[openssl-dev] [openssl.org #3818] [BUG] dovecot imap-login segfault when running nmap -sV

Matt Caswell via RT rt at openssl.org
Thu Apr 23 19:25:45 UTC 2015


On Thu Apr 23 19:51:49 2015, bluewind at xinu.at wrote:
> Hi,
>
> The only reply I've got on the dovecot list so far believes this to be
> an openssl issue so I'm sending this to you guys.
>
> I've noticed that nmap crashes imap-login of my dovecot (also
> pop3-login) and narrowed it down to `nmap -sV -p 993 $host`. I've
> noticed that if I remove "ssl_protocols = !SSLv2 !SSLv3" from my config
> or enable SSLv3 rather than disabling it, the segfault disappears.

Thank you for your detailed description of the issue. I suspect I know what the
problem is. If I'm correct then it's actually OpenSSL being less than forgiving
of a dovecot bug.

In your capture you can see nmap sending an SSLv3 ClientHello message to
OpenSSL, and then OpenSSL responding with a handshake failure alert (as it
should do because you have disabled SSLv3). At this point OpenSSL will return
to dovecot with a fatal error code. The SSL object for the connection should
have no further attempts made to continue to read from it or write to it. If
dovecot does so then it is likely to have bad consequences. My suspicion is
that dovecot has ignored the returned error and attempted to continue with the
connection.

If I'm right, then this is a dovecot bug to fix. Having said that, OpenSSL should
probably be more forgiving of this error condition. Please see attached patch
for 1.0.2a. If this resolves the issue, then it confirms my suspicions. The
patch simply ensures that any subsequent attempt to use the SSL object will
immediately return with an error.

Let me know how you get on.

Matt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: retry-cert-fix.patch
Type: text/x-patch
Size: 1523 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150423/ad079c74/attachment.bin>
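An added Python model of the exchange Matt describes above, written for this page and not taken from the thread, dovecot or OpenSSL: a constructed SSLv3 ClientHello is fed through memory BIOs to a server that has SSLv3 disabled, the handler treats the resulting fatal error as the end of the connection, and a second function shows what the retry Matt suspects gets from current OpenSSL (an immediate error, which is what the attached patch set out to guarantee). Function names are mine; the ClientHello bytes and cipher list are constructed, and Python's ssl module over OpenSSL is assumed.

```python
import ssl
import struct

# Constructed SSLv3 ClientHello: version 0x0300 in record and handshake, no extensions.
def build_sslv3_client_hello():
    suites = b"\x00\x2f\x00\x0a\x00\x05"       # AES128-SHA, 3DES-SHA, RC4-SHA
    body = (b"\x03\x00"                        # client_version = SSLv3
            + b"\x11" * 32                     # client random (constructed)
            + b"\x00"                          # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(hs)) + hs

def make_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3             # same effect as dovecot's "!SSLv3"
    return ctx

# Server-side SSL object fed from memory BIOs: no sockets or certificate needed.
def _start(ctx, client_bytes):
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(client_bytes)
    return conn, outgoing

# Correct handling: a fatal error ends the connection; flush the alert, drop the object.
def serve_handshake(ctx, client_bytes):
    conn, outgoing = _start(ctx, client_bytes)
    try:
        conn.do_handshake()
        return {"state": "established", "alert": outgoing.read()}
    except ssl.SSLWantReadError:
        return {"state": "need_more_data", "alert": b""}  # not fatal: wait for bytes
    except ssl.SSLError as exc:
        return {"state": "closed", "alert": outgoing.read(), "reason": exc.reason}

# The mistake Matt suspects: ignore the fatal error and drive the same object
# again. Returns the class name of the second error (None = handshake continued).
def retry_after_fatal(ctx, client_bytes):
    conn, _ = _start(ctx, client_bytes)
    try:
        conn.do_handshake()
    except ssl.SSLError:
        pass                                   # error ignored: the bug
    try:
        conn.do_handshake()                    # OpenSSL refuses this immediately
        return None
    except OSError as exc:
        return type(exc).__name__
```

serve_handshake returns state "closed" together with the fatal alert record (type 0x15, level 2) that OpenSSL queued for the peer; retry_after_fatal reports the error class raised by the second attempt rather than None.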
