VU#120541/CVE-2009-3555 and IMAPS/POPS with nginx

Quanah Gibson-Mount quanah at zimbra.com
Sat Nov 21 06:01:56 MSK 2009


--On Saturday, November 21, 2009 5:51 AM +0300 Maxim Dounin 
<mdounin at mdounin.ru> wrote:

> Hello!
>
> On Fri, Nov 20, 2009 at 05:15:13PM -0800, Quanah Gibson-Mount wrote:
>
>> --On Saturday, November 21, 2009 3:51 AM +0300 Maxim Dounin
>> <mdounin at mdounin.ru> wrote:
>>
>> > Hello!
>> >
>> >
>> >> nginx-0.5.37 + security patches
>> >> (<http://sysoev.ru/nginx/patch.cve-2009-3555.txt>, etc)
>> >> openssl 0.9.8l
>> >>
>> >> As I noted, it correctly hangs up HTTPS.  It leaves POPS and IMAPS
>> >> open.
>> >
>> > Just tested - works ok here.
>> >
>> > Are you sure you aren't using openssl 0.9.8l s_client for
>> > imaps/pop3s tests?  It has renegotiation disabled and can't be
>> > used for testing ("R" only prints "RENEGOTIATING" and does nothing).
>>
>> [root@perf11 ~]# /usr/bin/openssl version
>> OpenSSL 0.9.7a Feb 19 2003
>>
>> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:443
>> CONNECTED(00000003)
>>
>> [snip]
>>
>> ---
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>    Protocol  : SSLv3
>>
>> ---
>> R
>> RENEGOTIATING
>> 22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
>> failure:s3_pkt.c:529:
>>
>> As you can see, HTTPS correctly hangs up.
>>
>> [root@perf11 ~]# /usr/bin/openssl s_client -ssl3 -connect perf11.lab.zimbra.com:993
>> CONNECTED(00000003)
>>
>> [snip]
>> New, TLSv1/SSLv3, Cipher is AES256-SHA
>> Server public key is 1024 bit
>> SSL-Session:
>>    Protocol  : SSLv3
>>
>>
>> ---
>> * OK IMAP4 ready
>> R
>> RENEGOTIATING
>>
>>
>> (hang for over 20 minutes)
>
> Which event method do you use?  I'm able to reproduce a similar
> problem here using select or poll event methods, kqueue works ok.
>
> Looks like the following bug, fixed in 0.7.7:
>
>     *) Bugfix: mail proxy SSL connections hanged, if select, poll, or
>        /dev/poll methods were used.
>
> This bugfix wasn't merged to the 0.6.* branch, so it shows similar
> behaviour.  Both 0.8.* and 0.7.* work ok in all tested cases.
>
> Probably it's just time to upgrade.  :)
>
> Note well - I'm not observing an infinite hang, it still times out as
> specified in config via timeout directive (by default after 60s).
> If your config implies a timeout shorter than 20 minutes - it may
> in fact be a different problem (but likely related).

Thanks for your help in tracking this down!  I'll update our bug on 
upgrading. ;)

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
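
Added example, not part of the original thread: a small shell helper that classifies a saved `openssl s_client` transcript of the "R" test used above, separating a refused renegotiation (the port 443 result) from silence after `RENEGOTIATING` (the port 993 result) and from a client that cannot run the test at all (0.9.8l). The function names, verdict labels and abridged transcripts are constructed for illustration.

```shell
#!/bin/sh
# classify_reneg CLIENT_VERSION < transcript
#   CLIENT_VERSION: output of `openssl version` on the testing host.
#   Verdict labels are this example's own, not openssl or nginx terms.
classify_reneg() {
    case $1 in
        # The 0.9.8l s_client has renegotiation disabled: "R" prints
        # RENEGOTIATING but does nothing, so the transcript proves nothing.
        *0.9.8l*) echo client-cannot-test; return 0 ;;
    esac
    awk '
        seen && /:error:[0-9A-Fa-f]+:SSL routines:/ { err = 1 }
        seen && NF                                   { after++ }
        /^RENEGOTIATING[ \t\r]*$/                    { seen = 1 }
        END {
            if (!seen)       print "not-attempted"
            else if (err)    print "refused"       # server hung up, as on 443
            else if (!after) print "stalled"       # silence after R, as on 993:
                                                   # not a refusal, not proof of acceptance
            else             print "needs-review"  # other output: inspect by hand
        }'
}

# Constructed sample transcripts, abridged from the two sessions in the thread.
sample_transcript() {
    case $1 in
    https) cat <<'EOF'
CONNECTED(00000003)
---
R
RENEGOTIATING
22917:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:529:
EOF
    ;;
    imaps) cat <<'EOF'
CONNECTED(00000003)
---
* OK IMAP4 ready
R
RENEGOTIATING

EOF
    ;;
    esac
}

for svc in https imaps; do
    printf '%s: %s\n' "$svc" \
        "$(sample_transcript "$svc" | classify_reneg 'OpenSSL 0.9.7a Feb 19 2003')"
done
```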




