On 2.12.2013, at 15.41, Алексей Прокопчук alexpro@homelan.lg.ua wrote:
I use dovecot-2.1.16 on Gentoo Linux amd64.
All works fine with valid certificates. But if I submit a revoked certificate, dovecot doesn't send error or success messages to the mail client, process 'imap-login' eats 100% CPU and completely hangs. Only SIGKILL can terminate it. When dovecot receives a revoked certificate, the following messages appear in the log:
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 2 13:50:39 mail last message repeated 17950 times
What OpenSSL version are you using?
This looks like the same issue:
http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
Where the fix is in:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9c...
Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
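
Added example, not part of the original thread and not Dovecot or OpenSSL code: a log check that flags the symptom reported above, where syslog collapses the flood of certificate errors into a single "last message repeated N times" line. It assumes the classic syslog line format seen in the quoted log; the function name, the threshold of 1000 and the fourth sample line are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-3 come from the log quoted in the thread; line 4 is a constructed
# example of a normal, single rejection that must not be flagged.
SAMPLE_LOG = """\
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 2 13:50:39 mail last message repeated 17950 times
Dec 2 13:51:02 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=Example/CN=Constructed User
"""

LINE = re.compile(r"^\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s(.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")
CERT_ERR = re.compile(r"^dovecot: (\S+-login): Invalid certificate: (.*)$")


def find_verify_loops(log_text, threshold=1000):
    """Return [((host, process, error), count)] for certificate errors that a
    login process logged at least `threshold` times, counting the repeats that
    syslog compressed into "last message repeated N times"."""
    counts = Counter()
    last = {}  # host -> key of the previous message from that host (or None)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, rest = m.groups()
        rep = REPEAT.match(rest)
        if rep:
            # The repeat line refers to the previous message from this host.
            key = last.get(host)
            if key:
                counts[key] += int(rep.group(1))
            continue
        err = CERT_ERR.match(rest)
        key = (host, err.group(1), err.group(2)) if err else None
        last[host] = key
        if key:
            counts[key] += 1
    return [(k, n) for k, n in counts.items() if n >= threshold]


if __name__ == "__main__":
    for (host, proc, error), n in find_verify_loops(SAMPLE_LOG):
        print(f"{host} {proc}: {n} x {error}")
```

Counting only literal log lines would miss the loop here, because the 17950 repeats occupy one line of the file.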