On 04/25/2015 11:55 AM, James wrote:> On 24/04/2015 22:17, Hanno B?ck wrote: > > Hello, > >> I tracked down a tricky bug in dovecot that can cause the imap-login >> and pop3-login processes to crash on handshake failures. >> This can be tested by disabling SSLv3 in the dovecot config >> (ssl_protocols = !SSLv2 !SSLv3) and trying to connect with openssl and >> forced sslv3 (openssl s_client -ssl3 -connect localhost:995). This >> would cause a crash. > > Thank you for your work on this. > > >> I have seen that a bug that is probably rootet in this has been posted >> here before regarding ssl3-disabled configs: >> http://dovecot.org/pipermail/dovecot/2015-March/100188.html > > I made that earlier report. Here is another similar report: > > http://dovecot.org/pipermail/dovecot/2015-April/100576.htmlI was unable to reproduce this nor the first report. Could you describe your environment in more detail? What version of openssl do you have? What is the crash message you are seeing? br, Teemu Huovila
On Sat, 25 Apr 2015 21:36:25 +0300 Teemu Huovila <teemu.huovila at dovecot.fi> wrote:> I was unable to reproduce this nor the first report. Could you > describe your environment in more detail? What version of openssl do > you have? What is the crash message you are seeing?both openssl and dovecot latest (1.0.2a, 2.2.16) on a Gentoo. Please note that it's not dovecot itself that's crashing but pop3-login/imap-login. You don't note these if you haven't some kind of segfault reporting. -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150426/c893ab35/attachment.sig>
On 25.04.2015 20:36, Teemu Huovila wrote:>> [..] http://dovecot.org/pipermail/dovecot/2015-April/100576.html > I was unable to reproduce this nor the first report. Could you > describe your environment in more detail? What version of openssl do > you have? What is the crash message you are seeing?Since there are three people involved I kindly ask you to be more specific as to who should provide which (exact) information. Given you ask for it right after quoting my link all I can tell you is that I provide all the information you ask for (openssl version, crash message) in the link you quoted. Where (openssl, distro, dovecot version) did you try reproducing it? I've asked a friend using debian or centos (don't know which) and he was unable to reproduce so as always they might be patching something, it might not affect old software or they don't link with openssl. I also provide a link to an openssl dev explaining why this happens later in my thread. Here's the openssl bug report about this issue: <https://rt.openssl.org/Ticket/Display.html?id=3818>. Login for the openssl tracker is guest/guest. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150426/e774c3aa/attachment.sig>
On 04/26/2015 04:07 PM, Florian Pritz wrote:> Since there are three people involved I kindly ask you to be more > specific as to who should provide which (exact) information. > > Given you ask for it right after quoting my link all I can tell you is > that I provide all the information you ask for (openssl version, crash > message) in the link you quoted.Sorry if I was not clear. Ive read the link you provided and I have all the information I need for now.> Where (openssl, distro, dovecot version) did you try reproducing it? > I've asked a friend using debian or centos (don't know which) and he was > unable to reproduce so as always they might be patching something, it > might not affect old software or they don't link with openssl.I tried Debain squeeze, CentOS6 and Ubuntu 1404. Seems the issue might require a version of libopenssl, that does not have support for sslv3 compiled in. I have been made aware, that we have a fix for Dovecot in the works. br, Teemu Huovila
On 04/26/2015 01:39 PM, Hanno B?ck wrote:> On Sat, 25 Apr 2015 21:36:25 +0300 > Teemu Huovila <teemu.huovila at dovecot.fi> wrote: > >> I was unable to reproduce this nor the first report. Could you >> describe your environment in more detail? What version of openssl do >> you have? What is the crash message you are seeing? > > both openssl and dovecot latest (1.0.2a, 2.2.16) on a Gentoo. > > Please note that it's not dovecot itself that's crashing but > pop3-login/imap-login. You don't note these if you haven't some kind of > segfault reporting.Thank you for the information. br, Teemu Huovila
Possibly Parallel Threads
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- Invalid memory access / read stack overflow when reading config with zero bytes