[openssl-users] SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

[Matt Caswell]

On 26/10/17 13:50, Kadlecsik József wrote:
> Hi Matt,
> 
> On Thu, 26 Oct 2017, Matt Caswell wrote:
> 
>>>>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read() 
>>>>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>>>
>>> But why SSL_read() failed with this error message?
>>
>> That I can't explain since SSL_read() does not call SSL_shutdown(). 
>> Plausibly if SSL_read() fails (e.g. because the underlying TCP 
>> connection died) then dovecot could call SSL_shutdown() immediately even 
>> if it's still not completed the handshake. Then dovecot reports the 
>> SSL_read() failure along with the error message from the subsequent 
>> attempt to shutdown the connection. Just a theory.
> 
> The failures happen after several IMAP commands were already 
> issued/answered in the session and not in an initial phase.
> 
> Both the server and the client machines are virtual and in the same LAN
> and were moved around the physical machines just to exclude hardware 
> issues.
> 
> So can SSL_read() be called before the handshake is completed, i.e. in the 
> "while in init" state?

Yes SSL_read() can be called before the handshake is completed. If that
happens then the first thing it does is attempt to perform a handshake.

If you have already exchanged application data over a TLS connection
then the handshake must have completed. Plausibly a new one could be
initiated via a renegotiation. If you call SSL_shutdown() in the middle
of that then I think you will also get the "shutdown while in init"
error. Basically don't call SSL_shutdown() if SSL_in_init() is true.

Matt


> 
> Thanks your answers!
> 
> Best regards,
> Jozsef
> --
> E-mail : kadlecsik.jozsef at wigner.mta.hu
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
>          H-1525 Budapest 114, POB. 49, Hungary
>