VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Maxim Dounin mdounin at mdounin.ru
Sat Nov 21 05:51:01 MSK 2009


Hello!

On Fri, Nov 20, 2009 at 05:15:13PM -0800, Quanah Gibson-Mount wrote:

> --On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin
> <mdounin at mdounin.ru> wrote:
> 
> >Hello!
> >
> >
> >>nginx-0.5.37 + security patches
> >>(<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
> >>openssl 0.9.8l
> >>
> >>As I noted, it correctly hangs up HTTPS.  It leaves POPS and IMAPS open.
> >
> >Just tested - works ok here.
> >
> >Are you sure you aren't using openssl 0.9.8l s_client for
> >imaps/pop3s tests?  It has renegotiation disabled and can't be
> >used for testing ("R" only prints "RENEGOTIATING" and does nothing).
> 
> [root at perf11 ~]# /usr/bin/openssl version
> OpenSSL 0.9.7a Feb 19 2003
> 
> [root at perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
> perf11.lab.zimbra.com:443
> CONNECTED(00000003)
> 
> [snip]
> 
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>    Protocol  : SSLv3
> 
> ---
> R
> RENEGOTIATING
> 22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:529:
> 
> As you can see, HTTPS correctly hangs up.
> 
> [root at perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect
> perf11.lab.zimbra.com:993
> CONNECTED(00000003)
> 
> [snip]
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 1024 bit
> SSL-Session:
>    Protocol  : SSLv3
> 
> 
> ---
> * OK IMAP4 ready
> R
> RENEGOTIATING
> 
> 
> (hang for over 20 minutes)

Which event method do you use?  I'm able to reproduce a similar 
problem here using the select or poll event methods; kqueue works ok.

Looks like the following bug, fixed in 0.7.7:

    *) Bugfix: mail proxy SSL connections hanged, if select, poll, or 
       /dev/poll methods were used.

This bugfix wasn't merged into the 0.6.* branch, so it shows similar 
behaviour.  Both 0.8.* and 0.7.* work ok in all tested cases.

Probably it's just time to upgrade.  :)

Note well - I'm not observing an infinite hang; it still times out as 
specified in the config via the timeout directive (by default after 60s).  
If your config implies a timeout shorter than 20 minutes, it may in 
fact be a different problem (but likely related).

Maxim Dounin
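The thread's test is "send R to openssl s_client and see what the server does", with two caveats that are easy to miss when eyeballing terminal output: a 0.9.8l client prints RENEGOTIATING without actually renegotiating, and "nothing happened" is a hang up to nginx's timeout, not a refusal. The following is an added example (not from the thread or from nginx) that turns captured s_client transcripts into an explicit verdict per service. The transcripts are constructed here, modelled on the ones quoted above; the capture command in the comment, the `Verdict` names and the "continued" heuristic (any further output without a handshake error) are assumptions, and a "continued" result should be confirmed with `-state` or `-msg` rather than taken as proof that renegotiation completed.

```python
import re
from dataclasses import dataclass

# Assumed capture pattern (the poster typed R interactively; piping it
# gives a file you can classify):
#   ( sleep 1; echo R; sleep 10 ) | openssl s_client -connect host:993 > imaps.txt 2>&1


@dataclass(frozen=True)
class Verdict:
    outcome: str  # "refused" | "no_response" | "continued" | "inconclusive"
    reason: str


# 0.9.8l disabled renegotiation on the client side, so its "RENEGOTIATING"
# line is never followed by a handshake: the test proves nothing.
_DISABLED_CLIENT = re.compile(r"\bOpenSSL 0\.9\.8l\b")

# A server that aborts the renegotiation is reported by s_client like this;
# the numeric reason code varies, "ssl handshake failure" does not (the
# \s+ tolerates the line wrap seen in mailed transcripts).
_HANDSHAKE_FAILURE = re.compile(
    r"error:[0-9A-Fa-f]+:SSL routines:\S+:ssl handshake\s+failure"
)

_MARKER = "RENEGOTIATING"


def classify(transcript: str, client_version: str) -> Verdict:
    """Classify one s_client transcript given the output of `openssl version`."""
    if _DISABLED_CLIENT.search(client_version):
        return Verdict("inconclusive", "openssl 0.9.8l s_client cannot initiate renegotiation")
    if _MARKER not in transcript:
        return Verdict("inconclusive", "no renegotiation was attempted in this transcript")
    tail = transcript.split(_MARKER, 1)[1]
    if _HANDSHAKE_FAILURE.search(tail):
        return Verdict("refused", "server aborted the renegotiation handshake")
    if tail.strip() == "":
        return Verdict("no_response", "nothing after RENEGOTIATING: session hung until timeout")
    # Heuristic (assumption): the session kept going without an error, so the
    # server at least did not reject the request; confirm with -state/-msg.
    return Verdict("continued", "output continued without a handshake error")


def check_services(client_version: str, transcripts: dict) -> dict:
    """Map service name -> outcome string for a batch of transcripts."""
    return {name: classify(text, client_version).outcome for name, text in transcripts.items()}


# Constructed transcripts modelled on the thread (not real captures).
HTTPS_TRANSCRIPT = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
---
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
"""

IMAPS_TRANSCRIPT = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : SSLv3
---
* OK IMAP4 ready
RENEGOTIATING
"""

# Constructed: server keeps answering commands after the R (no error printed).
IMAPS_CONTINUED_TRANSCRIPT = IMAPS_TRANSCRIPT + """a1 CAPABILITY
* CAPABILITY IMAP4rev1
a1 OK CAPABILITY completed
"""

OLD_CLIENT = "OpenSSL 0.9.7a Feb 19 2003"     # as in the thread
DISABLED_CLIENT = "OpenSSL 0.9.8l 5 Nov 2009"  # constructed version string


if __name__ == "__main__":
    results = check_services(
        OLD_CLIENT, {"https": HTTPS_TRANSCRIPT, "imaps": IMAPS_TRANSCRIPT}
    )
    for service, outcome in results.items():
        print(f"{service}: {outcome}")
    print("imaps with 0.9.8l client:", classify(IMAPS_TRANSCRIPT, DISABLED_CLIENT).outcome)
```

Run against the thread's two captures this reports `https: refused` and `imaps: no_response`; the second is exactly the select/poll hang described above, and is what a short nginx `timeout` turns into a closed connection rather than a twenty-minute wait.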
