Postfix is wrongly marking CA certificate expired


Postfix is wrongly marking CA certificate expired

phoenixsagar
The author has deleted this message.

Re: Postfix is wrongly marking CA certificate expired

Bastian Blank-3
On Mon, Jan 21, 2019 at 12:40:52AM -0700, phoenixsagar wrote:
> Logs are like :
> postfix/backend/smtp[95117]: CA certificate verification failed for
> abc-abc.mail.abc.outlook.com[111.111.111.111]:25: certificate has expired
> postfix/backend/smtp[95117]: Untrusted TLS connection established to
> abc-abc.mail.abc.outlook.com[111.111.111.111]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-SHA384 (256/256 bits)

111.111.111.111 neither exposes SMTP, nor is something related to
outlook.com.  abc-abc.mail.abc.outlook.com does not exist.

Bastian

--
The face of war has never changed.  Surely it is more logical to heal
than to kill.
                -- Surak of Vulcan, "The Savage Curtain", stardate 5906.5

Re: Postfix is wrongly marking CA certificate expired

phoenixsagar

Re: Postfix is wrongly marking CA certificate expired

Viktor Dukhovni
In reply to this post by phoenixsagar
> On Jan 21, 2019, at 2:40 AM, phoenixsagar <[hidden email]> wrote:
>
> Logs are like :
> postfix/backend/smtp[95117]: CA certificate verification failed for
> abc-abc.mail.abc.outlook.com[111.111.111.111]:25: certificate has expired

The key context here is "CA certificate verification".  The expired certificate
is an issuer CA certificate, not the leaf server certificate.  This could be
either sent by the remote server, or found in the local trust store.  Not
infrequently, the problem is a stale certificate in the local trust store,
which does need to be kept up to date.  Make sure you don't have stale
intermediate CA certs in your trust store.  Also post the certificates
sent on the wire, which you can capture with:

        $ posttls-finger -cC -Lsummary example.com

FWIW, the relevant source code is below.  Perhaps the "depth" should
also have been logged to give a more complete context.

tls_verify.c:

/* tls_log_verify_error - Report final verification error status */

void    tls_log_verify_error(TLS_SESS_STATE *TLScontext)
{
...
    int     depth = TLScontext->errordepth;

#define PURPOSE ((depth>0) ? "CA": TLScontext->am_server ? "client": "server")
...
    case X509_V_ERR_CERT_HAS_EXPIRED:
    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
        msg_info("%s certificate verification failed for %s: certificate has"
                 " expired", PURPOSE, TLScontext->namaddr);
        break;
...
}

--
        Viktor.


Re: Postfix is wrongly marking CA certificate expired

phoenixsagar
The author has deleted this message.

Re: Postfix is wrongly marking CA certificate expired

phoenixsagar
In reply to this post by Viktor Dukhovni
Hi Viktor,
See the posted certificates from the wire.
I do not understand why this behaviour is random. Sometimes the certificate is
marked as expired, and after some time the same certificate gets marked as valid.


Re: Postfix is wrongly marking CA certificate expired

Viktor Dukhovni
On Mon, Jan 21, 2019 at 11:06:31PM -0700, phoenixsagar wrote:

> See the posted certificates from wire.
> I am not getting why this is random behaviour. At some time only certificate
> marked as expired and after some time same certificate gets marked as valid.

Perhaps you're reaching different backend MTAs on the receiving
side that have slightly different certificate chains.  If the issue
is random, posting single wireshark samples that have unexpired
certs proves nothing, as Postfix also sees the same much of the
time.

What's needed is the actual chain sent to Postfix *when* Postfix
reports expiration.  It would also be good to know at what depth
the expired certificate was detected, issuer, subject, dates, ...
Are you in a position to rebuild Postfix from source?  I could
provide a patch to log more information about expired certs.

--
        Viktor.

Re: Postfix is wrongly marking CA certificate expired

Peter Ajamian
In reply to this post by phoenixsagar
On 21/01/19 23:43, phoenixsagar wrote:
>                              notAfter: utcTime (0)
>                                  utcTime: 20-05-18 22:06:55 (UTC)
...
>                              notAfter: utcTime (0)
>                                  utcTime: 25-09-04 00:00:00 (UTC)

Those both look expired to me.


Peter

Re: Postfix is wrongly marking CA certificate expired

Bill Cole-3
On 24 Jan 2019, at 21:00, Peter wrote:

> On 21/01/19 23:43, phoenixsagar wrote:
>>                              notAfter: utcTime (0)
>>                                  utcTime: 20-05-18 22:06:55 (UTC)
> ...
>>                              notAfter: utcTime (0)
>>                                  utcTime: 25-09-04 00:00:00 (UTC)
>
> Those both look expired to me.

Nope. The date format being used is yy-mm-dd.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
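Added example (not code from the thread or from Postfix): it decodes X.509 validity times the way RFC 5280 defines them, which resolves the yy-mm-dd confusion above (UTCTime "20-05-18" is 2020-05-18), then labels each certificate in a chain by depth the way the PURPOSE macro in Viktor's tls_verify.c excerpt does and adds the depth the log line lacks. The chain and the namaddr are constructed sample data.

```python
from datetime import datetime, timezone

def parse_x509_time(value):
    """Parse ASN.1 UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ).
    RFC 5280 4.1.2.5.1: UTCTime years 50-99 mean 19xx, 00-49 mean 20xx."""
    if not value.endswith("Z"):
        raise ValueError("X.509 times must be UTC (trailing Z): %r" % value)
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime: two-digit year, hence the yy-mm-dd display
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime: four-digit year
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError("bad X.509 time length: %r" % value)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)

def postfix_purpose(depth, am_server=False):
    """Mirror the PURPOSE macro quoted from tls_verify.c: depth 0 is the leaf."""
    return "CA" if depth > 0 else ("client" if am_server else "server")

def check_chain(chain, now):
    """chain: list of dicts ordered leaf first, as sent on the wire.
    Returns (depth, purpose, subject, reason) for the first cert outside its
    validity period at time `now`, or None when every cert is in range."""
    for depth, cert in enumerate(chain):
        if now > parse_x509_time(cert["notAfter"]):
            return depth, postfix_purpose(depth), cert["subject"], "has expired"
        if now < parse_x509_time(cert["notBefore"]):
            return depth, postfix_purpose(depth), cert["subject"], "is not yet valid"
    return None

def verdict_line(chain, now, namaddr):
    """Postfix-style verification message, extended with depth and subject."""
    hit = check_chain(chain, now)
    if hit is None:
        return "all certificates for %s are within their validity period" % namaddr
    depth, purpose, subject, reason = hit
    return ("%s certificate verification failed for %s: certificate %s"
            " (depth %d, subject %s)" % (purpose, namaddr, reason, depth, subject))

# Constructed sample chain; notAfter values mimic the utcTime strings quoted in the thread.
SAMPLE_CHAIN = [
    {"subject": "CN=mail.example.com", "notBefore": "180518220655Z", "notAfter": "200518220655Z"},
    {"subject": "CN=Example Intermediate CA", "notBefore": "150904000000Z", "notAfter": "250904000000Z"},
]
```

Feed it the notBefore/notAfter strings from a capture taken at the moment of the failure, as Viktor asks for, and compare the result against the system clock of the Postfix host.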

Re: Postfix is wrongly marking CA certificate expired

phoenixsagar
In reply to this post by Viktor Dukhovni
Hi Viktor,

This wire pcap was taken at the same time the issue occurred.

The above-mentioned certificates are the same certificates that Postfix is
marking as expired. The issue occurred for this chain only, and after some time
it was marked as valid.

Issue: Postfix is randomly marking unexpired certificates as expired for
these certificate chains.

Depth: As the log says CA certificate verification failed, we can
clearly say the certificate in question is the second certificate.


Re: Postfix is wrongly marking CA certificate expired

Viktor Dukhovni
On Thu, Jan 24, 2019 at 11:34:39PM -0700, phoenixsagar wrote:

> Issue: Postfix is randomly marking unexpired certificates as expired for
> these certificate chains.

Postfix does not contain any code for verifying certificate expiration,
that's done by OpenSSL.  OpenSSL has no history of the problem
you're reporting, and it would surely have been seen by now in many
other deployments, if OpenSSL contained flawed certificate expiration
checks.

Therefore, if OpenSSL (via Postfix) is reporting that a certificate
is expired, then either you have hardware glitches that cause the
system to report incorrect clock values, or the certificate is expired.

> Depth: As the log says CA certificate verification failed, we can
> clearly say the certificate in question is the second certificate.

No, we'd need to see the peer's chain to make that conclusion.

If you want to pursue this further, you'll need to instrument your
Postfix code to log detailed certificate metadata, and/or capture
and provide a PCAP file that demonstrably corresponds to a connection
for which OpenSSL (via Postfix) reported an expired certificate.

--
        Viktor.