Hi all,
I think I've found a small bug in how Dovecot logs SSL/TLS info. Basically, if I connect to the server using TLS, the logs have a lot of entries saying I used SSLv3 (which is not allowed). Here's my system info:
OSX Yosemite (x86_64, HFS+) Dovecot 2.2.15 (via Homebrew) OpenSSL 0.9.8zd
The configuration (see below) disallows SSLv3, and if I try and connect with OpenSSL to test that ("openssl s_client -connect localhost:993 -ssl3") it fails as expected. If I do the same command, but with "-tls1" instead of "-ssl3", I can connect and run IMAP commands. The problem is, if I open up the Dovecot logs and look at the SSL log messages, they all say I used SSLv3. As an example, this is a truncated log from when I connected to the server and immediately did a LOGOUT:
14:50:59 : master: Warning: Killed with signal 15 (by pid=1 uid=0
code=unknown 0)
14:51:03 : master: Dovecot v2.2.15 starting up for imap, lmtp (core dumps
disabled)
14:51:13 : imap-login: Debug: SSL: elliptic curve secp384r1 will be used
for ECDH and ECDHE key exchanges
14:51:13 --- last message repeated 1 time ---
14:51:13 : imap-login: Debug: SSL: where=0x10, ret=1: before/accept
initialization [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
initialization [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client
hello A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server
hello A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
certificate A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key
exchange A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server
done A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
[127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client
certificate A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client
key exchange A [127.0.0.1]
14:51:13 --- last message repeated 1 time ---
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client
key exchange A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished
A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session
ticket A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change
cipher spec A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
finished A [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
[127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
finished successfully [127.0.0.1]
14:51:13 : imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation
finished successfully [127.0.0.1]
14:51:19 : imap-login: Aborted login (no auth attempts in 6 secs): user=<>,
rip=127.0.0.1, lip=127.0.0.1, TLS, session=
The second to last line, which indicates I never tried to log in, correctly states that I used TLS. All the lines for SSL debugging, though, state I used SSL or SSLv3.
This is a test setup, so it accepts any mail from @example.com addresses over LMTP and allows any user to connect with the password "staticpassword". Here's the output of "dovecot -n":
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Darwin 14.3.0 x86_64 hfs default_client_limit = 50 default_internal_user = _dovecot default_login_user = _dovenull default_process_limit = 10 listen = 127.0.0.1 mail_gid = admin mail_location = mbox:/usr/local/etc/dovecot/mailboxes/%n mail_uid = [my username] namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = password=staticpassword driver = static } postmaster_address = postmaster at example.com protocols = imap lmtp service lmtp { inet_listener lmtp { address = 127.0.0.1 ::1 port = 24 } } ssl = required ssl_cert =