Алексей Прокопчук
2013-Dec-02 13:41 UTC
[Dovecot] imap-login hangs after receiving revoked SSL certificate
Good time of the day!
My English is not very good, excuse me if I said something wrong.
I use dovecot-2.1.16 on Gentoo Linux amd64.
I need to set up dovecot (imap and pop3) for SSL and non-SSL connections
simultaneously. For SSL connections the client must submit a valid SSL
certificate. Now the SSL part of dovecot.conf looks like this:
-----------------
ssl = yes
ssl_cert = </etc/ssl/dovecot/dovecot.pem
ssl_key = </etc/ssl/dovecot/dovecot.pem
ssl_ca = </etc/ssl/ca/ca.pem
ssl_verify_client_cert = yes
auth_ssl_require_client_cert = yes
protocol !smtp {
auth_ssl_require_client_cert = yes
}
-----------------
All works fine with valid certificates. But if I submit a revoked
certificate, dovecot doesn't send error or success messages to the mail
client, the 'imap-login' process eats 100% CPU and completely hangs. Only
SIGKILL can terminate it. When dovecot receives a revoked certificate, the
following messages appear in the log:
------------------
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate:
certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different
CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 2 13:50:39 mail last message repeated 17950 times
-------------------
If I'm not mistaken, in case of a revoked certificate submission, dovecot
must simply answer "SSL error" or "permission denied" to the client and
close the connection, but according to the log, it tries to check the
certificate again and again in an infinite loop.
I can't understand for now: did I misconfigure something, or is it a bug?
Thanks for attention, with best regards, Alexey Prokopchuk (AP8686-RIPE)
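The log excerpt above is the only visible symptom of the stuck imap-login process: a normally rejected handshake logs each "Invalid certificate" reason once, while the hang produces the same line thousands of times, which syslog collapses into a "last message repeated N times" line. The following detector is an added example, not code from the post or from Dovecot; it parses constructed log lines in the same format as the excerpt, expands the syslog repeat line onto the message it refers to, and flags any verification reason whose count exceeds an assumed threshold.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog excerpt in the post.
# The final "Login:" line is a constructed normal login, not from the post.
SAMPLE_LOG = """\
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
Dec 2 13:50:39 mail last message repeated 17950 times
Dec 2 13:51:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.10
"""

# "Mon D HH:MM:SS host rest" as written by traditional syslog.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Dovecot's client-certificate rejection line: process, reason, subject DN.
INVALID_RE = re.compile(
    r"^dovecot: (?P<proc>[\w-]+): Invalid certificate: (?P<reason>[^:]+): (?P<subject>.*)$")
# Syslog compression of consecutive identical messages.
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def count_invalid_cert_events(log_text):
    """Return {(process, reason, subject): count}, crediting each
    'last message repeated N times' line to the message just before it."""
    counts = Counter()
    last_key = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        rep = REPEAT_RE.match(rest)
        if rep:
            if last_key is not None:
                counts[last_key] += int(rep.group("n"))
            continue
        inv = INVALID_RE.match(rest)
        if inv:
            last_key = (inv.group("proc"), inv.group("reason"), inv.group("subject"))
            counts[last_key] += 1
        else:
            # A repeat line following an unrelated message is not ours.
            last_key = None
    return counts


def find_verify_loops(log_text, threshold=100):
    """Keys repeated at least `threshold` times (assumed cut-off): a rejected
    handshake logs a reason once, so thousands of repeats mean a stuck login."""
    return {k: n for k, n in count_invalid_cert_events(log_text).items() if n >= threshold}
```

On the sample, the "Different CRL scope" line is counted 17951 times and is the only key flagged, matching the single runaway imap-login process described in the post.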
Timo Sirainen
2013-Dec-02 16:19 UTC
[Dovecot] imap-login hangs after receiving revoked SSL certificate
On 2.12.2013, at 15.41, Алексей Прокопчук <alexpro at homelan.lg.ua> wrote:

> I use dovecot-2.1.16 on Gentoo Linux amd64.
>
> All works fine with valid certificates. But if I submit revoked
> certificate, dovecot doesn't send error or success messages to mail
> client, process 'imap-login' eats 100% CPU and completely hangs. Only
> SIGKILL can terminate it. When dovecot receives revoked certificate,
> following messages appears in the log:
>
> ------------------
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate:
> certificate revoked: /O=AP inc./OU=Admins/CN=Alexey Prokopchuk/UID=alexpro
> Dec 2 13:50:26 mail dovecot: imap-login: Invalid certificate: Different
> CRL scope: /CN=AP inc. root certification authority/O=AP inc./C=UA
> Dec 2 13:50:39 mail last message repeated 17950 times
> -------------------

What OpenSSL version are you using? This looks like the same issue:
http://rt.openssl.org/Ticket/Display.html?id=3090&user=guest&pass=guest

Where the fix is in:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4b26645c1a71cf9ce489e4f79fc836760b670ffe

Not sure if Dovecot should be doing something different here, or maybe working around that bug. I think Postfix has the same problem.