[patch] TLS Handshake failures can crash imap-login
Leonardo Rodrigues
leolistas at solutti.com.br
Sat Apr 25 00:38:45 UTC 2015
On 24/04/15 18:17, Hanno Böck wrote:
> Hi,
>
> I tracked down a tricky bug in dovecot that can cause the imap-login
> and pop3-login processes to crash on handshake failures.
> This can be tested by disabling SSLv3 in the dovecot config
> (ssl_protocols = !SSLv2 !SSLv3) and trying to connect with openssl and
> forced sslv3 (openssl s_client -ssl3 -connect localhost:995). This
> would cause a crash.
>
>
I couldn't reproduce that on a fully patched CentOS 6.6 box:
[root at correio ~]# cat /etc/redhat-release
CentOS release 6.6 (Final)
[root at correio ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root at correio ~]# dovecot --version
2.2.16
(compiled from sources, not from any binary package)
[root at correio ~]# grep ssl_proto /etc/dovecot/extras/10-ssl.conf
ssl_protocols = !SSLv2 !SSLv3
From the dovecot logs when running the openssl command:
Apr 24 21:36:38 correio dovecot: imap-login: Disconnected (no auth
attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS
handshaking: Disconnected
Don't know if it matters, but I'm running signed certificates from
RapidSSL, not self-signed ones.
The openssl command returns an error, but I see no crash at all:
[root at correio ~]# openssl s_client -ssl3 -connect localhost:995
CONNECTED(00000003)
140022021363528:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure:s3_pkt.c:1259:SSL alert number 40
140022021363528:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1429922121
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root at correio ~]#
--
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAM trap, do NOT send email
gertrudes at solutti.com.br
My SPAMTRAP, do not email it
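As an added example that is not part of this thread, the following Python probe reproduces the check above without depending on an OpenSSL build that still speaks SSLv3: it sends a bare SSLv3 ClientHello to an implicit-TLS port such as 995, decodes the alert the server answers with (the 7 bytes s_client reports reading are exactly one alert record: level 2 fatal, description 40 handshake_failure), and then reconnects to confirm the login process is still accepting connections. Host, port, timeout and the single cipher-suite value are assumptions.

```python
import socket
import struct

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello() -> bytes:
    """Constructed minimal ClientHello with record and handshake version 3.0 (SSLv3)."""
    client_random = b"\x00" * 32          # constructed, fixed for reproducibility
    session_id = b"\x00"                  # zero-length session id
    ciphers = b"\x00\x02" + b"\x00\x2f"   # one suite, TLS_RSA_WITH_AES_128_CBC_SHA (assumed)
    compression = b"\x01\x00"             # one method: null
    body = b"\x03\x00" + client_random + session_id + ciphers + compression
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake


def parse_alert(record: bytes):
    """Return (level, description) for a TLS alert record, or None if it is not one."""
    if len(record) < 7 or record[0] != 0x15:
        return None
    (length,) = struct.unpack(">H", record[3:5])
    if length != 2:
        return None
    return record[5], record[6]


def describe_alert(alert):
    """Human-readable form of the tuple parse_alert() returns."""
    if alert is None:
        return "no alert record"
    level, desc = alert
    return f"{'fatal' if level == 2 else 'warning'} {ALERT_NAMES.get(desc, desc)}"


def probe(host: str, port: int, timeout: float = 5.0):
    """Send the SSLv3 hello, read the reply, then verify the listener still accepts connections."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        reply = s.recv(7)
    alert = parse_alert(reply)
    try:                                   # liveness check after the failed handshake
        with socket.create_connection((host, port), timeout=timeout):
            alive = True
    except OSError:
        alive = False
    return alert, alive


if __name__ == "__main__":
    result, still_up = probe("localhost", 995)      # assumed host/port from the thread
    print(describe_alert(result), "- service still accepting connections:", still_up)
```

A healthy server answers with a fatal handshake_failure or protocol_version alert and stays reachable; a crashed login process shows up as `alive == False` (or a connection reset before any alert is read).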