[Dovecot] imap-login hangs after receiving revoked SSL certificate

Mon Dec 2 15:41:42 EET 2013

Good time of the day!

My English is not very good, excuse me if I said something wrong.

I use dovecot-2.1.16 on Gentoo Linux amd64.

I need to setup dovecot (imap and pop3) for SSL and non-SSL connection
simultaneously. For SSL connections client must submit a valid SSL
certificate. Now SSL part of dovecot.conf looks like this:

-----------------
ssl = yes
ssl_cert = </etc/ssl/dovecot/dovecot.pem
ssl_key = </etc/ssl/dovecot/dovecot.pem
ssl_ca = </etc/ssl/ca/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

protocol !smtp {
    auth_ssl_require_client_cert = yes
}
-----------------

All works fine with valid certificates. But if I submit revoked
certificate, dovecot doesn't send error or success messages to mail
client, process 'imap-login' eats 100% CPU and completely hangs. Only
SIGKILL can terminate it. When dovecot receives revoked certificate,
following messages appears in the log:

------------------
Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate:
certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different
CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec  2 13:50:39 mail last message repeated 17950 times
-------------------
If I'm not mistaken, in case of revoked certificate submission, dovecot
must simply answer "SSL error" or "permission denied" to client and
close connection, but according to log, it tries to check certificate
again and again and do it in infinite loop.

I can't understand for now - I misconfigured something or it's a bug?

Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)