imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??

James lista at xdrv.co.uk
Fri Mar 20 11:59:09 UTC 2015


Connecting to dovecot with ssl3 causes imap-login to die:


$ openssl s_client -connect localhost:993 -ssl3
CONNECTED(00000003)
4277630796:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:SSL alert number 40
4277630796:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
     Protocol  : SSLv3
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1426851034
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
---



syslog:
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]




dovecot.conf had:
ssl_protocols = !SSLv2 !SSLv3

Removing that line stops the core dump, and syslog then shows:

Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<eqr1ubYRWgB/AAAB>



The "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I 
thought the ssl_protocols setting did.
Do I still need, if I ever needed, the "ssl_protocols = " setting?



James.



# dovecot -n
# 2.2.16: /etc/opt/XXXX/dovecot/dovecot.conf
# Pigeonhole version 0.4.7
# OS: SunOS 5.10 i86pc
auth_mechanisms = plain login digest-md5 cram-md5
base_dir = /var/opt/XXXX/dovecot/
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
login_trusted_networks = 111.222.333.444/24
mail_gid = vmail
mail_home = /XXXXXX/XXXX/%d/%n
mail_location = maildir:/XXXXX/XXXX/%d/%n/Maildir
mail_max_userip_connections = 20
mail_plugins = quota
mail_uid = vmail
mailbox_idle_check_interval = 10 secs
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate
passdb {
   args = /etc/opt/XXXX/dovecot/dovecot-sql.conf
   driver = sql
}
plugin {
   fts_autoindex = yes
   quota = maildir:User quota
   quota_rule = *:storage=1G
   quota_rule2 = Trash:storage=+10%
   quota_warning = storage=90%% quota-warning 90 %u
   quota_warning2 = storage=95%% quota-warning 95 %u
   quota_warning3 = storage=99%% quota-warning 99 %u
   sieve = /XXXXX/XXXX/%d/%n/dovecot.sieve
   sieve_dir = /XXXXX/XXXX/%d/%n/sieve
}
protocols = imap lmtp sieve
service auth {
   drop_priv_before_exec = yes
   unix_listener auth-client {
     mode = 0660
   }
   unix_listener auth-master {
     mode = 0600
   }
   user = root
}
service imap-login {
   chroot =
   drop_priv_before_exec = yes
   executable = imap-login -D
   service_count = 1
   user = dovecot
}
service lmtp {
   group = vmail
   unix_listener lmtp {
     mode = 0666
   }
   user = vmail
}
service quota-warning {
   executable = script /etc/opt/XXXX/dovecot/quota-warning
   user = vmail
}
ssl_cert = </etc/opt/XXXX/dovecot/dovecot.pem
ssl_cipher_list = AES128+EECDH:AES128+EDH
ssl_key = </etc/opt/XXXX/dovecot/dovecot.pem
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
   driver = prefetch
}
userdb {
   args = /etc/opt/XXXX/dovecot/dovecot-sql.conf
   driver = sql
}
protocol lda {
   auth_socket_path = /var/opt/XXXX/dovecot/auth-master
   mail_plugins = quota sieve
   postmaster_address = postmaster at XXXXXXXX
   sendmail_path = /opt/XXXX/sbin/exim
}
protocol pop3 {
   mail_plugins = quota
}
protocol imap {
   mail_plugins = quota imap_quota
}
protocol lmtp {
   mail_plugins = quota sieve
   postmaster_address = postmaster at XXXXXX
   sendmail_path = /opt/XXXX/sbin/exim
}
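A small log classifier, added here as an example (it is not part of James's post and not Dovecot code), that tells the two syslog lines quoted above apart: the master's "killed with signal 11" line, where a login process dies on client input and the outage is worth alerting on, and imap-login's own "SSL_accept() failed ... unsupported protocol" line, which is a handshake refused by policy and only worth counting per remote IP. The regexes assume the line shapes exactly as quoted in the post, joined back onto single lines; the additional sample lines for 192.0.2.10 and the "Login:" line are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Line the Dovecot master logs when a login child dies on a signal
# (shape taken from the crash line quoted in the post).
CRASH_RE = re.compile(
    r"imap-login: Fatal: master: service\((?P<service>[\w-]+)\): "
    r"child (?P<pid>\d+) killed with signal (?P<signal>\d+)"
    r"(?P<core> \(core dumped\))?(?: \[last ip=(?P<ip>[^\]]+)\])?"
)

# Line imap-login logs when it refuses a TLS handshake
# (shape taken from the "unsupported protocol" line quoted in the post).
TLS_FAIL_RE = re.compile(
    r"imap-login: Disconnected \((?P<reason>[^)]*)\): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<rip>[^,]+), lip=(?P<lip>[^,]+), "
    r"TLS handshaking: SSL_accept\(\) failed: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>[^:]+):(?P<err>[^,]+)"
)


@dataclass
class Event:
    kind: str                     # "crash" or "tls_reject"
    rip: Optional[str]            # remote IP, when the line carries one
    detail: str                   # human-readable summary for the alert
    signal: Optional[int] = None  # only set for crashes


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for the two line shapes we care about, else None."""
    m = CRASH_RE.search(line)
    if m:
        core = " (core dumped)" if m.group("core") else ""
        detail = (f"{m.group('service')} pid {m.group('pid')} killed with "
                  f"signal {m.group('signal')}{core}")
        return Event("crash", m.group("ip"), detail, int(m.group("signal")))
    m = TLS_FAIL_RE.search(line)
    if m:
        detail = f"{m.group('func')}: {m.group('err').strip()} (error {m.group('code')})"
        return Event("tls_reject", m.group("rip"), detail)
    return None


def summarize(lines: Iterable[str]) -> Dict[str, object]:
    """Collect crash events and count handshake rejections per remote IP."""
    events = [e for e in (parse_line(l) for l in lines) if e is not None]
    return {
        "crashes": [e for e in events if e.kind == "crash"],
        "tls_rejects_by_ip": Counter(e.rip for e in events if e.kind == "tls_reject"),
    }


def should_alert(summary: Dict[str, object]) -> bool:
    """A login process dying on a signal is a client-triggerable outage and
    always warrants a look; rejected legacy handshakes alone are expected
    under a strict ssl_protocols policy and are only counted."""
    return len(summary["crashes"]) > 0


# Constructed sample input: the two lines from the post joined back onto one
# line each, two constructed rejections from a made-up client (192.0.2.10),
# and one constructed successful login that the classifier must ignore.
SAMPLE_LINES = [
    "Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: "
    "service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]",
    "Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected "
    "(disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, "
    "TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:"
    "unsupported protocol, session=<eqr1ubYRWgB/AAAB>",
    "Mar 20 11:40:01 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected "
    "(disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.10, lip=127.0.0.1, "
    "TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:"
    "unsupported protocol, session=<constructed0001>",
    "Mar 20 11:40:02 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected "
    "(disconnected before auth was ready, waited 0 secs): user=<>, rip=192.0.2.10, lip=127.0.0.1, "
    "TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:"
    "unsupported protocol, session=<constructed0002>",
    "Mar 20 11:41:12 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Login: user=<alice>, "
    "method=PLAIN, rip=192.0.2.20, lip=127.0.0.1, TLS, session=<constructed0003>",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for e in s["crashes"]:
        print("CRASH", e.rip, e.detail)
    for ip, n in s["tls_rejects_by_ip"].items():
        print("TLS-REJECT", ip, n)
    print("alert" if should_alert(s) else "ok")
```

Fed the post's own two lines, the classifier reports one crash (signal 11, core dumped, last ip 127.0.0.1) and one policy rejection; after the ssl_protocols line is removed, only the rejections remain and no alert is raised, which is the behaviour the second syslog excerpt describes.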