[Dovecot] [bug] ssl-params hangs when FIPS is enabled

Michal Hlavinka mhlavink at redhat.com
Tue Nov 5 16:42:58 EET 2013


On 11/02/2013 02:31 PM, Timo Sirainen wrote:
> On 1.10.2013, at 21.14, Michal Hlavinka <mhlavink at redhat.com> wrote:
>
>> We found a bug in ssl-params. It calls the openssl DH generator for 512 and 1024 bits, but in FIPS mode, openssl won't generate anything for less than 1024, so it fails with:
>> error:0506A06E:Diffie-Hellman routines:DH_BUILTIN_GENPARAMS:key size too small
>>
>> But when the DH generator fails, ssl-params hangs forever in io_loop_run:
>
> http://hg.dovecot.org/dovecot-2.2/rev/c472e0454ee3 should fix this.

I spoke too soon. The original issue is fixed: when FIPS mode is enabled, 
ssl-params no longer fails.

On the other hand, the underlying problem still exists. When ssl-params 
fails (for whatever reason), it gets stuck.

One way to reproduce it is a chroot without /dev populated:
# /usr/libexec/dovecot/ssl-params
Info: Generating SSL parameters
Fatal: DH_generate_parameters(bits=1024, gen=2) failed: 
error:24064064:lib(36):func(100):reason(100)
Error: child process failed with status 22784
-> ssl-params is stuck
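The stuck parent described above, as an added illustration that is not Dovecot's code: a parent spawns a child to write DH parameters to a file and waits for that file, while a constructed child stands in for the OpenSSL call and exits with Dovecot's FATAL_DEFAULT code 89 (22784 >> 8 in the status quoted above) when the bit size is below the assumed FIPS minimum of 1024. Watching only the output file reproduces the hang; also polling the child's exit status in the same wait loop turns it into a clean failure.

```python
import os
import subprocess
import sys
import tempfile
import time

# Assumed FIPS policy: OpenSSL refuses to generate DH parameters below this size.
FIPS_MIN_DH_BITS = 1024

# Constructed child (stand-in for ssl-params' forked generator, not Dovecot code).
# It writes parameters to the given path, or dies with Dovecot's FATAL_DEFAULT (89);
# the parent then sees wait status 89 << 8 == 22784, as in the report above.
CHILD_SCRIPT = """
import sys
bits, out = int(sys.argv[1]), sys.argv[2]
if bits < {fips_min}:
    sys.stderr.write("DH_generate_parameters(bits=%d, gen=2) failed: key size too small\\n" % bits)
    sys.exit(89)
with open(out, "w") as f:
    f.write("constructed DH parameters placeholder, %d bits\\n" % bits)
""".format(fips_min=FIPS_MIN_DH_BITS)


def wait_for_params(proc, path, timeout, watch_child):
    """Return ("ok", 0), ("child-failed", exit_code) or ("hung", None).

    watch_child=False waits only for the output file: a child that dies before
    writing it leaves the parent waiting forever (bounded by `timeout` here).
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(path):
            return ("ok", proc.wait())
        if watch_child and proc.poll() is not None and proc.returncode != 0:
            return ("child-failed", proc.returncode)  # fail fast instead of hanging
        time.sleep(0.02)
    return ("hung", None)


def run_ssl_params(bits, watch_child=True, timeout=3.0):
    """Spawn the generator child for `bits` and supervise it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ssl-parameters.dat")
        proc = subprocess.Popen([sys.executable, "-c", CHILD_SCRIPT, str(bits), path],
                                stderr=subprocess.DEVNULL)
        try:
            return wait_for_params(proc, path, timeout, watch_child)
        finally:
            if proc.poll() is None:
                proc.kill()
            proc.wait()


if __name__ == "__main__":
    print("2048 bits, child watched:", run_ssl_params(2048))
    print("512 bits, child watched: ", run_ssl_params(512))
    print("512 bits, file-only wait:", run_ssl_params(512, watch_child=False, timeout=1.0))
```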