James
2015-Mar-21 10:00 UTC
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
On 20/03/2015 18:24, Timo Sirainen wrote:

>> Connecting to dovecot with ssl3 causes imap-login to die:
>>
>> Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
>
> I can't reproduce it. I tried it with the same ssl_* settings you had. Can you get a gdb backtrace from the crash? It says "core dumped", so I guess there should be a core file somewhere. http://dovecot.org/bugreport.html has some more info on how to get it.

Thank you for your interest, here is a dbx trace. This was with OpenSSL 1.0.2a.

(dbx) where
=>[1] ssl3_get_client_hello(s = 0x809b2a0) (optimized), at 0xfe9db0d5 (line ~1362) in "s3_srvr.c"
  [2] ssl3_accept(s = 0x809b2a0) (optimized), at 0xfe9d9892 (line ~357) in "s3_srvr.c"
  [3] SSL_accept(s = 0x809b2a0) (optimized), at 0xfea09f07 (line ~990) in "ssl_lib.c"
  [4] ssl_handshake(proxy = 0x809ba38) (optimized), at 0xfee35c18 (line ~481) in "ssl-proxy-openssl.c"
  [5] ssl_step(proxy = 0x809ba38) (optimized), at 0xfee35ee0 (line ~545) in "ssl-proxy-openssl.c"
  [6] ssl_proxy_flush(proxy = 0x809ba38) (optimized), at 0xfee3680c (line ~817) in "ssl-proxy-openssl.c"
  [7] ssl_proxy_destroy(proxy = 0x809ba38) (optimized), at 0xfee3686b (line ~825) in "ssl-proxy-openssl.c"
  [8] ssl_handle_error(proxy = 0x809ba38, ret = -1, func_name = 0xfee3b2d8 "SSL_accept()") (optimized), at 0xfee35bc0 (line ~465) in "ssl-proxy-openssl.c"
  [9] ssl_handshake(proxy = 0x809ba38) (optimized), at 0xfee35cc9 (line ~483) in "ssl-proxy-openssl.c"
  [10] ssl_step(proxy = 0x809ba38) (optimized), at 0xfee35ee0 (line ~545) in "ssl-proxy-openssl.c"
  [11] ssl_proxy_start(proxy = 0x809ba38) (optimized), at 0xfee36341 (line ~685) in "ssl-proxy-openssl.c"
  [12] client_connected_finish(conn = 0x8047ae0) (optimized), at 0xfee31d62 (line ~151) in "main.c"
  [13] client_connected(conn = 0x8047ae0) (optimized), at 0xfee32148 (line ~246) in "main.c"
  [14] master_service_listen(l = 0x8096b30) (optimized), at 0xfecfac7e (line ~837) in "master-service.c"
  [15] io_loop_call_io(io = 0x8096bd0) (optimized), at 0xfeda764b (line ~501) in "ioloop.c"
  [16] io_loop_handler_run_internal(ioloop = 0x8071d70) (optimized), at 0xfedaa419 (line ~211) in "ioloop-poll.c"
  [17] io_loop_handler_run(ioloop = 0x8071d70) (optimized), at 0xfeda77be (line ~548) in "ioloop.c"
  [18] io_loop_run(ioloop = 0x8071d70) (optimized), at 0xfeda7711 (line ~525) in "ioloop.c"
  [19] master_service_run(service = 0x8071cb8, callback = 0xfee32040 = &`libdovecot-login.so.0.0.0`main.c`client_connected(struct master_service_connection *conn)) (optimized), at 0xfecfa3d7 (line ~569) in "master-service.c"
  [20] login_binary_run(binary = 0x8068c50, argc = 2, argv = 0x8047d4c) (optimized), at 0xfee3294a (line ~470) in "main.c"
  [21] main(argc = 2, argv = 0x8047d4c) (optimized), at 0x8054de7 (line ~706) in "client.c"

>> dovecot.conf had:
>> ssl_protocols = !SSLv2 !SSLv3
>>
>> removing that line stops the core dump and syslog then shows:
>>
>> Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<eqr1ubYRWgB/AAAB>
>>
>> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I thought the ssl_protocols setting did.
>> Do I still need, if I ever needed, the "ssl_protocols = " setting?
>
> All these ssl_* settings just go to OpenSSL without Dovecot (or I) knowing all that much about them. I think you still need it, but maybe it's because your ssl_cipher_list is so limited that it fails the session anyway (just my guess).

I admit I just copied from somewhere else without full understanding. Please, if someone can advise me on settings for ssl_protocols and ssl_cipher_list then I'll use them. Removing "ssl_cipher_list = ", so using the default, does not cure the problem.

James.

James
2015-Mar-21 10:51 UTC
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
On 21/03/2015 10:00, James wrote:

>>> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I
>>> thought the ssl_protocols setting did.
>>> Do I still need, if I ever needed, the "ssl_protocols = " setting?
>>
>> All these ssl_* settings just go to OpenSSL without Dovecot (or I)
>> knowing all that much about them. I think you still need it, but maybe
>> it's because your ssl_cipher_list is so limited that it fails the
>> session anyway (just my guess).

I'd better add this PS: my openssl is compiled with "no-ssl3", which is where the SSL23 unsupported is coming from. I've removed the "no-ssl3" from openssl; indeed it accepts the connection, however, with "ssl_protocols = !SSLv2 !SSLv3" in dovecot.conf imap-login still sig 11s.

James.

Reindl Harald
2015-Mar-21 10:55 UTC
imap-login SSLv3 causes signal 11, core dump and DoS. ssl_protocols = ??
On 21.03.2015 at 11:51, James wrote:

> On 21/03/2015 10:00, James wrote:
>
>>>> the "SSL23_GET_CLIENT_HELLO:unsupported protocol" seems to do what I
>>>> thought the ssl_protocols setting did.
>>>> Do I still need, if I ever needed, the "ssl_protocols = " setting?
>>>
>>> All these ssl_* settings just go to OpenSSL without Dovecot (or I)
>>> knowing all that much about them. I think you still need it, but maybe
>>> it's because your ssl_cipher_list is so limited that it fails the
>>> session anyway (just my guess).
>
> I'd better add this PS, my openssl is compiled with "no-ssl3" which is
> where the SSL23 unsupported is coming from. I've removed the
> "no-ssl3" from openssl indeed it accepts the connection, however, with
> "ssl_protocols = !SSLv2 !SSLv3" in dovecot.conf imap-login still sig 11s

well, remove that brickage of "special compile"
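
Added example, not part of the original thread or of Dovecot: a small Python scan over syslog lines in the format quoted in the messages above. It flags login-service children killed by a signal and counts failed TLS handshakes per remote IP. The sample lines are constructed from the two log lines in the thread, and the function name, field names and threshold are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the two syslog lines quoted in the thread.
SAMPLE_LOG = """\
Mar 20 11:30:35 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21918 killed with signal 11 (core dumped) [last ip=127.0.0.1]
Mar 20 11:30:41 MAILHOST dovecot: [ID 583609 mail.crit] imap-login: Fatal: master: service(imap-login): child 21920 killed with signal 11 (core dumped) [last ip=127.0.0.1]
Mar 20 11:36:25 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:14076102:SSL routines:SSL23_GET_CLIENT_HELLO:unsupported protocol, session=<eqr1ubYRWgB/AAAB>
Mar 20 11:40:02 MAILHOST dovecot: [ID 583609 mail.info] imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
"""

# "child N killed with signal S", optionally with a core dump and the last client IP.
CRASH_RE = re.compile(
    r"service\((?P<service>[\w-]+)\): child (?P<pid>\d+) killed with signal "
    r"(?P<signal>\d+)(?P<core> \(core dumped\))?(?: \[last ip=(?P<ip>[^\]]+)\])?"
)
# A handshake that OpenSSL rejected cleanly (the behaviour seen without the crash).
HANDSHAKE_RE = re.compile(
    r"rip=(?P<ip>[^,\s]+),.*TLS handshaking: SSL_accept\(\) failed: (?P<reason>[^,]+)"
)

def scan(log_text, crash_threshold=2):
    """Return (crashes, handshake failures per IP, IPs with >= threshold crashes)."""
    crashes, handshake_failures = [], Counter()
    for line in log_text.splitlines():
        m = CRASH_RE.search(line)
        if m:
            crashes.append({"service": m["service"], "pid": int(m["pid"]),
                            "signal": int(m["signal"]), "core": bool(m["core"]),
                            "last_ip": m["ip"]})
            continue
        m = HANDSHAKE_RE.search(line)
        if m:
            handshake_failures[m["ip"]] += 1
    per_ip = Counter(c["last_ip"] for c in crashes if c["last_ip"])
    suspects = sorted(ip for ip, n in per_ip.items() if n >= crash_threshold)
    return crashes, handshake_failures, suspects

if __name__ == "__main__":
    crashes, failures, suspects = scan(SAMPLE_LOG)
    for c in crashes:
        print("crash:", c)
    print("handshake failures:", dict(failures))
    print("IPs repeatedly preceding a crash:", suspects)
```
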