Hi all,

I think I've found a small bug in how Dovecot logs SSL/TLS info. Basically, if I connect to the server using TLS, the logs have a lot of entries saying I used SSLv3 (which is not allowed). Here's my system info:

OSX Yosemite (x86_64, HFS+) Dovecot 2.2.15 (via Homebrew) OpenSSL 0.9.8zd

The configuration (see below) disallows SSLv3, and if I try and connect with OpenSSL to test that ("openssl s_client -connect localhost:993 -ssl3") it fails as expected. If I do the same command, but with "-tls1" instead of "-ssl3", I can connect and run IMAP commands. The problem is, if I open up the Dovecot logs and look at the SSL log messages, they all say I used SSLv3. As an example, this is a truncated log from when I connected to the server and immediately did a LOGOUT:

14:50:59 : master: Warning: Killed with signal 15 (by pid=1 uid=0 code=unknown 0) 14:51:03 : master: Dovecot v2.2.15 starting up for imap, lmtp (core dumps disabled) 14:51:13 : imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges 14:51:13 --- last message repeated 1 time --- 14:51:13 : imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A [127.0.0.1] 14:51:13 --- last message repeated 1 time --- 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write session ticket A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [127.0.0.1] 14:51:13 : imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [127.0.0.1] 14:51:19 : imap-login: Aborted login (no auth attempts in 6 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS, session= 14:51:19 : imap-login: Debug: SSL alert: close notify [127.0.0.1]

The second to last line, which indicates I never tried to log in, correctly states that I used TLS. All the lines for SSL debugging, though, state I used SSL or SSLv3.

This is a test setup, so it accepts any mail from @example.com addresses over LMTP and allows any user to connect with the password "staticpassword". Here's the output of "dovecot -n":

# 2.2.15: /usr/local/etc/dovecot/dovecot.conf # OS: Darwin 14.3.0 x86_64 hfs default_client_limit = 50 default_internal_user = _dovecot default_login_user = _dovenull default_process_limit = 10 listen = 127.0.0.1 mail_gid = admin mail_location = mbox:/usr/local/etc/dovecot/mailboxes/%n mail_uid = [my username] namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = } passdb { args = password=staticpassword driver = static } postmaster_address = postmaster at example.com protocols = imap lmtp service lmtp { inet_listener lmtp { address = 127.0.0.1 ::1 port = 24 } } ssl = required ssl_cert =