imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
Connecting to dovecot with ssl3 causes imap-login to die:
$ openssl s_client -connect localhost:993 -ssl3
CONNECTED(00000003)
4277630796:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:SSL alert number 40
4277630796:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1426851034
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
syslog: Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
dovecot.conf had: ssl_protocols = !SSLv2 !SSLv3
removing that line stops the core dump and syslog then shows:
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login:
Disconnected (disconnected before auth was ready, waited 0 secs):
user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept()
failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported
protocol, session=
the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
James.
# dovecot -n
# 2.2.16: /etc/opt/XXXX/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: SunOS 5.10 i86pc
auth_mechanisms = plain login digest-md5 cram-md5
base_dir = /var/opt/XXXX/dovecot/
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_trusted_networks = 111.222.333.444/24
mail_gid = vmail
mail_home = /XXXXXX/XXXX/%d/%n
mail_location = maildir:/XXXXX/XXXX/%d/%n/Maildir
mail_max_userip_connections = 20
mail_plugins = quota
mail_uid = vmail
mailbox_idle_check_interval = 10 secs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
passdb {
  args = /etc/opt/XXXX/dovecot/dovecot-sql.conf
  driver = sql
}
plugin {
  fts_autoindex = yes
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Trash:storage=+10%
  quota_warning = storage=90%% quota-warning 90 %u
  quota_warning2 = storage=95%% quota-warning 95 %u
  quota_warning3 = storage=99%% quota-warning 99 %u
  sieve = /XXXXX/XXXX/%d/%n/dovecot.sieve
  sieve_dir = /XXXXX/XXXX/%d/%n/sieve
}
protocols = imap lmtp sieve
service auth {
  drop_priv_before_exec = yes
  unix_listener auth-client {
    mode = 0660
  }
  unix_listener auth-master {
    mode = 0600
  }
  user = root
}
service imap-login {
  chroot =
  drop_priv_before_exec = yes
  executable = imap-login -D
  service_count = 1
  user = dovecot
}
service lmtp {
  group = vmail
  unix_listener lmtp {
    mode = 0666
  }
  user = vmail
}
service quota-warning {
  executable = script /etc/opt/XXXX/dovecot/quota-warning
  user = vmail
}
ssl_cert =
On 20 Mar 2015, at 13:59, James lista@xdrv.co.uk wrote:
Connecting to dovecot with ssl3 causes imap-login to die:
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
I can't reproduce it. I tried it with the same ssl_* settings you had. Can you get a gdb backtrace from the crash? It says "core dumped", so I guess there should be a core file somewhere. http://dovecot.org/bugreport.html has some more info on how to get it.
dovecot.conf had: ssl_protocols = !SSLv2 !SSLv3
removing that line stops the core dump and syslog then shows:
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=
the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
All these ssl_* settings just go to OpenSSL without Dovecot (or I) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).
On 20/03/2015 18:24, Timo Sirainen wrote:
Connecting to dovecot with ssl3 causes imap-login to die:
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
I can't reproduce it. I tried it with the same ssl_* settings you had. Can you get a gdb backtrace from the crash? It says "core dumped", so I guess there should be a core file somewhere. http://dovecot.org/bugreport.html has some more info on how to get it.
Thank you for your interest, here is a dbx trace. This was with OpenSSL 1.0.2a.
(dbx) where
=>[1] ssl3_get_client_hello(s = 0x809b2a0) (optimized), at 0xfe9db0d5
(line ~1362) in "s3_srvr.c"
[2] ssl3_accept(s = 0x809b2a0) (optimized), at 0xfe9d9892 (line ~357)
in "s3_srvr.c"
[3] SSL_accept(s = 0x809b2a0) (optimized), at 0xfea09f07 (line ~990)
in "ssl_lib.c"
[4] ssl_handshake(proxy = 0x809ba38) (optimized), at 0xfee35c18 (line
~481) in "ssl-proxy-openssl.c"
[5] ssl_step(proxy = 0x809ba38) (optimized), at 0xfee35ee0 (line
~545) in "ssl-proxy-openssl.c"
[6] ssl_proxy_flush(proxy = 0x809ba38) (optimized), at 0xfee3680c
(line ~817) in "ssl-proxy-openssl.c"
[7] ssl_proxy_destroy(proxy = 0x809ba38) (optimized), at 0xfee3686b
(line ~825) in "ssl-proxy-openssl.c"
[8] ssl_handle_error(proxy = 0x809ba38, ret = -1, func_name =
0xfee3b2d8 "SSL_accept()") (optimized), at 0xfee35bc0 (line ~465) in
"ssl-proxy-openssl.c"
[9] ssl_handshake(proxy = 0x809ba38) (optimized), at 0xfee35cc9 (line
~483) in "ssl-proxy-openssl.c"
[10] ssl_step(proxy = 0x809ba38) (optimized), at 0xfee35ee0 (line
~545) in "ssl-proxy-openssl.c"
[11] ssl_proxy_start(proxy = 0x809ba38) (optimized), at 0xfee36341
(line ~685) in "ssl-proxy-openssl.c"
[12] client_connected_finish(conn = 0x8047ae0) (optimized), at
0xfee31d62 (line ~151) in "main.c"
[13] client_connected(conn = 0x8047ae0) (optimized), at 0xfee32148
(line ~246) in "main.c"
[14] master_service_listen(l = 0x8096b30) (optimized), at 0xfecfac7e
(line ~837) in "master-service.c"
[15] io_loop_call_io(io = 0x8096bd0) (optimized), at 0xfeda764b (line
~501) in "ioloop.c"
[16] io_loop_handler_run_internal(ioloop = 0x8071d70) (optimized), at
0xfedaa419 (line ~211) in "ioloop-poll.c"
[17] io_loop_handler_run(ioloop = 0x8071d70) (optimized), at
0xfeda77be (line ~548) in "ioloop.c"
[18] io_loop_run(ioloop = 0x8071d70) (optimized), at 0xfeda7711 (line
~525) in "ioloop.c"
[19] master_service_run(service = 0x8071cb8, callback = 0xfee32040 =
&libdovecot-login.so.0.0.0
main.c`client_connected(struct
master_service_connection *conn)) (optimized), at 0xfecfa3d7 (line ~569)
in "master-service.c"
[20] login_binary_run(binary = 0x8068c50, argc = 2, argv = 0x8047d4c)
(optimized), at 0xfee3294a (line ~470) in "main.c"
[21] main(argc = 2, argv = 0x8047d4c) (optimized), at 0x8054de7 (line
~706) in "client.c"
dovecot.conf had: ssl_protocols = !SSLv2 !SSLv3
removing that line stops the core dump and syslog then shows:
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=
the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
All these ssl_* settings just go to OpenSSL without Dovecot (or I) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).
I admit I just copied from somewhere else without full understanding. Please if someone can advise me on settings for ssl_protocols and ssl_cipher_list then I'll use.
Removing "ssl_cipher_list = ", so using the default, does not cure the problem.
James.
On 21/03/2015 10:00, James wrote:
the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
All these ssl_* settings just go to OpenSSL without Dovecot (or I) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).
I'd better add this PS, my openssl is compiled with "no-ssl3" which is where the SSL23 unsupported is coming from. I've removed the "no-ssl3" from openssl indeed it accepts the connection, however, with "ssl_protocols = !SSLv2 !SSLv3" in dovecot.conf imap-login still sig 11s.
James.
On 21.03.2015 at 11:51, James wrote:
On 21/03/2015 10:00, James wrote:
the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did. Do I still need, if I ever needed, the "ssl_protocols = " setting?
All these ssl_* settings just go to OpenSSL without Dovecot (or I) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).
I'd better add this PS, my openssl is compiled with "no-ssl3" which is where the SSL23 unsupported is coming from. I've removed the "no-ssl3" from openssl indeed it accepts the connection, however, with "ssl_protocols = !SSLv2 !SSLv3" in dovecot.conf imap-login still sig 11s
well, remove that brickage of "special compile"
On 21.03.2015 at 12:02, James wrote:
On 21/03/2015 10:55, Reindl Harald wrote:
well, remove that brickage of "special compile"
I'm sorry but I did not understand your comment
why do you compile openssl that way?
On 21/03/2015 11:07, Reindl Harald wrote:
well, remove that brickage of "special compile"
I'm sorry but I did not understand your comment
why do you compile openssl that way?
What way? With or without ssl3? I've now done it both ways.
Reading: https://wiki.openssl.org/index.php/Compilation_and_Installation no-ssl3 seems to be a popular and legitimate option.
On 21.03.2015 at 12:12, James wrote:
On 21/03/2015 11:07, Reindl Harald wrote:
well, remove that brickage of "special compile"
I'm sorry but I did not understand your comment
why do you compile openssl that way?
What way? With or without ssl3? I've now done it both ways.
Reading: https://wiki.openssl.org/index.php/Compilation_and_Installation no-ssl3 seems to be a popular and legitimate option
that may be all fine and true, but since others can't reproduce your problem it's likely your openssl build and not dovecot itself
On 21/03/2015 11:15, Reindl Harald wrote:
that may be all fine and true, but since others can't reproduce your problem it's likely your openssl build and not dovecot itself
http://www.dovecot.org/bugreport.html
"Whenever Dovecot crashes, ..."
"No matter how that happened, it's a bug and will be fixed ..."
participants (3)
- James
- Reindl Harald
- Timo Sirainen
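Added example, not part of the thread and not Dovecot code: a log triage that separates the two syslog patterns quoted above, a login child killed by a signal (the DoS condition) versus a handshake that OpenSSL refused cleanly. The function names `triage` and `crash_sources` are hypothetical, and the third and fourth sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: lines 1-2 follow the two syslog entries quoted in the
# thread; lines 3-4 (192.0.2.x, pid 22011, the Login line) are invented.
SAMPLE_LOG = """\
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=
Mar 20 11:40:02 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 22011 killed with signal 11 (core dumped) [last ip=192.0.2.7]
Mar 20 11:41:10 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Login: user=<someone>, method=PLAIN, rip=192.0.2.9, lip=192.0.2.1, TLS
"""

# Master process reporting a service child killed by a signal.
CRASH = re.compile(
    r"(?P<svc>[\w-]+): Fatal: master: service\((?P=svc)\): "
    r"child (?P<pid>\d+) killed with signal (?P<sig>\d+)"
    r"(?P<core> \(core dumped\))?(?: \[last ip=(?P<ip>[^\]]+)\])?")
# Handshake that OpenSSL rejected cleanly; the login process stays up.
REFUSED = re.compile(
    r"rip=(?P<ip>[^,\s]+),.*TLS handshaking: SSL_accept\(\) failed: "
    r"(?P<err>error:[0-9A-Fa-f]+:[^,]*)")

def triage(log_text):
    """Split login-service events into crashes and clean handshake refusals."""
    crashes, refused = [], Counter()
    for line in log_text.splitlines():
        m = CRASH.search(line)
        if m:
            crashes.append({"service": m["svc"], "pid": int(m["pid"]),
                            "signal": int(m["sig"]), "core": bool(m["core"]),
                            "last_ip": m["ip"]})
            continue
        m = REFUSED.search(line)
        if m:
            # The last colon-separated field of the OpenSSL error is the reason.
            refused[(m["ip"], m["err"].rsplit(":", 1)[-1].strip())] += 1
    return crashes, refused

def crash_sources(crashes):
    """Count crashes per 'last ip' so repeat triggers stand out."""
    return Counter(c["last_ip"] for c in crashes if c["last_ip"])

if __name__ == "__main__":
    crashes, refused = triage(SAMPLE_LOG)
    for c in crashes:
        print("CRASH", c)
    for (ip, reason), n in refused.items():
        print("refused", ip, reason, n)
    print(crash_sources(crashes))
```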