[Bug 226323] mail/dovecot: login crashes with libressl 2.6.4 because of "ssl_protocols = !SSLv2" default config

bugzilla-noreply at freebsd.org
Sat Mar 3 11:43:40 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226323

            Bug ID: 226323
           Summary: mail/dovecot: login crashes with libressl 2.6.4
                    because of "ssl_protocols = !SSLv2" default config
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: adamw at FreeBSD.org
          Reporter: m.bueker at berlin.de
             Flags: maintainer-feedback?(adamw at FreeBSD.org)

After the 28.02.2018 update of dovecot, I saw errors in maillog and was unable
to log in:

Mar  1 09:21:21 server roundcube: IMAP Error: Login failed for XXX from XXX. Failed to send LOGIN command in /var/www/rc/program/lib/Roundcube/rcube_imap.php on line 196 (POST /?_task=mail&_action=refresh)
Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
Mar  1 09:21:22 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
Mar  1 09:21:30 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
Mar  1 09:21:30 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 4 secs

I traced the problem to this report, which talks about the default config
option "ssl_protocols = !SSLv2", which fails if SSL has dropped all support for
SSLv2: https://dovecot.org/list/dovecot/2016-November/106114.html

On my system, surprisingly, I found that "ssl_protocols = !SSLv2" is really in
the default config:

# doveconf -d ssl_protocols
ssl_protocols = !SSLv2 !SSLv3

So I followed the workaround advice of overriding the default in 10-ssl.conf:

# doveconf ssl_protocols
ssl_protocols = !SSLv3

In conclusion, since LibreSSL 2.6.4 dropped all support for SSLv2, but dovecot
includes "ssl_protocols = !SSLv2" as a default config option, these errors
occur when logging in.

-- 
You are receiving this mail because:
You are the assignee for the bug.
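
The diagnosis and workaround described in the report, as an added shell example that is not part of the original bug report or of dovecot: it extracts the protocol names dovecot rejected from maillog lines and removes those tokens from the default ssl_protocols value. The function names and the embedded sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: unwrapped maillog lines in the format shown in the report.
SAMPLE_LOG="Mar  1 09:21:22 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'
Mar  1 09:21:22 server dovecot: master: Error: service(imap-login): command startup failed, throttling for 2 secs
Mar  1 09:21:30 server dovecot: imap-login: Fatal: Unknown ssl_protocols setting: Unrecognized protocol 'SSLv2'"

# Hypothetical helper: read log text on stdin and print each protocol name
# that dovecot reported as unrecognized, one per line, without duplicates.
rejected_protocols() {
    sed -n "s/.*dovecot: .*Unknown ssl_protocols setting: Unrecognized protocol '\([^']*\)'.*/\1/p" | sort -u
}

# Hypothetical helper: drop every token that names a rejected protocol
# (with or without a leading "!") from an ssl_protocols value.
#   $1 = current value, e.g. the output of: doveconf -d -h ssl_protocols
#   $2 = whitespace-separated protocol names to remove
strip_protocols() {
    out=""
    for tok in $1; do
        name=${tok#\!}
        keep=1
        for bad in $2; do
            if [ "$name" = "$bad" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out }$tok"; fi
    done
    printf '%s\n' "$out"
}

# The default value is the one quoted in the report.
bad=$(printf '%s\n' "$SAMPLE_LOG" | rejected_protocols)
override=$(strip_protocols '!SSLv2 !SSLv3' "$bad")

# An empty result would mean every token was rejected; do not write it blindly.
if [ -n "$override" ]; then
    echo "ssl_protocols = $override"
fi
```

The printed line is the candidate override for 10-ssl.conf; `doveconf ssl_protocols` shows whether it took effect.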

