Irssi: SSL_do_accept failed does not properly disconnect

Created on 17 Dec 2014  路  5Comments  路  Source: irssi/irssi

When connecting to an IRCd where the SSL accept fails (e.g. currently ssl.irc.atw-inter.net port 6697) the network is not officially set to disconnected state, but remains in a limbo state.

14:20:25 [ircnet] :::: Irssi: Looking up ssl.irc.atw-inter.net
14:20:26 [ircnet] :::: Irssi: Connecting to ssl.irc.atw-inter.net [94.125.182.253] port 6697
14:20:26 [ircnet] :::: Irssi: Connection to ssl.irc.atw-inter.net established
14:20:26 [ircnet] :::: ERROR Closing Link: [email protected]

Version is 0.8.18-head (20141027). This may have lead to another bug I am filing separately (server != null checks failing)

bug help wanted tls
Source
picture ranieuwe

All 5 comments

I've had some really interesting funkyness with IRCnet and SSL, but I've never had a chance to debug it.

ahf picture ahf on 18 Dec 2014

Would it be possible to get either a tcpdump or a reliable way of reproducing this (e.g. an openssl s_server invocation that will result in a suitably broken server)? It seems like that server is fixed now so I'm not sure exactly how it was broken.

dgl picture dgl on 19 Dec 2014

Looks like it might be related to #130 (?)

LemonBoy picture LemonBoy on 23 Nov 2015

irssi never had an SSL_do_accept() function AFAICT nor do I see it in OpenSSL. Maybe it was a function in the server.

The error message shown appears to be one the server sent (ERROR :Closing Link[etc]\r\n). I suspect what happened was the server sent this ERROR message and didn't close the connection (as would be the norm). So the connection was open but inactive.

I tested with irssi using master as of today and one from the time of the report (688fc817dd9958f66e3be603dd0ee8ecc97d649d) with a small dummy server: https://gist.github.com/horgh/68b9ad83a216be9c2b9973f37a6d531a.

If I don't close the connection on the server side, irssi keeps the connection open with nothing happening.

So this looks like a server problem mainly. (It happens with plaintext connections too).

On irssi's side we could do a few things:

  1. Disconnect when we see an ERROR message. This seems probably too aggressive. Although I believe they are normally fatal messages from servers I don't know if that's always the case.
  2. Have some kind of timeout for how long we keep a connection open but not registered (maybe there is one already?) and disconnect if we hit that timeout.
  3. Do nothing and don't connect to misbehaving servers like this.

Actually I just kept the connection open while writing this. After 5 minutes irssi disconnected (and then reconnected). So it looks like option 2 is already there.

I'd opt for closing this.

horgh picture horgh on 9 Oct 2018
👍1

Wow SSL_do_accept really doesn't exist anywhere, not even in ircd 2.11.2p3. Google results are this issue, "burp" (a backup thing), "irods" (a data management thing), and a 2004 mailing list message from a very obviously spanish person who inexplicably tries to use SSL_new_accept and SSL_do_accept to start a server and doesn't understand why the linker can't find those symbols.

Unrelatedly I love this:

printf( "隆隆隆隆隆 ERROR: %s !!!!!\n", msg );

But yeah uh. Weirdddd. That server definitely had its own ssl patches which are likely lost to time now.

Anyway thanks for digging this one @horgh. I agree, if irssi timeouts that's doing as much as it can do, so closing this.

dequis picture dequis on 9 Oct 2018
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

wodim picture wodim  路  10Comments
lewisrobbins picture lewisrobbins  路  19Comments
ailin-nemui picture ailin-nemui  路  17Comments
fratertenc picture fratertenc  路  7Comments
spaghetti2514 picture spaghetti2514  路  47Comments