[gnutls-help] GNUTLS_E_PREMATURE_TERMINATION error

Lavrentiev, Anton (NIH/NLM/NCBI) [C] lavr at ncbi.nlm.nih.gov
Mon May 5 15:51:26 CEST 2014


Just theorizing:

It may be that the SMTP server "optimizes" on connection closure immediately
following the 221 goodbye response (could you prove there was no 221 issued
by the server at all?): if the closure is not graceful (which otherwise would
leave a TIME_WAIT'd port per TCP, and thus would not be to the server's advantage),
the alternative is TCP abort, which injects TCP RST.  The RST may clobber
the sequence on the receiving end (the mail client), and cause all
preceding pending data to be dropped (SSL data with the encoded 221),
and EOF to be seen immediately.  So you get the premature termination.

P.S.  The server should have waited to see EOF from the client end in
response to the issued 221, then closed the connection (regular close in
this case would not have hurt: no TIME_WAIT on close acknowledgement).

P.P.S. You may be able to check the above scenario by using an unencrypted
connection (if the server allows), or by tracing the server execution (if you have
access to the server software).

Anton Lavrentiev
Contractor NIH/NLM/NCBI

> -----Original Message-----
> From: Polina Abramov [mailto:polinaa at image-vault.com]
> Sent: Monday, May 05, 2014 9:27 AM
> To: Nikos Mavrogiannopoulos
> Cc: gnutls-help at lists.gnutls.org
> Subject: Re: [gnutls-help] GNUTLS_E_PREMATURE_TERMINATION error
> 
> You are right, it was the alert message type, not the alert type.
> After some more investigation I now see what is happening but it is
> still unclear why.
> 
> When my SMTP client is done sending the email it issues SMTP QUIT
> message and waits for 221 reply which the server should issue based on
> SMTP standard. However for some unknown reason
> the client never receives that 221 reply, instead gnutls_record_recv()
> function returns GNUTLS_E_PREMATURE_TERMINATION. Seems like the server
> starts termination process without notifying the client.
> As a result of not receiving the expected 221 reply, our TLS session
> times out and that's when the alert to close the session is issued. So
> the alert that I am seeing is an expected behavior.
> The only thing that is unclear here is why don't I receive 221 reply to
> my QUIT message from gmail and hotmail servers.
> Any ideas about that?
> 
> Thanks,
> P.A.
> 
> 
> -----Original Message-----
> From: n.mavrogiannopoulos at gmail.com
> [mailto:n.mavrogiannopoulos at gmail.com] On Behalf Of Nikos
> Mavrogiannopoulos
> Sent: Friday, May 02, 2014 3:30 AM
> To: Polina Abramov
> Cc: gnutls-help at lists.gnutls.org
> Subject: Re: [gnutls-help] GNUTLS_E_PREMATURE_TERMINATION error
> 
> On Thu, May 1, 2014 at 8:20 PM, Polina Abramov <polinaa at image-vault.com>
> wrote:
> > Thanks!
> > I ran wireshark and it looks like at some point my client issues
> > Encrypted Alert 21. Is it something I should be worried about?
> 
> How did you see the alert type? (it is encrypted) What you've seen is
> probably the alert message type which is also 21.
> 
> In that case it is most probable that you're sending the close notify
> alert, that is the proper way to signal the termination of the TLS
> session. If that's the case you could ignore the premature termination
> errors as you already intended to terminate it.
> 
> regards,
> Nikos
> 
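
The close sequence the P.S. describes (send the 221, wait for the client's EOF, then close), sketched with plain POSIX sockets. This is an added example, not part of the original message and not code from any SMTP server; the function name `goodbye_and_close`, its timeout parameter and its return codes are assumptions. Draining before `close()` matters because common TCP stacks (Linux among them) answer a close on a socket that still holds unread data with an RST instead of a FIN.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: send the final reply, half-close, wait for the peer's
 * EOF (at most timeout_ms per wait), then close the descriptor.
 * Returns 0 if the peer's EOF was seen, 1 on timeout, -1 on error. */
int goodbye_and_close(int fd, const char *reply, int timeout_ms)
{
    size_t left = strlen(reply);
    int rc = -1;

    while (left > 0) {                      /* write the whole reply */
        ssize_t n = send(fd, reply, left, MSG_NOSIGNAL);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            goto out;
        }
        reply += n;
        left -= (size_t)n;
    }
    if (shutdown(fd, SHUT_WR) < 0)          /* FIN: nothing more from this side */
        goto out;

    for (;;) {                              /* drain input until the peer's EOF */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        char junk[512];
        int r = poll(&p, 1, timeout_ms);
        if (r == 0) { rc = 1; break; }      /* peer never closed: give up */
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        ssize_t n = recv(fd, junk, sizeof junk, 0);
        if (n == 0) { rc = 0; break; }      /* EOF: receive queue is empty */
        if (n < 0 && errno != EINTR)
            break;
    }
out:
    close(fd);                              /* no unread data left on success */
    return rc;
}
```

A return value of 1 means the client never closed its side within the timeout, so the final `close()` may still be abortive in that case.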


