On 04/26/2015 04:07 PM, Florian Pritz wrote:> Since there are three people involved I kindly ask you to be more > specific as to who should provide which (exact) information. > > Given you ask for it right after quoting my link all I can tell you is > that I provide all the information you ask for (openssl version, crash > message) in the link you quoted.Sorry if I was not clear. Ive read the link you provided and I have all the information I need for now.> Where (openssl, distro, dovecot version) did you try reproducing it? > I've asked a friend using debian or centos (don't know which) and he was > unable to reproduce so as always they might be patching something, it > might not affect old software or they don't link with openssl.I tried Debain squeeze, CentOS6 and Ubuntu 1404. Seems the issue might require a version of libopenssl, that does not have support for sslv3 compiled in. I have been made aware, that we have a fix for Dovecot in the works. br, Teemu Huovila
On Sun, 26 Apr 2015 21:51:25 +0300 Teemu Huovila <teemu.huovila at dovecot.fi> wrote:> Seems the issue might require a version of libopenssl, that does not > have support for sslv3 compiled in. I have been made aware, that we > have a fix for Dovecot in the works.No that's not true. I have explicitely tried that. You just need to *disable* SSLv3, but that can be done within the config file. -- Hanno B?ck http://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150426/067a634b/attachment.sig>
On 04/26/2015 10:51 PM, Hanno B?ck wrote:> On Sun, 26 Apr 2015 21:51:25 +0300 > Teemu Huovila <teemu.huovila at dovecot.fi> wrote: > >> Seems the issue might require a version of libopenssl, that does not >> have support for sslv3 compiled in. I have been made aware, that we >> have a fix for Dovecot in the works. > > No that's not true. I have explicitely tried that. > You just need to *disable* SSLv3, but that can be done within the > config file.Fair enough. So it needs to be a libopenssl, with sslv3 removed somehow. Conversely, a workaround for this issue would be to enable sslv3, on the library level. Thank you again for your report and patch, Teemu Huovila
Maybe Matching Threads
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login
- [patch] TLS Handshake failures can crash imap-login