[Dovecot] [bug] ssl-params hangs when FIPS is enabled
Hi,
we found a bug in ssl-params. It calls the openssl DH generator for 512 and 1024 bits, but in FIPS mode openssl won't generate anything for less than 1024, so it fails with: error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small
but when the DH generator fails, ssl-params hangs forever in io_loop_run:
__epoll_wait_nocancel()
io_loop_handler_run(..) at ioloop-epoll.c:176
io_loop_run(..) at ioloop.c:406
master_service_run(..) at master-service.c:566
main(..) at main.c:156
Getting a system into FIPS mode can be a little tricky, but a simulated DH_generator failure can do the trick. Just change ssl-params/ssl-params-openssl.c:generate_dh_parameters:39 from
    if (dh == NULL) {
to
    if (1 || dh == NULL) {
and when you run ssl-params (with no ssl-parameters.dat), it hangs.
Let me know if you need more information.
Regards, Michal Hlavinka
On 1.10.2013, at 21.14, Michal Hlavinka mhlavink@redhat.com wrote:
> we found a bug in ssl-params. It calls openssl DH generator for 512 and 1024 bits, but in FIPS mode, openssl won't generate anything for less than 1024, so it fails with: error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small
> but when DH generator fails, ssl-params hangs forever in io_loop_run:
http://hg.dovecot.org/dovecot-2.2/rev/c472e0454ee3 should fix this.
On 11/02/2013 02:31 PM, Timo Sirainen wrote:
> On 1.10.2013, at 21.14, Michal Hlavinka mhlavink@redhat.com wrote:
>> we found a bug in ssl-params. It calls openssl DH generator for 512 and 1024 bits, but in FIPS mode, openssl won't generate anything for less than 1024, so it fails with: error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small
>> but when DH generator fails, ssl-params hangs forever in io_loop_run:
> http://hg.dovecot.org/dovecot-2.2/rev/c472e0454ee3 should fix this.
Tested (whole 2.2.7) and it works fine. Thanks
On 11/02/2013 02:31 PM, Timo Sirainen wrote:
> On 1.10.2013, at 21.14, Michal Hlavinka mhlavink@redhat.com wrote:
>> we found a bug in ssl-params. It calls openssl DH generator for 512 and 1024 bits, but in FIPS mode, openssl won't generate anything for less than 1024, so it fails with: error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small
>> but when DH generator fails, ssl-params hangs forever in io_loop_run:
> http://hg.dovecot.org/dovecot-2.2/rev/c472e0454ee3 should fix this.
I spoke too soon. The original issue is fixed: when FIPS mode is enabled, ssl-params no longer fails.
On the other hand, the underlying problem still exists. When ssl-params fails (for whatever reason) it gets stuck.
One way to reproduce it is a chroot without /dev populated:
# /usr/libexec/dovecot/ssl-params
Info: Generating SSL parameters
Fatal: DH_generate_parameters(bits=1024, gen=2) failed: error:24064064:lib(36):func(100):reason(100)
Error: child process failed with status 22784
-> ssl-params is stuck
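The failure class discussed in this thread (a generator child dies, and the supervising loop in the parent waits forever instead of reporting the error) is shown below as an added, self-contained C example. It is not Dovecot's ssl-params code and not the fix at the linked revision, whose contents are not shown here; the function names (generate_supervised, child_generate, last_params_text), the keep_write_end flag and the GEN_* result codes are hypothetical, and the DH generator failure is simulated rather than produced by OpenSSL in FIPS mode, so nothing links against libcrypto. The child reports success by writing its result to a pipe; the parent's loop must treat the child's disappearance (EOF on the pipe, plus the wait status) as an outcome of its own, and a bounded poll() timeout keeps even the forgotten-write-end mistake from becoming an indefinite hang.

```c
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of the supervised generation (hypothetical names). */
enum { GEN_OK = 0, GEN_CHILD_FAILED = 1, GEN_TIMEOUT = 2 };

/* Result text received from the child on the last GEN_OK run. */
static char last_params[64];

/* Child side: stand-in for the DH parameter generator. With fail != 0 it
 * behaves like OpenSSL refusing the request (as FIPS mode does for
 * bits < 1024): nothing is written to out_fd and the child exits non-zero. */
static int child_generate(int out_fd, int bits, int fail)
{
    char buf[64];
    int n;

    if (fail) {
        fprintf(stderr, "Fatal: DH_generate_parameters(bits=%d) failed (simulated)\n", bits);
        return 1;
    }
    n = snprintf(buf, sizeof buf, "dh-params-%d", bits);
    return write(out_fd, buf, (size_t)n) == n ? 0 : 1;
}

/* Parent side. keep_write_end == 1 reproduces the classic hang: the parent
 * keeps its own copy of the pipe's write end open, so a child that dies
 * without writing never produces EOF and poll() would block forever; the
 * timeout_ms bound turns that into GEN_TIMEOUT instead. keep_write_end == 0
 * is the correct form: the child's death is seen as EOF and reported as
 * GEN_CHILD_FAILED, so the caller can exit with an error instead of hanging. */
int generate_supervised(int bits, int fail, int keep_write_end, int timeout_ms)
{
    int fds[2], status, rc = GEN_TIMEOUT;
    pid_t pid;
    struct pollfd pfd;

    last_params[0] = '\0';
    if (pipe(fds) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        _exit(child_generate(fds[1], bits, fail));
    }
    if (!keep_write_end)
        close(fds[1]);

    pfd.fd = fds[0];
    pfd.events = POLLIN;
    for (;;) {
        int r = poll(&pfd, 1, timeout_ms);
        ssize_t n;

        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;                          /* timed out (or poll error) */
        n = read(fds[0], last_params, sizeof last_params - 1);
        if (n > 0) {
            last_params[n] = '\0';
            rc = GEN_OK;
        } else {
            rc = GEN_CHILD_FAILED;          /* EOF: child went away without a result */
        }
        break;
    }
    close(fds[0]);
    if (keep_write_end)
        close(fds[1]);
    if (rc == GEN_TIMEOUT)
        kill(pid, SIGKILL);                 /* never leave a runaway or unreaped child */
    waitpid(pid, &status, 0);
    /* A result from a child that did not exit cleanly is still a failure. */
    if (rc == GEN_OK && (!WIFEXITED(status) || WEXITSTATUS(status) != 0))
        rc = GEN_CHILD_FAILED;
    return rc;
}

const char *last_params_text(void)
{
    return last_params;
}

int main(void)
{
    printf("success:            %d (%s)\n", generate_supervised(1024, 0, 0, 1000), last_params_text());
    printf("failure, handled:   %d\n", generate_supervised(512, 1, 0, 1000));
    printf("failure, hang path: %d\n", generate_supervised(512, 1, 1, 200));
    return 0;
}
```

The third call is the interesting one: the child has already exited with an error, yet poll() sees neither data nor EOF and returns only because of the timeout. Without that bound, the parent would sit in its wait loop exactly as the backtrace above shows, which is why a supervisor should both close its unused pipe ends and have an explicit exit path for every way the child can end.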