Re: connection_reuse

Wietse Venema Wed, 17 Jun 2020 12:40:16 -0700

Viktor Dukhovni:
> On Wed, Jun 17, 2020 at 06:05:44PM +0300, Thorsten Habich wrote:
> 
> > unfortunatelly I ran into a but when trying to use the connection_reuse
> > parameter in a TLS policy maps file.
> > Attached you can find a patch, to get this option running.
> 
> Thanks for the patch, indeed the "continue" is needed.
> 
> > --- src/smtp/smtp_tls_policy.c  2018-12-26 20:21:49.000000000 +0100
> > +++ src/smtp/smtp_tls_policy.c.new      2020-06-12 14:44:28.740591359 +0200
> > @@ -389,6 +389,7 @@
> >                          WHERE, name, val);
> >                 INVALID_RETURN(tls->why, site_level);
> >             }
> > +            continue;
> >         }
> >         msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
> >         INVALID_RETURN(tls->why, site_level);
> 
> 
> > P.S.: I think smtp_tls_connection_reuse=yes in combination with tafile
> > is broken.
> 
> I think you're saying that per-connection trust-anchors are not
> supported by the tlsproxy.  That sounds plausible.  The "tafile" is
> internally converted to a set of synthetic "DANE-TA(2)" records,
> that are used for validation with "secure/verify" instead of the
> global CAfile/CApath.  I don't think these are carried along with
> the tlsproxy protocol.


I put in a lot of work to ship an entire christmas tree of 
attributes, including:

        ret = print_fn(fp, flags | ATTR_FLAG_MORE,
                       SEND_ATTR_FUNC(tls_proxy_client_tlsa_print,
                                      (void *) dane->ta),
                       SEND_ATTR_FUNC(tls_proxy_client_tlsa_print,
                                      (void *) dane->ee),
                       SEND_ATTR_FUNC(tls_proxy_client_certs_print,
                                      (void *) dane->certs),
                       SEND_ATTR_FUNC(tls_proxy_client_pkeys_print,
                                      (void *) dane->pkeys),
                       SEND_ATTR_STR(TLS_ATTR_DOMAIN,
                                     STRING_OR_EMPTY(dane->base_domain)),
                       SEND_ATTR_INT(TLS_ATTR_FLAGS, dane->flags),
                       SEND_ATTR_LONG(TLS_ATTR_EXP, dane->expires),
                       ATTR_TYPE_END);

It would be bad if that work was done for naught.

        Wietse

> There's some internal refactoring I should do in any case that
> would make it easier to support these with connection reuse.
> 
> Ideally, we could drop (e.g. in Postfix 3.6) for OpenSSL 1.0.x, and
> require 1.1.0 or later.  Then it would make sense to refactor to use the
> built-in DANE support in OpenSSL (a tidier reworked version of the code
> originally in Postfix), and with that make sure that "tafile" works as
> expected with TLS connection reuse.
> 
> -- 
>     Viktor.
>

Re: connection_reuse

Reply via email to