Hi, I've noticed that nmap crashes my imap-login (also pop3-login) and narrowed it down to `nmap -sV -p 993 $host`. I've noticed that if I remove "ssl_protocols = !SSLv2 !SSLv3" from my config or enable SSLv3 rather than disabling it the segfault disappears.
I'm running on Arch Linux with dovecot 2.2.16-1 and openssl 1.0.2.a-1. I've also attached a network capture, but since it's SSL this probably won't help all that much. I hope this is enough information to reproduce the issue. If necessary I can recompile dovecot with debug symbols for a better backtrace.

Thanks,
Florian

dovecot.conf https://paste.xinu.at/PUsJ/

syslog:
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
> Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
> Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]

backtrace:
> #0 0x00007f120100260b in ssl3_get_client_hello () from /usr/lib/libssl.so.1.0.0
> #1 0x00007f120100738f in ssl3_accept () from /usr/lib/libssl.so.1.0.0
> #2 0x00007f1201012b36 in ssl3_write_bytes () from /usr/lib/libssl.so.1.0.0
> #3 0x00007f1201906200 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #4 0x00007f12019062d8 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #5 0x00007f1201905f72 in ssl_proxy_destroy () from /usr/lib/dovecot/libdovecot-login.so.0
> #6 0x00007f12019060e4 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #7 0x00007f1201906671 in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #8 0x00007f1201902efa in ?? () from /usr/lib/dovecot/libdovecot-login.so.0
> #9 0x00007f120162d503 in ?? () from /usr/lib/dovecot/libdovecot.so.0
> #10 0x00007f120168d62c in io_loop_call_io () from /usr/lib/dovecot/libdovecot.so.0
> #11 0x00007f120168e665 in io_loop_handler_run_internal () from /usr/lib/dovecot/libdovecot.so.0
> #12 0x00007f120168d699 in io_loop_handler_run () from /usr/lib/dovecot/libdovecot.so.0
> #13 0x00007f120168d718 in io_loop_run () from /usr/lib/dovecot/libdovecot.so.0
> #14 0x00007f120162cb23 in master_service_run () from /usr/lib/dovecot/libdovecot.so.0
> #15 0x00007f1201903788 in login_binary_run () from /usr/lib/dovecot/libdovecot-login.so.0
> #16 0x00007f120127d800 in __libc_start_main () from /usr/lib/libc.so.6
> #17 0x0000000000402909 in _start ()

nmap output:
>> nmap -sV --packet-trace -p 993 karif
>
> Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-21 10:52 CEST
> CONN (0.0426s) TCP localhost > 78.46.56.141:80 => Operation now in progress
> CONN (0.0427s) TCP localhost > 78.46.56.141:443 => Operation now in progress
> NSOCK INFO [0.0650s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.0650s] nsock_connect_udp(): UDP connection requested to 192.168.4.1:53 (IOD #1) EID 8
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 18
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.4.1:53]
> NSOCK INFO [0.0650s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.4.1:53] (79 bytes): .............141.56.46.78.in-addr.arpa..................karif.server-speed.net.
> NSOCK INFO [0.0650s] nsock_read(): Read request from IOD #1 [192.168.4.1:53] (timeout: -1ms) EID 34
> NSOCK INFO [0.0650s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [0.0650s] msevent_cancel(): msevent_cancel on event #34 (type READ)
> CONN (0.0656s) TCP localhost > 78.46.56.141:993 => Operation now in progress
> NSOCK INFO [0.1320s] nsi_new2(): nsi_new (IOD #1)
> NSOCK INFO [0.1330s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #1) EID 8
> NSOCK INFO [0.1550s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [0.1550s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 6000ms) EID 18
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [78.46.56.141:993]
> Service scan sending probe GetRequest to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.1610s] nsock_read(): Read request from IOD #1 [78.46.56.141:993] (timeout: 5000ms) EID 34
> NSOCK INFO [6.1610s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsock_trace_handler_callback(): Callback: READ ERROR [Connection reset by peer (104)] for EID 34 [78.46.56.141:993]
> NSOCK INFO [6.1840s] nsi_delete(): nsi_delete (IOD #1)
> NSOCK INFO [6.1840s] nsi_new2(): nsi_new (IOD #2)
> NSOCK INFO [6.1840s] nsock_connect_tcp(): TCP connection requested to 78.46.56.141:993 (IOD #2) EID 40
> NSOCK INFO [6.2050s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 40 [78.46.56.141:993]
> Service scan sending probe SSLSessionReq to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.2060s] nsock_read(): Read request from IOD #2 [78.46.56.141:993] (timeout: 5000ms) EID 58
> NSOCK INFO [6.2060s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 51 [78.46.56.141:993]
> NSOCK INFO [6.2280s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 58 [78.46.56.141:993] (7 bytes): ......(
> Service scan match (Probe SSLSessionReq matched with SSLSessionReq line 10443): 78.46.56.141:993 is ssl. Version: |TLSv1|||
> NSOCK INFO [6.2280s] nsi_delete(): nsi_delete (IOD #2)
> NSOCK INFO [6.2280s] nsi_new2(): nsi_new (IOD #3)
> NSOCK INFO [6.2280s] nsock_connect_ssl(): SSL connection requested to 78.46.56.141:993/tcp (IOD #3) EID 65
> NSOCK INFO [6.3370s] nsock_trace_handler_callback(): Callback: SSL-CONNECT SUCCESS for EID 65 [78.46.56.141:993]
> Service scan sending probe NULL to 78.46.56.141:993 (tcp)
> NSOCK INFO [6.3370s] nsock_read(): Read request from IOD #3 [78.46.56.141:993] (timeout: 6000ms) EID 74
> NSOCK INFO [6.3960s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 74 [78.46.56.141:993] (114 bytes)
> Service scan match (Probe NULL matched with NULL line 1312): 78.46.56.141:993 is SSL/imap. Version: |Dovecot imapd|||
> NSOCK INFO [6.3960s] nsi_delete(): nsi_delete (IOD #3)
> Nmap scan report for karif (78.46.56.141)
> Host is up (0.023s latency).
> rDNS record for 78.46.56.141: karif.server-speed.net
> PORT STATE SERVICE VERSION
> 993/tcp open ssl/imap Dovecot imapd
>
> Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 6.40 seconds

imap-login-crash.pcapng.gz
Description: application/gzip
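
Added example (not part of the original message and not Dovecot code): a log correlator for the syslog pattern in this report. It joins Dovecot's "killed with signal" record to the kernel segfault record by PID and to TLS handshake errors by remote IP; the function, pattern and variable names are assumptions of this example.

```python
import re

# The three syslog records from the report above, re-joined one per line.
SAMPLE_LOG = """\
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Disconnected (no auth attempts in 6 secs): user=<>, rip=81.217.47.122, lip=78.46.56.141, TLS handshaking: SSL_accept() failed: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
Apr 21 10:52:16 karif dovecot[7849]: imap-login: Fatal: master: service(imap-login): child 7879 killed with signal 11 (core not dumped - add -D parameter to service imap-login { executable } [last ip=81.217.47.122]
Apr 21 10:52:16 karif kernel: imap-login[7879] segfault at f0 ip 00007fb2b8b1360b sp 00007fff926ffd50 error 4 in libssl.so.1.0.0[7fb2b8af3000+6f000]
"""

# Dovecot login disconnect carrying an OpenSSL handshake error for a remote IP.
TLS_ERR = re.compile(r"rip=(?P<ip>[0-9A-Fa-f:.]+),.*SSL_accept\(\) failed: (?P<err>.+)$")
# Dovecot master reporting a child process killed by a signal.
KILLED = re.compile(r"service\((?P<svc>[\w-]+)\): child (?P<pid>\d+) killed with "
                    r"signal (?P<sig>\d+).*?\[last ip=(?P<ip>[^\]]+)\]")
# Kernel segfault record naming the faulting process, PID and mapped object.
SEGV = re.compile(r"kernel:.*? (?P<proc>[\w-]+)\[(?P<pid>\d+)\] segfault at .* in "
                  r"(?P<lib>[^\s\[]+)\[")


def find_login_crashes(log_text):
    """Return one record per Dovecot child killed by a signal, enriched with the
    faulting library (kernel line, joined on PID) and any TLS handshake errors
    logged for the same remote IP."""
    tls_errors, fault_lib, crashes = {}, {}, []
    for line in log_text.splitlines():
        if m := TLS_ERR.search(line):
            tls_errors.setdefault(m["ip"], []).append(m["err"].strip())
        elif m := SEGV.search(line):
            fault_lib[m["pid"]] = m["lib"]
        elif m := KILLED.search(line):
            crashes.append({"service": m["svc"], "pid": m["pid"],
                            "signal": int(m["sig"]), "last_ip": m["ip"]})
    # Join after the scan: the kernel line is logged after the master's line.
    for crash in crashes:
        crash["library"] = fault_lib.get(crash["pid"])
        crash["tls_errors"] = tls_errors.get(crash["last_ip"], [])
    return crashes


if __name__ == "__main__":
    for crash in find_login_crashes(SAMPLE_LOG):
        print(crash)
```

A crash record whose library is libssl and whose remote IP also logged a handshake error is the combination seen in this report; a TLS error line on its own produces no record.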
