Re: TLS: Certificate signature failure -- what is the reason?
Viktor Dukhovni wrote the following on 23.10.2013 16:23: If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key fingerprints, or upgrade to 2.9.6 or later. That wasn't the problem, the documentation is quite clear in this regard. I mistakenly used the public key instructions for a pre-2.9 version of postfix. Support for public key fingerprints was added in Postfix 2.9, ... This is stated at the beginning of the section dealing with fingerprints. Further down, where the actual openssl commands are noted, there is no such note. I'm not saying there should be one there, but had there been one, I probably wouldn't have picked the wrong set of commands. [...] certificate fingerprint [...] and public-key fingerprints being [...] mutually exclusive. They are not mutually exclusive. Ah, OK, thanks for the clarification. Regards, Tobias
Re: TLS: Certificate signature failure -- what is the reason?
On Thu, Oct 24, 2013 at 07:59:46AM +0200, Tobias Reckhard wrote: Support for public key fingerprints was added in Postfix 2.9, ... This is stated at the beginning of the section dealing with fingerprints. Further down, where the actual openssl commands are noted, there is no such note. I'm not saying there should be one there, but had there been one, I probably wouldn't have picked the wrong set of commands. I'll keep that in mind for the next documentation review. You can submit documentation patches (as I was recently reminded, after passing the final documents through an HTML validator). [...] certificate fingerprint [...] and public-key fingerprints being [...] mutually exclusive. They are not mutually exclusive. Ah, OK, thanks for the clarification. That is a match=... attribute in a tls policy table fingerprint entry will match either the peer public key or the peer certificate. Assuming that 2nd-preimage attacks on your digest function are computationally infeasible (still true IIRC even for md5), there is no risk of confusion. An attacker should not be able to independently construct a certificate with the same digest as a given public key or a public key with the same digest as a given certificate. All known collision attacks against md5 are I believe extension attacks where two messages are built with a common prefix. -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote: with instructions on how to extract public key digests from X.509 certs also at: http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest Those instructions had me confused a bit, I think I now see why. I'd used the concatenation of openssl x509 ... | openssl rsa ... | openssl dgst ... to compute the fingerprint at first, which resulted in a mismatch when connecting to the server in question. If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key fingerprints, or upgrade to 2.9.6 or later. Support for public key fingerprints was added in Postfix 2.9, but was using the wrong public key digest function until 2.9.6. Since then I've noticed that the documentation does state that the computation of the fingerprint changed with Postfix 2.9, I'd missed that bit previously. I probably had read the sentence about certificate fingerprint verification being available since Postfix 2.5, and public-key fingerprints being supported since Postfix 2.9, but obviously I hadn't taken them to be mutually exclusive. They are not mutually exclusive. With 2.9.6 you can use either correctly computed certificate fingerprints or correctly computed public key fingerprints. With anything earlier you get only correctly computed certificate fingerprints, and with 2.9.0--2.9.5 broken support for public key fingerprints. BTW, are there any plans for the Postfix TLS code to support CRL and/or OCSP checks? Not at this time. -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
Viktor Dukhovni wrote the following on 21.10.2013 17:30: This organization uses SHA256 signatures for their certificates, even though these are not widely supported. Ah, OK, thanks for the explanation. The most recent patch levels of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for SSL/TLS. postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've suggested upgrading to that, since it should be rather painless. Persuading the decision makers to upgrade the OS will be somewhat more difficult. You need to upgrade to one of these, may as well be 2.10.2, but one of the others will suffice, see http://www.postfix.org/download.html Thanks for the suggestion. We prefer to stick with packaged and supported software where possible, though, as is probably the case in many corporate settings. Not my decision to make. But I do very much appreciate your suggestions, don't get me wrong. :) Cheers, Tobias
Re: TLS: Certificate signature failure -- what is the reason?
Viktor Dukhovni wrote the following on 21.10.2013 17:21: On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote: Looks as if they use a private root CA. Probably the easiest fix is to use fingerprint verification. See: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps No, that would be a trust error not a signature error. I've already got one fingerprint and one verify policy in place on the system in question, and I hadn't run across this error in my trial and error effort involved in getting those working. Yes, they do use a private root CA, but the MX hosts present the connecting client with the entire certificate chain, so that is not the problem. Maybe fingerprinting would work, though. I'll give it a shot on a test system. Thanks for the suggestion. Cheers, Tobias
Re: TLS: Certificate signature failure -- what is the reason?
