Outbound TLS Certificate Verification

Outbound TLS Certificate Verification

Osama Al-Hassani

Hi all,

When verifying server certificates on outbound connections, it seems we are unable to verify the IP addresses in the SANs field. We are able to verify IPs in CNs.

What is the reasoning behind this behaviour?

Thank you,

Osama


Osama Al-Hassani, Software Engineer, Clearswift


Re: Outbound TLS Certificate Verification

Viktor Dukhovni
On Wed, Jun 14, 2017 at 09:12:20PM +0000, Osama Al-Hassani wrote:

> When verifying server certificates on outbound connections, it seems we
> are unable verify the IP addresses part of the SANs field. We are able to
> verify IPs in CNs.

Email is sent to addresses of the form <local-part@domain-part>,
where the "domain-part" is a DNS domain, not an IP address.  The SMTP
server is either an MX host, or the domain itself, in the absence
of MX records.   Bare IP addresses are not valid in MX records.
Most mail systems will not accept email to addresses of the form
<local-part@[NNN.NNN.NNN.NNN]> (IP-address domain-literals).

> What is the reasoning behind this behaviour?

No useful security results from verifying IP addresses in certificates
for TLS connections to DNS hosts.  Certificates with IP addresses
are for IPsec, not for TLS with SMTP.

Postfix supports DNS subject alternative names:

    https://www.postfix.org/TLS_README.html#client_tls_secure
    https://www.postfix.org/TLS_README.html#client_tls_dane

--
        Viktor.

RE: Outbound TLS Certificate Verification

Osama Al-Hassani
Yes. And we are using DNS SANs, but in some scenarios we need to verify against the IP address.


We can do this if the IP address is present in the CN but not in the SANs. Is there a reason for the difference in behaviour?

Thanks,
Osama


Re: Outbound TLS Certificate Verification

Wietse Venema
Osama Al-Hassani:

> Yes. And we are using DNS SANs, but in some scenarios we need to verify against the IP address.
>
>
> We can do this, if the IP address  is present in the CN but not SANs. Is there a reason for the difference in behaviour?

Which Postfix SMTP client implementation matches server certificates
against server IP addresses?

        Wietse

RE: Outbound TLS Certificate Verification

Osama Al-Hassani
> Which Postfix SMTP client implementation matches server certificates against server IP addresses?

We are using 3.2.0 vanilla.

To clarify, this is when using the "match" attribute with the "verify" security level. I could rephrase the question as: why is anything other than DNS names ignored in the SANs field?

Thanks,
Osama


Re: Outbound TLS Certificate Verification

Wietse Venema
Osama Al-Hassani:
> > Which Postfix SMTP client implementation matches server certificates against server IP addresses?
>
> We are using 3.2.0 vanilla.
>
> To clarify, this is when using the "match" attribute with "verify" security level. I could rephrase the question as to why anything but DNS names are ignored in the SANs field?
>

Perhaps because there is no support for IP address matching?

        Wietse
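The behaviour the thread describes, as an added example that is not Postfix code: a small matcher over a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. It consults only DNS subjectAltName entries, falls back to a plain string comparison of the CN when the certificate carries no DNS SANs (which is why an IP address placed in the CN "works" for the original poster), and never looks at iPAddress entries. The two sample certificates are constructed; the leading-dot parent-domain handling and leftmost-label wildcard handling are my assumptions about the `match=` semantics described in TLS_README, not code taken from Postfix's tls_verify.c.

```python
"""Postfix-style server certificate name matching (added illustration,
not Postfix code).  Certificates are dicts in ssl.getpeercert() shape."""
from typing import Iterable, List, Optional

# Constructed sample: DNS SANs, a wildcard SAN, an iPAddress SAN, and an
# IP literal in the CN (the shape the original poster was testing against).
CERT_WITH_SANS = {
    "subject": ((("commonName", "192.0.2.25"),),),
    "subjectAltName": (
        ("DNS", "mx1.example.com"),
        ("DNS", "*.example.net"),
        ("IP Address", "192.0.2.25"),
    ),
}

# Constructed sample: no SANs at all, only a CN holding an IP literal.
CERT_CN_ONLY = {
    "subject": ((("commonName", "192.0.2.25"),),),
}


def san_dns_names(cert) -> List[str]:
    """DNS entries of subjectAltName; the only SAN type matched here."""
    return [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def san_ip_addresses(cert) -> List[str]:
    """iPAddress entries; returned for inspection, never used for matching."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "IP Address"]


def common_name(cert) -> Optional[str]:
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value.lower()
    return None


def candidate_names(cert) -> List[str]:
    """Names compared against the match list: DNS SANs if present, else the CN
    as an opaque string (assumed fallback rule)."""
    dns = san_dns_names(cert)
    if dns:
        return dns
    cn = common_name(cert)
    return [cn] if cn else []


def name_matches(cert_name: str, pattern: str) -> bool:
    """One certificate name against one match-list pattern."""
    pattern = pattern.lower()
    if pattern.startswith("."):
        # Assumed parent-domain pattern: the domain itself or any subdomain.
        parent = pattern[1:]
        return cert_name == parent or cert_name.endswith(pattern)
    if cert_name.startswith("*."):
        # Assumed wildcard rule: '*' only in the leftmost label, matching
        # exactly one label of the pattern.
        head, _, tail = pattern.partition(".")
        return bool(head) and "*" not in head and tail == cert_name[2:]
    return cert_name == pattern


def postfix_style_match(cert, match_list: Iterable[str]) -> Optional[str]:
    """Return the certificate name that satisfied the match list, or None."""
    for pattern in match_list:
        for name in candidate_names(cert):
            if name_matches(name, pattern):
                return name
    return None


if __name__ == "__main__":
    print("IP SANs present but ignored:", san_ip_addresses(CERT_WITH_SANS))
    print("match=mx1.example.com ->", postfix_style_match(CERT_WITH_SANS, ["mx1.example.com"]))
    print("match=192.0.2.25 (SAN cert) ->", postfix_style_match(CERT_WITH_SANS, ["192.0.2.25"]))
    print("match=192.0.2.25 (CN-only cert) ->", postfix_style_match(CERT_CN_ONLY, ["192.0.2.25"]))
```

In `smtp_tls_policy_maps` terms this models an entry such as `example.com verify match=mx1.example.com:.example.com`. Under this model an IP address listed in `match=` can only ever succeed against a certificate whose CN is that literal string and which carries no DNS SANs, which is exactly the asymmetry the original poster observed.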