On 24/04/15 18:17, Hanno Böck wrote:
Hi,
I tracked down a tricky bug in dovecot that can cause the imap-login and pop3-login processes to crash on handshake failures. This can be tested by disabling SSLv3 in the dovecot config (ssl_protocols = !SSLv2 !SSLv3) and trying to connect with openssl and forced sslv3 (openssl s_client -ssl3 -connect localhost:995). This would cause a crash.
I couldn't reproduce that on a fully patched CentOS 6.6 box:
[root@correio ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root@correio ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@correio ~]# dovecot --version
2.2.16
(compiled from sources, not from any binary package)
[root@correio ~]# grep ssl_proto /etc/dovecot/extras/10-ssl.conf
ssl_protocols = !SSLv2 !SSLv3
From the dovecot logs when running the openssl command:
Apr 24 21:36:38 correio dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: Disconnected
Don't know if it matters, but I'm running signed certificates from RapidSSL, not self-signed ones.
The openssl command returns an error, but I see no crash at all:
[root@correio ~]# openssl s_client -ssl3 -connect localhost:995
CONNECTED(00000003)
140022021363528:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
140022021363528:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1429922121
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
[root@correio ~]#
--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes@solutti.com.br
My SPAMTRAP, do not email it
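To script the check Hanno describes (disable SSLv3, probe with `openssl s_client -ssl3`), here is an added shell helper that is not part of the thread: it classifies the s_client output so a "server correctly refused SSLv3" result (alert 40, as in Leonardo's output above) is told apart from a connection that simply went away, which is what a crashed login process would look like. The `probe_sslv3` wrapper assumes an OpenSSL build that still accepts `-ssl3`, as the 1.0.1e build above does; the sample output embedded below is copied from the session in this message.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread.
# classify_s_client reads "openssl s_client" output on stdin and prints one word:
#   unreachable - no TCP connection at all
#   refused     - server answered with alert 40 (handshake_failure):
#                 SSLv3 is disabled and the login process stayed alive
#   negotiated  - an SSLv3 session with a real cipher came up (SSLv3 still enabled)
#   dropped     - connected, but no alert and no cipher: the peer vanished
#                 mid-handshake, the symptom a crashed login process would show
classify_s_client() {
    out=$(cat)
    case "$out" in
        *"CONNECTED("*) ;;
        *) echo unreachable; return 0 ;;
    esac
    case "$out" in
        *"alert handshake failure"*|*"alert number 40"*) echo refused; return 0 ;;
    esac
    case "$out" in
        *"Cipher is (NONE)"*) echo dropped ;;
        *"Cipher is "*)       echo negotiated ;;
        *)                    echo dropped ;;
    esac
}

# Live probe against host:port (assumes openssl with SSLv3 support is installed).
probe_sslv3() {
    openssl s_client -ssl3 -connect "$1" </dev/null 2>&1 | classify_s_client
}

# Sample copied from the s_client session quoted in this message (constructed
# test input; the lines were only trimmed to what the classifier needs).
SAMPLE_REFUSED='CONNECTED(00000003)
140022021363528:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
New, (NONE), Cipher is (NONE)'

printf '%s\n' "$SAMPLE_REFUSED" | classify_s_client   # prints: refused
```

For the real check, run `probe_sslv3 localhost:995` and then a plain `openssl s_client -connect localhost:995` to confirm the listener still answers afterwards.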