[openssl-dev] [openssl.org #4658] bug: Abort() in 1.0.2h parsing server cert in ASN.1 routine

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 1 22:42:15 UTC 2016


On Thu, Sep 01, 2016 at 01:58:00PM -0700, Quanah Gibson-Mount wrote:

> >The issue only happens when proxying IMAP on port 143 with startTLS or
> >993 (IMAPS).  It does not occur on POP w/ starttls or web traffic (443).
> >It also is only happening with this one particular client, as we have
> >numerous customers (and our own setup) not experiencing this issue.
> >
> >I'll have them supply what's in their keystore that Jetty's using as well.
> 
> Note, when this happens, the nginx log shows:
> 
> 2016/08/22 03:12:10 [info] 530#0: *3326370 SSL_do_handshake() failed (SSL:
> error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate
> unknown:SSL alert number 46) w
> *** Error in `nginx: worker process': free(): invalid size:
> 0x00000000010cf560 ***

If this is the outbound connection from nginx to the backend IMAP
server, then the "alert" is received by nginx from the IMAP server,
which means that it is the IMAP server that fails to authenticate
the client cert used by nginx.

In which case you're looking at the wrong certs:

> The CA certs in play are the same for both the jetty process being proxied
> to, and what nginx is using.  I see nothing unusual about the server cert on
> the jetty side.

Perhaps something goes wrong when the connection fails as a result
of the IMAP server terminating it with an alert.

-- 
	Viktor.
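
An added example, not part of the message above and not OpenSSL or nginx code: a small triage helper that decodes the packed error code in the quoted nginx log line to tell an alert received from the peer apart from a locally raised error. It assumes the OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason) and that SSL-library reason codes from 1000 up are received alerts; the function names and the second sample line are constructed for illustration.

```python
import re

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
# Assumption stated in the lead-in: SSL reasons >= 1000 are "alert received
# from peer", with the alert number added to this offset.
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246, section 7.2.2).
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

# The log line quoted in the thread, re-joined onto one line.
SAMPLE_PEER = ("SSL_do_handshake() failed (SSL: error:14094416:SSL routines:"
               "ssl3_read_bytes:sslv3 alert certificate unknown:"
               "SSL alert number 46)")
# Constructed contrast case: the local side failed to verify the peer's cert.
SAMPLE_LOCAL = ("SSL_do_handshake() failed (SSL: error:14090086:SSL routines:"
                "ssl3_get_server_certificate:certificate verify failed)")

def decode(code_hex):
    """Split a packed error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def received_alert(log_text):
    """Return (alert_number, name) if the peer sent the alert, else None."""
    m = ERR_RE.search(log_text)
    if not m:
        return None
    lib, _func, reason = decode(m.group(1))
    if lib != ERR_LIB_SSL or reason < SSL_AD_REASON_OFFSET:
        return None  # raised locally, not an alert from the other end
    num = reason - SSL_AD_REASON_OFFSET
    return num, ALERTS.get(num, "unknown")

if __name__ == "__main__":
    for line in (SAMPLE_PEER, SAMPLE_LOCAL):
        print(received_alert(line))
```

A non-None result means the remote end rejected what this side presented, so the certificate to inspect is the one this side sent, not the one it received.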

