Hi,
I've noticed that nmap crashes my imap-login (also pop3-login) and narrowed it down to nmap -sV -p 993 $host. I've noticed that if I remove "ssl_protocols = !SSLv2 !SSLv3" from my config or enable SSLv3 rather than disabling it the segfault disappears.
I'm running on Arch Linux with dovecot 2.2.16-1 and openssl 1.0.2.a-1. I've also attached a network capture, but since it's SSL this probably won't help all that much.
I hope this is enough information to reproduce the issue. If necessary I can recompile dovecot with debug symbols for a better backtrace.
Thanks, Florian
dovecot.conf https://paste.xinu.at/PUsJ/
syslog:
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
backtrace:
#0 0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
#1 0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
#2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
#3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
#4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
#5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
#6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
#7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
#8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
#9 0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
#10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
#11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
#12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
#13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
#14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
#15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
#16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
#17 0x0000000000402909 in _start ()
nmap output:
nmap -sV --packet-trace -p 993 karif
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 10:52 CEST
CONN (0.0426s) TCP localhost > 78.46.56.141:80 => Operation now in progress
CONN (0.0427s) TCP localhost > 78.46.56.141:443 => Operation now in progress
NSOCK INFO [0.0650s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.0650s] nsock_connect_udp(): UDP connection requested to 192.168.4.1:53 (IOD #1) EID 8
NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 18
NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.4.1:53]
NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.4.1:53]
NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.4.1:53] (79 bytes): .............141.56.46.78.in-addr.arpa..................karif.server-speed.net.
NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 34
NSOCK INFO [0.0650s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [0.0650s] msevent_cancel(): msevent_cancel on event #34 (type READ)
CONN (0.0656s) TCP localhost > 78.46.56.141:993 => Operation now in progress
NSOCK INFO [0.1320s] nsi_new2(): nsi_new (IOD #1)
NSOCK INFO [0.1330s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #1) EID 8
NSOCK INFO [0.1550s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [78.46.56.141:993]
Service scan sending probe NULL to 78.46.56.141:993 (tcp)
NSOCK INFO [0.1550s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 6000ms) EID 18
NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [78.46.56.141:993]
Service scan sending probe GetRequest to 78.46.56.141:993 (tcp)
NSOCK INFO [6.1610s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 5000ms) EID 34
NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [78.46.56.141:993]
NSOCK INFO [6.1840s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 34 [78.46.56.141:993]
NSOCK INFO [6.1840s] nsi_delete(): nsi_delete (IOD #1)
NSOCK INFO [6.1840s] nsi_new2(): nsi_new (IOD #2)
NSOCK INFO [6.1840s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #2) EID 40
NSOCK INFO [6.2050s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [78.46.56.141:993]
Service scan sending probe SSLSessionReq to 78.46.56.141:993 (tcp)
NSOCK INFO [6.2060s] nsock_read(): Read request from IOD #2 [78.46.56.141:993] (timeout: 5000ms) EID 58
NSOCK INFO [6.2060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [78.46.56.141:993]
NSOCK INFO [6.2280s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [78.46.56.141:993] (7 bytes): ......(
Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 10443): 78.46.56.141:993 is ssl. Version: |TLSv1|||
NSOCK INFO [6.2280s] nsi_delete(): nsi_delete (IOD #2)
NSOCK INFO [6.2280s] nsi_new2(): nsi_new (IOD #3)
NSOCK INFO [6.2280s] nsock_connect_ssl(): SSL connection requested to 78.46.56.141:993/tcp (IOD #3) EID 65
NSOCK INFO [6.3370s] nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 65 [78.46.56.141:993]
Service scan sending probe NULL to 78.46.56.141:993 (tcp)
NSOCK INFO [6.3370s] nsock_read(): Read request from IOD #3 [78.46.56.141:993] (timeout: 6000ms) EID 74
NSOCK INFO [6.3960s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [78.46.56.141:993] (114 bytes)
Service scan match (Probe NULL matched with NULL line 1312): 78.46.56.141:993 is SSL/imap. Version: |Dovecot imapd|||
NSOCK INFO [6.3960s] nsi_delete(): nsi_delete (IOD #3)
Nmap scan report for karif (78.46.56.141)
Host is up (0.023s latency).
rDNS record for 78.46.56.141: karif.server-speed.net
PORT STATE SERVICE VERSION
993/tcp open ssl/imap Dovecot imapd
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
On 2015-04-21 11:24:55 +0200, Florian Pritz wrote:
> dovecot.conf https://paste.xinu.at/PUsJ/
> syslog:
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
> Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
> backtrace:
> #0 0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
> #1 0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
> #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
> #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
> #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #9 0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
> #17 0x0000000000402909 in _start ()
looks more like a crash in openssl.
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
On 21.04.2015 17:10, Marcus Rueckert wrote:
>> #0 0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
>> #1 0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
>> #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
>> #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
>> #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
>> #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
>> #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
>> #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
>> #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
>> #9 0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
>> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
>> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
>> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
>> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
>> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
>> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
>> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
>> #17 0x0000000000402909 in _start ()
> looks more like a crash in openssl.
It is indeed crashing in openssl, but apparently because dovecot ignores an earlier returned error and the ssl object is not properly set up. There is a patch that works around this, but I don't yet know if it will be included in openssl. Anyway, this should (also) be fixed in dovecot.
More details: https://rt.openssl.org/Ticket/Display.html?id=3818
Florian
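
Added example, not part of the thread: the three syslog lines from the original report show the sequence discussed above (a failed SSL_accept(), then the login child killed with signal 11, then a kernel segfault record inside libssl). The sketch below correlates such lines into one finding; the function name `correlate` and the regular expressions are assumptions built from those three lines only, and other dovecot or kernel versions may word them differently.

```python
import re

# The three syslog lines from the report (host, PIDs and IPs as posted there).
SAMPLE = """\
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
"""

HANDSHAKE_FAIL = re.compile(
    r"\w+-login: Disconnected .*rip=(?P<rip>[0-9a-fA-F.:]+),.*"
    r"TLS handshaking: SSL_accept\(\) failed: (?P<err>\S.*)$")
CHILD_KILLED = re.compile(
    r"service\((?P<svc>[\w-]+)\): child (?P<pid>\d+) killed with signal "
    r"(?P<sig>\d+).*\[last ip=(?P<ip>[0-9a-fA-F.:]+)\]")
KERNEL_SEGV = re.compile(
    r"kernel: (?P<svc>[\w-]+)\[(?P<pid>\d+)\] segfault at \S+ "
    r"ip (?P<ip>[0-9a-f]+) .* in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+")

def correlate(lines):
    """One finding per segfaulted process, joined with the master's
    'child killed' record (by PID) and the last failed handshake (by IP)."""
    failed = {}   # client IP -> SSL_accept() error text
    killed = {}   # child PID -> (service, signal, last client IP)
    segv = []     # kernel segfault records, joined after the scan
    for line in lines:
        if m := HANDSHAKE_FAIL.search(line):
            failed[m["rip"]] = m["err"]
        elif m := CHILD_KILLED.search(line):
            killed[m["pid"]] = (m["svc"], int(m["sig"]), m["ip"])
        elif m := KERNEL_SEGV.search(line):
            segv.append(m)
    findings = []
    for m in segv:  # joined last so the order of the log lines does not matter
        svc, sig, ip = killed.get(m["pid"], (m["svc"], None, None))
        findings.append({
            "service": svc, "pid": int(m["pid"]), "signal": sig,
            "client_ip": ip, "handshake_error": failed.get(ip),
            "library": m["lib"],
            # Faulting address minus the mapping base: an offset into the library.
            "fault_offset": hex(int(m["ip"], 16) - int(m["base"], 16)),
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE.splitlines()):
        print(finding)
```

The reported offset is relative to the library's load address, so it stays the same under ASLR; here it is 0x2060b, and frame #0 of the posted backtrace ends in the same 0x60b page offset.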
On 24.04.2015 18:50, Florian Pritz wrote:
> More details: https://rt.openssl.org/Ticket/Display.html?id=3818
login is guest/guest