Workaround patch for OpenSSL bug 1513
Laura Bowser
lbowser at geminisecurity.com
Wed Jul 18 19:21:55 EDT 2007
I've run into the following SSL bug: http://rt.openssl.org/Ticket/Display.html?id=1513&user=guest&pass=guest
and for a while, I haven't been able to connect to my IMAP server over TLS.
I finally delved into the code, and discovered what the problem was.
My situation:
cyrus-imapd - 2.3.8 on FreeBSD 6.2 installed from ports
self-signed certificate, no CAs
tls_ca_path is the default of blank (none)
tls_cert_file and tls_key_file point to the certificate and key
respectively.
So, from what I can tell, what is happening is this: when
SSL_CTX_load_verify_locations returns an error in line 672, the error
is sticking around by the time control rolls around to
SSL_CTX_use_certificate_chain_file on line 362, bug 1513 is
triggered, and it returns an error, even though there isn't one.
Realizing this probably isn't the best solution because you lose the
SSL error stack, I added ERR_clear_error(); between lines 361 and 362.
Since the previous error is already reported, I didn't think losing
the stack was that big of a deal, but I'm not normally a developer,
so I defer to those with more knowledge. I just had an itch to scratch.
My patch is available at http://weblog.elwing.org/elwing/wp-content/patch-imap-tls.c
for those of you who'd like to look at it.
Laura
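The interaction Laura describes, as an added example that is not code from OpenSSL, Cyrus or the patch above: a small model of a sticky per-thread error queue, a loader that fails and leaves an error queued (standing in for SSL_CTX_load_verify_locations with an empty tls_ca_path), and a chain loader whose own work succeeds but which treats any error still on the queue as its own failure (standing in for the behaviour of SSL_CTX_use_certificate_chain_file under bug 1513). The queue, the two stand-in functions, the error code and the certificate path are all simplifications invented for this illustration; only the ERR_peek_error / ERR_clear_error pattern in the comments is the real OpenSSL API.

```c
/* Model of the OpenSSL error-queue interaction from the post.
 * Added example: not OpenSSL code, not Cyrus tls.c, not the poster's patch.
 * The queue and both "SSL_CTX_*" stand-ins are deliberately simplified. */
#include <stdio.h>

#define QUEUE_MAX 8

/* Per-thread error queue in the style of OpenSSL's ERR_* API: a failing
 * function pushes an error, and it stays queued until popped or cleared. */
static unsigned long err_queue[QUEUE_MAX];
static int err_count = 0;

static void err_put(unsigned long code)
{
    if (err_count < QUEUE_MAX)
        err_queue[err_count++] = code;
}
static unsigned long err_peek(void)   /* like ERR_peek_error(): look, don't pop */
{
    return err_count ? err_queue[0] : 0;
}
static void err_clear(void)           /* like ERR_clear_error(): drop everything */
{
    err_count = 0;
}

/* Arbitrary non-zero code for the model; not a real OpenSSL reason code. */
#define MODEL_ERR_NO_CA_PATH 0x1000UL

/* Stand-in for SSL_CTX_load_verify_locations(): with an empty CA path
 * (tls_ca_path left blank) it fails and queues an error. */
static int load_verify_locations(const char *ca_path)
{
    if (ca_path == NULL || *ca_path == '\0') {
        err_put(MODEL_ERR_NO_CA_PATH);
        return 0;
    }
    return 1;
}

/* Stand-in for SSL_CTX_use_certificate_chain_file(): the work itself
 * succeeds, but the function then consults the queue and treats ANY queued
 * error as its own failure, which is the pattern behind the spurious error. */
static int use_certificate_chain_file(const char *cert_file)
{
    int ret = (cert_file != NULL && *cert_file != '\0'); /* "loaded the cert" */
    if (err_peek() != 0)   /* a stale error from an earlier call leaks in here */
        ret = 0;
    return ret;
}

/* Sequence from the post: the CA load fails (expected with a self-signed
 * cert and no CAs), then the certificate chain load is attempted. */
int chain_load_without_clear(void)
{
    err_clear();
    load_verify_locations("");                /* fails; error stays queued */
    return use_certificate_chain_file("/path/to/imap.pem"); /* wrongly 0 */
}

/* Same sequence with the workaround: clear the queue before the chain load. */
int chain_load_with_clear(void)
{
    err_clear();
    load_verify_locations("");
    err_clear();   /* the workaround: the earlier error was already reported */
    return use_certificate_chain_file("/path/to/imap.pem"); /* now 1 */
}

int main(void)
{
    printf("chain load without ERR_clear_error(): %d\n", chain_load_without_clear());
    printf("chain load with ERR_clear_error():    %d\n", chain_load_with_clear());
    return 0;
}
```

The model shows why the fix works even though the certificate file was never the problem: the failing call is the check on the queue, not the load. In real code, a less lossy variant of the workaround is to drain the queue at the point where the earlier failure is logged, with ERR_get_error() in a loop, so that nothing stale is left for the next call to misread; the result is the same empty queue without silently discarding errors that were never reported.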