Root certificate in `/etc/ssl/certs` not found

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Root certificate in `/etc/ssl/certs` not found

Paul Menzel
Dear Postfix users,


First I am sorry, for probably bringing up a topic, which has probably
discussed to end on this list, like [1], and in the end was probably a
user error. I’ll try to provide the information requested in [1]. Thank
you for your patience and help in advance.

The goal is to set up secure server certificate verification [2] for
messages sent to the domain gwdg.de [3]. But doing that, the test
message was deferred as the certificate couldn’t be verified.

Debian 9 (Stretch/stable) with the package `postfix` has the version
3.1.4-7.

```
$ sudo postconf mail_version
mail_version = 3.1.4
$ sudo postconf smtp_tls_CAfile
smtp_tls_CAfile =
$ sudo postconf smtp_tls_CAfilesmtp_tls_CApath
postconf: warning: smtp_tls_CAfilesmtp_tls_CApath: unknown parameter
$ sudo postconf smtp_tls_CApath
smtp_tls_CApath = /etc/ssl/certs/
```

Verify with `posttls-finger`.

```
$ sudo posttls-finger -t30 -T180 -c -L verbose,summary gwdg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to
mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLS
cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25:
depth=2 verify=0 subject=/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
Global - G01
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25:
depth=1 verify=1
subject=/C=DE/O=DFN-Verein/OU=Geschaeftsstelle/CN=DFN-Verein-GS-CA - G02
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25:
depth=0 verify=1
subject=/C=DE/ST=Berlin/L=Berlin/O=DFN-Verein/OU=Geschaeftsstelle/CN=mfilter-123-3-1.mx.srv.dfn.de
posttls-finger: certificate verification failed for
mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: untrusted issuer
/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche
Telekom Root CA 2
posttls-finger: mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25:
subject_CN=mfilter-123-3-1.mx.srv.dfn.de, issuer_CN=DFN-Verein-GS-CA -
G02,
fingerprint=F8:EC:1C:72:36:5B:40:E4:F0:B4:23:8C:9E:C5:E4:7B:C3:54:85:70,
pkey_fingerprint=19:CA:96:64:83:C8:90:34:B6:15:31:EF:C0:8F:26:41:99:80:17:65
posttls-finger: Untrusted TLS connection established to
mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
```

So judging from “untrusted issuer”, I assume the root certificate is
missing. Use `openssl`.

```
$ echo "" | openssl s_client -connect mfilter-123-3-1.mx.srv.dfn.de:25
-starttls smtp -showcerts
[…]
CONNECTED(00000003)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN
= Deutsche Telekom Root CA 2
verify return:1
depth=2 C = DE, O = DFN-Verein, OU = DFN-PKI, CN = DFN-Verein PCA Global
- G01
verify return:1
depth=1 C = DE, O = DFN-Verein, OU = Geschaeftsstelle, CN =
DFN-Verein-GS-CA - G02
verify return:1
depth=0 C = DE, ST = Berlin, L = Berlin, O = DFN-Verein, OU =
Geschaeftsstelle, CN = mfilter-123-3-1.mx.srv.dfn.de
verify return:1[…]
     Verify return code: 0 (ok)
[…]
```

Save the certificate *C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
Global - G01* in `issuer.pem` (attached), and verify it.

```
$ openssl verify -CApath /etc/ssl/certs -purpose crlsign issuer.pem
issuer.pem: OK
```

The server certificate also contains the correct name, right?

```
CN=mfilter-123-3-1.mx.srv.dfn.de
```

So it’s not a problem with matching the server certificate peername [4],
is it?


Kind regards,

Paul


[1]
http://postfix.1071664.n5.nabble.com/TLS-Encryption-and-Verification-issue-td72677.html
     "TLS Encryption and Verification issue"
[2] http://www.postfix.org/TLS_README.html#client_tls_secure
[3] https://ssl-tools.net/mailservers/gwdg.de
[4] http://www.postfix.org/postconf.5.html#smtp_tls_verify_cert_match

issuer.pem (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Root certificate in `/etc/ssl/certs` not found

Viktor Dukhovni
On Thu, Jul 06, 2017 at 08:27:35PM +0200, Paul Menzel wrote:

> $ sudo posttls-finger -t30 -T180 -c -L verbose,summary gwdg.de

There's no need to run posttls-finger as root.  And "verbose"
is just distracting.

> posttls-finger: setting up TLS connection to mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25
> posttls-finger: Untrusted TLS connection established to mfilter-123-3-1.mx.srv.dfn.de[194.95.232.101]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

This is not surprising, since by default Postfix trusts no CAs,
also recent versions of posttls-finger do "dane" verification by
default.

On my system the system certificate bundle is in /etc/ssl/cert.pem,
and so the correct test is:

        $ posttls-finger -c -l secure -F /etc/ssl/cert.pem gwdg.de .mx.srv.dfn.de
        posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: Matched subjectAltName: mfilter-123-3-3.mx.srv.dfn.de
        posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25 CommonName mfilter-123-3-3.mx.srv.dfn.de
        posttls-finger: mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: subject_CN=mfilter-123-3-3.mx.srv.dfn.de,
        issuer_CN=DFN-Verein-GS-CA - G02, fingerprint=6D:C1:73:0B:7F:E4:CD:A5:54:CF:D8:79:7E:17:37:27:81:EF:9A:BE, pkey_fingerprint=E1:7E:4F:88:AD:09:50:54:5C:19:49:47:62:C6:64:33:A0:D7:48:35
        posttls-finger: Verified TLS connection established to mfilter-123-3-3.mx.srv.dfn.de[194.95.238.101]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Notes:

    1. "-l secure" selects the desired security level.

    2. "-F /etc/ssl/cert.pem" selects the correct trusted certificate bundle.
       This corresponds to smtp_tls_CAfile.  You can use "-P /some/path" to
       select a directory of trusted certs hashed in the usual way with
       c_rehash.  This corresponds to smtp_tls_CApath.

    3. The domain's MX hosts have certificates with the MX host DNS names,
       but do not contain the nexthop domain.   Since the MX hosts are
       typically obtained via insecure DNS lookups, they cannot be trusted.
       See TLS_README for details.  Therefore "secure" verification of this
       domain requires a non-default name matching strategy.  In this case
       ".mx.srv.dfn.de" is a parent domain of all the MX hosts.

Thus your TLS policy entry for this domain would be:

    # Perhaps some day the MX host certs will have gwdg.de names, so
    # include nexthop and dot-nexthop in addition to the current MX
    # provider domain.
    #
    gwdg.de secure match=nexthop:dot-nexthop:.mx.srv.dfn.de

Encourage the counter-party to deploy DANE, SMTP TLS security scales
much better with DANE (does not require per-destination manual
configuration like the above).

--
        Viktor.
Loading...