Package: stunnel4
Version: 3:5.56-1
Severity: normal
Tags: security

I use stunnel to connect a local mail client to an IMAP server.

The IMAP protocol handler in stunnel sends the initial server greeting
(pre-STARTTLS) to my local client. This greeting can include capabilities,
for example:

+---
| * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.
+---

Note the "LOGINDISABLED" capability, as logins are only allowed *after*
STARTTLS. My local mail client (evolution) has recently started to refuse
to log in to the IMAP server because this capability is listed.

The attached patch sends a fixed greeting to the local client instead;
clients then have to query the server capabilities with a separate
command, which works fine for me.

RFC 3501 states:

+---
| Once [TLS] has been started, the client MUST discard cached
| information about server capabilities and SHOULD re-issue the
| CAPABILITY command. This is necessary to protect against man-in-
| the-middle attacks which alter the capabilities list prior to
| STARTTLS. The server MAY advertise different capabilities after
| STARTTLS.
+---

I've tagged this bug "security" as this mentions possible
man-in-the-middle attacks (which I would expect not to be able to do too
bad things given it can only mess with capabilities).
Ansgar

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'testing'), (300, 'buildd-unstable'), (300, 'unstable'), (1, 'buildd-experimental'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages stunnel4 depends on:
ii  adduser      3.118
ii  libc6        2.30-2
ii  libssl1.1    1.1.1d-2
ii  libsystemd0  245.2-1
ii  libwrap0     7.6.q-30
ii  lsb-base     11.1.0
ii  netbase      6.1
ii  openssl      1.1.1d-2
ii  perl         5.30.0-9

stunnel4 recommends no packages.

Versions of packages stunnel4 suggests:
pn  logcheck-database  <none>

-- no debconf information
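An added example (not part of the report and not stunnel's own code) that models the exchange described above: the server greeting with its pre-STARTTLS capability list, a proxy that either relays that line verbatim or sends the fixed "* OK Connected." from the attached patch, and a local client that refuses LOGIN while LOGINDISABLED is in its capability set. The sample greeting, the post-TLS CAPABILITY reply and the function names are constructed for the example; the regular expressions follow the greeting and CAPABILITY response syntax of RFC 3501.

```python
import re

# Constructed sample lines for this example, modelled on the greeting quoted
# in the report; they are not captured from a real server.
SERVER_GREETING = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                   "LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.")
# The fixed greeting the attached patch sends to the plaintext-side client.
FIXED_GREETING = "* OK Connected."
# What the server answers to CAPABILITY once the TLS session is up (constructed:
# LOGINDISABLED and STARTTLS are gone, an AUTH= mechanism is now offered).
POST_TLS_CAPABILITY = ("* CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                       "LITERAL+ AUTH=PLAIN")

# Greeting: "* OK|PREAUTH|BYE [CAPABILITY ...] text" (RFC 3501 section 7.1).
_GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?(?: (.*))?$")
_CAPABILITY_RE = re.compile(r"^\* CAPABILITY (.*)$")


def _cap_set(field):
    """Turn the space-separated capability field into a set; None if absent."""
    if field is None:
        return None
    return frozenset(tok.upper() for tok in field.split())


def parse_greeting(line):
    """Return (status, capabilities-or-None, text) for an IMAP server greeting."""
    m = _GREETING_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an IMAP greeting: %r" % (line,))
    status, caps, text = m.groups()
    return status, _cap_set(caps), text or ""


def parse_capability_response(line):
    """Return the capability set from an untagged '* CAPABILITY ...' response."""
    m = _CAPABILITY_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a CAPABILITY response: %r" % (line,))
    return _cap_set(m.group(1))


def proxy_greeting(server_greeting, forward_capabilities):
    """Greeting a STARTTLS-wrapping proxy hands to its plaintext-side client.

    forward_capabilities=True is the pre-patch behaviour (server line relayed
    verbatim, pre-STARTTLS capabilities included); False is the patched
    behaviour (constant greeting carrying no CAPABILITY response code).
    """
    status, _, _ = parse_greeting(server_greeting)
    if status != "OK":
        raise ValueError("unexpected greeting status %s" % status)
    return server_greeting if forward_capabilities else FIXED_GREETING


def client_login_allowed(greeting, query_server):
    """Model of the local mail client's decision.

    Capabilities carried in the greeting are used as-is; if the greeting has
    none, the client sends CAPABILITY (query_server) and uses that answer.
    LOGIN is refused when LOGINDISABLED is present, as the report describes.
    """
    _, caps, _ = parse_greeting(greeting)
    if caps is None:
        caps = parse_capability_response(query_server("CAPABILITY"))
    return "LOGINDISABLED" not in caps


def simulate(forward_capabilities):
    """Run the proxy-plus-client exchange and report whether LOGIN proceeds."""
    def query_server(command):
        # The proxy relays the client's command inside the TLS session, so the
        # server's answer reflects its post-STARTTLS capability list.
        assert command == "CAPABILITY"
        return POST_TLS_CAPABILITY

    greeting = proxy_greeting(SERVER_GREETING, forward_capabilities)
    return client_login_allowed(greeting, query_server)


if __name__ == "__main__":
    print("greeting forwarded verbatim -> login allowed:", simulate(True))   # False
    print("fixed greeting (patched)    -> login allowed:", simulate(False))  # True
```

The constant greeting carries no CAPABILITY response code, so the client has nothing to cache and must ask inside the tunnel; that is the RFC 3501 rule applied on the client's behalf, since a list learned on the plaintext side of a STARTTLS boundary should never drive decisions made after it.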
--- a/src/protocol.c +++ b/src/protocol.c @@ -976,7 +976,7 @@ str_free(line); throw_exception(c, 1); } - fd_putline(c, c->local_wfd.fd, line); + fd_putline(c, c->local_wfd.fd, "* OK Connected."); fd_putline(c, c->remote_fd.fd, "stunnel STARTTLS"); str_free(line); line=fd_getline(c, c->remote_fd.fd);
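Review bot: the `+` line replaces the relayed greeting with a constant, so `line` obtained from the server is now only used by the check that precedes this hunk and then freed by the unchanged `str_free(line);`; nothing in the hunk records why the server's text is dropped, so a one-line comment next to `fd_putline(c, c->local_wfd.fd, "* OK Connected.");` stating that any `[CAPABILITY ...]` data in the greeting predates STARTTLS and that RFC 3501 requires clients to re-issue CAPABILITY after TLS would stop a future reader from treating the constant as a leftover and restoring the forwarding.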