gmail.com is Unsecure ssl cert ?

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

gmail.com is Unsecure ssl cert ?

Benny Pedersen-2

tested with

posttls-finger gmail.com

is it my own postfix that fails with this ?

how can i solve it ?
Reply | Threaded
Open this post in threaded view
|

Re: gmail.com is Unsecure ssl cert ?

Viktor Dukhovni
> On Mar 16, 2020, at 9:04 AM, Benny Pedersen <[hidden email]> wrote:
>
> tested with
>
> posttls-finger gmail.com
>
> is it my own postfix that fails with this ?
>
> how can i solve it ?

For opportunistic TLS, unvalidated certificates are not a failure.
There is no problem, everything is working as expected:

  $ posttls-finger -l may -c -L summary gmail.com
  posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: gmail.com is Unsecure ssl cert ?

Peter Ajamian
On 17/03/20 2:08 am, Viktor Dukhovni wrote:
> For opportunistic TLS, unvalidated certificates are not a failure.
> There is no problem, everything is working as expected:
>
>    $ posttls-finger -l may -c -L summary gmail.com
>    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

$ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername
"gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl
x509 -noout -text); sleep 0.1
...
Certificate chain
  0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
    i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
  1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
    i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
...
             Not After : May 19 20:43:24 2020 GMT
...
             X509v3 Subject Alternative Name:
...DNS:gmail-smtp-in.l.google.com,...
...

Looks valid to me, unless I'm missing something, or is posttls-finger
missing something?


Peter
Reply | Threaded
Open this post in threaded view
|

Re: gmail.com is Unsecure ssl cert ?

Wietse Venema
Peter:

> On 17/03/20 2:08 am, Viktor Dukhovni wrote:
> > For opportunistic TLS, unvalidated certificates are not a failure.
> > There is no problem, everything is working as expected:
> >
> >    $ posttls-finger -l may -c -L summary gmail.com
> >    posttls-finger: Untrusted TLS connection established to gmail-smtp-in.l.google.com[2607:f8b0:400d:c0f::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
>
> $ openssl s_client -connect "gmail-smtp-in.l.google.com:25" -servername
> "gmail-smtp-in.l.google.com" -starttls smtp <<<"QUIT" | tee >(openssl
> x509 -noout -text); sleep 0.1
> ...
> Certificate chain
>   0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=mx.google.com
>     i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
>   1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
>     i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
> ...
>              Not After : May 19 20:43:24 2020 GMT
> ...
>              X509v3 Subject Alternative Name:
> ...DNS:gmail-smtp-in.l.google.com,...
> ...
>
> Looks valid to me, unless I'm missing something, or is posttls-finger
> missing something?

Postfix code will enforce the security level that you specify.
If you want Postfix to trust the certificate, then specify that.

        posttlls-finger -l <your preferred level> ...

Ditto in main.cf and smtp_tls_policy_maps.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: gmail.com is Unsecure ssl cert ?

Viktor Dukhovni

On Mon, Mar 16, 2020 at 02:45:55PM -0400, Wietse Venema wrote:

> > Looks valid to me, unless I'm missing something, or is posttls-finger
> > missing something?
>
> Postfix code will enforce the security level that you specify.
> If you want Postfix to trust the certificate, then specify that.
>
> posttlls-finger -l <your preferred level> ...
>
> Ditto in main.cf and smtp_tls_policy_maps.

Everything is as expected.  Postfix defaults to opportunistic TLS, which
does not care about the peer certificate (does not attempt to verify
it), and *also* by default has an empty trust store.  If you want to
trust some list of random third-parties, you have to explicitly turn
that on.  And if you want "Verified", rather than "trusted" you
often have to also specify appropriate name matching:

    $ posttls-finger -c -l secure -L summary -F /etc/ssl/cert.pem gmail.com mx.google.com
    posttls-finger: Verified TLS connection established
       to gmail-smtp-in.l.google.com[172.217.197.26]:25: TLSv1.3 with
       cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
       server-signature RSA-PSS (2048 bits) server-digest SHA256

--
    Viktor.