On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:

> > to sum it up, when smtp_tls_CApath is not empty, CAs from
> > /etc/ssl/certs are trusted regardless the value of smtp_tls_CApath.

This is done primarily by OpenSSL, but as Wietse observes:

> Victor will have to confirm or deny this, but we may have to update
> the main code in function tls_set_ca_certificate_info():
> 
>     if (CAfile || CApath) {
>         if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
>             msg_info("cannot load Certificate Authority data: "
>                      "disabling TLS support");
>             tls_print_errors();
>             return (-1);
>         }
> +   } else {
>         if (!SSL_CTX_set_default_verify_paths(ctx)) {
>             msg_info("cannot set certificate verification paths: "
>                      "disabling TLS support");
>             tls_print_errors();
>             return (-1);
>         }
>     }
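Review bot: the hunk marks only `} else {` as added, while the closing brace of the `if (CAfile || CApath)` block that it replaces carries no `-` line, so as shown the change is a sketch rather than an applicable patch. Functionally, the new `else` means SSL_CTX_set_default_verify_paths() is skipped whenever CAfile or CApath is set, so explicitly configured locations replace the system CA store instead of augmenting it; the CAfile/CApath parameter documentation should state that, and that leaving both empty falls back to the OpenSSL default paths.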

We could make this change, but it would be an incompatibility with past
behaviour. This code dates back to the original TLS patch for Postfix
releases prior to 2.1, and augments the default system CA paths, instead
of replacing them.

I guess our documentation has never promised the use of system CAs when
CApath or CAfile are set; failing to override the system settings is
counter-intuitive, so I can support this change. We'll also have to
document the semantics of "CAfile == CApath == <empty>".

> Unfortunately OpenSSL has no documentation for the
> SSL_CTX_set_default_verify_paths() function, so it is hard to be
> sure that the function is used in a correct manner.

The function is used correctly, and sadly a large part of the OpenSSL
API that is not internal, and ought to be documented, is not.

> The change above is based on a patch for the s_client program:
> http://rt.openssl.org/Ticket/Display.html?id=2203&user=guest&pass=guest

This largely explains how Postfix came to have the code it does. Since
OpenSSL is both complex and incompletely documented, many OpenSSL client
applications are cargo-cult copies of example code in the OpenSSL apps/
directory, with SSL apps typically borrowing code snippets from s_client
and s_server.

The patch whose URL is above has not yet been adopted into OpenSSL; the
1.0.0a release still has the original code:

    if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
        (!SSL_CTX_set_default_verify_paths(ctx)))
        {
        /* BIO_printf(bio_err,"error setting default verify locations\n"); */
        ERR_print_errors(bio_err);
        /* goto end; */
        }

-- 
        Viktor.
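The replace-versus-augment semantics debated above, as an added illustration that is not part of this thread or of Postfix: Python's ssl module wraps the same SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths() calls, so a small helper can show which trust anchors end up in the store under the proposed `else` branch, under the old augmenting behaviour, and with both locations empty. The function and parameter names are hypothetical, and the empty hash directory used as CApath is constructed for the demo.

```python
"""Explicit CA locations: replace the system defaults (proposed), or
augment them (pre-change Postfix / s_client behaviour).  Hypothetical
helper written for this illustration; not Postfix code."""
import ssl
import tempfile


def make_client_context(cafile=None, capath=None, augment_with_system_cas=False):
    """Build a verifying client context and report what was loaded.

    - cafile/capath given: load only those (the proposed `else` branch),
      unless augment_with_system_cas=True, which adds the OpenSSL default
      paths on top, i.e. the behaviour the thread is discussing removing.
    - neither given: fall back to the OpenSSL default paths.
    Returns (ctx, sources); sources lists the trust sources in load order.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    sources = []
    if cafile or capath:
        # Wraps SSL_CTX_load_verify_locations(ctx, CAfile, CApath).
        ctx.load_verify_locations(cafile=cafile, capath=capath)
        sources.append("explicit")
        if augment_with_system_cas:
            ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
            sources.append("system-defaults")
    else:
        # Wraps SSL_CTX_set_default_verify_paths(ctx).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        sources.append("system-defaults")
    return ctx, sources


def trusted_ca_count(ctx):
    """Number of CA certificates currently held in the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def demo():
    """Constructed input: an empty hash directory standing in for CApath."""
    with tempfile.TemporaryDirectory() as capath:
        strict, strict_src = make_client_context(capath=capath)
        legacy, legacy_src = make_client_context(capath=capath,
                                                 augment_with_system_cas=True)
        default, default_src = make_client_context()
        return {
            "strict": (trusted_ca_count(strict), strict_src),
            "legacy": (trusted_ca_count(legacy), legacy_src),
            "default": (trusted_ca_count(default), default_src),
        }
```

With an empty CApath the strict context trusts nothing at all, which is exactly the behaviour an operator who set smtp_tls_CApath deliberately would expect; the legacy context silently trusts whatever the system bundle contains as well.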
