Connecting to dovecot with ssl3 causes imap-login to die:
$ openssl s_client -connect localhost:993 -ssl3
CONNECTED(00000003)
4277630796:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:SSL alert number 40
4277630796:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1426851034
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
syslog: Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
dovecot.conf had: ssl_protocols = !SSLv2 !SSLv3
Removing that line stops the core dump, and syslog then shows:
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<eqr1ubYRWgB/AAAB>
The "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
James.
# dovecot -n
# 2.2.16: /etc/opt/XXXX/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: SunOS 5.10 i86pc
auth_mechanisms = plain login digest-md5 cram-md5
base_dir = /var/opt/XXXX/dovecot/
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_trusted_networks = 111.222.333.444/24
mail_gid = vmail
mail_home = /XXXXXX/XXXX/%d/%n
mail_location = maildir:/XXXXX/XXXX/%d/%n/Maildir
mail_max_userip_connections = 20
mail_plugins = quota
mail_uid = vmail
mailbox_idle_check_interval = 10 secs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
passdb {
  args = /etc/opt/XXXX/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  fts_autoindex = yes
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+10%
  quota_warning = storage=90%% quota-warning 90 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=99%% quota-warning 99 %u
  sieve = /XXXXX/XXXX/%d/%n/dovecot.sieve
  sieve_dir = /XXXXX/XXXX/%d/%n/sieve
}
protocols = imap lmtp sieve
service auth {
  drop_priv_before_exec = yes
  unix_listener auth-client {
    mode = 0660
  }
  unix_listener auth-master {
    mode = 0600
  }
  user = root
}
service imap-login {
  chroot =
  drop_priv_before_exec = yes
  executable = imap-login -D
  service_count = 1
  user = dovecot
}
service lmtp {
  group = vmail
  unix_listener lmtp {
    mode = 0666
  }
  user = vmail
}
service quota-warning {
  executable = script /etc/opt/XXXX/dovecot/quota-warning
  user = vmail
}
ssl_cert = </etc/opt/XXXX/dovecot/dovecot.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_key = </etc/opt/XXXX/dovecot/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  driver = prefetch
}
userdb {
  args = /etc/opt/XXXX/dovecot/dovecot-sql.conf
  driver = sql
}
protocol lda {
  auth_socket_path = /var/opt/XXXX/dovecot/auth-master
  mail_plugins = quota sieve
  postmaster_address = postmaster@XXXXXXXX
  sendmail_path = /opt/XXXX/sbin/exim
}
protocol pop3 {
  mail_plugins = quota
}
protocol imap {
  mail_plugins = quota imap_quota
}
protocol lmtp {
  mail_plugins = quota sieve
  postmaster_address = postmaster@XXXXXX
  sendmail_path = /opt/XXXX/sbin/exim
}
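For anyone who wants to check the behaviour described above from the server side, here is a small probe script (an added example, not code from the post above or from Dovecot itself): it runs openssl s_client once per protocol version, classifies each result from the client output, and counts imap-login "killed with signal 11" entries in the log before and after the probes, so a rejected handshake that also kills the login process shows up as a crash rather than a clean refusal. The PROBE_HOST/PROBE_PORT/LOGFILE variables, the default log path and the set of openssl version flags are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post above: probe an IMAPS port with
# openssl s_client per protocol version and classify the result, then count
# imap-login SIGSEGV deaths in the mail log (the crash signature reported above).
# Assumptions: your openssl build accepts the -ssl3/-tls1* flags you pass
# (builds without SSLv3 refuse -ssl3 before connecting), and the Dovecot log
# is a plain file readable at $LOGFILE.

# classify_handshake reads s_client output on stdin and prints one word:
#   rejected  - the server (or local library) refused the version with an alert
#   accepted  - a session was negotiated with a real cipher
#   noconnect - TCP connect failed or nothing usable came back
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -E -q 'alert handshake failure|alert protocol version|unsupported protocol'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -E -q 'Cipher is [^(]'; then
        echo accepted
    else
        echo noconnect
    fi
}

# probe_proto HOST PORT FLAG: one s_client handshake; stdin is closed so the
# client exits right after the handshake succeeds or fails.
probe_proto() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# login_crashes LOGFILE: number of imap-login children killed with signal 11.
# A count that rises during a probe run means a refused handshake took the
# login process down with it, which is a bug to report, not a config issue.
login_crashes() {
    grep -c 'imap-login: Fatal: master: service(imap-login): child [0-9]* killed with signal 11' "$1" || true
}

# Run the probes only when a host is given, so the functions can be sourced.
if [ -n "${PROBE_HOST:-}" ]; then
    PORT=${PROBE_PORT:-993}
    LOGFILE=${LOGFILE:-/var/log/syslog}   # assumed default; adjust per host
    before=$(login_crashes "$LOGFILE")
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_proto "$PROBE_HOST" "$PORT" "$flag")"
    done
    after=$(login_crashes "$LOGFILE")
    echo "imap-login crashes during probes: $((${after:-0} - ${before:-0}))"
fi
```

Run it on the server itself as `PROBE_HOST=localhost LOGFILE=/path/to/maillog sh probe.sh`; every version you have disabled should print "rejected" and the crash count should stay at 0.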