[Dovecot] SSL renegotiation vulnerability

Steinar Bang sb at dod.no
Wed Oct 26 11:43:39 EEST 2011


>>>>> Steinar Bang <sb at dod.no>:
>>>>> Timo Sirainen <tss at iki.fi>:

>> I don't know if I'm doing something wrong, but I can't even cause a
>> DoS. Even while all imap-login processes are eating 100% CPU (almost
>> 500 handshakes/second), I can successfully log in with another client.

> Are you using the tool linked to in the article, to stress the server?
>   http://www.thc.org/thc-ssl-dos/

Here's what the article says about stressing dovecot:
 "All server services that use SSL can in principle be affected.
  Digi.no has tested the tool against an older, internal server running
  Linux. The attack against Apache/HTTPD was unsuccessful, because SSL
  Renegotiation was disabled by default. But an attack against a
  POP3S-based (encrypted e-mail) service delivered by the server
  software Dovecot drove the CPU load through the roof with over a
  thousand «handshakes» per second. The attack did not make the whole
  machine unavailable, but the POP3S service was in practice unusable
  for as long as the attack lasted."

A quick translate:
  All services using SSL can be affected.  Digi.no has tested the tool
  against an old, internal server running Linux.  The attack against
  Apache httpd failed, because SSL Renegotiation was deactivated by
  default.  But an attack against a POP3S (encrypted email) service
  delivered by the server program Dovecot ran the CPU load through the
  roof with over a thousand "handshakes" per second.  The attack didn't
  cause the computer to be inaccessible, but the POP3S service was
  unusable for the duration of the attack.

So it looks like they didn't test IMAPS access, only POP3S.
