[tpop3d-discuss] ssl Bug

Dave Baker dave at dsb3.com
Wed, 5 Nov 2003 11:02:17 -0500


On Wed, Nov 05, 2003 at 04:50:17PM +0100, Jens Liebchen (ppp-design) wrote:
> If not, we should consider tpop3d in combination with ssl as unstable
> and maybe we/Chris should release a small advisory about that, as it can
> lead to a DoS of the affected mailbox.
>

As a workaround, I currently just use "fetchmail -e 1" when the mailbox
breaks.  That slows things down extraordinarily, but does *always* avoid
the problem by closing and reopening the connection between every email.

Chris's suggestion to me (which I haven't yet had time to follow up on as
tlsproxyd didn't compile out of the box for me) was to try tlsproxyd in
front of non-ssl enabled tpop3d to try to duplicate the problem.  I think
you said your problem was happening on Linux so perhaps you'll be able to
test that theory faster than I.

One other thought that just came to me is whether or not I can simulate
the same traffic flow by loading the mbox file on a web server and
retrieving it twice on a kept-alive HTTP connection.  I ran a quick test
and wasn't able to duplicate it by just fetching the file twice, but don't
really know if that means anything yet.



Dave

-- 

-    Dave Baker      :      dave@dsb3.com      :      http://dsb3.com/    -
GnuPG:  1024D/D7BCA55D / 09CD D148 57DE 711E 6708  B772 0DD4 51D5 D7BC A55D