS1_3_VERSION()) or
+ !Net::SSLeay::CTX_set_max_proto_version($ctx,
+ Net::SSLeay::TLS1_3_VERSION())) {
+ IO::Socket::SSL->error(«TLSv1_3 context init failed»);
+ }
+ }
+
# SSL_OP_CIPHER_SERVER_PREFERENCE
$ssl_op |= 0x00400000 if $arg_hash->{SSL_honor_cipher_order};
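
Review bot: in the added TLSv1_3 block, the failure branch only calls IO::Socket::SSL->error("TLSv1_3 context init failed") and then falls through to the SSL_OP_CIPHER_SERVER_PREFERENCE setup, so a context that could not be pinned to TLSv1.3 keeps being configured as if it had been. Return the error from that branch. The block also calls Net::SSLeay::TLS1_3_VERSION() unguarded; on a Net::SSLeay build that does not provide the constant the call will die instead of reporting an unsupported SSL_version, so probe for it first.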

diff —git a/t/ecdhe.t b/t/ecdhe.t
index 638d82b..1b229c5 100644
— a/t/ecdhe.t
+++ b/t/ecdhe.t
@@ -53,12 +53,18 @@ if ( !defined $pid ) {
};
ok( «client connected» );

— my $cipher = $to_server->get_cipher();
— if ( $cipher !~m/^ECDHE-/ ) {
— notok(«bad key exchange: $cipher»);
— exit;
+ my $protocol = $to_server->get_sslversion;
+ if ($protocol eq ‘TLSv1_3’) {
+ # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
+ ok(«# SKIP TLSv1.3 doesn’t advertize key exchange in a chipher name»);
+ } else {
+ my $cipher = $to_server->get_cipher();
+ if ( $cipher !~m/^ECDHE-/ ) {
+ notok(«bad key exchange: $cipher»);
+ exit;
+ }
+ ok(«ecdh key exchange: $cipher»);
}
— ok(«ecdh key exchange: $cipher»);

} else { ###### Server
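
Review bot: the TLSv1_3 branch reports its skip through ok(...), so the run counts a pass while the key exchange is never checked under TLSv1.3. If the harness has a real skip mechanism use it, otherwise say in the message that nothing was verified. The message text also has two typos, "advertize" and "chipher".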

diff —git a/t/protocol_version.t b/t/protocol_version.t
index e3853d8..3577720 100644
— a/t/protocol_version.t
+++ b/t/protocol_version.t
@@ -13,7 +13,7 @@ plan skip_all => «Test::More has no done_testing»
$|=1;

my $XDEBUG = 0;
-my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2);
+my @versions = qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3);

my $server = IO::Socket::SSL->new(
LocalAddr => ‘127.0.0.1’,
@@ -82,7 +82,7 @@ if ($pid == 0) {
die «best protocol version server supports is $ver» if $supported{foo};

# Check if the OpenSSL was compiled without support for specific protocols
— for(qw(SSLv3 TLSv1 TLSv1_1)) {
+ for(qw(SSLv3 TLSv1 TLSv1_1 TLSv1_2 TLSv1_3)) {
if ( ! $check->($_,»)) {
diag(«looks like OpenSSL was compiled without $_ support»);
delete $supported{$_};
diff —git a/t/session_ticket.t b/t/session_ticket.t
index d3c15d9..bff6a86 100644
— a/t/session_ticket.t
+++ b/t/session_ticket.t
@@ -73,6 +73,8 @@ my $client = sub {
};

+# FIXME: TLSv1.3 requires to use SSL_CTX_sess_set_new_cb() by clients instead
+# of SSL_get1_session(). Missing from Net::SSLeay.
$client->(0,0,»no initial session -> no reuse»);
$client->(0,1,»reuse with the next session and secret[0]»);
$client->(1,1,»reuse even though server changed, since they share ticket secret»);

2.14.4




Fri Aug 17 08:52:13 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/sni_verify.t — server dies with SIGPIPE because tickets sent to
> closed TCP socket, trivial to fix with a proper SSL_shutdown in
> t/sni_verify.t.
>

Fix for t/sni_verify.t is attached.

Subject: 0001-Do-two-way-shutdown-in-t-sni_verify.t.patch

From 84a3bc6c273977bcd4b709e0d9a3d9fcdd58e36d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 17 Aug 2018 14:46:33 +0200
Subject: [PATCH] Do two-way shutdown in t/sni_verify.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenSSL 1.1.1-pre7 sigpipes TLSv1.3 server if client does not
shutdown TLS properly.
<https://github.com/openssl/openssl/issues/6904>

Signed-off-by: Petr Písař <ppisar@redhat.com>

t/sni_verify.t | 10 ++++++++++
1 file changed, 10 insertions(+)

diff —git a/t/sni_verify.t b/t/sni_verify.t
index b3b299b..b5ac4bd 100644
— a/t/sni_verify.t
+++ b/t/sni_verify.t
@@ -71,6 +71,13 @@ if ( $pid == 0 ) {

$client->verify_hostname($host,’http’) or print «not «;
print «ok # client verify hostname in cert $hostn»;
+
+ if ($client) {
+ # Shutdown TLS properly. Otherwise TLSv1.3 server will receive SIGPIPE
+ # in SSL_accept() and dies.
+ # <https://github.com/openssl/openssl/issues/6904>.
+ $client->close(‘SSL_fast_shutdown’ => 0);
+ }
}
exit;
}
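
Review bot: the new if ($client) guard sits after $client->verify_hostname(...) has already been called, so it can never be false at this point and protects nothing. Either drop the guard and call $client->close('SSL_fast_shutdown' => 0) directly, or move the check up to where $client is created.
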
@@ -81,5 +88,8 @@ for my $host (@tests) {
my $name = $csock->get_servername;
print «not » if ! $name or $name ne $host;
print «ok # server got SNI name $hostn»;
+ if ($csock) {
+ $csock->close(‘SSL_fast_shutdown’ => 0);
+ }
}
wait;
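
Review bot: same ordering problem on the server side: if ($csock) is tested only after $csock->get_servername has run, so an undefined $csock would already have died two lines earlier. Test $csock where it is assigned, and add the one-line reason for the two-way shutdown here as the client hunk does.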

2.14.4




Fri Aug 17 09:18:55 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/npn.t — NPN does not work for unknown reason

It turned out TLSv1.3 does not support NPN <https://github.com/openssl/openssl/issues/3665>. Attached patch corrects the test.

Subject: 0001-NPN-is-unavailable-in-TLSv1.3.patch

From 94b0b52f05911bd8cfe579406248c8afe36004d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Fri, 17 Aug 2018 15:14:40 +0200
Subject: [PATCH] NPN is unavailable in TLSv1.3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TLSv1.3 does not support NPN. Application can use ALPN. This caused
t/npn.t failures when TLSv1.3 was negotiated. This patch disables
TLSv1.3 in the test.

<https://github.com/openssl/openssl/issues/3665>

Signed-off-by: Petr Písař <ppisar@redhat.com>

lib/IO/Socket/SSL.pod | 2 +-
t/npn.t | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)

diff —git a/lib/IO/Socket/SSL.pod b/lib/IO/Socket/SSL.pod
index 95401aa..363901b 100644
— a/lib/IO/Socket/SSL.pod
+++ b/lib/IO/Socket/SSL.pod
@@ -1336,7 +1336,7 @@ as an array ref.
See also method C<next_proto_negotiated>.

Next Protocol Negotiation (NPN) is available with Net::SSLeay 1.46+ and
-openssl-1.0.1+.
+openssl-1.0.1+. NPN is unavailable in TLSv1.3 protocol.
To check support you might call C<< IO::Socket::SSL->can_npn() >>.
If you use this option with an unsupported Net::SSLeay/OpenSSL it will
throw an error.
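
Review bot: the added sentence says NPN is unavailable in TLSv1.3 but not what a caller should do about it. The commit message already names the replacement ("Application can use ALPN"); put that in the POD as well, and say whether setting this option on a connection that negotiates TLSv1.3 is ignored or whether SSL_version has to exclude TLSv1_3, as t/npn.t now does.
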
diff —git a/t/npn.t b/t/npn.t
index 8992a77..6ee6ca6 100644
— a/t/npn.t
+++ b/t/npn.t
@@ -25,6 +25,8 @@ my $addr = ‘127.0.0.1’;
my $server = IO::Socket::SSL->new(
LocalAddr => $addr,
Listen => 2,
+ SSL_version => ‘SSLv23:!TLSv1_3’, # NPN does not exist in TLSv1.3
+ # https://github.com/openssl/openssl/issues/3665
SSL_cert_file => ‘certs/server-cert.pem’,
SSL_key_file => ‘certs/server-key.pem’,
SSL_npn_protocols => [qw(one two)],

2.14.4




Tue Aug 21 08:15:24 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/session_ticket.t — TLSv1.3 tickets need to use
> SSL_CTX_sess_set_new_cb() that is not yet provided by Net-SSLeay.

It seems a proper support would need more than SSL_CTX_sess_set_new_cb() because the new API is quite rich including interaction with internal OpenSSL session cache.

Attached patch excluded TLSv1.3 from the t/session_ticket.t.




Tue Aug 21 08:15:45 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/session_ticket.t — TLSv1.3 tickets need to use
> SSL_CTX_sess_set_new_cb() that is not yet provided by Net-SSLeay.

It seems a proper support would need more than SSL_CTX_sess_set_new_cb() because the new API is quite rich including interaction with internal OpenSSL session cache.

Attached patch excluded TLSv1.3 from the t/session_ticket.t.

Subject: 0001-Exclude-TLSv1.3-from-t-session_ticket.t.patch

From c332d19048735e32e2754685fa3c8654ca068b78 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 21 Aug 2018 12:32:39 +0200
Subject: [PATCH] Exclude TLSv1.3 from t/session_ticket.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test fails with OpenSSL 1.1.1 because SSL_get1_session() is not
reliable with TLSv1.3. A proper resumption support would need
migration to SSL_CTX_sess_set_new_cb() API.

This patch also performs full SSL_shutdown in the test because
SSL_get1_session() manual documents that a connection must be properly
SSL_shutdowned, otherwise the session will be removed from the
(internal) session cache.

Signed-off-by: Petr Písař <ppisar@redhat.com>

t/session_ticket.t | 9 +++++++—
1 file changed, 7 insertions(+), 2 deletions(-)

diff —git a/t/session_ticket.t b/t/session_ticket.t
index bff6a86..69cbc96 100644
— a/t/session_ticket.t
+++ b/t/session_ticket.t
@@ -69,7 +69,7 @@ my $client = sub {
diag(«connect to $i: «.
($cl ? «success reuse=$reuse» : «error: $!,$SSL_ERROR»));
is($reuse,$expect_reuse,$desc);
— close($cl);
+ $cl->close(‘SSL_fast_shutdown’ => 0);
};
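
Review bot: replacing close($cl) with $cl->close('SSL_fast_shutdown' => 0) turns a failed connect into a fatal error. The diag two lines up still handles the case where $cl is false ("error: $!,$SSL_ERROR"), and a method call on that undefined value dies before the remaining cases run. Guard it, for example: $cl->close('SSL_fast_shutdown' => 0) if $cl;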

@@ -123,6 +123,11 @@ sub _server {
SSL_verify_mode => SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
SSL_ticket_keycb => $get_ticket_key,
SSL_session_id_context => ‘foobar’,
+ SSL_version => ‘SSLv23:!TLSv1_3’, # TLSv1.3 sends session tickes after
+ # a handshake, this SSL_get1_session() is not reliable anymore.
+ # Exclude TLSv1.3 from tests. Proper TLSv1.3 session resumption
+ # will need SSL_CTX_sess_set_new_cb().
+ # <https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/>
) or die «failed to create SSL context: $SSL_ERROR»;
}
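
Review bot: the comment attached to the new SSL_version argument has a typo ("tickes"), and "this SSL_get1_session() is not reliable anymore" reads as if "thus" was meant. Since the exclusion is a workaround, the comment should also say it is to be removed once resumption moves to SSL_CTX_sess_set_new_cb(), so the restriction does not outlive its reason.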

@@ -158,7 +163,7 @@ sub _server {
print «rotate secretsn»;
push @secrets, shift(@secrets);
}
— close($cl);
+ $cl->close(‘SSL_fast_shutdown’ => 0);
alarm(0);
last;
}

2.14.4




Tue Aug 21 10:13:26 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/sni_verify.t — server dies with SIGPIPE because tickets sent to
> closed TCP socket, trivial to fix with a proper SSL_shutdown in
> t/sni_verify.t.
>

Similar bug is in t/sni.t. But here instead of SIGPIPE the accept simply failed and undefined client socket led to run-time exception when invoking a method on it.

Attached patch fixes it.

Maybe IO::Socket::SSL should default to ‘SSL_fast_shutdown’ => 0 globally. Otherwise many applications will be surprised.

Subject: 0001-Do-two-way-shutdown-in-t-sni.t.patch

From 1d19a7d01960fd8dc00bb3929a1ffaee186470fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 21 Aug 2018 16:02:19 +0200
Subject: [PATCH] Do two-way shutdown in t/sni.t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TLSv1.3 performs more reading and writing in SSL_accept(). If a client
disconnects after the handshake but before the server finishes
SSL_accept(), the t/sni.t test would fail because accept() could fail with
ECONNRESET. This happened randomly.

Failed accept() led to undef->get_servername() call that triggered
a run-time exception and that caused a client being stuck and the
test script never exited.

This fixes both these issues.

Signed-off-by: Petr Písař <ppisar@redhat.com>

t/sni.t | 20 ++++++++++++++++++—
1 file changed, 18 insertions(+), 2 deletions(-)

diff —git a/t/sni.t b/t/sni.t
index de0f06e..91206de 100644
— a/t/sni.t
+++ b/t/sni.t
@@ -68,15 +68,31 @@ if ( $pid == 0 ) {

$client->verify_hostname($host,’http’) or print «not «;
print «ok # client verify hostname in cert $hostn»;
+ # Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with
+ # ECONNRESET when a client disconnects too early.
+ $client->close(‘SSL_fast_shutdown’ => 0);
}
exit;
}

+# If the server dies, a client can get stuck in read(2) while Perl interpreter
+# is collecting children status in the die handler using wait4(2).
+$SIG{__DIE__} = sub {
+ STDERR->print(«Server died. Killing client with $pid PID.n»);
+ kill(9, $pid);
+};
for my $host (@tests) {
— my $csock = $server->accept or print «not «;
— print «ok # server acceptn»;
+ my $csock = $server->accept;
+ if (!$csock) {
+ print «not ok # server accept SSL_ERROR=’$SSL_ERROR’, errno=’$!'»;
+ } else {
+ print «ok # server acceptn»;
+ }
my $name = $csock->get_servername;
print «not » if ! $name or $name ne $host;
print «ok # server got SNI name $hostn»;
+ # Shutdown TLS properly. Otherwise TLSv1.3 $server->accept() fails with
+ # ECONNRESET when a client disconnects too early.
+ $csock->close(‘SSL_fast_shutdown’ => 0);
}
wait;
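
Review bot: in the server loop the new if (!$csock) branch prints "not ok" but execution continues to $csock->get_servername and $csock->close(...), so a failed accept still ends in a method call on undef; the run-time exception described in the commit message is then only handled indirectly, by the __DIE__ handler killing the client. Report the SNI check as failed inside that branch and skip to the next host so the loop survives a failed accept. The failure print also lacks the trailing newline that the "ok # server accept" line has.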

2.14.4




Tue Aug 21 11:10:45 2018

ppisar […] redhat.com — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> Latest changes for IO-Socket-SSL are attached.

Adapt-to-OpenSSL-1.1.1.patch added TLSv1_3 constant and implemented TLSv1.3 only contexts using Net::SSLeay::TLS1_3_VERSION(). Using this constant-subroutine blasts if Net::SSLeay was built on a system with old OpenSSL without TLSv1.3 support.

Attached patch fixes Net::SSLeay::TLS1_3_VERSION() use so that it’s possible to build and pass all tests on systems with and without OpenSSL 1.1.1.

Subject: 0001-Fix-building-on-systems-without-TLSv1.3-support.patch

From 12ff43c81b10446bd74cc719f0a6913040598c58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Tue, 21 Aug 2018 16:34:39 +0200
Subject: [PATCH] Fix building on systems without TLSv1.3 support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If OpenSSL does not support TLSv1.3, Net::SSLeay does not have
TLS1_3_VERSION() and t/protocol_version.t fails with:

# Failed test ‘Your vendor has not defined SSLeay macro TLS1_3_VERSION at /home/test/fedora/perl-IO-Socket-SSL/IO-Socket-SSL-2.059/blib/lib/IO/Socket/SSL.pm line 2337.
# ‘
# at ./t/testlib.pl line 39.

This patch fixes creating IO::Socket:SSL context for TLSv1.3 by
checking whether it’s supported by Net::SSLeay.

Signed-off-by: Petr Písař <ppisar@redhat.com>

lib/IO/Socket/SSL.pm | 4 ++++
1 file changed, 4 insertions(+)

diff —git a/lib/IO/Socket/SSL.pm b/lib/IO/Socket/SSL.pm
index 5b43467..7138ab0 100644
— a/lib/IO/Socket/SSL.pm
+++ b/lib/IO/Socket/SSL.pm
@@ -2334,6 +2334,10 @@ sub new {
# There is no CTX_tlsv1_3_new(). Create TLSv1.3 only context using
# a flexible method.
if ($ver eq ‘TLSv1_3’) {
+ if (!eval {Net::SSLeay::TLS1_3_VERSION()}) {
+ return IO::Socket::SSL->_internal_error(
+ «SSL Version $ver not supported»,9);
+ }
if (!Net::SSLeay::CTX_set_min_proto_version($ctx,
Net::SSLeay::TLS1_3_VERSION()) or
!Net::SSLeay::CTX_set_max_proto_version($ctx,
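
Review bot: the new probe, eval {Net::SSLeay::TLS1_3_VERSION()}, runs without localizing $SIG{__DIE__} or $@, so on a build without TLSv1.3 a caller's __DIE__ handler fires for what is meant to be a silent capability check. The SSL_OP_NO_* probing in the BEGIN block of this module uses local $SIG{__DIE__} for that reason; do the same here. The literal 9 passed to _internal_error is also unexplained, and a short comment or a named constant would help.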

2.14.4




Fri Aug 24 10:04:43 2018

Radiator Software — Correspondence added

On Fri 17 Aug 2018 08:15:03, ppisar wrote:

> t/session_ticket.t — TLSv1.3 tickets need to use
> SSL_CTX_sess_set_new_cb() that is not yet provided by Net-SSLeay.

Github issue now exists to track this:
https://github.com/radiator-software/p5-net-ssleay/issues/38


Heikki




Fri Aug 24 10:04:44 2018

The RT System itself — Status changed from ‘new’ to ‘open’




Fri Aug 24 18:32:55 2018

gregoa […] cpan.org — Cc gregoa […] cpan.org added




Wed Aug 29 12:15:14 2018

Steffen_Ullrich […] genua.de — Correspondence added

Thanks for the input so far.

From my perspective support in Perl for TLS 1.3 with OpenSSL 1.1.1 seems to be not really stable right now — there seem to be still changes needed in Net::SSLeay before TLS 1.3 can be fully integrated, tested and supported by IO::Socket::SSL. While your changes look fine in general I’m not really comfortable with the necessary SSL_fast_shutdown on various places in the tests, since this also means that end users might face and address these problems themselves in their own code when moving to the new OpenSSL version.

If possible I would prefer if you take these changes to github since it’s easier to handle larger changes there instead of extracting all patches and hopefully only the latest from this issue tracker.

Regards,
Steffen




Wed Aug 29 12:15:15 2018

Steffen_Ullrich […] genua.de — Status changed from ‘open’ to ‘new’




Tue Sep 04 08:09:58 2018

ppisar […] redhat.com — Correspondence added

Subject: Re: [rt.cpan.org #126899] Tests fail with OpenSSL 1.1.1
Date: Tue, 4 Sep 2018 14:01:52 +0200
To: Steffen Ullrich via RT <bug-IO-Socket-SSL@rt.cpan.org>
From: Petr Pisar <ppisar@redhat.com>

On Wed, Aug 29, 2018 at 12:15:15PM -0400, Steffen Ullrich via RT wrote:

> While your changes look fine in general I’m not really comfortable with the
> necessary SSL_fast_shutdown on various places in the tests, since this also
> means that end users might face and address these problems themselves in
> their own code when moving to the new OpenSSL version.
>

I agree with you. I was only worried about non-blocking mode that cannot
change default SSL shutdown to full two-way shutdown because of the nature of
the non-blocking mode. Therefore blocking and non-blocking mode would behave
differently.

Fortunately OpenSSL committed a change
<https://github.com/openssl/openssl/commit/f273ff953abfafbb5fc4d68904469f862fbeae8a>
that allows SSL_accept() to survive a half-closed TCP connection without
reporting an error. The only deficiency is that a server still has to
actively ignore SIGPIPE signal.

I will retest IO-Socket-SSL with the OpenSSL change. Probably won’t need
the SSL_fast_shutdown anymore.

> If possible I would prefer if you take these changes to github since it’s
> easier to handle larger changes there instead of extracting all patches and
> hopefully only the latest from this issue tracker.
>

Here it is <https://github.com/ppisar/p5-io-socket-ssl/commits/TLSv1.3>. I was
reluctant to use the github repository as it lagged behind the
IO-Socket-SSL-2.059 CPAN release.

— Petr




Tue Sep 04 08:31:05 2018

Steffen_Ullrich […] genua.de — Correspondence added

>…. I was
> reluctant to use the github repository as it lagged behind the
> IO-Socket-SSL-2.059 CPAN release.
>

It looks like I forgot to push the changes. github should now be up-to-date.




Tue Sep 04 08:31:05 2018

The RT System itself — Status changed from ‘new’ to ‘open’




Sat Sep 15 09:49:13 2018

kurt […] roeckx.be — Correspondence added

Subject: Re: [rt.cpan.org #126899] Tests fail with OpenSSL 1.1.1
Date: Sat, 15 Sep 2018 15:41:05 +0200
To: bug-IO-Socket-SSL@rt.cpan.org
From: Kurt Roeckx <kurt@roeckx.be>

With OpenSSL 1.1.1, when acting as client, I suggest that you turn
SSL_fast_shutdown into a 2 way shutdown.

This has the following advantages:
— This will prevent the server from getting an EPIPE.
— You can resume sessions, assuming you ask them at the right
time.

The disadvantage is that you of course need to wait for the reply
of the server.




Sun Sep 16 15:22:36 2018

Steffen_Ullrich […] genua.de — Correspondence added

On Sat 15 Sep 2018, 09:49:13, kurt@roeckx.be wrote:

> With OpenSSL 1.1.1, when acting as client, I suggest that you turn
> SSL_fast_shutdown into a 2 way shutdown.
>
> This has the following advantages:
> — This will prevent the server from getting an EPIPE.
> — You can resume sessions, assuming you ask them at the right
> time.
>
> The disadvantage is that you of course need to wait for the reply
> of the server.

The expectation with close on IO::Socket objects is that it returns immediately. I would like to fulfill this expectation and not have it behave differently depending on the version of OpenSSL.
But I think that users of IO::Socket::SSL must be more aware on how much different a SSL socket from a "normal" socket can behave. It was actually possible even before OpenSSL 1.1.1 that a signal PIPE might have been triggered during accept (i.e. SSL_accept) or close (i.e. SSL_shutdown) since both functions send data to the peer and the peer might already have been closed at the TCP level. It is only more likely that this happens now, but it is not actually new.
Therefore I added PIPE handling to the tests and also updated the documentation in 2.060 to specifically point out these problems.
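
What the message above describes, reduced to a local socket pair: a write to a peer that has already closed either kills the writer with SIGPIPE or, with the signal ignored, comes back as an ordinary EPIPE error. This is an added example, not code from IO::Socket::SSL or its test suite; the function name and the socket pair standing in for a TLS connection are assumptions.

```python
import os
import signal
import socket


def write_after_peer_close(ignore_sigpipe):
    """Write to a stream socket whose peer is already closed, in a forked child.

    Returns the child's raw wait status together with its decoded parts.
    """
    ours, peer = socket.socketpair()   # local stand-in for a TCP connection
    peer.close()                       # the other side is gone before we write
    pid = os.fork()
    if pid == 0:                       # child: the process doing the late write
        code = 1                       # stays 1 if the write unexpectedly succeeds
        try:
            # Python starts with SIGPIPE ignored while Perl starts with the
            # default action, so set the disposition explicitly in both cases.
            signal.signal(
                signal.SIGPIPE,
                signal.SIG_IGN if ignore_sigpipe else signal.SIG_DFL,
            )
            # Stand-in for the bytes SSL_accept or SSL_shutdown would send.
            ours.send(b"stand-in for a handshake or close_notify record")
        except BrokenPipeError:
            code = 0                   # EPIPE surfaced as a catchable error
        finally:
            os._exit(code)             # leave without running parent cleanup
    ours.close()
    _, wstat = os.waitpid(pid, 0)
    return {
        "wstat": wstat,
        "signal": os.WTERMSIG(wstat) if os.WIFSIGNALED(wstat) else None,
        "exit": os.WEXITSTATUS(wstat) if os.WIFEXITED(wstat) else None,
    }


if __name__ == "__main__":
    # Default disposition: the writer is killed, wait status is the signal number.
    print("default:", write_after_peer_close(ignore_sigpipe=False))
    # Ignored: the same write fails with EPIPE and the process exits normally.
    print("ignored:", write_after_peer_close(ignore_sigpipe=True))
```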




Sun Sep 16 15:27:20 2018

Steffen_Ullrich […] genua.de — Correspondence added

On Tue 04 Sep 2018, 08:31:05, SULLR wrote:

> >…. I was
> > reluctant to use the github repository as it lagged behind the
> > IO-Socket-SSL-2.059 CPAN release.
> >
>
> It looks like I forgot to push the changes. github should now be up-to-date.

Thanks,
I just released 2.060 which should be compatible with TLS 1.3 and OpenSSL 1.1.1. I’ve incorporated some of your changes but also did some things different than you did. Session resume is not yet done for TLS 1.3 but the tests should now all succeed so I close this issue.




Mon Sep 17 06:35:26 2018

dam […] cpan.org — Correspondence added

On 16 Sep 2018, Sun 22:27:20, SULLR wrote:

> I just released 2.060 which should be compatible with TLS 1.3 and
> OpenSSL 1.1.1. I’ve incorporated some of your changes but also did
> some things different than you did. Session resume is not yet done for
> TLS 1.3 but the tests should now all succeed so I close this issue.

Thanks for the new release!

The Debian package of 2.060 still managed to fail a couple of tests, see https://buildd.debian.org/status/fetch.php?pkg=libio-socket-ssl-perl&arch=all&ver=2.060-1&stamp=1537167776&raw=0

Locally I also made t/startssl.t fail by running it in a loop and loading the CPU.

I wonder if it would be appropriate to ignore SIGPIPE in all tests that involve forking.

— dam




Mon Sep 17 06:36:49 2018

dam […] cpan.org — Cc dam […] cpan.org added




Mon Sep 17 07:54:39 2018

dam […] cpan.org — Correspondence added

On 17 Sep 2018, Mon 13:35:26, DAM wrote:

> I wonder if it would be appropriate to ignore SIGPIPE in all tests
> that involve forking.

Here’s the list of the tests that still fail in 2.060 when run in a loop on my system with overloaded CPU:

— t/alpn.t
— t/compatibility.t
— t/dhe.t
— t/ecdhe.t
— t/io-socket-inet6.t
— t/io-socket-ip.t
— t/public_suffix_ssl.t
— t/sessions.t
— t/startssl.t
— t/verify_fingerprint.t
— t/verify_hostname.t

The symptom is Wstatus=13.

Ignoring SIGPIPE seems to make them pass under the same conditions.

Attaching more-sigpipe-ignore.patch — a convenience patch adding $SIG{‘PIPE’} = «IGNORE» to them.

Subject: more-sigpipe-ignore.patch

Description: ignore SIGPIPE in more tests
These are the tests which failed (killed with SIGPIPE, Wstat=13) when
run continuously on a CPU-loaded system.
Author: Damyan Ivanov <dmn@debian.org>

— a/t/compatibility.t
+++ b/t/compatibility.t
@@ -14,6 +14,7 @@ Test::More->builder->use_numbers(0);
Test::More->builder->no_ending(1);

$SIG{‘CHLD’} = «IGNORE»;
+$SIG{‘PIPE’} = «IGNORE»;

IO::Socket::SSL::context_init(SSL_verify_mode => 0x01);
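Review bot: with $SIG{'CHLD'} = "IGNORE" directly above and SIGPIPE now ignored as well, this test can no longer learn that its peer went away from a signal or from a reaped exit status, only from failing I/O, so it depends on the reads and writes later in the file checking their return values. An ignored SIGPIPE turns a write to a closed socket into a failed write with EPIPE; where such a write goes unchecked, the Wstat=13 failure can turn into a silent pass or a stall on the next read. Worth confirming before applying, and worth a one-line comment next to the new line saying why the signal is ignored.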

— a/t/verify_hostname.t
+++ b/t/verify_hostname.t
@@ -14,6 +14,7 @@ my $can_idn = eval { require Encode } &
|| eval { require URI; URI->VERSION(1.50) }
);

+$SIG{‘PIPE’} = «IGNORE»;
$|=1;
my $max = 42;
$max+=3 if $can_idn;
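Review bot: the new $SIG{'PIPE'} line above $|=1 carries no comment, so once the patch description is gone nothing in the file says why the signal is ignored. Suggest a short comment such as "# peer may close first under load; do not die with SIGPIPE (Wstat=13)", and a blank line after the assignment to match the placement used in the startssl.t hunk.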
— a/t/startssl.t
+++ b/t/startssl.t
@@ -8,6 +8,8 @@ use IO::Socket::SSL;
use IO::Select;
do ‘./testlib.pl’ || do ‘./t/testlib.pl’ || die «no testlib»;

+$SIG{‘PIPE’} = «IGNORE»;
+
$|=1;
print «1..21n»;

— a/t/dhe.t
+++ b/t/dhe.t
@@ -11,6 +11,7 @@ use Socket;
use IO::Socket::SSL;
do ‘./testlib.pl’ || do ‘./t/testlib.pl’ || die «no testlib»;

+$SIG{‘PIPE’} = «IGNORE»;
$|=1;
print «1..3n»;

— a/t/ecdhe.t
+++ b/t/ecdhe.t
@@ -14,6 +14,7 @@ if ( ! IO::Socket::SSL->can_ecdh ) {
exit
}

+$SIG{‘PIPE’} = «IGNORE»;
$|=1;
print «1..4n»;

— a/t/alpn.t
+++ b/t/alpn.t
@@ -17,6 +17,7 @@ if ( ! IO::Socket::SSL->can_alpn ) {
exit;
}

+$SIG{‘PIPE’} = «IGNORE»;
print «1..5n»;

# first create simple ssl-server
— a/t/io-socket-ip.t
+++ b/t/io-socket-ip.t
@@ -29,6 +29,8 @@ unless( IO::Socket::SSL->CAN_IPV6 eq «IO
exit
}

+$SIG{‘PIPE’} = «IGNORE»;
+
my $addr = ‘::1’;
# check if we can use ::1, e.g. if the computer has IPv6 enabled
if ( ! IO::Socket::IP->new(
— a/t/io-socket-inet6.t
+++ b/t/io-socket-inet6.t
@@ -37,6 +37,8 @@ unless( IO::Socket::SSL->CAN_IPV6 eq «IO
exit
}

+$SIG{‘PIPE’} = «IGNORE»;
+
my $addr = ‘::1’;
# check if we can use ::1, e.g. if the computer has IPv6 enabled
if ( ! IO::Socket::INET6->new(
— a/t/public_suffix_ssl.t
+++ b/t/public_suffix_ssl.t
@@ -34,6 +34,7 @@ my @tests = qw(
ok:www.foo.nodomain|*.foo.nodomain
);

+$SIG{‘PIPE’} = «IGNORE»;
$|=1;
plan tests => 0+@tests;

— a/t/sessions.t
+++ b/t/sessions.t
@@ -9,6 +9,7 @@ use Socket;
use IO::Socket::SSL;
do ‘./testlib.pl’ || do ‘./t/testlib.pl’ || die «no testlib»;

+$SIG{‘PIPE’} = «IGNORE»;
$|=1;
my $numtests = 35;
print «1..$numtestsn»;
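Review bot: the assignment is added right after the do './testlib.pl' || do './t/testlib.pl' line here, as it is in the startssl.t and dhe.t hunks, so the setting could be made once in t/testlib.pl instead of once per test file. That keeps forking tests added later covered without another patch; per-file lines would then only be needed in tests that do not load testlib.pl.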
— a/t/verify_fingerprint.t
+++ b/t/verify_fingerprint.t
@@ -8,6 +8,8 @@ do ‘./testlib.pl’ || do ‘./t/testlib.pl’

plan tests => 13;

+$SIG{‘PIPE’} = «IGNORE»;
+
my ($ca1,$cakey1) = CERT_create( CA => 1, subject => { CN => ‘ca1’ });
my ($cert1,$key1) = CERT_create(
subject => { CN => ‘cert1’ },




Mon Sep 17 08:12:30 2018

Steffen_Ullrich […] genua.de — Correspondence added

On Mon 17 Sep 2018, 07:54:39, DAM wrote:

> On Mon 17 Sep 2018, 13:35:26, DAM wrote:

> > I wonder if it would be appropriate to ignore SIGPIPE in all tests
> > that involve forking.

I think this is a good idea. I made the relevant change to t/testlib.pl since this is used
by all tests which fork.
See https://github.com/noxxi/p5-io-socket-ssl/commit/e96b1c9e394011de4ee181cfa42b8021796bf7d4.
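The failure mode discussed in this exchange, as an added example that is not code from IO::Socket::SSL, its test suite or the participants: a forked writer whose peer has already closed is killed with wait status 13 under the default SIGPIPE disposition, and gets a failed write with EPIPE when the signal is ignored. The function name run_writer and the exit marker 42 are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not part of the IO::Socket::SSL test suite.
use strict;
use warnings;
use Socket;      # AF_UNIX, SOCK_STREAM, PF_UNSPEC
use POSIX ();    # POSIX::_exit

$| = 1;

# Fork a child that writes to a socket whose peer is already closed,
# the situation a forking test hits when its other side exits first.
# Returns the child's raw wait status, the value reported as Wstat.
sub run_writer {
    my ($ignore_sigpipe) = @_;
    socketpair(my $sock, my $peer, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
        or die "socketpair: $!";
    close $peer;    # closed before fork, so the write below cannot race
    defined(my $pid = fork()) or die "fork: $!";
    if ($pid == 0) {
        $SIG{PIPE} = $ignore_sigpipe ? 'IGNORE' : 'DEFAULT';
        my $n = syswrite($sock, "hello\n");
        # With SIGPIPE ignored the process survives and the write
        # fails with EPIPE; the caller has to notice that itself.
        my $saw_epipe = !defined($n) && $!{EPIPE};
        POSIX::_exit($saw_epipe ? 42 : 1);    # 42 is an arbitrary marker
    }
    waitpid($pid, 0);
    return $?;
}

for my $ignore (0, 1) {
    my $status = run_writer($ignore);
    printf "SIGPIPE %-8s Wstat=%-5d signal=%-2d exit=%d\n",
        ($ignore ? 'ignored' : 'default'),
        $status, $status & 127, $status >> 8;
}
```

The low seven bits of the wait status hold the terminating signal, which is why a test killed by SIGPIPE shows up as Wstat=13 rather than as a failed assertion.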




Mon Sep 24 09:33:19 2018

ppisar […] redhat.com — Correspondence added

On Sun 16 Sep 2018, 15:27:20, SULLR wrote:

> I just released 2.060 which should be compatible with TLS 1.3 and
> OpenSSL 1.1.1.

I sent you documentation update <https://github.com/noxxi/p5-io-socket-ssl/pull/75> for TLSv1_3 SSL_protocol.




Sat Mar 02 11:42:57 2019

Steffen_Ullrich […] genua.de — Correspondence added

Support for OpenSSL 1.1.1 and TLS 1.3 is included in IO::Socket::SSL 2.061 but it needs Net::SSLeay 1.86 (not released yet, 1.86_07 works).




Sat Mar 02 11:42:59 2019

Steffen_Ullrich […] genua.de — Status changed from ‘open’ to ‘resolved’

Despite not being familiar with those Linuxes and their age, I have the following thoughts:

1.   In the past two years, the use of SSL 3.0 has been deprecated.   Many libraries, server configs and websites have either turned it off or removed any support for it.  Linux usually uses the openssl library for this function. 

2.   TLS 1.0 is starting to be turned off on sites, but it isn’t common.

3. I think you’re needing to make configuration changes to turn off SSL 2.0 and 3.0 support. While you’re there you may also find some ciphers won’t work either. This page has some recommendations for what to use today: https://wiki.mozilla.org/Security/TLS_Configurations

4.  Perl, openssl and other included things tend to be very old versions in Linux distributions.  Depending on where this line of Ubuntu is on the spectrum of things, the versions of perl, openssl may be too old to know about some things you need.   Your choices then are to step up to the next Linux line.   Or download, build and maintain your versions of perl and openssl and whatever other dependencies are there.   


> 4. Perl, openssl and other included things tend to be very old versions in Linux distributions. Depending on where this line of Ubuntu is on the spectrum of things, the versions of perl, openssl may be too old to know about some things you need. Your choices then are to step up to the next Linux line. Or download, build and maintain your versions of perl and openssl and whatever other dependencies are there.

Thank you, Jim! You are correct, it is a known bug with SSL version number/s in the Perl SSL.pm file (at least according to multiple other posts online). I did try editing the file with Nano to *only* use SSLv3 (suggested on Server Fault), but for whatever reason, it did not work. 

To my knowledge, Ubuntu is the only Debian flavor that AWS offers as a free instance to deploy, hence my choosing it. Any quick link/s you can point me to for how to "build and maintain" a newer version of Perl that might work?? I’m still noob with Linux.


To date, I have avoided doing that since my Linux world is all production based on CentOS 5/6/7 and I like to type "yum update". If you don’t know they are Red Hat distributions.

1.  yum is the RPM/package manager command.   So I’d first look to see if there is an alternate perl package for you.

2. In addition you may be able to expand your collection of repositories to do the same.

3. If you want to get the source, it’s usually an exercise like this:

a. download the desired package and unzip/unpack the tar ball into a directory tree for working with.

Extra step: make clean     <- this will clean any cruft that may be in the tree.  

One to all of these:

a. make config  or make autoconfig or xmkmf   # this looks around at your system and figures out all kinds of details. 

b. make world or make   (build it)

Between those two you may have to find additional yum packages to install for things that can’t be found. 

f. make test (to test the installation; move on when it is happy.  Iterate when it complains about missing things, usually another yum/rpm package to install.)  

e. make -n install (run through the install process, but don’t actually do it.   Looking at details of where it will install and permissions.)    Common places are the /usr/local tree to avoid overwriting /usr/bin /usr/sbin/ /usr/lib versions.  Update PATH environment variable config files as necessary.

(drop the -n when you want to actually do it.)


I was able to find a resolution by deleting this faulty AWS instance and deploying a new one, again of Ubuntu Server 14.04, only this time I followed these instructions to get sendEmail working (I think the instructions I originally used were the issue): https://ubuntuforums.org/showthread.php?t=1127478

BASH

sudo apt-get install sendemail 
sudo apt-get install libio-socket-ssl-perl 

