CAfile problem with OpenSSL-1.1.1c


CAfile problem with OpenSSL-1.1.1c

Christian Rößner
Hi,

I recently upgraded my systems to have full openssl-1.1.1c support. After upgrading my mail server, I realized that I had problems with trusting server certificates. I checked that the server still uses /etc/ssl/certs/ca-certificates.crt, but for some reason Postfix cannot work with this file anymore. Even running update-ca-certificates (which added 141 CAs) did not solve the problem.

By changing *_CAfile parameters to *_CApath, everything started working again.

Is there something special with TLSv1.3 (OpenSSL-1.1.1c) that I forgot to do after the upgrade?

Here are some relevant logs I found while troubleshooting:
--------------------------------------------------------
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: setting up TLS connection to mx.roessner-net.de[134.255.226.247]:25
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: looking for session smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548 in smtp cache
Aug 12 20:32:45 mx postfix/relay/tlsmgr[23993]: lookup smtp session id=smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:before SSL initialization
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24004]: 466k0K1GwXzNkFw: to=<*****@ra-roessner-merle.de>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=11792, delays=11792/0.16/0.26/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server hello
Aug 12 20:32:45 mx postfix/smtpd[24008]: disconnect from relay.roessner-net.de[134.255.226.249]:46037 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read encrypted extensions
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24006]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:47803: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: 466kX4238lzNkFS: to=<[hidden email]>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=1082, delays=1081/0.19/0.28/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24006]: disconnect from relay.roessner-net.de[134.255.226.249]:47803 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24012]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:60779: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: 466krX5vPFzNkFb: to=<*****@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=225, delays=225/0.22/0.27/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24012]: disconnect from relay.roessner-net.de[134.255.226.249]:60779 ehlo=1 starttls=1 quit=1 commands=3
--------------------------------------------------------

Here are the relevant tls options for relay.roessner-net.de:
--------------------------------------------------------
smtp_tls_policy_maps =
    socketmap:inet:127.0.0.1:8461:postfix,
    ${default_database_type}:${config_directory}/maps/smtp_tls_policy_maps
smtp_tls_security_level = dane
# smtp_tls_connection_reuse = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtp_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_dns_support_level = dnssec
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
--------------------------------------------------------
Need to use CApath in sending direction.

Here are the relevant tls options for mx.roessner-net.de:
--------------------------------------------------------
# TLS receiving
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtpd_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl/dh_512.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
#
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
--------------------------------------------------------

I use Let's Encrypt certificates.

Postfix version is:
postconf -d mail_version
mail_version = 3.4.6

Thanks for any ideas and help in advance

Christian
--
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
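As an added diagnostic, not part of this thread or of Postfix itself: the script below reproduces what the OpenSSL verifier does when the trust anchors come from a single CAfile bundle versus a CApath directory (which OpenSSL only searches through subject-hash links, as c_rehash creates them), and shows the "depth=0 ... self-signed certificate" failure from the log above. It assumes the openssl CLI is installed; every certificate and name (Example Test CA, mx.example.test, self.example.test) is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL chain verification with trust anchors
# given as a CAfile bundle versus a CApath directory. Assumes the openssl CLI; all
# certificates are constructed here with hypothetical names.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# Minimal config so the CA extensions do not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Test CA, a leaf it signed, and a stand-alone self-signed leaf (the
# "depth=0 ... self-signed certificate" case in the Postfix log above).
make_test_certs() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 2 >/dev/null 2>&1
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=mx.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/leaf.pem" -days 1 >/dev/null 2>&1
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=self.example.test" -keyout "$WORK/self.key" -out "$WORK/self.pem" -days 1 >/dev/null 2>&1
}
# A CApath is searched only through <subject-hash>.N links (what c_rehash makes);
# a directory that merely contains the PEM file is not a usable CApath.
make_capaths() {
  mkdir -p "$WORK/hashed" "$WORK/unhashed"
  cp "$WORK/ca.pem" "$WORK/hashed/"; cp "$WORK/ca.pem" "$WORK/unhashed/"
  ln -s ca.pem "$WORK/hashed/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
}
# verify_with CAfile|CApath STORE LEAF -> "ok" or "fail(depth N): reason".
# -no-CAfile/-no-CApath keep OpenSSL from silently falling back to system defaults.
verify_with() {
  if [ "$1" = CAfile ]; then opt=-CAfile; else opt=-CApath; fi
  if out=$(openssl verify -no-CAfile -no-CApath "$opt" "$2" "$3" 2>&1); then echo ok; return; fi
  echo "$out" | sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/fail(depth \1): \2/p' | head -n 1
}
make_test_certs; make_capaths
for leaf in leaf self; do
  echo "$leaf.pem: CAfile=$(verify_with CAfile "$WORK/ca.pem" "$WORK/$leaf.pem")" \
    "| hashed CApath=$(verify_with CApath "$WORK/hashed" "$WORK/$leaf.pem")" \
    "| unhashed CApath=$(verify_with CApath "$WORK/unhashed" "$WORK/$leaf.pem")"
done
```

Pointing verify_with at the real bundle and directory from the configuration above (with the remote server's certificate saved via openssl s_client) tells a trust-store problem apart from a server presenting a chain that no store can complete.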


Re: CAfile problem with OpenSSL-1.1.1c

A. Schulze

Christian Rößner:

Hello Christian,

> By changing *_CAfile parameters to *_CApath, everything started working again.

nothing specific to your OpenSSL version but: do you run postfix chroot?
from http://www.postfix.org/postconf.5.html#smtpd_tls_CApath:

   "To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail."

Andreas

OT:
> tls_ssl_options = NO_COMPRESSION

as you're using latest postfix+openssl, you may want to add "no_renegotiation"



Re: CAfile problem with OpenSSL-1.1.1c

Christian Rößner
Hi Andreas,

> On 14.08.2019 at 10:01, A. Schulze <[hidden email]> wrote:
>
>
> Christian Rößner:
>
> Hello Christian,
>
>> By changing *_CAfile parameters to *_CApath, everything started working again.
>
> nothing specific to your OpenSSL version but: do you run postfix chroot?
> from http://www.postfix.org/postconf.5.html#smtpd_tls_CApath:

The system is not running chroot.

>
>  "To use smtpd_tls_CApath in chroot mode, this directory (or a copy) must be inside the chroot jail."
>
> Andreas
>
> OT:
>> tls_ssl_options = NO_COMPRESSION
>
> as you're using latest postfix+openssl, you may want to add "no_renegotiation"

Thanks, I will add this :-)

Christian
--
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5