Subject: TLS and Cyrus-Imapd
To: netbsd-help <netbsd-help@netbsd.org>
From: Brent Newson <brent.newson@baldey.net>
List: netbsd-help
Date: 11/20/2001 09:53:28
Hi all, can anyone please help with the following:
I have NetBSD 1.5.2 running the following relevant packages:
cyrus-imapd-2.0.16
perl-5.6.1nb6
db3-2.9.2
openssl-0.9.6nb2
cyrus-sasl-1.5.24nb3
All the packages have been set up with default configurations:
I can successfully log into this mail server using imap on port 143 but
when I try to use imap over ssl I get the following error:
esme master[1529]: process 1539 exited, signaled to death by 11
Nov 16 13:02:35 esme imapd[1540]: TLS engine: cannot load CA data
Nov 16 13:02:35 esme imapd[1540]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Nov 16 13:02:35 esme imapd[1540]: Undefined error: 0, closing connection
When I try to use the imtest utility from cyrus I get the following:
bash-2.05# imtest -t "" localhost
C: C01 CAPABILITY
S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
S01 OK Begin TLS negotiation now
Nov 16 13:07:51 esme imapd[1563]: TLS engine: cannot load CA data
Nov 16 13:07:51 esme imapd[1563]: TLS engine: No CA file specified. Client side certs may not work
verify error:num=18:self signed certificate
Segmentation fault (core dumped)
Nov 16 13:07:51 esme imapd[1563]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
bash-2.05# Nov 16 13:07:51 esme imapd[1563]: Undefined error: 0, closing connection
When I uninstall and reinstall specifying -DEBUG=1 I get the following
error after running:
imapd: illegal option -- s
imapd: illegal option -- d
imapd: illegal option -- 9
imapd: illegal option -- d
imapd: illegal option -- 9
This to me suggests that the master process is trying to call the imapd
daemon with the -s switch that starts imap over ssl but the imapd daemon
is reporting back that this isn't an option?
Below is the output from running the imtest program under gdb:
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/pkgsrc/mail/cyrus-imapd/work/cyrus-imapd-2.0.16/imtest/imtest -t "" esme
Cannot insert breakpoint 8:
Nov 19 21:26:05 esme imapd[839]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Temporarily disabling shared library breakpoints:
8 9 10 11 13 14
Nov 19 21:26:05 esme imapd[839]: Undefined error: 0, closing connection
C: C01 CAPABILITY
S: * OK esme.webscreen-technology.com Cyrus IMAP4 v2.0.16 server ready
S: * CAPABILITY IMAP4 IMAP4rev1 ACL QUOTA LITERAL+ NAMESPACE UIDPLUS ID NO_ATOMIC_RENAME UNSELECT MULTIAPPEND SORT THREAD=ORDEREDSUBJECT THREAD=REFERENCES IDLE STARTTLS AUTH=ANONYMOUS AUTH=DIGEST-MD5 AUTH=CRAM-MD5 X-NETSCAPE
S: C01 OK Completed
Nov 19 21:26:05 esme imapd[849]: TLS engine: cannot load CA data
Nov 19 21:26:05 esme imapd[849]: TLS engine: No CA file specified. Client side certs may not work
S01 OK Begin TLS negotiation now
Breakpoint 3, tls_init_clientengine (verifydepth=10, var_tls_cert_file=0xbfbfdc56 "", var_tls_key_file=0xbfbfdc56 "")
    at imtest.c:304
304         int off = 0;
(gdb) info locals
off = 134543444
verify_flags = 76
CApath = 0x1004 <Error reading address 0x1004: Invalid argument>
CAfile = 0x804ca8b "\211CDÇC@"
c_cert_file = 0xbfbfd6c4 "÷Ç\004\b\n"
c_key_file = 0x1004 <Error reading address 0x1004: Invalid argument>
(gdb) info variables
All defined variables:
File imtest.c:
sasl_conn_t *conn;
struct protstream *pin;
struct protstream *pout;
int sock;
int tls_cipher_algbits;
char *tls_cipher_name;
int tls_cipher_usebits;
char *tls_issuer_CN;
char *tls_peer_CN;
char *tls_protocol;
char *var_tls_CAfile;
char *var_tls_CApath;
int verbose;
static char *authname;
static sasl_callback_t callbacks[0];
static int do_dump;
static char fingerprint[108];
static char issuer_CN[256];
static unsigned char md[36];
static char peer_CN[256];
---Type <return> to continue, or q <return> to quit---
static char peer_issuer[256];
static char peer_subject[256];
static char *realm;
static SSL *tls_conn;
static SSL_CTX *tls_ctx;
static char *username;
static int verify_depth;
static int verify_error;
Non-debugging symbols:
0804f7b0 __progname
0804f7b4 __ps_strings
0804f838 rsa_tmp.12
0804fae0 optarg
0804fae4 optind
0804fae8 __sF
080500e0 errbuf.34
080501e0 __mainprog_obj
080501e4 environ
4805eccf WS.18
4805f7f8 __sys_nerr14
4805fafa __infinity
4805fb20 _C_toupper_
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) list
299  * The skeleton of this function is taken from OpenSSL apps/s_client.c.
300  */
301
302 static int tls_init_clientengine(int verifydepth, char *var_tls_cert_file, char *var_tls_key_file)
303 {
304         int off = 0;
305         int verify_flags = SSL_VERIFY_NONE;
306         char *CApath;
307         char *CAfile;
308         char *c_cert_file;
(gdb) cont
Continuing.
Breakpoint 1, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
    at imtest.c:468
468         if (verbose==1)
(gdb) list
463         unsigned int n;
464         SSL_SESSION *session;
465         SSL_CIPHER *cipher;
466         X509 *peer;
467
468         if (verbose==1)
469             printf("setting up TLS connection\n");
470
471         if (tls_conn == NULL) {
472             tls_conn = (SSL *) SSL_new(tls_ctx);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
473         }
474         if (tls_conn == NULL) {
475             printf("Could not allocate 'con' with SSL_new()\n");
476             return IMTEST_FAIL;
477         }
478         SSL_clear(tls_conn);
479
480         if (!SSL_set_fd(tls_conn, sock)) {
481             printf("SSL_set_fd failed\n");
482             return IMTEST_FAIL;
(gdb) cont
Continuing.
Breakpoint 15, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
    at imtest.c:488
488         SSL_set_connect_state(tls_conn);
(gdb) info locals
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) list
483         }
484         /*
485          * This is the actual handshake routine. It will do all the negotiations
486          * and will check the client cert etc.
487          */
488         SSL_set_connect_state(tls_conn);
489
490
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) info tls_conn
Undefined info command: "tls_conn". Try "help info".
(gdb) info locals tls_conn
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) info variables tls_conn
All variables matching regular expression "tls_conn":
File imtest.c:
static SSL *tls_conn;
(gdb) print tls_conn
$1 = (SSL *) 0x8056300
(gdb) print *tls_conn
$2 = {version = 769, type = 0, method = 0x4827a560, rbio = 0x8054380,
  wbio = 0x8054380, bbio = 0x0, rwstate = 1, in_handshake = 0,
  handshake_func = 0, server = 0, new_session = 0, quiet_shutdown = 0,
  shutdown = 0, state = 20480, rstate = 240, init_buf = 0x0, init_num = 0,
  init_off = 0, packet = 0x0, packet_length = 0, s2 = 0x0, s3 = 0x8053400,
  read_ahead = 0, hit = 0, purpose = 0, trust = 0, cipher_list = 0x0,
  cipher_list_by_id = 0x0, enc_read_ctx = 0x0, read_hash = 0x0, expand = 0x0,
  enc_write_ctx = 0x0, write_hash = 0x0, compress = 0x0, cert = 0x8059600,
  sid_ctx_length = 0, sid_ctx = '\000' <repeats 31 times>, session = 0x0,
  verify_mode = 0, verify_depth = -1,
  verify_callback = 0x804a0dc <verify_callback>, info_callback = 0, error = 0,
  error_code = 0, ctx = 0x8056200, debug = 0, verify_result = 0, ex_data = {
    sk = 0x0, dummy = 0}, client_CA = 0x0, references = 1, options = 1048575,
  mode = 0, first_packet = 0, client_version = 769}
(gdb) break 489
Breakpoint 17 at 0x804aa96: file imtest.c, line 489.
(gdb) cont
Continuing.
Breakpoint 13, 0x4826a7f0 in SSL_set_connect_state ()
(gdb) cont
Continuing.
Breakpoint 17, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
    at imtest.c:496
496         if (verbose==1)
(gdb) list
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
493          * Well there is a BIO below the SSL routines that is automatically
494          * created for us, so we can use it for debugging purposes.
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
(gdb) list 488
483         }
484         /*
485          * This is the actual handshake routine. It will do all the negotiations
486          * and will check the client cert etc.
487          */
488         SSL_set_connect_state(tls_conn);
489
490
491         /*
492          * We do have an SSL_set_fd() and now suddenly a BIO_ routine is called?
(gdb) list
493          * Well there is a BIO below the SSL routines that is automatically
494          * created for us, so we can use it for debugging purposes.
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
501             do_dump = 1;
502
(gdb) break 598
Breakpoint 18 at 0x804ad85: file imtest.c, line 598.
(gdb) break 498
Breakpoint 19 at 0x804aab6: file imtest.c, line 498.
(gdb) info variables vio_dump_cb
All variables matching regular expression "vio_dump_cb":
(gdb) info variables bio_dump_cb
All variables matching regular expression "bio_dump_cb":
(gdb) info locals bio_dump_cb
sts = -1077945568
j = 1048575
n = 0
session = (SSL_SESSION *) 0x0
cipher = (SSL_CIPHER *) 0x0
peer = (X509 *) 0x0
(gdb) cont
Continuing.
Breakpoint 19, tls_start_clienttls (layer=0xbfbfd6d8, authid=0xbfbfd6dc)
    at imtest.c:500
500         if (verbose==1)
(gdb) list
495          */
496         if (verbose==1)
497             BIO_set_callback(SSL_get_rbio(tls_conn), bio_dump_cb);
498
499         /* Dump the negotiation for loglevels 3 and 4 */
500         if (verbose==1)
501             do_dump = 1;
502
503         if ((sts = SSL_connect(tls_conn)) < 0) {
504             printf("SSL_connect error %d\n", sts);
(gdb) break 504
Breakpoint 20 at 0x804aae2: file imtest.c, line 504.
(gdb) list
505             session = SSL_get_session(tls_conn);
506             if (session) {
507                 SSL_CTX_remove_session(tls_ctx, session);
508                 printf("SSL session removed\n");
509             }
510             if (tls_conn!=NULL)
511                 SSL_free(tls_conn);
512             tls_conn = NULL;
513             return IMTEST_FAIL;
514         }
(gdb) break 515
Breakpoint 21 at 0x804ab58: file imtest.c, line 515.
(gdb) cont
Continuing.

Breakpoint 14, 0x4826a374 in SSL_connect ()
(gdb) cont
Continuing.

Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) cont
Continuing.

Breakpoint 10, 0x4815d2ff in X509_get_issuer_name ()
(gdb) disable 10
(gdb) cont
Continuing.
verify error:num=18:self signed certificate

Program received signal SIGSEGV, Segmentation fault.
0x0 in ?? ()
(gdb)
The SSL_connect library was called just before the program failed; could
this mean the library has bugs in it?
Any help would be great on this as I've been trying to get it sorted out
for a week now!
Thanks in Advance for any help or suggestions!
--
Cheers
Brent Newson
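As an added example, not part of the post above and not Cyrus code, here is a small Python detector run over the imapd/master syslog lines quoted in the message (reproduced with uniform timestamps, plus one constructed healthy STARTTLS line for contrast). It flags the three things a monitoring rule for this failure mode would key on: a child killed by signal 11, a CA bundle that could not be loaded, and a STARTTLS session that completed with cipher (NONE) and 0 bits.

```python
import re

# Constructed sample: the syslog lines from the post, given uniform timestamps,
# plus one healthy STARTTLS line (constructed) that must not be flagged.
SAMPLE_LOG = """\
Nov 16 13:02:35 esme master[1529]: process 1539 exited, signaled to death by 11
Nov 16 13:02:35 esme imapd[1540]: TLS engine: cannot load CA data
Nov 16 13:02:35 esme imapd[1540]: starttls: TLSv1 with cipher (NONE) (0/0 bits) no authentication
Nov 16 13:02:35 esme imapd[1540]: Undefined error: 0, closing connection
Nov 16 13:07:51 esme imapd[1563]: TLS engine: No CA file specified. Client side certs may not work
Nov 16 13:10:02 esme imapd[1601]: starttls: TLSv1 with cipher DES-CBC3-SHA (168/168 bits) no authentication
"""

# Generic BSD syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Cyrus STARTTLS summary line as it appears in the post.
STARTTLS_RE = re.compile(
    r"^starttls: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<usebits>\d+)/(?P<algbits>\d+) bits\)")
# Cyrus master reporting a child that died from a signal.
SIGNAL_RE = re.compile(r"^process (?P<child>\d+) exited, signaled to death by (?P<sig>\d+)$")
CA_PROBLEMS = ("TLS engine: cannot load CA data", "TLS engine: No CA file specified")

def analyze(log_text):
    """Return a list of (pid, finding) tuples, in log order, for TLS trouble."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line we understand
        pid, msg = int(m["pid"]), m["msg"]
        if m["prog"] == "master":
            s = SIGNAL_RE.match(msg)
            if s and s["sig"] == "11":
                # Report under the child's PID so it lines up with imapd[...] lines.
                findings.append((int(s["child"]), "child killed by SIGSEGV"))
            continue
        if msg.startswith(CA_PROBLEMS):
            findings.append((pid, "CA data not loaded"))
        t = STARTTLS_RE.match(msg)
        if t and (t["cipher"] == "(NONE)" or int(t["usebits"]) == 0):
            findings.append((pid, "STARTTLS completed with no cipher"))
    return findings
```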