imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
Timo Sirainen
tss at iki.fi
Fri Mar 20 18:24:27 UTC 2015
On 20 Mar 2015, at 13:59, James <lista at xdrv.co.uk> wrote:
>
> Connecting to dovecot with ssl3 causes imap-login to die:
>
> Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
I can't reproduce it. I tried it with the same ssl_* settings you had. Can you get a gdb backtrace from the crash? It says "core dumped", so I guess there should be a core file somewhere. http://dovecot.org/bugreport.html has some more info on how to get it.
> dovecot.conf had:
> ssl_protocols = !SSLv2 !SSLv3
>
> removing that line stops the core dump and syslog then shows:
>
> Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<eqr1ubYRWgB/AAAB>
>
>
>
> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did.
> Do I still need, if I ever needed, the "ssl_protocols = " setting?
All these ssl_* settings just go to OpenSSL without Dovecot (or me) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).
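To make the "what does ssl_protocols actually do" question concrete, here is an added example (not Dovecot's code, and not from either poster) that models how a Dovecot 2.2-style ssl_protocols value is turned into the SSL_OP_NO_* options that end up in SSL_CTX_set_options(), and what a ClientHello of a given version then gets. The token rules (a "!PROTO" token disables that version, a bare "PROTO" token whitelists it) and the refusal to mix the two forms are assumptions about Dovecot's behaviour used for this model, not a quote of its source; the protocol table is OpenSSL 1.0.x's.

```python
"""Model of Dovecot's ssl_protocols -> OpenSSL SSL_OP_NO_* translation.

Added example, not Dovecot's own code. Assumptions: "!PROTO" tokens subtract
from OpenSSL's full version set, bare "PROTO" tokens form a whitelist, and an
absent/empty setting leaves OpenSSL's default (every version enabled), which
is what the thread observes: with the setting removed, OpenSSL rather than
Dovecot decides, and an SSLv3 hello still gets "unsupported protocol" only
if something else (ciphers, a build without SSLv3) rules it out.
"""
from __future__ import annotations

# Versions an OpenSSL 1.0.x library can negotiate and the option that disables
# each one (TLSv1.3 did not exist in 2015, so it is deliberately absent).
OPENSSL_PROTOCOLS = {
    "SSLv2": "SSL_OP_NO_SSLv2",
    "SSLv3": "SSL_OP_NO_SSLv3",
    "TLSv1": "SSL_OP_NO_TLSv1",
    "TLSv1.1": "SSL_OP_NO_TLSv1_1",
    "TLSv1.2": "SSL_OP_NO_TLSv1_2",
}


def parse_ssl_protocols(value: str) -> set[str]:
    """Return the protocol versions an ssl_protocols line leaves enabled.

    Empty value  -> OpenSSL default, everything on.
    "!SSLv2 !SSLv3" -> everything except those two.
    "TLSv1.2"    -> only TLSv1.2 (whitelist form).
    Mixing both forms is rejected here (a modelling choice, so that the
    result is never ambiguous); unknown names are rejected as well.
    """
    tokens = value.split()
    if not tokens:
        return set(OPENSSL_PROTOCOLS)
    disabled = {t[1:] for t in tokens if t.startswith("!")}
    allowed = {t for t in tokens if not t.startswith("!")}
    unknown = (disabled | allowed) - set(OPENSSL_PROTOCOLS)
    if unknown:
        raise ValueError(f"unknown protocol name(s) in ssl_protocols: {sorted(unknown)}")
    if disabled and allowed:
        raise ValueError("ssl_protocols mixes '!PROTO' and 'PROTO' forms")
    return allowed if allowed else set(OPENSSL_PROTOCOLS) - disabled


def openssl_options(enabled: set[str]) -> set[str]:
    """Name the SSL_OP_NO_* flags that would be OR-ed into SSL_CTX_set_options()."""
    return {flag for proto, flag in OPENSSL_PROTOCOLS.items() if proto not in enabled}


def accepts_client_version(enabled: set[str], client_version: str) -> bool:
    """Model the server-side version check on an incoming ClientHello.

    With SSL_OP_NO_SSLv3 set, an SSLv3 hello is refused before any cipher
    negotiation; OpenSSL 1.0.x reports that as
    "SSL23_GET_CLIENT_HELLO:unsupported protocol", the line in the thread.
    """
    return client_version in enabled


if __name__ == "__main__":
    # The two configurations from the thread, side by side.
    for conf in ("!SSLv2 !SSLv3", ""):
        enabled = parse_ssl_protocols(conf)
        print(f"ssl_protocols = {conf!r}")
        print("  enabled :", sorted(enabled))
        print("  options :", sorted(openssl_options(enabled)) or ["(none, OpenSSL default)"])
        print("  SSLv3 ClientHello accepted by version check:",
              accepts_client_version(enabled, "SSLv3"))
```

The takeaway matches Timo's answer: with the line removed nothing in Dovecot refuses SSLv3, so whether an SSLv3 client gets in is up to OpenSSL and the cipher list. To check a live server rather than the model, an `openssl s_client -connect mailhost:993 -ssl3` handshake against imap-login should fail on a correctly configured server, and it should fail without the process dying; a signal 11 there is the bug being reported, not the protocol refusal.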