Hi,
I've noticed that nmap crashes my imap-login (also pop3-login) and
narrowed it down to `nmap -sV -p 993 $host`. I've noticed that if I
remove "ssl_protocols = !SSLv2 !SSLv3" from my config or enable SSLv3
rather than disabling it the segfault disappears.
I'm running on Arch Linux with dovecot 2.2.16-1 and openssl 1.0.2.a-1.
I've also attached a network capture, but since it's SSL this probably
won't help all that much.
I hope this is enough information to reproduce the issue. If necessary I
can recompile dovecot with debug symbols for a better backtrace.
Thanks,
Florian
dovecot.conf
https://paste.xinu.at/PUsJ/
syslog:
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
> Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
backtrace:
> #0 0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
> #1 0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
> #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
> #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
> #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #9 0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
> #17 0x0000000000402909 in _start ()
nmap output:
>> nmap -sV --packet-trace -p 993 karif
>
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 10:52 CEST
> CONN (0.0426s) TCP localhost > 78.46.56.141:80 => Operation now in progress
> CONN (0.0427s) TCP localhost > 78.46.56.141:443 => Operation now in progress
> NSOCK INFO [0.0650s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.0650s] nsock_connect_udp(): UDP connection requested to 192.168.4.1:53 (IOD #1) EID 8
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 18
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.4.1:53] (79 bytes): .............141.56.46.78.in-addr.arpa..................karif.server-speed.net.
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 34
> NSOCK INFO [0.0650s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [0.0650s] msevent_cancel(): msevent_cancel on event #34 (type READ)
> CONN (0.0656s) TCP localhost > 78.46.56.141:993 => Operation now in progress
> NSOCK INFO [0.1320s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.1330s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #1) EID 8
> NSOCK INFO [0.1550s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [0.1550s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 6000ms) EID 18
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [78.46.56.141:993]
> Service scan sending probe GetRequest to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.1610s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 5000ms) EID 34
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 34 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [6.1840s] nsi_new2(): nsi_new (IOD #2)
> NSOCK INFO [6.1840s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #2) EID 40
> NSOCK INFO [6.2050s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [78.46.56.141:993]
> Service scan sending probe SSLSessionReq to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.2060s] nsock_read(): Read request from IOD #2 [78.46.56.141:993] (timeout: 5000ms) EID 58
> NSOCK INFO [6.2060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [78.46.56.141:993]
> NSOCK INFO [6.2280s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [78.46.56.141:993] (7 bytes): ......(
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 10443): 78.46.56.141:993 is ssl. Version: |TLSv1|||
> NSOCK INFO [6.2280s] nsi_delete(): nsi_delete (IOD #2)
> NSOCK INFO [6.2280s] nsi_new2(): nsi_new (IOD #3)
> NSOCK INFO [6.2280s] nsock_connect_ssl(): SSL connection requested to 78.46.56.141:993/tcp (IOD #3) EID 65
> NSOCK INFO [6.3370s] nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 65 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.3370s] nsock_read(): Read request from IOD #3 [78.46.56.141:993] (timeout: 6000ms) EID 74
> NSOCK INFO [6.3960s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [78.46.56.141:993] (114 bytes)
> Service scan match (Probe NULL matched with NULL line 1312): 78.46.56.141:993 is SSL/imap. Version: |Dovecot imapd|||
> NSOCK INFO [6.3960s] nsi_delete(): nsi_delete (IOD #3)
> Nmap scan report for karif (78.46.56.141)
> Host is up (0.023s latency).
> rDNS record for 78.46.56.141: karif.server-speed.net
> PORT STATE SERVICE VERSION
> 993/tcp open ssl/imap Dovecot imapd
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: imap-login-crash.pcapng.gz
Type: application/gzip
Size: 7625 bytes
Desc: not available
URL:
<http://dovecot.org/pipermail/dovecot/attachments/20150421/df9bc5e5/attachment-0001.bin>
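
A log check for the symptom reported above, as an added example that is not part of the original message or of Dovecot's own tooling: it finds login-process crashes in syslog and attaches any TLS handshake error logged for the same client IP shortly before. The sample lines are constructed from the format shown in the report; the host name, PIDs, addresses and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modeled on the syslog lines in the report above;
# host name, PIDs and addresses (RFC 5737 ranges) are placeholders.
SAMPLE_LOG = """\
Apr 21 10:52:10 mail dovecot[100]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=192.0.2.10, lip=198.51.100.5, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:10 mail dovecot[100]: imap-login: Fatal: master: service(imap-login): child 101 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=192.0.2.10]
Apr 21 11:30:00 mail dovecot[100]: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.77, lip=198.51.100.5, TLS
Apr 21 12:00:00 mail dovecot[100]: pop3-login: Fatal: master: service(pop3-login): child 202 killed with signal 11 (core not dumped - add -D parameter to service pop3-login { executable } [last ip=192.0.2.99]
"""

CRASH_RE = re.compile(
    r"service\((?P<service>[\w-]+)\): child (?P<pid>\d+) killed with "
    r"signal (?P<signal>\d+).*\[last ip=(?P<ip>[^\]]+)\]")
TLS_ERR_RE = re.compile(
    r"rip=(?P<ip>[^,\s]+),.*TLS handshaking: SSL_accept\(\) failed: (?P<err>.+)")

def _ts(line):
    # Syslog omits the year; pin a leap year so "Feb 29" still parses.
    return datetime.strptime("2000 " + line[:15], "%Y %b %d %H:%M:%S")

def find_login_crashes(lines, window=timedelta(seconds=10)):
    """Return one record per crashed login child, with related TLS errors."""
    tls_errors = []  # (time, client ip, OpenSSL error text) seen so far
    crashes = []
    for line in lines:
        m = TLS_ERR_RE.search(line)
        if m:
            tls_errors.append((_ts(line), m["ip"], m["err"].strip()))
            continue
        m = CRASH_RE.search(line)
        if not m:
            continue
        when = _ts(line)
        # Handshake failures from the same client just before the crash.
        related = [err for t, ip, err in tls_errors
                   if ip == m["ip"] and timedelta(0) <= when - t <= window]
        crashes.append({
            "service": m["service"], "pid": int(m["pid"]),
            "signal": int(m["signal"]), "ip": m["ip"],
            "tls_errors": related,
        })
    return crashes

if __name__ == "__main__":
    for crash in find_login_crashes(SAMPLE_LOG.splitlines()):
        print(crash)
```

A crash record with a non-empty `tls_errors` list matches the pattern in the report: a handshake failure and a signal 11 for the same client in the same moment.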