Good time of the day!
My English is not very good, excuse me if I said something wrong.
I use dovecot-2.1.16 on Gentoo Linux amd64.
I need to set up dovecot (IMAP and POP3) for SSL and non-SSL connections simultaneously. For SSL connections the client must submit a valid SSL certificate. Now the SSL part of dovecot.conf looks like this:

  ssl = yes
  ssl_cert = </etc/ssl/dovecot/dovecot.pem
  ssl_key = </etc/ssl/dovecot/dovecot.pem
  ssl_ca = </etc/ssl/ca/ca.pem
  ssl_verify_client_cert = yes
  auth_ssl_require_client_cert = yes

  protocol !smtp {
    auth_ssl_require_client_cert = yes
  }
All works fine with valid certificates. But if I submit a revoked certificate, dovecot doesn't send an error or success message to the mail client; the 'imap-login' process eats 100% CPU and completely hangs. Only SIGKILL can terminate it. When dovecot receives a revoked certificate, the following messages appear in the log:

  Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
  Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
  Dec 2 13:50:39 mail last message repeated 17950 times
If I'm not mistaken, in the case of a revoked certificate submission, dovecot must simply answer "SSL error" or "permission denied" to the client and close the connection, but according to the log, it tries to check the certificate again and again in an infinite loop.
I can't understand for now: did I misconfigure something, or is it a bug?
Thanks for your attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
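An added example, not from the original post or from dovecot itself, showing how a log monitor could catch the runaway rejection loop described above: it parses syslog lines in the format the post shows, expands syslog's "last message repeated N times" summary, and flags any login process that rejects a client certificate far more often than a handful of normal rejections would produce. The sample log lines and the threshold of 100 are constructed for the example.

```python
import re
from collections import Counter

# Syslog line layout as in the post: "<month> <day> <time> <host> <rest>".
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# dovecot's rejection line: "dovecot: imap-login: Invalid certificate: <reason>: <subject DN>"
INVALID_RE = re.compile(r"dovecot: (?P<proc>[\w-]+-login): Invalid certificate: (?P<reason>[^:]+):")
# syslog's suppression summary for identical consecutive messages
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Constructed sample log, modelled on the lines quoted in the post.
SAMPLE_LOG = [
    "Dec  2 13:50:20 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, TLS",
    "Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=Example/OU=Users/CN=client1",
    "Dec  2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=Example root CA/O=Example",
    "Dec  2 13:50:39 mail last message repeated 17950 times",
]


def count_invalid_cert_events(lines):
    """Return {(login process, reason): count} over the given syslog lines,
    crediting 'last message repeated N times' to the preceding rejection line."""
    counts = Counter()
    last_key = None  # key of the previous line if it was a rejection, else None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        rep = REPEAT_RE.search(rest)
        if rep:
            if last_key is not None:  # the repeated message was a rejection
                counts[last_key] += int(rep.group("n"))
            continue
        inv = INVALID_RE.search(rest)
        if inv:
            last_key = (inv.group("proc"), inv.group("reason"))
            counts[last_key] += 1
        else:
            last_key = None  # a different message broke the repeat run
    return counts


def runaway_cert_rejections(lines, threshold=100):
    """Return the (process, reason) pairs whose rejection count reaches the
    threshold; a genuine rejection is a few lines per connection, thousands
    within seconds indicate a login process stuck re-verifying the same cert."""
    return sorted(k for k, n in count_invalid_cert_events(lines).items() if n >= threshold)


if __name__ == "__main__":
    for proc, reason in runaway_cert_rejections(SAMPLE_LOG):
        print(f"ALERT: {proc} looping on '{reason}'")
```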