[Dovecot] imap-login hangs after receiving revoked SSL certificate
Good time of the day!
My English is not very good, excuse me if I said something wrong.
I use dovecot-2.1.16 on Gentoo Linux amd64.
I need to set up dovecot (imap and pop3) for SSL and non-SSL connections simultaneously. For SSL connections the client must submit a valid SSL certificate. Now the SSL part of dovecot.conf looks like this:
ssl = yes
ssl_cert = </etc/ssl/dovecot/dovecot.pem
ssl_key = </etc/ssl/dovecot/dovecot.pem
ssl_ca = </etc/ssl/ca/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes

protocol !smtp {
  auth_ssl_require_client_cert = yes
}
Everything works fine with valid certificates. But if I submit a revoked certificate, dovecot doesn't send an error or success message to the mail client, the 'imap-login' process eats 100% CPU and completely hangs. Only SIGKILL can terminate it. When dovecot receives a revoked certificate, the following messages appear in the log:

Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 2 13:50:39 mail last message repeated 17950 times
If I'm not mistaken, when a revoked certificate is submitted, dovecot should simply answer "SSL error" or "permission denied" to the client and close the connection, but according to the log it tries to check the certificate again and again, in an infinite loop.

For now I can't tell whether I misconfigured something or it's a bug.
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
On 2.12.2013, at 15.41, Алексей Прокопчук <alexpro@homelan.lg.ua> wrote:
> I use dovecot-2.1.16 on Gentoo Linux amd64.
>
> Everything works fine with valid certificates. But if I submit a revoked certificate, dovecot doesn't send an error or success message to the mail client, the 'imap-login' process eats 100% CPU and completely hangs. Only SIGKILL can terminate it. When dovecot receives a revoked certificate, the following messages appear in the log:
>
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
> Dec 2 13:50:39 mail last message repeated 17950 times
What OpenSSL version are you using?
This looks like the same issue:
http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
Where the fix is in:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9c...
Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
Hello again. 02.12.2013 18:19, Timo Sirainen wrote:
> What OpenSSL version are you using?
>
> This looks like the same issue:
> http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest
>
> Where the fix is in:
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9c...
>
> Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.
I was using openssl version 1.0.1c when I wrote the first message. Following your advice, I tried to apply the patch from the fix above to openssl-1.0.1e. Now there are no hangs, but dovecot treats every user certificate as invalid. And very interesting: first dovecot reports that the certificate is invalid, and immediately thereafter reports that the same certificate is valid. And finally it reports "client sent an invalid cert". I have my own test CA based on EJBCA. The server certificate and all client certificates which I tried to test were issued by this CA. The freshest CRL is embedded into the ca.pem file which is used as the CA certificate in dovecot.conf. Here is the log:

Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Invalid certificate: unable to get certificate CRL: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 3 00:10:25 mail dovecot: imap-login: Valid certificate: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 3 00:10:25 mail dovecot: imap-login: Disconnected (client sent an invalid cert): user=<>, method=PLAIN, rip=192.168.200.55, lip=192.168.200.1, TLS, session=<K6FgcpTsAgDAqMg3>

Now I'm quite confused: apache works with these certificates as expected: it accepts valid ones and refuses revoked ones. But dovecot, which yesterday accepted at least one certificate (which I then revoked for testing), today rejects all the others from the same CA.
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
Hello again. 03.12.2013 00:41, Алексей Прокопчук wrote:
> I have my own test CA based on EJBCA. The server certificate and all client certificates which I tried to test were issued by this CA. The freshest CRL is embedded into the ca.pem file which is used as the CA certificate in dovecot.conf.
>
> Now I'm quite confused: apache works with these certificates as expected: it accepts valid ones and refuses revoked ones. But dovecot, which yesterday accepted at least one certificate (which I then revoked for testing), today rejects all the others from the same CA.

Thanks for your attention, and excuse me for taking up your time. The problem was in the CRL generated by EJBCA. Apparently EJBCA and OpenSSL are not entirely compatible. When I remove the CRL distribution point field from my EJBCA-generated CRL, everything works as expected: valid certificates are accepted, revoked certificates are rejected. And there is no problem with CRL scope, so the fix from the first reply isn't needed; everything works with the initially installed openssl-1.0.1c.
With regard to apache, I think it checks certificate validity with OCSP, and I don't embed the CRL in the CA certificate for apache. Perhaps it would be nice to implement OCSP validity checking alongside the embedded CRL, with the possibility to choose which one will be used.

Thanks again, especially for the hint about the openssl scope loop problem.
With best regards, Alexey Prokopchuk (AP8686-RIPE)
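An added example, not code from this thread or from Dovecot, that rebuilds with the openssl CLI the check OpenSSL performs on a client certificate when the CA file (ssl_ca in the thread) holds the CA certificate with the CRL appended. It builds a throwaway CA, issues three client certificates, revokes one, and generates two CRLs with the same revocation list: a plain one and one carrying an issuingDistributionPoint extension, which is how I read the "CRL distribution point field" the poster removed from the EJBCA CRL. OpenSSL only treats a CRL as in scope for a certificate if the certificate has no crlDistributionPoints and the CRL has no issuing distribution point, or the two name the same distribution point; otherwise it reports "Different CRL scope". The alice, bob and carol subjects, file names and the crl.example.test URI are made up for the demonstration, and `openssl verify -crl_check` is used as the closest stand-alone equivalent of the TLS-time verification (it checks the leaf certificate only).

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot. It rebuilds, with the
# openssl CLI alone, the CRL check OpenSSL performs on a client certificate when
# the CA file holds the CA certificate with the CRL appended, and reproduces the
# three diagnostics seen in the thread's logs. All subjects, file names and the
# crl.example.test URI are made up for the demonstration.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/newcerts"; : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
cd "$WORK"; CNF="$WORK/ca.cnf"

# Minimal config for "openssl req" and "openssl ca"; $WORK expands to absolute paths.
cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ v3_client_cdp ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://crl.example.test/root.crl
[ crl_idp ]
issuingDistributionPoint = critical, @idp_uri
[ idp_uri ]
fullname = URI:http://crl.example.test/root.crl
EOF

# Self-signed test CA.
openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example Root CA" -days 2 2>/dev/null

issue_cert() {   # $1 = file stem and CN, $2 = extension section
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -batch -notext -config "$CNF" -extensions "$2" -in "$1.csr" \
        -out "$1.crt" 2>/dev/null
}
issue_cert alice v3_client       # valid; no CRL distribution point in the cert
issue_cert bob   v3_client       # revoked below
issue_cert carol v3_client_cdp   # valid; cert names the CRL's distribution point

openssl ca -config "$CNF" -revoke bob.crt 2>/dev/null
openssl ca -config "$CNF" -gencrl -out crl-plain.pem 2>/dev/null
# Same revocations, but with an Issuing Distribution Point extension: a
# "CRL distribution point field" inside the CRL, as the thread describes.
openssl ca -config "$CNF" -gencrl -crlexts crl_idp -out crl-idp.pem 2>/dev/null

# Bundles in the layout ssl_ca expects: CA certificate first, then the CRL.
cp ca.crt bundle-nocrl.pem
cat ca.crt crl-plain.pem > bundle-plain.pem
cat ca.crt crl-idp.pem > bundle-idp.pem

crl_check_result() {   # $1 = bundle, $2 = client cert; prints a one-word verdict
    out="$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1 || true)"
    case "$out" in
        *"certificate revoked"*)           echo revoked ;;
        *"ifferent CRL scope"*)            echo scope-mismatch ;;
        *"unable to get certificate CRL"*) echo no-crl ;;
        *": OK"*)                          echo accepted ;;
        *)                                 echo other ;;
    esac
}

crl_has_idp() {   # true if the CRL carries an Issuing Distribution Point extension
    openssl crl -in "$1" -noout -text | grep -q "Issuing Distr"
}

for c in alice bob carol; do
    for b in bundle-nocrl bundle-plain bundle-idp; do
        printf '%-6s %-13s %s\n' "$c" "$b" "$(crl_check_result "$b.pem" "$c.crt")"
    done
done
```

Against the plain CRL, alice is accepted and bob is reported revoked; against the CA certificate alone, every certificate fails with "unable to get certificate CRL", because CRL checking was requested but no CRL is available; against the CRL with the issuing distribution point, alice fails with the scope error even though she is not revoked, while carol, whose certificate names that same distribution point, is accepted. Running `crl_has_idp` on the two CRL files is the quick way to tell which kind of CRL a CA has handed you before blaming the server.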
participants (2)
- Timo Sirainen
- Алексей Прокопчук