Mark Constable writes:

On 29/04/16 22:36, Sam Varshavchik wrote:
>>> I finally have a 0.76.0 ubuntu install to test and trying to get this to
>>> work...
>>>
>>> > - courier, courier-imap: add support for TLS SNI when Courier is built with OpenSSL.
>>>
>>> I've added this vhost settings but no sign the LetsEncrypt certificate is
>>> being delivered to Thunderbird.
>>>
>>> ~ ls -1 /etc/courier/*renta.net
>>> defaultdomain.ded1649.renta.net
>>> dsnfrom.ded1649.renta.net
>>> esmtpd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> imapd.pem.ded1649.renta.net -> ../ssl/ded1649.renta.net/mailserver.pem
>>> vhost.ded1649.renta.net
>
> Find the pid that's listening on localhost, then run strace on it. In my case it's pid 15018.
>
> # strace -s 256 -f -o z -p 15018
>
> Then, use couriertls like this:
>
> TLS_TRUSTCERTS=/etc/pki/tls/cert.pem TLS_VERIFYPEER=none couriertls \
>     -host=localhost -port=143 -protocol=imap -verify=localhost
>
> Fedora installs all trusted certs in /etc/pki/tls/cert.pem; use the equivalent for Debian, Ubuntu, etc…
>
> The connection attempt will fail to verify the "localhost" certificate, of course. That's fine. Then:
>
> # grep imapd.pem z
> 2734 access("/usr/lib/courier-imap/share/imapd.pem.localhost", R_OK) = -1 ENOENT (No such file or directory)
> 2734  access("/usr/lib/courier-imap/share/imapd.pem", R_OK) = 0
> 2734  open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 10
>
> That shows that the server process tried to open imapd.pem.localhost, first.

Excellent, thank you Sam! Every variation I tried results in...

21989 access("/etc/courier/imapd.pem.xxx.xxx.104.254", R_OK) = -1 ENOENT (No such file or directory)
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5
21989 open("/etc/courier/imapd.pem", O_RDONLY) = 5

I don't seem to be able to use the -host=localhost parameter to couriertls.

My "netstat -tanup" gives me...

tcp6 0 0 :::465 :::* LISTEN 21926/couriertcpd
tcp6 0 0 :::25 :::* LISTEN 21895/couriertcpd
tcp6 0 0 :::993 :::* LISTEN 21947/couriertcpd
tcp6 0 1 xxx.xxx.104.254:993 xxx.xxx.99.177:54272 FIN_WAIT1 -

Which is odd but the last field does indeed show an ip4 connection.

I used the below as I don't enable STARTTLS on 143 and -host=localhost
results in an almost empty strace dump file (like it's not even hitting
localhost at all)...

~ strace -s 256 -f -o z -p 21947
~ TLS_TRUSTCERTS=/etc/ssl/certs TLS_VERIFYPEER=none couriertls -host=xxx.xxx.104.254 -port=993 -protocol=imap -verify=localhost

993 is encrypted SSL, drop the -protocol option. -protocol negotiates STARTTLS. Using port 993:

$ TLS_TRUSTCERTS=/etc/pki/tls/cert.pem TLS_VERIFYPEER=none couriertls -host=localhost -port=993 -verify=example.com

This, for me, results in:

# grep imapd.pem z
30706 access("/usr/lib/courier-imap/share/imapd.pem.127.0.0.1", R_OK) = -1 ENOENT (No such file or directory)
30706 open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 5
30706 open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 5
30706 access("/usr/lib/courier-imap/share/imapd.pem.example.com", R_OK) = -1 ENOENT (No such file or directory)

If I symlink it:

# ln -s imapd.pem /usr/lib/courier-imap/share/imapd.pem.example.com

Then:

# grep imapd.pem z
30727 access("/usr/lib/courier-imap/share/imapd.pem.127.0.0.1", R_OK) = -1 ENOENT (No such file or directory)
30727 open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 5
30727 open("/usr/lib/courier-imap/share/imapd.pem", O_RDONLY) = 5
30727 access("/usr/lib/courier-imap/share/imapd.pem.example.com", R_OK) = 0
30727 open("/usr/lib/courier-imap/share/imapd.pem.example.com", O_RDONLY) = 5
30727 open("/usr/lib/courier-imap/share/imapd.pem.example.com", O_RDONLY) = 5
30727 open("/usr/lib/courier-imap/share/imapd.pem.example.com", O_RDONLY) = 5

That's the server finding it, and reading it.

- is a PTR record required for ded1649.renta.net?

Whether or not it's required, that's a DNS issue. It won't have any effect on SSL.


- is it possible the 0.76.0 package I am using is missing a build flag?

No, there are no explicit build flags.

- anything other than vhost.ded1649.renta.net and imapd.pem.ded1649.renta.net needed?

imapd.pem is always needed. That loads the default certificate. Then, imapd.pem.<hostname> is needed, with <hostname> matching the -verify parameter (with the -host parameter used only to specify the hostname or the IP address to connect to). That should load the correct certificate after the server receives the TLS extension request from the client.

It's unlikely that your version of openssl is old enough not to implement SNI. That's possible, but unlikely. You could check the build directory, where Courier was compiled:

$ grep OPENSSL_SNI courier-0.76.0/libs/tcpd/config.h
#define HAVE_OPENSSL_SNI 1

There are not many possibilities either. Either there was some reason why the SNI extension support did not get compiled in. The configure script checks for it and enables it if it thinks that the version of openssl is recent enough to support it.

If it is enabled, and after dropping the -protocol=imap parameter, if you're testing port 993, you still don't see the cert getting loaded, then the likely answer is that this is still an older version of Courier running, and there's an installation problem.

Your strace shows that you have the PEM files in /etc/courier, i.e. you're loading /etc/courier/imapd.pem.

My example used the courier-imap build, with the certificate files in /usr/lib/courier-imap/share. The courier package's default certificate location is /usr/lib/courier/share. Repeated the same test, this time with the Courier package:

# grep imapd.pem z
31130 access("/usr/lib/courier/share/imapd.pem.127.0.0.1", R_OK) = -1 ENOENT (No such file or directory)
31130 open("/usr/lib/courier/share/imapd.pem", O_RDONLY) = 5
31130 open("/usr/lib/courier/share/imapd.pem", O_RDONLY) = 5
31130 access("/usr/lib/courier/share/imapd.pem.example.com", R_OK) = 0
31130 open("/usr/lib/courier/share/imapd.pem.example.com", O_RDONLY) = 5
31130 open("/usr/lib/courier/share/imapd.pem.example.com", O_RDONLY) = 5
31130 open("/usr/lib/courier/share/imapd.pem.example.com", O_RDONLY) = 5

So, unless you built it with a custom --with-certsdir=/etc/courier flag, your strace suggests a different courier package.
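The lookup order Sam's strace shows (SERVICE.pem.<SNI name> first, then the default SERVICE.pem) is easy to check for a vhost before reaching for strace. The script below is an added example, not code from this thread or from Courier itself: it mirrors the observed order against a certificate directory (assumed to default to /etc/courier, matching Mark's strace), reports whether a hostname would get its own certificate or only the fallback, and, as an optional extra, uses openssl to confirm the chosen PEM actually carries that hostname, since a symlink to the wrong certificate still "loads" in strace but will not satisfy a client verifying that name.

```shell
#!/bin/sh
# Added example, not Courier's own code. Emulates the certificate file
# lookup order seen in the strace output in this thread:
#   1. <certsdir>/<service>.pem.<sni-hostname>
#   2. <certsdir>/<service>.pem   (default certificate)
# Assumption: certsdir defaults to /etc/courier (Debian/Ubuntu layout as in
# Mark's strace); Courier's real lookup happens inside couriertcpd/couriertls,
# this script only reproduces the observed order.

# courier_cert_for SERVICE SNI_NAME [CERTSDIR]
# Prints the PEM file the server would open for SERVICE ("imapd", "esmtpd")
# when a client sends SNI_NAME. Returns 1 if even the default file is missing.
courier_cert_for() {
    service=$1; sni=$2; dir=${3:-/etc/courier}
    if [ -r "$dir/$service.pem.$sni" ]; then
        printf '%s\n' "$dir/$service.pem.$sni"
    elif [ -r "$dir/$service.pem" ]; then
        printf '%s\n' "$dir/$service.pem"
    else
        return 1
    fi
}

# check_vhost SERVICE HOSTNAME [CERTSDIR]
# Exit 0: per-host certificate found. Exit 1: only the default certificate
# would be served (SNI is effectively ignored for HOSTNAME). Exit 2: no
# certificate at all, the service cannot offer TLS.
check_vhost() {
    file=$(courier_cert_for "$1" "$2" "$3") || {
        echo "no certificate at all for $1 in ${3:-/etc/courier}"
        return 2
    }
    case $file in
        *".pem.$2")
            echo "per-host certificate: $file" ;;
        *)
            echo "fallback to default certificate: $file" \
                 "(create $1.pem.$2 to serve $2 via SNI)"
            return 1 ;;
    esac
}

# sni_cert_matches PEMFILE HOSTNAME
# Optional extra check (requires the openssl CLI): confirm the PEM that would
# be served actually names HOSTNAME in its Subject/SAN.
sni_cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Example invocation (the hostname is the one from this thread):
#   check_vhost imapd ded1649.renta.net /etc/courier
#   sni_cert_matches "$(courier_cert_for imapd ded1649.renta.net)" ded1649.renta.net
```

Run check_vhost with the same name you pass to couriertls -verify (or that the mail client connects with); an exit status of 1 with the "fallback" message is exactly the situation in Mark's strace, where only /etc/courier/imapd.pem is ever opened.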


_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
