Re: VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Maxim Dounin
November 20, 2009 09:56PM
Hello!

On Fri, Nov 20, 2009 at 05:15:13PM -0800, Quanah Gibson-Mount wrote:

> --On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin
> <mdounin@mdounin.ru> wrote:
>
> >Hello!
> >
> >
> >>nginx-0.5.37 + security patches
> >>(http://sysoev.ru/nginx/patch.cve-2009-3555.txt, etc)
> >>openssl 0.9.8l
> >>
> >>As I noted, it correctly hangs up HTTPS. It leaves POPS and IMAPS open.
> >
> >Just tested - works ok here.
> >
> >Are you sure you didn't use openssl 0.9.8l s_client for
> >imaps/pop3s tests? It has renegotiation disabled and can't be
> >used for testing ("R" only prints "RENEGOTIATING" and does nothing).
>
> [root@perf11 ~]# /usr/bin/openssl version
> OpenSSL 0.9.7a Feb 19 2003
>
> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
> perf11.lab.zimbra.com:443
> CONNECTED(00000003)
>
> [snip]
>
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : SSLv3
>
> ---
> R
> RENEGOTIATING
> 22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:529:
>
> As you can see, HTTPS correctly hangs up.
>
> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
> perf11.lab.zimbra.com:993
> CONNECTED(00000003)
>
> [snip]
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
> Protocol : SSLv3
>
>
> ---
> * OK IMAP4 ready
> R
> RENEGOTIATING
>
>
> (hang for over 20 minutes)

Which event method do you use? I'm able to reproduce a similar
problem here using select or poll event methods, kqueue works ok.

Looks like the following bug, fixed in 0.7.7:

*) Bugfix: mail proxy SSL connections hanged, if select, poll, or
/dev/poll methods were used.

This bugfix wasn't merged to 0.6.* branch, so it shows similar
behaviour. Both 0.8.* and 0.7.* work ok in all tested cases.

Probably it's just time to upgrade. :)

Note well - I'm not observing an infinite hang, it still times out as
specified in config via the timeout directive (by default after 60s).
If your config implies a timeout shorter than 20 minutes - it may
in fact be a different problem (but likely related).

Maxim Dounin
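
The reading of an `s_client` renegotiation test discussed in this thread, as an added example that is not part of the original posts or of nginx: it classifies a saved session by client version, by what followed `RENEGOTIATING`, and by how long the connection stayed open compared with the mail proxy `timeout`. The function name `classify_reneg`, its result labels, the 5-second slack and the two transcripts (constructed from the output quoted above) are assumptions for illustration.

```shell
#!/bin/sh
# classify_reneg CLIENT_VERSION TRANSCRIPT OPEN_SECS [TIMEOUT_SECS]
#   CLIENT_VERSION  `openssl version` output of the client used for the test
#   TRANSCRIPT      file holding the saved s_client session
#   OPEN_SECS       seconds the session stayed open after typing "R"
#   TIMEOUT_SECS    mail proxy `timeout` value (60 is the default per the reply)
classify_reneg() {
    client=$1 transcript=$2 open_secs=$3 timeout=${4:-60}
    slack=5   # assumed tolerance for a hand-timed measurement

    # A 0.9.8l s_client prints RENEGOTIATING but does nothing, so it proves nothing.
    case $client in
        *0.9.8l*) echo inconclusive-client; return 0 ;;
    esac
    grep -q '^RENEGOTIATING' "$transcript" || { echo not-attempted; return 0; }

    # Keep only what followed the RENEGOTIATING marker.
    after=$(sed -n '/^RENEGOTIATING/,$p' "$transcript" | sed 1d)
    case $after in
        *:error:*) echo refused; return 0 ;;   # server hung up on the handshake
    esac
    # Silence after "R": compare the wait with the configured timeout.
    if [ "$open_secs" -le $((timeout + slack)) ]; then
        echo idle-timeout        # closed by the timeout directive
    else
        echo open-past-timeout   # longer than the timeout explains
    fi
}

# Constructed sample transcripts, trimmed from the sessions quoted in the thread.
samples=$(mktemp -d)
cat > "$samples/https.txt" <<'EOF'
CONNECTED(00000003)
R
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
EOF
cat > "$samples/imaps.txt" <<'EOF'
CONNECTED(00000003)
* OK IMAP4 ready
R
RENEGOTIATING
EOF

old="OpenSSL 0.9.7a Feb 19 2003"
classify_reneg "$old" "$samples/https.txt" 0                    # port 443 session
classify_reneg "$old" "$samples/imaps.txt" 1200                 # 20-minute wait
classify_reneg "OpenSSL 0.9.8l 5 Nov 2009" "$samples/imaps.txt" 1200
```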