trusted vs. verified TLS connection


trusted vs. verified TLS connection

A. Schulze

Hello,

while checking TLS to a destination domain I noticed a difference.
posttls-finger says "Verified" but the log says (only) "Trusted".

# posttls-finger -c -F /etc/ssl/mail/trusted_cas.pem avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: Matched subjectAltName: mx1.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx1.c01.avira.com, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
posttls-finger: Verified TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

# grep "to mx1.c01.avira.com" /var/log/mail
Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

# postconf -h mail_version
2.11.3

# postconf -h smtp_tls_CAfile
/etc/ssl/mail/trusted_cas.pem

I would say posttls-finger is wrong. Or am I?

Andreas






Re: trusted vs. verified TLS connection

Viktor Dukhovni

On Wed, Dec 10, 2014 at 01:13:22PM +0100, A. Schulze wrote:

> while checking TLS to a destination domain I noticed a difference.
> posttls-finger says "Verified" but the log says (only) "Trusted".

The posttls-finger(1) utility defaults to the "dane" security level
when TLSA records are present and "secure" when absent.  Since it
just reports test results, routine failure at the more secure settings
is not a problem.

> posttls-finger: Verified TLS connection established to
> mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> # grep "to mx1.c01.avira.com" /var/log/mail
> Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established
> to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The smtp(8) delivery agent is likely correctly defaulting to "may"
or "dane" when not otherwise configured for a particular destination.

Neither results in "Verified" for this domain.

> # postconf -h smtp_tls_CAfile
> /etc/ssl/mail/trusted_cas.pem
>
> I would say posttls-finger is wrong. Or am I?

Nobody's wrong, just a difference in policy settings.  It looks like
you're explicitly disabling "aNULL" ciphers somewhere.  The
default for such a destination would have resulted in an
"Anonymous" connection.  To get trusted with posttls-finger
I had to use:

    $ posttls-finger -o tls_medium_cipherlist=DEFAULT -l may -c -F avira.pem avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx1.c01.avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx.ames.avira.net, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
    posttls-finger: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

--
        Viktor.
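An added check in Python, not part of either post above and not Postfix code: it parses the "TLS connection established" summary that both postfix/smtp(8) log lines and posttls-finger(1) print, and reports whether a probe and a real delivery differ in trust label, protocol/cipher or MX address, the three things worth comparing before calling either side "wrong". The regex, the function names and the two sample lines (copied from this thread and embedded as constructed input) are my own assumptions.

```python
import re

# Trust labels Postfix logs for an established TLS session, weakest first.
TRUST_LEVELS = ("Anonymous", "Untrusted", "Trusted", "Verified")

# Tail shared by postfix/smtp(8) log lines and posttls-finger(1) output:
#   "<label> TLS connection established to host[ip]:port: proto with cipher name (n/m bits)"
TLS_RE = re.compile(
    r"(?P<label>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)

def parse_tls_line(line):
    """Return the fields of a TLS summary line as a dict, or None for any other line."""
    m = TLS_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["port"], fields["bits"] = int(fields["port"]), int(fields["bits"])
    return fields

def compare_probe_with_log(probe_line, log_line):
    """Side-by-side check of a posttls-finger probe against a delivery log line."""
    p, d = parse_tls_line(probe_line), parse_tls_line(log_line)
    if p is None or d is None:
        raise ValueError("expected two 'TLS connection established' lines")
    return {
        "host": p["host"],
        "same_host": p["host"] == d["host"],
        "same_ip": p["ip"] == d["ip"],  # an MX name may resolve to several addresses
        "probe_label": p["label"],
        "delivery_label": d["label"],
        # A stronger probe label over the same protocol and cipher points at a
        # client policy difference (security level, cipherlist), not a changed server.
        "probe_stronger": TRUST_LEVELS.index(p["label"]) > TRUST_LEVELS.index(d["label"]),
        "same_cipher": (p["proto"], p["cipher"]) == (d["proto"], d["cipher"]),
    }

# Constructed sample input: the two lines quoted in this thread.
PROBE = ("posttls-finger: Verified TLS connection established to "
         "mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher "
         "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)")
LOG = ("Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection "
       "established to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with "
       "cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)")

if __name__ == "__main__":
    print(compare_probe_with_log(PROBE, LOG))
```

On the thread's two lines the result shows the same host and cipher but a different MX address and a stronger probe label, which is exactly the "policy, not server" situation Viktor describes.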