Re: logging TLS SNI hostname

2016-11-08 Thread Arkadiusz Miśkiewicz
On Tuesday 08 of November 2016, Aki Tuomi wrote:
> > On November 8, 2016 at 4:08 PM Arkadiusz Miśkiewicz 
> > wrote:
> > 
> > On Thursday 20 of October 2016, Arkadiusz Miśkiewicz wrote:
> > > On Thursday 20 of October 2016, Aki Tuomi wrote:
> > > > On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
> > > > > > ... -servername something
> > > > 
> > > > If you want to try out, try applying this patch...
> > > 
> > > Works, thanks!
> > 
> > But... it's easy to log fake things
> > 
> > Nov 8 15:04:01 mbox dovecot: pop3-login: Aborted login (no auth attempts
> > in 1 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1,
> > local_name=whitehouse.gov, i_can=put_anything, here=etc, TLS,
> > session=<26rEnMpAPMtb6rD0>
> > 
> > by using
> > 
> > openssl s_client -connect 127.0.0.1:110 -starttls pop3 -servername
> > "whitehouse.gov, i_can=put_anything, here=etc"
> > 
> > so some escaping here would also be needed.
> > 
> > conf:
> > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> > local_name=%{local_name} %c session=<%{session}>
> > 
> > > > From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00
> > > > 2001 From: Aki Tuomi 
> > > > Date: Thu, 20 Oct 2016 16:06:27 +0300
> > > > Subject: [PATCH] login-common: Include local_name in
> > > > login_var_expand_table
> > > > 
> > > > This way it can be used in login_log_format
> 
> There is escaping in the final code in 2.2.26.0.

This is on 2.2.26.0. Escaping was only added to auth code, not logging one, 
right?

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: logging TLS SNI hostname

2016-11-08 Thread Arkadiusz Miśkiewicz
On Thursday 20 of October 2016, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
> > On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
> > > > ... -servername something
> > 
> > If you want to try out, try applying this patch...
> 
> Works, thanks!

But... it's easy to log fake things

Nov  8 15:04:01 mbox dovecot: pop3-login: Aborted login (no auth attempts in 1 
secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, local_name=whitehouse.gov, 
i_can=put_anything, here=etc, TLS, session=<26rEnMpAPMtb6rD0>

by using

openssl s_client -connect 127.0.0.1:110 -starttls pop3 -servername 
"whitehouse.gov, i_can=put_anything, here=etc"

so some escaping here would also be needed.

conf:
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e 
local_name=%{local_name} %c session=<%{session}>

> 
> > From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00 2001
> > From: Aki Tuomi 
> > Date: Thu, 20 Oct 2016 16:06:27 +0300
> > Subject: [PATCH] login-common: Include local_name in
> > login_var_expand_table
> > 
> > This way it can be used in login_log_format


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )
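The forged `local_name=` fields shown above, and the FQDN validation suggested earlier in the thread, are the two halves of the same defence: an SNI name is client-chosen bytes and must be validated or escaped before it is written into a log line. The C below is an added example, not Dovecot's code; the function names are invented, and the sample input in the checks is the exact value used in the message above.

```c
/* Added example, not Dovecot code: validate or %XX-escape a client-chosen TLS SNI name before it is logged. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
/* RFC 1123 shape: labels of [A-Za-z0-9-], 1..63 bytes, no leading or
 * trailing hyphen, joined by single dots, at most 253 bytes in total. */
bool sni_is_valid_hostname(const char *name)
{
    size_t len = strlen(name), label = 0;
    if (len == 0 || len > 253) return false;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.' || c == '\0') {
            if (label == 0 || label > 63 || name[i - 1] == '-')
                return false;      /* empty label or trailing '-' */
            label = 0;
        } else if (c == '-' ? label > 0 : isalnum(c)) {
            label++;               /* '-' is only allowed inside a label */
        } else {
            return false;          /* space, ',', '=', control bytes, ... */
        }
    }
    return true;
}
/* Copy name to out, writing every byte outside [A-Za-z0-9.-] as %XX so the
 * log format's separators never appear raw. Returns false if out is too small. */
bool sni_escape_for_log(const char *name, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        bool plain = isalnum(*p) || *p == '.' || *p == '-';
        if (o + (plain ? 1 : 3) >= outsz)
            return false;
        if (plain) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
        }
    }
    out[o] = '\0';
    return true;
}
/* Value to log for local_name=: the name itself when it is a real hostname,
 * otherwise the escaped form (static buffer, so not reentrant). */
const char *sni_for_log(const char *name)
{
    static char buf[1024];
    if (sni_is_valid_hostname(name))
        return name;
    return sni_escape_for_log(name, buf, sizeof buf) ? buf : "(unprintable)";
}
```

A name that fails `sni_is_valid_hostname` is also a useful signal on its own: a real mail client never sends spaces, commas or `=` in SNI, so such log lines are worth alerting on rather than merely escaping.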


Re: logging TLS SNI hostname

2016-10-20 Thread Aki Tuomi


On 20.10.2016 16:21, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
>> On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
>>>> ... -servername something
>> If you want to try out, try applying this patch...
> Works, thanks!
>
>> From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00 2001
>> From: Aki Tuomi 
>> Date: Thu, 20 Oct 2016 16:06:27 +0300
>> Subject: [PATCH] login-common: Include local_name in login_var_expand_table
>>
>> This way it can be used in login_log_format
Thank you for testing.

Aki


Re: logging TLS SNI hostname

2016-10-20 Thread Arkadiusz Miśkiewicz
On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
> > > ... -servername something
> 
> If you want to try out, try applying this patch...

Works, thanks!

> 
> From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00 2001
> From: Aki Tuomi 
> Date: Thu, 20 Oct 2016 16:06:27 +0300
> Subject: [PATCH] login-common: Include local_name in login_var_expand_table
> 
> This way it can be used in login_log_format

-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: logging TLS SNI hostname

2016-10-20 Thread Aki Tuomi


On 20.10.2016 15:52, Arkadiusz Miśkiewicz wrote:
> > ... -servername something

If you want to try out, try applying this patch...

>From 066edb5e5c14a05c90e9ae63f0b76fcfd9c1149e Mon Sep 17 00:00:00 2001
From: Aki Tuomi 
Date: Thu, 20 Oct 2016 16:06:27 +0300
Subject: [PATCH] login-common: Include local_name in login_var_expand_table

This way it can be used in login_log_format
---
 src/login-common/client-common.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index d0a9c52..5964ec9 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -507,6 +507,7 @@ static struct var_expand_table login_var_expand_empty_tab[] 
= {
{ '\0', NULL, "auth_username" },
{ '\0', NULL, "auth_domain" },
{ '\0', NULL, "listener" },
+   { '\0', NULL, "local_name" },
{ '\0', NULL, NULL }
 };
 
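Review bot: the new `{ '\0', NULL, "local_name" }` entry lands at index 26 of `login_var_expand_empty_tab`, and the second hunk reaches it only through the hard-coded `tab[26]`; the two are easy to let drift apart when another entry is inserted. A one-line comment at the table end noting the index it must keep (or a named index constant used in both places) would make the coupling visible.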
@@ -581,6 +582,7 @@ get_var_expand_table(struct client *client)
tab[24].value = tab[21].value;
}
tab[25].value = client->listener_name;
+   tab[26].value = client->local_name == NULL ? "" : client->local_name;
return tab;
 }
 
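Review bot: `tab[26].value = client->local_name == NULL ? "" : client->local_name;` passes the SNI name through exactly as the client sent it, so once `%{local_name}` is used in `login_log_format_elements` a client can embed `, ` and `=` and forge additional fields in the login log line (the thread later shows this with `-servername "whitehouse.gov, i_can=put_anything, here=etc"`). Sanitize or escape the value at this point, or reject names that are not syntactically valid hostnames, before it can reach the log.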
-- 
2.7.4


Re: logging TLS SNI hostname

2016-10-20 Thread Arkadiusz Miśkiewicz
On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> > On Thursday 20 of October 2016, Aki Tuomi wrote:
> >> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> >>> On Monday 17 of October 2016, KT Walrus wrote:
> > On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz 
> > wrote:
> > 
> > On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >> Is there a way to log SNI hostname used in TLS session? Info is
> >> there in SSL_CTX_set_tlsext_servername_callback, dovecot copies it
> >> to ssl_io->host.
> >> 
> >> Unfortunately I don't see it expanded to any variables (
> >> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >> feature request.
> >> 
> >> The goal is to be able to see which hostname client used like:
> >> 
> >> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=,
> >> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >> SNI=pop3.somehost.org, session=
> > 
> > Dear dovecot team, would it be possible to add such variable ^ ?
> > 
> > That would be a neat feature because server operator would know what
> > hostname client uses to connect to server (which is really useful in
> > case of many hostnames pointing to single IP).
> >>>> 
> >>>> I’d love to be able to use this SNI domain name in the Dovecot IMAP
> >>>> proxy for use in the SQL password_query. This would allow the proxy to
> >>>> support multiple IMAP server domains each with their own set of users.
> >>>> And, it would save me money by using only the IP of the proxy for all
> >>>> the IMAP server domains instead of giving each domain a unique IP.
> >>> 
> >>> It only needs to be carefully implemented on dovecot side as TLS SNI
> >>> hostname is information passed directly by client.
> >>> 
> >>> So some fqdn name validation would need to happen in case if client has
> >>> malicious intents.
> >>> 
> >>>> Kevin
> >> 
> >> Hi!
> >> 
> >> I wonder if this would be of any help? It provides %{local_name}
> >> passdb/userdb variable, you can use it for some logging too...
> >> 
> >> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> > 
> > Should it work for such usage, too?
> > 
> > login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e
> > local_name=%{local_name} %c session=<%{session}>
> > 
> > Because I'm not getting local_name logged at all (dovecot -a shows it's
> > there).
> > 
> >> Aki
> > 
> > Thanks,
> 
> How did you try? With openssl you need to use openssl s_client -connect
> ... -servername something

Yes, using it. -servername is mandatory for TLS SNI to work.

I'm getting correct certificate (as shown by openssl s_client). Certificate 
that's configured with local_name, so TLS SNI works fine on client and dovecot 
side.

ps. I'm using 2.2.25 + above %{local_name} patch. Could some other patch be 
needed for this to work?
 
> Aki
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: logging TLS SNI hostname

2016-10-20 Thread Aki Tuomi


On 20.10.2016 15:41, Arkadiusz Miśkiewicz wrote:
> On Thursday 20 of October 2016, Aki Tuomi wrote:
>> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
>>> On Monday 17 of October 2016, KT Walrus wrote:
> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz 
> wrote:
>
> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>> Is there a way to log SNI hostname used in TLS session? Info is there
>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>> ssl_io->host.
>>
>> Unfortunately I don't see it expanded to any variables (
>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>> feature request.
>>
>> The goal is to be able to see which hostname client used like:
>>
>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=,
>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>> SNI=pop3.somehost.org, session=
> Dear dovecot team, would it be possible to add such variable ^ ?
>
> That would be a neat feature because server operator would know what
> hostname client uses to connect to server (which is really useful in
> case of many hostnames pointing to single IP).
>>>> I’d love to be able to use this SNI domain name in the Dovecot IMAP
>>>> proxy for use in the SQL password_query. This would allow the proxy to
>>>> support multiple IMAP server domains each with their own set of users.
>>>> And, it would save me money by using only the IP of the proxy for all
>>>> the IMAP server domains instead of giving each domain a unique IP.
>>> It only needs to be carefully implemented on dovecot side as TLS SNI
>>> hostname is information passed directly by client.
>>>
>>> So some fqdn name validation would need to happen in case if client has
>>> malicious intents.
>>>
>>>> Kevin
>> Hi!
>>
>> I wonder if this would be of any help? It provides %{local_name}
>> passdb/userdb variable, you can use it for some logging too...
>>
>> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72
> Should it work for such usage, too?
>
> login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e 
> local_name=%{local_name} %c session=<%{session}>
>
> Because I'm not getting local_name logged at all (dovecot -a shows it's there).
>
>> Aki
> Thanks,

How did you try? With openssl you need to use openssl s_client -connect
... -servername something

Aki


Re: logging TLS SNI hostname

2016-10-20 Thread Arkadiusz Miśkiewicz
On Thursday 20 of October 2016, Aki Tuomi wrote:
> On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> > On Monday 17 of October 2016, KT Walrus wrote:
> >>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz 
> >>> wrote:
> >>> 
> >>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >>>> Is there a way to log SNI hostname used in TLS session? Info is there
> >>>> in SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
> >>>> ssl_io->host.
> >>>> 
> >>>> Unfortunately I don't see it expanded to any variables (
> >>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >>>> feature request.
> >>>> 
> >>>> The goal is to be able to see which hostname client used like:
> >>>> 
> >>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=,
> >>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >>>> SNI=pop3.somehost.org, session=
> >>> 
> >>> Dear dovecot team, would it be possible to add such variable ^ ?
> >>> 
> >>> That would be a neat feature because server operator would know what
> >>> hostname client uses to connect to server (which is really useful in
> >>> case of many hostnames pointing to single IP).
> >> 
> >> I’d love to be able to use this SNI domain name in the Dovecot IMAP
> >> proxy for use in the SQL password_query. This would allow the proxy to
> >> support multiple IMAP server domains each with their own set of users.
> >> And, it would save me money by using only the IP of the proxy for all
> >> the IMAP server domains instead of giving each domain a unique IP.
> > 
> > It only needs to be carefully implemented on dovecot side as TLS SNI
> > hostname is information passed directly by client.
> > 
> > So some fqdn name validation would need to happen in case if client has
> > malicious intents.
> > 
> >> Kevin
> 
> Hi!
> 
> I wonder if this would be of any help? It provides %{local_name}
> passdb/userdb variable, you can use it for some logging too...
> 
> https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Should it work for such usage, too?

login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e 
local_name=%{local_name} %c session=<%{session}>

Because I'm not getting local_name logged at all (dovecot -a shows it's there).

> Aki

Thanks,
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: logging TLS SNI hostname

2016-10-20 Thread Aki Tuomi


On 18.10.2016 14:16, Arkadiusz Miśkiewicz wrote:
> On Monday 17 of October 2016, KT Walrus wrote:
>>> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz  wrote:
>>>
>>> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>>>> Is there a way to log SNI hostname used in TLS session? Info is there in
>>>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>>>> ssl_io->host.
>>>>
>>>> Unfortunately I don't see it expanded to any variables (
>>>> http://wiki.dovecot.org/Variables ). Please consider this to be a
>>>> feature request.
>>>>
>>>> The goal is to be able to see which hostname client used like:
>>>>
>>>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=,
>>>> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
>>>> SNI=pop3.somehost.org, session=
>>> Dear dovecot team, would it be possible to add such variable ^ ?
>>>
>>> That would be a neat feature because server operator would know what
>>> hostname client uses to connect to server (which is really useful in
>>> case of many hostnames pointing to single IP).
>> I’d love to be able to use this SNI domain name in the Dovecot IMAP proxy
>> for use in the SQL password_query. This would allow the proxy to support
>> multiple IMAP server domains each with their own set of users. And, it
>> would save me money by using only the IP of the proxy for all the IMAP
>> server domains instead of giving each domain a unique IP.
> It only needs to be carefully implemented on dovecot side as TLS SNI hostname 
> is information passed directly by client.
>
> So some fqdn name validation would need to happen in case if client has 
> malicious intents.
>
>> Kevin
>
Hi!

I wonder if this would be of any help? It provides %{local_name}
passdb/userdb variable, you can use it for some logging too...

https://github.com/dovecot/core/commit/fe791e96fdf796f7d8997ee0515b163dc5eddd72

Aki


Re: logging TLS SNI hostname

2016-10-18 Thread Arkadiusz Miśkiewicz
On Monday 17 of October 2016, KT Walrus wrote:
> > On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz  wrote:
> > 
> > On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> >> Is there a way to log SNI hostname used in TLS session? Info is there in
> >> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
> >> ssl_io->host.
> >> 
> >> Unfortunately I don't see it expanded to any variables (
> >> http://wiki.dovecot.org/Variables ). Please consider this to be a
> >> feature request.
> >> 
> >> The goal is to be able to see which hostname client used like:
> >> 
> >> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=,
> >> method=PLAIN, rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS,
> >> SNI=pop3.somehost.org, session=
> > 
> > Dear dovecot team, would it be possible to add such variable ^ ?
> > 
> > That would be a neat feature because server operator would know what
> > hostname client uses to connect to server (which is really useful in
> > case of many hostnames pointing to single IP).
> 
> I’d love to be able to use this SNI domain name in the Dovecot IMAP proxy
> for use in the SQL password_query. This would allow the proxy to support
> multiple IMAP server domains each with their own set of users. And, it
> would save me money by using only the IP of the proxy for all the IMAP
> server domains instead of giving each domain a unique IP.

It only needs to be carefully implemented on dovecot side as TLS SNI hostname 
is information passed directly by client.

So some fqdn name validation would need to happen in case if client has 
malicious intents.

> Kevin


-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )


Re: logging TLS SNI hostname

2016-10-17 Thread KT Walrus

> On Oct 17, 2016, at 2:41 AM, Arkadiusz Miśkiewicz  wrote:
> 
> On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
>> Is there a way to log SNI hostname used in TLS session? Info is there in
>> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
>> ssl_io->host.
>> 
>> Unfortunately I don't see it expanded to any variables (
>> http://wiki.dovecot.org/Variables ). Please consider this to be a feature
>> request.
>> 
>> The goal is to be able to see which hostname client used like:
>> 
>> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=, method=PLAIN,
>> rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, SNI=pop3.somehost.org,
>> session=
> 
> Dear dovecot team, would it be possible to add such variable ^ ?
> 
> That would be a neat feature because server operator would know what hostname 
> client uses to connect to server (which is really useful in case of many 
> hostnames pointing to single IP).

I’d love to be able to use this SNI domain name in the Dovecot IMAP proxy for 
use in the SQL password_query. This would allow the proxy to support multiple 
IMAP server domains each with their own set of users. And, it would save me 
money by using only the IP of the proxy for all the IMAP server domains instead 
of giving each domain a unique IP. 

Kevin

Re: logging TLS SNI hostname

2016-10-17 Thread Arkadiusz Miśkiewicz
On Monday 30 of May 2016, Arkadiusz Miśkiewicz wrote:
> Is there a way to log SNI hostname used in TLS session? Info is there in
> SSL_CTX_set_tlsext_servername_callback, dovecot copies it to
> ssl_io->host.
> 
> Unfortunately I don't see it expanded to any variables (
> http://wiki.dovecot.org/Variables ). Please consider this to be a feature
> request.
> 
> The goal is to be able to see which hostname client used like:
> 
> May 30 08:21:19 xxx dovecot: pop3-login: Login: user=, method=PLAIN,
> rip=1.1.1.1, lip=2.2.2.2, mpid=17135, TLS, SNI=pop3.somehost.org,
> session=

Dear dovecot team, would it be possible to add such variable ^ ?

That would be a neat feature because server operator would know what hostname 
client uses to connect to server (which is really useful in case of many 
hostnames pointing to single IP).

Thanks,
-- 
Arkadiusz Miśkiewicz, arekm / ( maven.pl | pld-linux.org )