[Dovecot] imap-login hangs after receiving revoked SSL certificate

Timo Sirainen tss at iki.fi
Mon Dec 2 18:19:37 EET 2013


On 2.12.2013, at 15.41, Алексей Прокопчук <alexpro at homelan.lg.ua> wrote:

> I use dovecot-2.1.16 on Gentoo Linux amd64.
> 
> All works fine with valid certificates. But if I submit a revoked
> certificate, dovecot doesn't send error or success messages to the mail
> client, the process 'imap-login' eats 100% CPU and completely hangs. Only
> SIGKILL can terminate it. When dovecot receives a revoked certificate,
> the following messages appear in the log:
> 
> ------------------
> Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate:
> certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
> Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different
> CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
> Dec  2 13:50:39 mail last message repeated 17950 times
> -------------------

What OpenSSL version are you using?

This looks like the same issue:

http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest

Where the fix is in:

http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe

Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
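
An added example, not part of the original message and not Dovecot or OpenSSL code: a log check that spots the symptom reported above, by counting "Invalid certificate" errors per login process and expanding syslog's "last message repeated N times" lines. The sample log is constructed from the quoted lines (unwrapped to one record per line); the function name, the threshold and the `year` parameter (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the log lines quoted in the report, one record per line.
SAMPLE_LOG = """\
Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec  2 13:50:39 mail last message repeated 17950 times
"""

RECORD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
CERT_ERR = re.compile(r"^dovecot: (\S+): Invalid certificate: ([^:]+):")


def find_cert_error_floods(log_text, threshold=1000, year=2013):
    """Return [(process, error, count, seconds)] for certificate errors whose
    total count, including syslog repeat lines, reaches the threshold."""
    stats = {}       # (process, error) -> [count, first_seen, last_seen]
    last_key = None  # key of the previous record, target of a repeat line
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue
        ts = datetime.strptime(f"{year} {rec.group(1)}", "%Y %b %d %H:%M:%S")
        msg = rec.group(3)
        rep = REPEAT.match(msg)
        err = CERT_ERR.match(msg)
        if rep and last_key:
            # syslog collapsed identical messages: credit them to the last error
            key, n = last_key, int(rep.group(1))
        elif err:
            key, n = (err.group(1), err.group(2)), 1
        else:
            last_key = None
            continue
        last_key = key
        entry = stats.setdefault(key, [0, ts, ts])
        entry[0] += n
        entry[2] = ts
    return [(proc, error, count, int((last - first).total_seconds()))
            for (proc, error), (count, first, last) in stats.items()
            if count >= threshold]


if __name__ == "__main__":
    for proc, error, count, secs in find_cert_error_floods(SAMPLE_LOG):
        print(f"{proc}: '{error}' logged {count} times in {secs}s")
```

On the sample this flags only the "Different CRL scope" error, the one that repeats while imap-login spins; the single "certificate revoked" line stays below the threshold.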


