Description of problem: Dovecot crashes with the following error message: imap-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded and with the next login attempt from the same machine dovecot: Login process died too early - shutting down The user is using "KMail" and checks every minute for mail. Version-Release number of selected component (if applicable): dovecot-0.99.10-6 How reproducible: Always
I'm not seeing this at all. Do you have anything away from the defaults in your dovecot.conf?
I'm seeing this same error. I've switched to ~/Maildir and postfix. But apart from that I have a standard setup. I'll attach my dovecot.conf
Created attachment 98061 [details] Dovecot.conf for machine which crashed. This crash happens very rarely. There's some mention of it here: http://dovecot.procontrol.fi/list/dovecot/2004-January/002838.html
This happend to our dovecot server as well. See log below. As far as I know we don't have any users using KMail. imap-login: Mar 30 08:08:00 Fatal: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded dovecot: Mar 30 08:08:00 Error: Login process died too early - shutting down dovecot: Mar 30 08:08:00 Error: child 21354 (login) returned error 89
Today this crash happend 2 times and counting :-/ I am attaching my dovecot.conf as well. I see that the status is NEEDINFO - is there anything else I could do to help get this fixed?
Created attachment 99035 [details] doveconf file
I too have had this problem occur recently on 2 different servers that I just switched from stock imap to dovecot. They happened 1 day apart all within 3 days of switching to dovecot. Another 3rd machine I manage has been running dovecot for 1 week with the exact same configuration with zero errors so far. My dovecot.conf: protocols = imap imaps pop3 pop3s imap_listen = * pop3_listen = * ssl_cert_file = /usr/share/ssl/certs/dovecot.pem ssl_key_file = /usr/share/ssl/private/dovecot.pem login_dir = /var/run/dovecot-login login = imap login_process_per_connection = yes login = pop3 first_valid_uid = 300 maildir_copy_with_hardlinks = yes mbox_locks = fcntl umask = 0027 auth = default auth_mechanisms = plain auth_userdb = passwd auth_passdb = pam auth_user = root auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
It's happened again for me. So that's a good 2 months since the last time. Apr 21 14:58:53 mithrandir imap-login: Login: michael [127.0.0.1] Apr 21 14:58:53 mithrandir imap-login: RAND_bytes() failed: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded Apr 21 14:58:53 mithrandir dovecot: Login process died too early - shutting down Apr 21 14:58:53 mithrandir dovecot: child 14926 (login) returned error 89
Happening to me, on two servers, both Fedora Core 1.0. About 20 users. Works find most of the time, but dovecot crashes about once a day, sometimes several times, sometimes not at all. I'm running a cron job every minute to check for dovecot and restart it as needed. The sshd and mod_ssl seem to work fine. I don't know SSL stuff very well, but it seems to be related to /dev/urandom - entropy starvation maybe? # cat /proc/version Linux version 2.4.22-1.2115.nptlsmp (bhcompile.redhat.com) (gcc version 3.2.3 20030422 (Red Hat Linux 3.2.3-6)) #1 SMP Wed Oct 29 15:30:09 EST 2003 # rpm -q openssl openssl-0.9.7a-23 # rpm -q dovecot dovecot-0.99.10-6
Created attachment 100137 [details] my dovecot.conf I've had the same problem using Fedora core 1. My dovecot.conf is attached. [root@mail log]# rpm -q dovecot openssl openssl096 glibc dovecot-0.99.10-6 openssl-0.9.7a-33.10 openssl096-0.9.6-26 glibc-2.3.2-101.4
I do not experience this using a Rawhide version dovecot-0.99.10.4-3 under either Red Hat 9 or Fedora Core 1, but did experience it using the stock Fedora Core 1 package dovecot-0.99.10-6. I am also using SSL connectivity.
Those of you experiencing problems: Do you have more than one version of libssl installed? Strange crashes can occur if some applications/libraries use 0.9.6 and others use 0.9.7 concurrently - even if they are not linked together.
Adding Nalin to CC as he is the openssl maintainer and I want his input. In dovecot this error seems to be generated here: src/login-common/ssl-proxy-openssl.c line 447 /* PRNG initialization might want to use /dev/urandom, make sure it does it before chrooting. */ if (RAND_bytes(&buf, 1) != 1) i_fatal("RAND_bytes() failed: %s\n", ssl_last_error()); RAND_bytes is in the openssl library and if this fails dovecot fails so I don't think this is dovecot issue (or at least not yet). I briefly looked at the RAND_bytes implemtation all the all places where openssl generates "PRNG not seeded" error message but it was a bit opaque to me, Nalin I believe you own openssl, are you familar with this problem? Is there any reason to believe this is dovecot related, or is this a general failure of openssl?
# rpm -qa | grep -i ssl | sort openssl-0.9.7a-33.10 pyOpenSSL-0.5.1-11 There are just /lib/libssl.so.4 /lib/libssl.so.0.9.7a with /lib/libssl.so.4 -> libssl.so.0.9.7a. The RAND_bytes man page of the openssl-devel package says: "RAND_bytes() puts num cryptographically strong pseudo-random bytes into buf. An error occurs if the PRNG has not been seeded with enough randomness to ensure an unpredictable byte sequence." which seems to be the case here. Need some openssl expert on this matter. I tried to strace the whole thing, but after more than 3 weeks without the error I gave up. The above comment (written at the same time a mine) seems to point the right direction (IMHO).
http://dovecot.fi/list/dovecot/2004-May/003314.html http://dovecot.fi/list/dovecot/2004-May/003316.html (You may want to read the entire thread though...)
I tried using the rawhide version dovecot-0.99.10.4-3. It crashed 2 times within the first hour which isn't unsual. The I applied Timo's second patch (The one in 003316 above). After 24 hours no crashes :-) Since I would expect 5-10 crashes on a working day this looks promising!
http://www.redhat.com/archives/fedora-test-list/2004-May/msg01364.html dovecot-0.99.10.4-4 is what will be shipping in FC2, which contains three patches from Timo during last week. Unfortunately it seems at least one maildir user had new problems with -4 while -3 was fine. Due the maildir crash issue, and the SSL crash issue, it appears that we need to sort this stuff out and prepare a very well tested update for FC2 later this month.
I personally have been using this on FC1 with SSL with perfect stability through RH9 and FC1's lifetime. But now I realized that I am using my own custom vanilla upstream 2.4 kernel. This supports Timo's finding that this may be a problem with FC1's 2.4 kernel /dev/urandom. Nalin said something about running out of entropy. Any status update on this?
Well, the SSL related crash seems to be fixed with Timo's patch as I noted in comment #16. Now I have 8 days of uptime with it - it used to crash serveral times a day. It don't think the patch made it into the rpm yet though.
Timo, is that patch a proper general fix, or rather an ugly hack to workaround Fedora's openssl or kernel problem? Will future releases of dovecot contain that patch? Do you recommend FC's dovecot to be patched in that way?
It doesn't crash anymore, but I think it instead just fails SSL connections since it doesn't have enough entropy. I'm currently assuming this is all because Redhat kernel has some /dev/urandom change that makes it possible that read()ing it returns less bytes than requested. OpenSSL library then doesn't try reading more and fails instead. So the problem could be fixed in either of them. Maybe OpenSSL library fix would be better as it's logic currently is a bit broken.. There's this workaround: if (t.tv_usec == 10*1000) t.tv_usec=0; which is triggered with Linux every time as select() doesn't spend any time waiting for data and so tv_usec isn't updated. How about this attached patch.
Created attachment 100326 [details] OpenSSL random-patch
I think the /dev/urandom change isn't in the current FC2/3 2.6.x kernels so the patch is unnecessary.