Subject: TLS and Cyrus-Imapd
To: netbsd-bugs <netbsd-bugs@netbsd.org>
From: Brent Newson <brent.newson@baldey.net>
List: netbsd-bugs
Date: 11/20/2001 10:02:06
Hi all, can anyone please help with the following:
I have NetBSD 1.5.2 running the following relevant packages:
cyrus-imapd-2.0.16
perl-5.6.1nb6
db3-2.9.2
openssl-0.9.6nb2
cyrus-sasl-1.5.24nb3
All the packages have been set up with default configurations:
I can successfully log into this mail server using IMAP on port 143, but
when I try to use IMAP over SSL I get the following error:
esme master[1529]: process 1539 exited, signaled to death by 11
Nov 16 13:02:35 esme imapd[1540]: TLS engine: cannot load CA data
Nov 16 13:02:35 esme imapd[1540]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Nov 16 13:02:35 esme imapd[1540]: Undefined error: 0, closing connection
When I try to use the imtest utility from Cyrus I get the following:
bash-2.05# imtest -t "" localhost
C: C01 CAPABILITY
S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
S01 OK Begin TLS negotiation now
Nov 16 13:07:51 esme imapd[1563]: TLS engine: cannot load CA data
Nov 16 13:07:51 esme imapd[1563]: TLS engine: No CA file specified. Client side certs may not work
verify error:num=18:self signed certificate
Segmentation fault (core dumped)
Nov 16 13:07:51 esme imapd[1563]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
bash-2.05# Nov 16 13:07:51 esme imapd[1563]: Undefined error: 0, closing connection
When I uninstall and reinstall specifying -DEBUG=1 I get the following
error after running:
imapd: illegal option -- s
imapd: illegal option -- d
imapd: illegal option -- 9
imapd: illegal option -- d
imapd: illegal option -- 9
This to me suggests that the master process is trying to call the imapd
daemon with the -s switch that starts IMAP over SSL, but the imapd daemon
is reporting back that this isn't an option?
Below is the output from running the imtest program under gdb:
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/pkgsrc/mail/cyrus-imapd/work/cyrus-imapd-2.0.16/imtest/imtest -t "" esme
Cannot insert breakpoint 8:
Nov 19 21:26:05 esme imapd[839]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Temporarily disabling shared library breakpoints:
8 9 10 11 13 14
Nov 19 21:26:05 esme imapd[839]: Undefined error: 0, closing connection
C: C01 CAPABILITY
S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Nov 19 21:26:05 esme imapd[849]: TLS engine: cannot load CA data
Nov 19 21:26:05 esme imapd[849]: TLS engine: No CA file specified. Client side certs may not work
S01 OK Begin TLS negotiation now
Breakpoint 3, tls_init_clientengine (verifydepth=10,
var_tls_cert_file=0xbfbfdc56 "", var_tls_key_file=0xbfbfdc56 "")
at imtest.c:304
304 int off = 0;
(gdb) info locals
off = 134543444
verify_flags = 76
CApath = 0x1004 <Error reading address 0x1004: Invalid argument>
CAfile = 0x804ca8b "\211CD\307C@"
c_cert_file = 0xbfbfd6c4 "\367\307\004\b\n"
c_key_file = 0x1004 <Error reading address 0x1004: Invalid argument>
(gdb) info variables
All defined variables:
File imtest.c:
sasl_conn_t *conn;
struct protstream *pin;
struct protstream *pout;
int sock;
int tls_cipher_algbits;
char *tls_cipher_name;
int tls_cipher_usebits;
char *tls_issuer_CN;
char *tls_peer_CN;
char *tls_protocol;
char *var_tls_CAfile;
char *var_tls_CApath;
int verbose;
static char *authname;
static sasl_callback_t callbacks[0];
static int do_dump;
static char fingerprint[108];
static char issuer_CN[256];
static unsigned char md[36];
static char peer_CN[256];
---Type <return> to continue, or q <return> to quit---
static char peer_issuer[256];
static char peer_subject[256];
static char *realm;
static SSL *tls_conn;
static SSL_CTX *tls_ctx;
static char *username;
static int verify_depth;
static int verify_error;
Non-debugging symbols:
0804f7b0 __progname
0804f7b4 __ps_strings
0804f838 rsa_tmp.12
0804fae0 optarg
0804fae4 optind
0804fae8 __sF
080500e0 errbuf.34
080501e0 __mainprog_obj
080501e4 environ
4805eccf WS.18
4805f7f8 __sys_nerr14
4805fafa __infinity
4805fb20 _C_toupper_
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) list
299 * The skeleton of this function is taken from OpenSSL apps/s_client.c.
300 */
301
302 static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char *var_tls_key_file)
303 {
304 int off = 0;
305 int verify_flags = SSL_VERIFY_NONE;
306 char *CApath;
307 char *CAfile;
308 char *c_cert_file;
(gdb) cont
Continuing.
Breakpoint 1, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
at imtest.c:468
468 if (verbose==1)
(gdb) list
463 unsigned int n;
464 SSL_SESSION *session;
465 SSL_CIPHER *cipher;
466 X509 *peer;
467
468 if (verbose==1)
469 printf("setting up TLS connection\n");
470
471 if (tls_conn == NULL) {
472 tls_conn = (SSL *) SSL_new(tls_ctx);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
473 }
474 if (tls_conn == NULL) {
475 printf("Could not allocate 'con' with SSL_new()\n");
476 return IMTEST_FAIL;
477 }
478 SSL_clear(tls_conn);
479
480 if (!SSL_set_fd(tls_conn, sock)) {
481 printf("SSL_set_fd failed\n");
482 return IMTEST_FAIL;
(gdb) cont
Continuing.
Breakpoint 15, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
at imtest.c:488
488 SSL_set_connect_state(tls_conn);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
483 }
484 /*
485 * This is the actual handshake routine. It will do all the negotiations
486 * and will check the client cert etc.
487 */
488 SSL_set_connect_state(tls_conn);
489
490
491 /*
492 * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) info tls_conn
Undefined info command: "tls_conn". Try "help info".
(gdb) info locals tls_conn
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) info variables tls_conn
All variables matching regular expression "tls_conn":
File imtest.c:
static SSL *tls_conn;
(gdb) print tls_conn
$1 = (SSL *) 0x8056300
(gdb) print *tls_conn
$2 = {version = 769, type = 0, method = 0x4827a560, rbio = 0x8054380,
wbio = 0x8054380, bbio = 0x0, rwstate = 1, in_handshake = 0,
handshake_func = 0, server = 0, new_session = 0, quiet_shutdown = 0,
shutdown = 0, state = 20480, rstate = 240, init_buf = 0x0, init_num = 0,
init_off = 0, packet = 0x0, packet_length = 0, s2 = 0x0, s3 = 0x8053400,
read_ahead = 0, hit = 0, purpose = 0, trust = 0, cipher_list = 0x0,
cipher_list_by_id = 0x0, enc_read_ctx = 0x0, read_hash = 0x0, expand = 0x0,
enc_write_ctx = 0x0, write_hash = 0x0, compress = 0x0, cert = 0x8059600,
sid_ctx_length = 0, sid_ctx = '\000' <repeats 31 times>, session = 0x0,
verify_mode = 0, verify_depth = -1,
verify_callback = 0x804a0dc <verify_callback>, info_callback = 0, error = 0,
error_code = 0, ctx = 0x8056200, debug = 0, verify_result = 0, ex_data = {
sk = 0x0, dummy = 0}, client_CA = 0x0, references = 1, options = 1048575,
mode = 0, first_packet = 0, client_version = 769}
(gdb) break 489
Breakpoint 17 at 0x804aa96: file imtest.c, line 489.
(gdb) cont
Continuing.
Breakpoint 13, 0x4826a7f0 in SSL_set_connect_state ()
(gdb) cont
Continuing.
Breakpoint 17, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
at imtest.c:496
496 if (verbose==1)
(gdb) list
491 /*
492 * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
493 * Well there is a BIO below the SSL routines that is automatically
494 * created for us, so we can use it for debugging purposes.
495 */
496 if (verbose==1)
497 BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499 /* Dump the negotiation for loglevels 3 and 4 */
500 if (verbose==1)
(gdb) list 488
483 }
484 /*
485 * This is the actual handshake routine. It will do all the negotiations
486 * and will check the client cert etc.
487 */
488 SSL_set_connect_state(tls_conn);
489
490
491 /*
492 * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) list
493 * Well there is a BIO below the SSL routines that is automatically
494 * created for us, so we can use it for debugging purposes.
495 */
496 if (verbose==1)
497 BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499 /* Dump the negotiation for loglevels 3 and 4 */
500 if (verbose==1)
501 do_dump = 1;
502
(gdb) break 598
Breakpoint 18 at 0x804ad85: file imtest.c, line 598.
(gdb) break 498
Breakpoint 19 at 0x804aab6: file imtest.c, line 498.
(gdb) info variables vio_dump_cb
All variables matching regular expression "vio_dump_cb":
(gdb) info variables bio_dump_cb
All variables matching regular expression "bio_dump_cb":
(gdb) info locals bio_dump_cb
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) cont
Continuing.
Breakpoint 19, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
at imtest.c:500
500 if (verbose==1)
(gdb) list
495 */
496 if (verbose==1)
497 BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499 /* Dump the negotiation for loglevels 3 and 4 */
500 if (verbose==1)
501 do_dump = 1;
502
503 if ((sts = SSL_connect(tls_conn)) < 0) {
504 printf("SSL_connect error %d\n", sts);
(gdb) break 504
Breakpoint 20 at 0x804aae2: file imtest.c, line 504.
(gdb) list
505 session = SSL_get_session(tls_conn);
506 if (session) {
507 SSL_CTX_remove_session(tls_ctx, session);
508 printf("SSL session removed\n");
509 }
510 if (tls_conn!=NULL)
511 SSL_free(tls_conn);
512 tls_conn = NULL;
513 return IMTEST_FAIL;
514 }
(gdb) break 515
Breakpoint 21 at 0x804ab58: file imtest.c, line 515.
(gdb) cont
Continuing.
Breakpoint 14, 0x4826a374 in SSL_connect ()
(gdb) cont
Continuing.
Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) cont
Continuing.
Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) disable 10
(gdb) cont
Continuing.
verify error:num=18:self signed certificate
Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb)
The SSL_connect library was called just before the program failed; could
this mean the library has bugs in it?
I have had the same versions of all the packages working fine on a
Red Hat 7.2 Linux box, and have tried installing NetBSD 1.5.2 and the same
packages on another machine, but I get the same results.
Any help would be great on this as I've been trying to get it sorted out
for a week now!
Thanks in advance for any help or suggestions!
--
Cheers
Brent Newson
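As an added example, not part of Brent's post or of Cyrus itself: a Python checker that parses the imapd "starttls:" log line format and the CAPABILITY response shown above, flags a session logged with cipher (NONE) and 0 bits as unprotected, and includes a live STARTTLS probe that keeps certificate verification on. The probe's host, port and cafile arguments and the second ("healthy") log line are assumptions I constructed for illustration.

```python
import re
import ssl
import imaplib

# Cyrus imapd logs one line per TLS session as
# "starttls: <proto> with cipher <name> (<use>/<alg> bits) <auth>"
STARTTLS_RE = re.compile(
    r"starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<usebits>\d+)/(?P<algbits>\d+) bits\) (?P<auth>.*)$")

# Sample lines: the first is the failing line from the post rejoined onto one
# line; the second is a constructed healthy session used for comparison.
BROKEN_LINE = ("Nov 16 13:02:35 esme imapd[1540]: starttls: TLSv1 with cipher "
               "(NONE) (0/0 bits) no authentication")
HEALTHY_LINE = ("Nov 16 13:05:00 esme imapd[1550]: starttls: TLSv1 with cipher "
                "AES256-SHA (256/256 bits) no authentication")  # constructed
CAP_LINE = ("* CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID "
            "NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT "
            "THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE")

def parse_starttls_log(line):
    """Return the negotiated TLS parameters from one imapd syslog line, or None."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["usebits"], d["algbits"] = int(d["usebits"]), int(d["algbits"])
    d["client_authenticated"] = d["auth"].startswith("authenticated as")
    return d

def tls_session_is_protected(line):
    """False when the server negotiated no cipher at all, as in the post."""
    d = parse_starttls_log(line)
    return d is not None and d["cipher"] != "(NONE)" and d["usebits"] > 0

def parse_capabilities(line):
    """Split an untagged '* CAPABILITY ...' response into a set of tokens."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "*" or toks[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY response")
    return set(t.upper() for t in toks[2:])

def starttls_probe(host, port=143, cafile=None):
    """Live check (hypothetical usage): STARTTLS with verification on, returns (cipher, proto, bits)."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies server cert and hostname
    imap = imaplib.IMAP4(host, port)
    if "STARTTLS" not in imap.capabilities:
        raise RuntimeError("server does not advertise STARTTLS")
    imap.starttls(ssl_context=ctx)  # raises ssl.SSLError if the cert does not verify
    negotiated = imap.sock.cipher()
    imap.logout()
    return negotiated
```

Running the two parsers over the server's syslog is the cheap way to spot sessions that reached "starttls:" without any cipher, which is exactly the condition preceding the segfault in the post.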