On 26/10/17 13:50, Kadlecsik József wrote:
> Hi Matt,
>
> On Thu, 26 Oct 2017, Matt Caswell wrote:
>
>>>>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
>>>>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>>>
>>> But why SSL_read() failed with this error message?
>>
>> That I can't explain since SSL_read() does not call SSL_shutdown().
>> Plausibly if SSL_read() fails (e.g. because the underlying TCP
>> connection died) then dovecot could call SSL_shutdown() immediately even
>> if it's still not completed the handshake. Then dovecot reports the
>> SSL_read() failure along with the error message from the subsequent
>> attempt to shutdown the connection. Just a theory.
>
> The failures happen after several IMAP commands were already
> issued/answered in the session and not in an initial phase.
>
> Both the server and the client machines are virtual and in the same LAN
> and were moved around the physical machines just to exclude hardware
> issues.
>
> So can SSL_read() be called before the handshake is completed, i.e. in the
> "while in init" state?

Yes, SSL_read() can be called before the handshake is completed. If that
happens then the first thing it does is attempt to perform a handshake.

If you have already exchanged application data over a TLS connection
then the handshake must have completed. Plausibly a new one could be
initiated via a renegotiation. If you call SSL_shutdown() in the middle
of that then I think you will also get the "shutdown while in init" error.

Basically don't call SSL_shutdown() if SSL_in_init() is true.

Matt

>
> Thanks for your answers!
>
> Best regards,
> Jozsef
> --
> E-mail : kadlecsik.jozsef@xxxxxxxxxxxxx
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
>          H-1525 Budapest 114, POB. 49, Hungary
>

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users