SSL negotiation failures with TLSv1 and TLSv1.3 against gateway/ical on Debian 10

TomSchmidt

@modelnine,
thank you yery much to make things clear. This is quite sad while imaps isn’t state of the art but many still use it.
I’m wondering that there’s a major release upgrade and this isn’t working.

Stupid me tested in a sandbox but I did not test the imaps function. I cannot go back to 8.7

So I will wait for things coming.

modelnine

@fbartels is there any possibility of getting one of the two patchsets (or both) which are now in my Github-tree into Kopano some time soon? ;-) Basically, as it stands, for 9.0 and 8.7, (at least) all server-side SSL is currently broken. Thanks!

fbartels

Hi @modelnine,

as far as I know they are currently in review, but apart from my answers here I am not involved in this topic.

embexx

@TomSchmidt: I use stunnel to have imaps as long as kopano-gateway fails to provide imaps.

TomSchmidt

@embexx
Hi, nice idea, but I have to connect two Thunderbird-Users and TB can’t use z-push as AcitveSync. The addons promising ActiveSync are crap. One of them is my Mom using Win10. So this idea crashes here :-)

But thank a lot for replying!

tom

embexx

@TomSchmidt stunnel is like a proxy or SSL-wrapper. With stunnel iprovide imaps with kopano-gateway to connect my TB-users.
ActiveSync has not too much to do with that.

TomSchmidt

@embexx
OK, I got it, was on a wrong journey. I did the same and it works perfectly.

Thanks!

umgfoin

Hello @modelnine,
it looks like recent refactorings to HrEnableTLS, HrSetCtx and related are causing issues:
I’m getting SIGSEVs on SSL_accept (using openSSL 1.0.1e) , similar problems are discussed here.

Reverting commits introduced by PR22 fixes the issues on my unsupported system (CentOS6).

2020-01-30T12:28:10.497752: [kopano-gateway|T14538] [=======] Starting kopano-gateway version 10.0.1.89 (pid 14538 uid 482)
2020-01-30T12:28:10.498129: [kopano-gateway|T14538] [info   ] Re-using fd 5 for 0.0.0.0:143
2020-01-30T12:28:10.498157: [kopano-gateway|T14538] [info   ] Re-using fd 6 for [::]:143
2020-01-30T12:28:10.498248: [kopano-gateway|T14538] [info   ] Re-using fd 7 for 0.0.0.0:993
2020-01-30T12:28:10.498286: [kopano-gateway|T14538] [info   ] Re-using fd 8 for [::]:993
2020-01-30T12:28:10.500566: [kopano-gateway|T14538] [info   ] ECChannel::HrSetCtx(): SSL_CTX_NEW: Success.
2020-01-30T12:30:05.887132: [kopano-gateway|T14538] [info   ] Accepted connection from [2xx1:c22:xxxx:xxxx:1d52:xxxx:a949:xxxx]:56320
2020-01-30T12:30:05.887176: [kopano-gateway|T14538] [notice ] Starting worker thread for IMAPs request
2020-01-30T12:30:05.887360: [kopano-gateway|T14818] [warning] HTML safety filter is enabled in configuration, but KC is not compiled with libtidy
2020-01-30T12:30:05.887437: [kopano-gateway|T14818] [info   ] ECChannel::HrEnableTLS(): TLS flags 0x814a0bf7
2020-01-30T12:30:05.887474: [kopano-gateway|T14818] [crit   ] ----------------------------------------------------------------------
2020-01-30T12:30:05.887482: [kopano-gateway|T14818] [crit   ] Fatal error detected. Please report all following information.
2020-01-30T12:30:05.887490: [kopano-gateway|T14818] [crit   ] kopano-dagent 10.0.1.89
2020-01-30T12:30:05.887503: [kopano-gateway|T14818] [crit   ] OS: CentOS release 6.10 (Final)
 (Linux 3.10.0-957.12.2.vz7.86.2 x86_64)
2020-01-30T12:30:05.887515: [kopano-gateway|T14818] [crit   ] Thread name: kopano-gateway
2020-01-30T12:30:05.887528: [kopano-gateway|T14818] [crit   ] Peak RSS: 10024
2020-01-30T12:30:05.887536: [kopano-gateway|T14818] [crit   ] Pid 14538 caught SIGSEGV (11), traceback:
2020-01-30T12:30:05.887542: [kopano-gateway|T14818] [crit   ] Backtrace:
2020-01-30T12:30:05.887822: [kopano-gateway|T14818] [crit   ] f0. /usr/lib64/libkcutil.so.0(+0x51c2b) [0x7f21332c5c2b]
2020-01-30T12:30:05.887835: [kopano-gateway|T14818] [crit   ] f1. /usr/lib64/libkcutil.so.0(+0x37f7f) [0x7f21332abf7f]
2020-01-30T12:30:05.887843: [kopano-gateway|T14818] [crit   ] f2. /usr/lib64/libkcutil.so.0(+0x3a003) [0x7f21332ae003]
2020-01-30T12:30:05.887850: [kopano-gateway|T14818] [crit   ] f3. /lib64/libpthread.so.0() [0x329f00f7e0]
2020-01-30T12:30:05.887858: [kopano-gateway|T14818] [crit   ] f4. /usr/lib64/libssl.so.10(SSL_accept+0x1) [0x3b2cc42c41]
2020-01-30T12:30:05.887865: [kopano-gateway|T14818] [crit   ] f5. /usr/lib64/libkcutil.so.0(_ZN2KC9ECChannel11HrEnableTLSEv+0xce) [0x7f213329dbae]
2020-01-30T12:30:05.887873: [kopano-gateway|T14818] [crit   ] f6. /usr/sbin/kopano-gateway() [0x4102c8]
2020-01-30T12:30:05.887880: [kopano-gateway|T14818] [crit   ] f7. /lib64/libpthread.so.0() [0x329f007aa1]
2020-01-30T12:30:05.887887: [kopano-gateway|T14818] [crit   ] f8. /lib64/libc.so.6(clone+0x6d) [0x329e8e8c4d]
2020-01-30T12:30:05.887901: [kopano-gateway|T14818] [crit   ] Signal errno: Success, signal code: 1
2020-01-30T12:30:05.887909: [kopano-gateway|T14818] [crit   ] Sender pid: 48, sender uid: 0, si_status: 0
2020-01-30T12:30:05.887916: [kopano-gateway|T14818] [crit   ] Signal value: 0, faulting address: 0x30
2020-01-30T12:30:05.887931: [kopano-gateway|T14818] [crit   ] When reporting this traceback, please include Linux distribution name (and version), system architecture and Kopano version.

Best regards,
umgfoin.

koole

Hi guys,

What is the status against kopano-gateway in Debian 10?

We have experienced also same problem (many times in a hour; autorestart works partly):

Tue Feb 25 14:19:07 2020: [ZGateway IMAPs|T542] [crit ] #20. /lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7f243aa8b4cf]
Tue Feb 25 14:19:07 2020: [ZGateway IMAPs|T542] [crit ] Signal errno: Success, signal code: 1

in kopano-gateway 8.7.0-3 (comes from Debian buster main section)

What should I do - downgrade system to Debian stretch/9 and use some supported kopano-core (and kopano-gateway) version or is there somewhere working kopano-core/gateway system against Debian 10 already?

All we know that Debian 9 is already old-stable. So better solution might be Ubuntu 18.04 then?

(sorry - maybe there is a better thread…)

/Mikko

jengelh

The status is that all is in good order in the source codes as of Feb 1 2020, corresponding to v9.0.3 and v10.0.1.