[openssl-users] SSL_read() failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
matt at openssl.org
Thu Oct 26 12:57:29 UTC 2017
On 26/10/17 13:50, Kadlecsik József wrote:
> Hi Matt,
> On Thu, 26 Oct 2017, Matt Caswell wrote:
>>>>> Oct 20 18:50:05 mail2 dovecot: imap-login: Debug: SSL error: SSL_read()
>>>>> failed: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init
>>> But why SSL_read() failed with this error message?
>> That I can't explain since SSL_read() does not call SSL_shutdown().
>> Plausibly if SSL_read() fails (e.g. because the underlying TCP
>> connection died) then dovecot could call SSL_shutdown() immediately even
>> if it's still not completed the handshake. Then dovecot reports the
>> SSL_read() failure along with the error message from the subsequent
>> attempt to shutdown the connection. Just a theory.
> The failures happen after several IMAP commands were already
> issued/answered in the session and not in an initial phase.
> Both the server and the client machines are virtual and in the same LAN
> and were moved around the physical machines just to exclude hardware
> So can SSL_read() be called before the handshake is completed, i.e. in the
> "while in init" state?
Yes SSL_read() can be called before the handshake is completed. If that
happens then the first thing it does is attempt to perform a handshake.
If you have already exchanged application data over a TLS connection
then the handshake must have completed. Plausibly a new one could be
initiated via a renegotiation. If you call SSL_shutdown() in the middle
of that then I think you will also get the "shutdown while in init"
error. Basically don't call SSL_shutdown() if SSL_in_init() is true.
> Thanks your answers!
> Best regards,
> E-mail : kadlecsik.jozsef at wigner.mta.hu
> PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address: Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary
More information about the openssl-users