imapfilter: core dump on initialisation following disabling of SSL3 in libssl

Bug #1516585 reported by Andy Whitcroft
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| imapfilter (Debian) | Fix Released | Unknown | | |
| imapfilter (Ubuntu) | Fix Released | High | Andy Whitcroft | |

Bug Description

We are seeing coredumps on startup as a result of libssl disabling all SSL3 methods. This leads to the ssl3ctx being NULL which we ignore, leading to explosions later. With debugging added we can see we are failing as below:

    ssl3ctx NULL140680560412304:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1876:

Andy Whitcroft (apw)
Changed in imapfilter (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

The primary issue is we are assuming that an SSL context will always initialise, and run SSL_CTX_load_verify_locations() unconditionally against them:

    /* ssl3ctx ends up NULL once libssl disables its SSLv3 methods. */
    ssl3ctx = SSL_CTX_new(SSLv3_client_method());
    ssl23ctx = SSL_CTX_new(SSLv23_client_method());
    tls1ctx = SSL_CTX_new(TLSv1_client_method());
    #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
    tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
    tls12ctx = SSL_CTX_new(TLSv1_2_client_method());
    #endif

    if (exists_dir(opts.truststore))
            capath = opts.truststore;
    if (exists_file(opts.truststore))
            cafile = opts.truststore;
    /* No NULL checks: every context is passed on unconditionally. */
    SSL_CTX_load_verify_locations(ssl3ctx, cafile, capath);
    SSL_CTX_load_verify_locations(ssl23ctx, cafile, capath);
    SSL_CTX_load_verify_locations(tls1ctx, cafile, capath);
    #if OPENSSL_VERSION_NUMBER >= 0x01000100fL
    SSL_CTX_load_verify_locations(tls11ctx, cafile, capath);
    SSL_CTX_load_verify_locations(tls12ctx, cafile, capath);
    #endif

Changed in imapfilter (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package imapfilter - 1:2.6.2-1ubuntu1

---------------
imapfilter (1:2.6.2-1ubuntu1) xenial; urgency=low

  * Switch to using SSLv23_client_method in all cases to avoid using
    now removed/neutered protocols and increasing forward compatibility.
    (LP: #1516585).

 -- Andy Whitcroft <email address hidden> Mon, 16 Nov 2015 12:49:52 +0000

Changed in imapfilter (Ubuntu):
status: In Progress → Fix Released
Changed in imapfilter (Debian):
status: New → Fix Released
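
The failure mode in this report, as an added illustration that is not imapfilter's code or the uploaded patch: each context is checked before use, contexts libssl refuses to create are skipped, and lookups fall back to the negotiating method, which the released fix uses everywhere. All types and functions here (`method_t`, `ctx_t`, `ctx_new`, `ctx_load_trust`, the `*_method` getters) are hypothetical stand-ins that model libssl's behaviour so the block builds without OpenSSL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for libssl (hypothetical names, not OpenSSL's API): a method getter
 * returns NULL when its protocol is disabled, and ctx_new(NULL) fails. */
typedef struct { const char *name; } method_t;
typedef struct { const method_t *method; int trust_loaded; } ctx_t;
static const method_t NEGOTIATE = { "negotiate" }, TLS1 = { "tls1" };
static const method_t *negotiate_method(void) { return &NEGOTIATE; }
static const method_t *tls1_method(void) { return &TLS1; }
static const method_t *ssl3_method(void) { return NULL; } /* SSLv3 disabled */
static ctx_t *ctx_new(const method_t *m) {
    ctx_t *c = m ? calloc(1, sizeof *c) : NULL; /* NULL method -> NULL ctx */
    if (c) c->method = m;
    return c;
}
static void ctx_load_trust(ctx_t *c) { c->trust_loaded = 1; } /* crashes on NULL */

enum { SLOT_SSL3, SLOT_AUTO, SLOT_TLS1, NSLOTS };
static const char *slot_names[NSLOTS] = { "ssl3", "auto", "tls1" };
static ctx_t *slots[NSLOTS];

/* Create every context but touch only those that exist. Returns the number
 * of usable contexts, or -1 if even the negotiating context is missing. */
int init_contexts(void) {
    const method_t *(*getters[NSLOTS])(void) = { ssl3_method, negotiate_method, tls1_method };
    int usable = 0;
    for (int i = 0; i < NSLOTS; i++) {
        slots[i] = ctx_new(getters[i]());
        if (slots[i] == NULL) continue;  /* e.g. ssl3: skip, never dereference */
        ctx_load_trust(slots[i]);
        usable++;
    }
    return slots[SLOT_AUTO] ? usable : -1;
}

/* Map a configured protocol name to a context; fall back to negotiation. */
const ctx_t *pick_context(const char *wanted) {
    for (int i = 0; i < NSLOTS; i++)
        if (strcmp(wanted, slot_names[i]) == 0 && slots[i] != NULL)
            return slots[i];
    return slots[SLOT_AUTO];
}

int main(void) {
    if (init_contexts() < 0) return 1;
    return puts(pick_context("ssl3")->method->name) == EOF;
}
```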