Quick DANE / self-signed question


Quick DANE / self-signed question

Alice Wonder
I *think* the answer to this is that I am fine.

Last year I only used CA issued certificates.

This year, I am wanting to move to self-signed for SMTP and for
infrastructure domains that are not intended for the public where DANE
can validate. I am convinced DANE does a better job at validating a host
is who it says it is than CA certs do.

I just updated one of my mail servers to self-signed. The signed
certificate expires in a few weeks so I can switch back if I did something
wrong.

https://ssl-tools.net/mailservers/deviant.email

That gives a red flag for Unknown Authority. Which being self-signed it
is, so I assume that red flag is meaningless?

I know most SMTP servers never bother with validating CA certificates, I
have personally found many that even have hostname mismatch yet other
SMTP servers still connect to them securely, so I think I am fine.

My other DANE enforcing mail servers did connect.

However, is there a way to check that my self-signed cert "does things
right" as far as what *should* be in an SMTP self-signed cert?

Re: Quick DANE / self-signed question

Alice Wonder
On 04/05/2017 07:33 PM, Alice Wonder wrote:

> I *think* the answer to this is that I am fine.
>
> Last year I only used CA issued certificates.
>
> This year, I am wanting to move to self-signed for SMTP and for
> infrastructure domains that are not intended for the public where DANE
> can validate. I am convinced DANE does a better job at validating a host
> is who it says it is than CA certs do.
>
> I just updated one of my mail servers to self-signed. The signed
> certificate expires in a few weeks so I can switch back if I did something
> wrong.
>
> https://ssl-tools.net/mailservers/deviant.email
>
> That gives a red flag for Unknown Authority. Which being self-signed it
> is, so I assume that red flag is meaningless?
>
> I know most SMTP servers never bother with validating CA certificates, I
> have personally found many that even have hostname mismatch yet other
> SMTP servers still connect to them securely, so I think I am fine.
>
> My other DANE enforcing mail servers did connect.
>
> However, is there a way to check that my self-signed cert "does things
> right" as far as what *should* be in an SMTP self-signed cert?

Oh, looks like I do have an error; it says sha1WithRSAEncryption.

I suspect it should be sha256, not sha1.

Re: Quick DANE / self-signed question

Viktor Dukhovni
In reply to this post by Alice Wonder

> On Apr 5, 2017, at 10:33 PM, Alice Wonder <[hidden email]> wrote:
>
> I just updated one of my mail servers to self-signed. The signed certificate
> expires in a few weeks so I can switch back if I did something wrong.
>
> https://ssl-tools.net/mailservers/deviant.email
>
> That gives a red flag for Unknown Authority. Which being self-signed it is,
> so I assume that red flag is meaningless?

Yes, largely meaningless.  There is a handful of broken sending systems that
abort TLS when the peer certificate does not verify, and achieve their lofty
security goals by sending in the clear instead.  Go figure.  Just ignore them.

> I know most SMTP servers never bother with validating CA certificates, I have
> personally found many that even have hostname mismatch yet other SMTP servers
> still connect to them securely, so I think I am fine.

Yes.

> However, is there a way to check that my self-signed cert "does things right"
> as far as what *should* be in an SMTP self-signed cert?

For best interoperability its subjectAltNames should include any DNS name of
the host that is used in the MX records of any domain.  The public key should be
RSA (or you can deploy both RSA and ECDSA keys); a popular strength is 2048
bits.  The signature algorithm should be SHA2-256.

What I see with your certificate (trimmed of all hex key and signature
data) is:

  Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Redding, O=Alice Wonder Miscreations, CN=mail.deviant.email/emailAddress=[hidden email]
        Validity
            Not Before: Apr  5 12:31:43 2017 GMT
            Not After : Apr  5 12:31:43 2018 GMT
        Subject: C=US, ST=California, L=Redding, O=Alice Wonder Miscreations, CN=mail.deviant.email/emailAddress=[hidden email]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption

You should probably switch from SHA1 to SHA2-256, and mint a version 3
certificate.  For extensions, I'd set subjectAltName, basicConstraints
and extendedKeyUsage.  A "bash" "one-liner" for all the above is:

    $ (
        umask 077
        fqdn=mail.deviant.email
        rm certkey.pem; exec >> certkey.pem
        openssl req \
            -new -newkey rsa:2048 -nodes -keyout /dev/stdout \
            -x509 -days 36525 -extensions ext \
            -config <(
                echo "[req]"
                echo "prompt = no"
                echo "distinguished_name = dn"
                echo "[dn]"
                echo "CN = $fqdn"
                echo "[ext]"
                echo "basicConstraints = critical,CA:false"
                echo "extendedKeyUsage = serverAuth,clientAuth"
                echo "subjectAltName = @san"
                echo "[san]"
                echo "DNS.1 = $fqdn"
                )
        )

which yields a certificate resembling:

  Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=mail.deviant.email
        Validity
            Not Before: Apr  6 03:20:52 2017 GMT
            Not After : Apr  7 03:20:52 2117 GMT
        Subject: CN=mail.deviant.email
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:mail.deviant.email
    Signature Algorithm: sha256WithRSAEncryption

--
        Viktor.
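As an added example that is not part of the thread (neither Viktor's nor Alice's code): a Go program that mints a self-signed certificate with the same properties the openssl recipe above produces (v3, SHA-256 RSA signature, 2048-bit key, basicConstraints CA:FALSE, serverAuth/clientAuth EKU, the hostname in subjectAltName), then audits a parsed certificate for exactly those properties, which is the "does things right" check asked for earlier in the thread. It also derives the DANE-EE "3 1 1" TLSA record data (SHA-256 over the SubjectPublicKeyInfo) that a DANE-validated self-signed server needs published. The hostname `mail.example.invalid`, the function names `Audit`, `TLSA311` and `selfSigned`, and the deliberately weak 1024-bit, SAN-less comparison certificate are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Audit checks a parsed certificate against the properties recommended in the
// thread for a self-signed SMTP certificate: X.509 v3, a SHA-2 signature, an
// RSA key of at least 2048 bits, basicConstraints CA:FALSE, an EKU including
// serverAuth, and subjectAltName entries covering every hostname the server is
// published under in MX records. One string per problem; empty means it passes.
func Audit(cert *x509.Certificate, mxNames []string) []string {
	var findings []string
	if cert.Version != 3 {
		findings = append(findings, fmt.Sprintf("version is %d, want 3 (extensions need v3)", cert.Version))
	}
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default: // sha1WithRSAEncryption lands here
		findings = append(findings, "signature algorithm is "+cert.SignatureAlgorithm.String()+", want SHA-2 based")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits, want at least 2048", pub.N.BitLen()))
	}
	if !cert.BasicConstraintsValid {
		findings = append(findings, "basicConstraints extension missing")
	} else if cert.IsCA {
		findings = append(findings, "basicConstraints says CA:TRUE, want CA:FALSE")
	}
	serverAuth := false
	for _, eku := range cert.ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth
	}
	if !serverAuth {
		findings = append(findings, "extendedKeyUsage lacks serverAuth")
	}
	if len(cert.DNSNames) == 0 {
		findings = append(findings, "no DNS subjectAltName entries (a CN alone is not enough)")
	}
	for _, mx := range mxNames { // DNS names compare case-insensitively
		covered := false
		for _, san := range cert.DNSNames {
			covered = covered || strings.EqualFold(san, mx)
		}
		if !covered {
			findings = append(findings, "MX hostname "+mx+" is missing from subjectAltName")
		}
	}
	return findings
}

// TLSA311 returns the RDATA of a DANE-EE TLSA record (usage 3, selector 1,
// matching type 1): the SHA-256 digest of the certificate's SubjectPublicKeyInfo.
// Because it hashes only the key, re-minting the certificate with the same key
// leaves the published record valid.
func TLSA311(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(sum[:])
}

// selfSigned mints a self-signed certificate for fqdn with the extensions the
// openssl recipe above sets. bits selects the RSA key size and withSAN whether
// the hostname also goes into subjectAltName, so the same helper can produce a
// deliberately deficient certificate for Audit to flag.
func selfSigned(fqdn string, bits int, withSAN bool) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: fqdn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(100, 0, 0),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		BasicConstraintsValid: true, // with IsCA left false this emits CA:FALSE
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{fqdn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	fqdn := "mail.example.invalid" // constructed hostname, not a real mail server
	for _, c := range []struct {
		label   string
		bits    int
		withSAN bool
	}{{"recipe cert", 2048, true}, {"weak cert", 1024, false}} {
		cert, err := selfSigned(fqdn, c.bits, c.withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: TLSA %s\n", c.label, TLSA311(cert))
		for _, f := range Audit(cert, []string{fqdn}) {
			fmt.Printf("  finding: %s\n", f)
		}
	}
}
```

The "recipe cert" audits clean; the "weak cert" is flagged for its 1024-bit key, for having no subjectAltName at all, and for not covering the MX hostname. Running `Audit` over a certificate loaded from disk with `x509.ParseCertificate` on the DER bytes (after PEM decoding) is the same call.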


Re: Quick DANE / self-signed question

Alice Wonder
Thank you!

On 04/05/2017 08:28 PM, Viktor Dukhovni wrote:

>
>> On Apr 5, 2017, at 10:33 PM, Alice Wonder <[hidden email]> wrote:
>>
>> I just updated one of my mail servers to self-signed. The signed certificate
>> expires in a few weeks so I can switch back if I did something wrong.
>>
>> https://ssl-tools.net/mailservers/deviant.email
>>
>> That gives a red flag for Unknown Authority. Which being self-signed it is,
>> so I assume that red flag is meaningless?
>
> Yes, largely meaningless.  There is a handful of broken sending systems that
> abort TLS when the peer certificate does not verify, and achieve their lofty
> security goals by sending in the clear instead.  Go figure.  Just ignore them.
>
>> I know most SMTP servers never bother with validating CA certificates, I have
>> personally found many that even have hostname mismatch yet other SMTP servers
>> still connect to them securely, so I think I am fine.
>
> Yes.
>
>> However, is there a way to check that my self-signed cert "does things right"
>> as far as what *should* be in an SMTP self-signed cert?
>
> For best interoperability its subjectAltNames should include any DNS name of
> the host that is used in the MX records of any domain.  The public key should be
> RSA (or you can deploy both RSA and ECDSA keys); a popular strength is 2048
> bits.  The signature algorithm should be SHA2-256.
>
> What I see with your certificate (trimmed of all hex key and signature
> data) is:
>
>   Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number:
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=US, ST=California, L=Redding, O=Alice Wonder Miscreations, CN=mail.deviant.email/emailAddress=[hidden email]
>         Validity
>             Not Before: Apr  5 12:31:43 2017 GMT
>             Not After : Apr  5 12:31:43 2018 GMT
>         Subject: C=US, ST=California, L=Redding, O=Alice Wonder Miscreations, CN=mail.deviant.email/emailAddress=[hidden email]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>     Signature Algorithm: sha1WithRSAEncryption
>
> You should probably switch from SHA1 to SHA2-256, and mint a version 3
> certificate.  For extensions, I'd set subjectAltName, basicConstraints
> and extendedKeyUsage.  A "bash" "one-liner" for all the above is:
>
>     $ (
>         umask 077
>         fqdn=mail.deviant.email
>         rm certkey.pem; exec >> certkey.pem
>         openssl req \
>             -new -newkey rsa:2048 -nodes -keyout /dev/stdout \
>             -x509 -days 36525 -extensions ext \
>             -config <(
>                 echo "[req]"
>                 echo "prompt = no"
>                 echo "distinguished_name = dn"
>                 echo "[dn]"
>                 echo "CN = $fqdn"
>                 echo "[ext]"
>                 echo "basicConstraints = critical,CA:false"
>                 echo "extendedKeyUsage = serverAuth,clientAuth"
>                 echo "subjectAltName = @san"
>                 echo "[san]"
>                 echo "DNS.1 = $fqdn"
>                 )
>         )
>
> which yields a certificate resembling:
>
>   Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=mail.deviant.email
>         Validity
>             Not Before: Apr  6 03:20:52 2017 GMT
>             Not After : Apr  7 03:20:52 2117 GMT
>         Subject: CN=mail.deviant.email
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Basic Constraints: critical
>                 CA:FALSE
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication, TLS Web Client Authentication
>             X509v3 Subject Alternative Name:
>                 DNS:mail.deviant.email
>     Signature Algorithm: sha256WithRSAEncryption
>
