Hi,

I recently upgraded my systems to have full openssl-1.1.1c support. After 
upgrading my mail-server, I realized that I had problems with trusting server 
certificates. I checked that the server still uses 
/etc/ssl/certs/ca-certificates.crt, but for some reason Postfix cannot work 
with this file anymore. Even running update-ca-certificates (which added 141 
CAs) did not solve the problem.

By changing *_CAfile parameters to *_CApath, everything started working again.

Is there something special with TLSv1.3 (OpenSSL-1.1.1c) that I forgot to do 
after the upgrade?

Here are some relevant logs I found while troubleshooting:
--------------------------------------------------------
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: setting up TLS connection to mx.roessner-net.de[134.255.226.247]:25
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: looking for session smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548 in smtp cache
Aug 12 20:32:45 mx postfix/relay/tlsmgr[23993]: lookup smtp session id=smtp&roessner-net.com&mx.roessner-net.de&134.255.226.247&&D83C77C56AE6BC60C2C9E9B52C4E501B2D34BA7166F7510D567CEFBE7D30B548
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:before SSL initialization
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client hello
Aug 12 20:32:45 mx postfix/relay/smtp[24004]: 466k0K1GwXzNkFw: to=<*****@ra-roessner-merle.de>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=11792, delays=11792/0.16/0.26/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server hello
Aug 12 20:32:45 mx postfix/smtpd[24008]: disconnect from relay.roessner-net.de[134.255.226.249]:46037 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read encrypted extensions
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate request
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=0 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: depth=0 verify=1 subject=/CN=mx.roessner-net.de
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read server certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:TLSv1.3 read server certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24006]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:47803: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS read finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write change cipher spec
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write client certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24005]: 466kX4238lzNkFS: to=<postmas...@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=1082, delays=1081/0.19/0.28/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24006]: disconnect from relay.roessner-net.de[134.255.226.249]:47803 ehlo=1 starttls=1 quit=1 commands=3
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write certificate verify
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: SSL_connect:SSLv3/TLS write finished
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: certificate verification failed for mx.roessner-net.de[134.255.226.247]:25: self-signed certificate
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: mx.roessner-net.de[134.255.226.247]:25: subject_CN=mx.roessner-net.de, issuer_CN=mx.roessner-net.de, fingerprint=1C:93:B4:39:D9:0A:3C:18:FA:84:90:55:73:77:42:2E, pkey_fingerprint=7C:C6:C5:59:7A:07:A4:E9:14:02:75:92:58:C3:DE:8E
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: Untrusted TLS connection established to mx.roessner-net.de[134.255.226.247]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/smtpd[24012]: Trusted TLS connection established from relay.roessner-net.de[134.255.226.249]:60779: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256
Aug 12 20:32:45 mx postfix/relay/smtp[24007]: 466krX5vPFzNkFb: to=<*****@roessner-net.com>, relay=mx.roessner-net.de[134.255.226.247]:25, delay=225, delays=225/0.22/0.27/0, dsn=4.7.5, status=deferred (Server certificate not trusted)
Aug 12 20:32:45 mx postfix/smtpd[24012]: disconnect from relay.roessner-net.de[134.255.226.249]:60779 ehlo=1 starttls=1 quit=1 commands=3
--------------------------------------------------------

Here are the relevant tls options for relay.roessner-net.de:
--------------------------------------------------------
smtp_tls_policy_maps =
    socketmap:inet:127.0.0.1:8461:postfix,
    ${default_database_type}:${config_directory}/maps/smtp_tls_policy_maps
smtp_tls_security_level = dane
# smtp_tls_connection_reuse = yes
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtp_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_dns_support_level = dnssec
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
--------------------------------------------------------
Need to use CApath in sending direction.

Here are the relevant tls options for mx.roessner-net.de:
--------------------------------------------------------
# TLS receiving
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/${myhostname}/cert/fullchain.pem
smtpd_tls_key_file = /etc/ssl/${myhostname}/key/privkey.pem
smtpd_tls_dh1024_param_file = ${config_directory}/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = ${config_directory}/ssl/dh_512.pem
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
#
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
--------------------------------------------------------

I use Let's Encrypt certificates.

Postfix version is:
postconf -d mail_version
mail_version = 3.4.6

Thanks for any ideas and help in advance

Christian
-- 
Rößner-Network-Solutions
Karl-Bröger-Str. 10, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
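An added example, not part of Christian's post: a shell script that builds a throwaway test CA and leaf certificate, then verifies the leaf against that same CA presented as a CAfile bundle, as a hashed CApath directory, and as a directory that merely contains the PEM file. This is the offline check for which trust-store form actually validates a chain before pointing smtp_tls_CAfile or smtp_tls_CApath at it. It assumes the openssl command is installed; every name and path in it is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway test CA and a
# leaf certificate, then checks whether the leaf verifies against that CA in
# the three forms a Postfix admin meets: a CAfile bundle, a hashed CApath
# directory, and a directory that only contains the plain PEM file.
# Assumes the openssl CLI is installed; every name and path is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed test PKI: one self-signed CA and one leaf signed by it.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mx.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# OpenSSL finds issuers in a CApath by <subject_hash>.<n> file names, so a
# directory holding only plain .pem files is an empty trust store to it.
make_capaths() {
  mkdir -p "$WORK/hashed" "$WORK/plain"
  cp "$WORK/ca.pem" "$WORK/hashed/ca.pem"
  cp "$WORK/ca.pem" "$WORK/plain/ca.pem"
  h=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
  ln -sf ca.pem "$WORK/hashed/$h.0"
}

# verify_with -CAfile|-CApath STORE LEAF: exit 0 only if LEAF chains to STORE.
# The default system locations are switched off so that only STORE counts.
verify_with() {
  openssl verify -no-CAfile -no-CApath "$1" "$2" "$3" >/dev/null 2>&1
}

# Sanity check for a CApath: does it contain any hash-named entries at all?
capath_has_hash_links() {
  ls "$1" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'
}

make_test_pki
make_capaths
verify_with -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" && echo "CAfile bundle: trusted"
verify_with -CApath "$WORK/hashed" "$WORK/leaf.pem" && echo "hashed CApath: trusted"
verify_with -CApath "$WORK/plain" "$WORK/leaf.pem" || echo "plain dir: not trusted"
```

To run the same check against a real store, pass the system bundle or /etc/ssl/certs as STORE and a peer certificate saved from openssl s_client -showcerts as LEAF.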
