Re: VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Quanah Gibson-Mount
November 20, 2009 10:06PM
--On Saturday, November 21, 2009 5:51 AM +0300 Maxim Dounin
<mdounin@mdounin.ru> wrote:

> Hello!
>
> On Fri, Nov 20, 2009 at 05:15:13PM -0800, Quanah Gibson-Mount wrote:
>
>> --On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin
>> <mdounin@mdounin.ru> wrote:
>>
>> > Hello!
>> >
>> >
>> >> nginx-0.5.37 + security patches
>> >> (http://sysoev.ru/nginx/patch.cve-2009-3555.txt, etc)
>> >> openssl 0.9.8l
>> >>
>> >> As I noted, it correctly hangs up HTTPS. It leaves POPS and IMAPS
>> >> open.
>> >
>> > Just tested - works ok here.
>> >
>> > Are you sure you didn't use openssl 0.9.8l s_client for
>> > imaps/pop3s tests? It has renegotiation disabled and can't be
>> > used for testing ("R" only prints "RENEGOTIATING" and does nothing).
>>
>> [root@perf11 ~]# /usr/bin/openssl version
>> OpenSSL 0.9.7a Feb 19 2003
>>
>> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
>> perf11.lab.zimbra.com:443
>> CONNECTED(00000003)
>>
>> [snip]
>>
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>> Protocol : SSLv3
>>
>> ---
>> R
>> RENEGOTIATING
>> 22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>> failure:s3_pkt.c:529:
>>
>> As you can see, HTTPS correctly hangs up.
>>
>> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
>> perf11.lab.zimbra.com:993
>> CONNECTED(00000003)
>>
>> [snip]
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>> Protocol : SSLv3
>>
>>
>> ---
>> * OK IMAP4 ready
>> R
>> RENEGOTIATING
>>
>>
>> (hang for over 20 minutes)
>
> Which event method do you use? I'm able to reproduce similar
> problem here using select or poll event methods, kqueue works ok.
>
> Looks like the following bug, fixed in 0.7.7:
>
> *) Bugfix: mail proxy SSL connections hanged, if select, poll, or
> /dev/poll methods were used.
>
> This bugfix wasn't merged to 0.6.* branch, so it shows similar
> behaviour. Both 0.8.* and 0.7.* work ok in all tested cases.
>
> Probably it's just time to upgrade. :)
>
> Note well - I'm not observing an infinite hang, it still times out as
> specified in config via timeout directive (by default after 60s).
> If your config implies a timeout shorter than 20 minutes - it may
> in fact be a different problem (but likely related).

Thanks for your help in tracking this down! I'll update our bug on
upgrading. ;)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
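
The manual check used in this thread (type "R" in `openssl s_client` and watch what comes back) can be scripted over a saved transcript. The following is an added example, not part of the original messages or of nginx or OpenSSL; the function name `classify_reneg`, its result labels and the sample transcripts are assumptions constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript in which "R" was
# typed to request a client-initiated renegotiation.
# Usage: classify_reneg "<output of 'openssl version'>" < transcript
# Prints: refused | no-response | no-reneg-attempt | client-cannot-test
classify_reneg() {
    client_version=$1
    transcript=$(cat)

    # Per the thread, s_client from openssl 0.9.8l has renegotiation disabled:
    # "R" prints RENEGOTIATING and does nothing, so the run proves nothing.
    case "$client_version" in
        *0.9.8l*) echo "client-cannot-test"; return 0 ;;
    esac

    if ! printf '%s\n' "$transcript" | grep -q '^RENEGOTIATING$'; then
        echo "no-reneg-attempt"
        return 0
    fi
    # Keep only what followed the RENEGOTIATING marker.
    after=$(printf '%s\n' "$transcript" | sed -n '/^RENEGOTIATING$/,$p' | sed '1d')
    if printf '%s\n' "$after" | grep -q 'handshake failure'; then
        echo "refused"      # connection torn down, as on port 443 in the thread
    else
        echo "no-response"  # silence: the hang seen on port 993
    fi
}

# Constructed samples, modelled on the two transcripts quoted in the thread
# (the mail-wrapped error line is rejoined onto one line).
HTTPS_SAMPLE='CONNECTED(00000003)
---
R
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:'
IMAPS_SAMPLE='CONNECTED(00000003)
---
* OK IMAP4 ready
R
RENEGOTIATING'

printf 'https: %s\n' "$(printf '%s\n' "$HTTPS_SAMPLE" | classify_reneg 'OpenSSL 0.9.7a Feb 19 2003')"
printf 'imaps: %s\n' "$(printf '%s\n' "$IMAPS_SAMPLE" | classify_reneg 'OpenSSL 0.9.7a Feb 19 2003')"
```

A `no-response` result only records that nothing followed the request in the captured transcript; compare the wait against the proxy's configured timeout (60s by default, per the reply above) before treating it as a hang.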