Bug 125354

Summary: net-mail/courier-imap - couriertls errors while having a huge load with selinux
Product: Gentoo Linux
Reporter: gentoo
Component: Current packages
Assignee: Robin Johnson <robbat2>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: High
Version: unspecified
Hardware: AMD64
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description gentoo 2006-03-07 06:34:43 UTC
since the last update (both courier-authlib and openssl) we're having some problems with the tls connections for imap and pop3. normally the users can connect without any problems to imap-ssl and pop3-ssl. sometimes there are some lonely errors in the logfile like below. but if i'm emerging some updates no user can get connected to those anymore (imap and pop3 non ssl still work well) and the logs get filled with the errors below:

---
Mar  7 15:04:30 server1 pop3d-ssl: couriertls: accept: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar  7 15:04:31 server1 pop3d-ssl: couriertls: accept: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar  7 15:05:53 server1 pop3d-ssl: couriertls: connect: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
---

and i'm not emerging something which would affect the running courier-imap. 

so as the errors appear sometimes and while i'm emerging and therefore the server is under some load i assume that there is maybe a problem with the tls while the host is under some load. well i don't know really why this should affect it, but this is currently the only explanation i have and i can reproduce it with every emerge i do.

Comment 1 gentoo 2006-03-07 06:36:46 UTC
ah btw this might be interesting information: i'm using a gentoo-hardened with selinux enabled, and if selinux is disabled this problem doesn't appear even under some load. so maybe it has some problems under selinux and some load.

Comment 2 petre rodan (RETIRED) gentoo-dev 2006-04-13 10:06:38 UTC
do you receive any avc deny that would make selinux the culprit?

and what does 
cat /proc/sys/kernel/random/entropy_avail
return when you encounter that problem?

Comment 3 gentoo 2006-05-03 14:11:07 UTC
fixed it with uncommenting the don't audit of selinux, then saw that there was sometimes a problem accessing /dev/random, now recompiled it with using /dev/urandom (which should be enough for pop3s and imaps)

anyway about the question of entropy: always very deep: around 200 or so. looking for solutions to increase that. (not yet found)
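
The check asked for in Comment 2 (is an AVC denial behind the couriertls errors?), as an added example that is not part of the bug report: it counts the `140B544E` couriertls errors per minute and lists any denial logged for `couriertls` on the random devices in the same minute. The AVC lines, their SELinux types, and the names `SAMPLE_LOG` and `correlate` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the couriertls error text is the one quoted in the report;
# the AVC lines (pids, inodes, SELinux types) are made up for illustration.
SAMPLE_LOG = """\
Mar  7 15:04:30 server1 pop3d-ssl: couriertls: accept: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar  7 15:04:30 server1 kernel: audit(1141743870.123:45): avc:  denied  { read } for  pid=4321 comm="couriertls" name="random" dev=tmpfs ino=1234 scontext=system_u:system_r:courier_pop_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Mar  7 15:04:31 server1 pop3d-ssl: couriertls: accept: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
Mar  7 15:04:40 server1 kernel: audit(1141743880.456:46): avc:  denied  { getattr } for  pid=999 comm="emerge" name="random" dev=tmpfs ino=1234 scontext=system_u:system_r:portage_t tcontext=system_u:object_r:random_device_t tclass=chr_file
Mar  7 15:05:53 server1 pop3d-ssl: couriertls: connect: error:140B544E:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed
"""

# syslog timestamp, host, service, then the couriertls session-id failure
TLS_ERR = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+: couriertls: \w+: error:140B544E:')
# kernel AVC denial: permissions, denied command, object name, object class
AVC = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*avc:\s+denied\s+\{(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)".*?tclass=(?P<tclass>\w+)')

RANDOM_DEVICES = ("random", "urandom")


def minute(ts):
    """Drop the seconds so events can be bucketed per minute."""
    return ts[:-3]


def correlate(log):
    """Map each minute with couriertls errors to its error count and to the
    random-device denials logged for couriertls in that same minute."""
    tls_errors = Counter()
    denials = {}
    for line in log.splitlines():
        m = TLS_ERR.match(line)
        if m:
            tls_errors[minute(m["ts"])] += 1
            continue
        m = AVC.match(line)
        if m and m["comm"] == "couriertls" and m["name"] in RANDOM_DEVICES:
            denials.setdefault(minute(m["ts"]), set()).add(
                (m["name"], m["perms"].strip()))
    return {mn: {"tls_errors": n, "denials": sorted(denials.get(mn, ()))}
            for mn, n in sorted(tls_errors.items())}


if __name__ == "__main__":
    for mn, info in correlate(SAMPLE_LOG).items():
        print(mn, info)
```

Denials covered by a dontaudit rule are never logged, so a minute with errors and an empty denial list does not clear SELinux until those rules are being audited.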