On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote: Maybe fingerprinting would work, though. I'll give it a shot on a test system. Thanks for the suggestion. Fingerprinting the leaf certificate will work until the next time they deploy a new leaf certificate without notifying you in advance. This is because fingerprint security does not rely on a valid chain of signatures from a trusted root, but does depend on matching the exact certificate or public key. -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
On Tue, Oct 22, 2013 at 11:01:22AM +0200, Tobias Reckhard wrote: The most recent patch levels of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for SSL/TLS. postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've suggested upgrading to that, since it should be rather painless. Persuading the decision makers to upgrade the OS will be somewhat more difficult. It needs to be a sufficiently high patch level (at this time the latest for the four supported official releases): * = 2.7.15, or * = 2.8.16, or * = 2.9.8, or * = 2.10.2, or * = 2.11-20130616 I don't know what is actually in Ubuntu's 2.8.5, they may keep the .deb package name fixed, while applying patches from later Postfix releases. Ideally postconf mail_version will not lie. -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
Viktor Dukhovni: On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote: Maybe fingerprinting would work, though. I'll give it a shot on a test system. Thanks for the suggestion. Fingerprinting the leaf certificate will work until the next time they deploy a new leaf certificate without notifying you in advance. This is because fingerprint security does not rely on a valid chain of signatures from a trusted root, but does depend on matching the exact certificate or public key. Presumably, this would not be a problem with public-key fingerprints until they change the key itself. Wietse
Re: TLS: Certificate signature failure -- what is the reason?
On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote: Fingerprinting the leaf certificate will work until the next time they deploy a new leaf certificate without notifying you in advance. This is because fingerprint security does not rely on a valid chain of signatures from a trusted root, but does depend on matching the exact certificate or public key. Presumably, this would not be a problem with public-key fingerprints until they change the key itself. Yes, as documented: http://www.postfix.org/TLS_README.html#client_tls_fprint with instructions on how to extract public key digests from X.509 certs also at: http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
On 10/21/2013 7:55 AM, Tobias Reckhard wrote: Hello In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS to a couple of domains, I'm running into the following oddity when sending e-mail to the UniCredit servers: Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure This appears to be an OpenSSL error, at least I can find a similar error message on https://www.openssl.org/docs/apps/verify.html. However, I do not know what the actual problem is. The certificates presented by the MX hosts of unicreditgroup.eu (that answer) are somewhat problematic in that they are all completely identical and feature a CN of mucimgcc.internal.unicreditgroup.eu and no SubjectAltNames, which does not resemble the MX records. However, I'm not sure if that is the cause of the verification failure. If I store mx10's certificate to a file and the intermediary as well as the root CA certificate to /etc/postfix/cacerts (and create the necessary symlinks there with c_rehash), I can successfully use openssl verify -CApath /etc/postfix/cacerts mx10.unicredit.eu.cert.pem to verify it (result: mx10.unicredit.eu.cert.pem: OK) Can anyone offer any insights on this topic? I'm a bit puzzled. Regards, Tobias Looks as if they use a private root CA. Probably the easiest fix is to use fingerprint verification. See: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps -- Noel Jones
Re: TLS: Certificate signature failure -- what is the reason?
On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote: Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure This organization uses SHA256 signatures for their certificates, even though these are not widely supported. The most recent patch levels of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for SSL/TLS. You need to upgrade to one of these, may as well be 2.10.2, but one of the others will suffice, see http://www.postfix.org/download.html $ posttls-finger -t30 -T 180 -cC -Lsummary [62.122.80.93]:25 | openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -text Certificate: Data: Version: 3 (0x2) Serial Number: 2b:b0:95:be:00:00:00:03:59:e0 Signature Algorithm: sha256WithRSAEncryption Issuer: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal Validity Not Before: Aug 5 14:42:54 2013 GMT Not After : Aug 5 14:42:54 2015 GMT Subject: C=IT, ST=Italy, L=n.a., O=UniCredit Business Integrated Solutions S.C.p.A., OU=US91922, CN=mucimgcc.internal.unicreditgroup.eu/emailAddress=edgesec.u...@unicredit.eu [...] -BEGIN CERTIFICATE- MIIGyjCCBbKgAwIBAgIKK7CVvgNZ4DANBgkqhkiG9w0BAQsFADBzMRIwEAYK CZImiZPyLGQBGRYCRVUxHjAcBgoJkiaJk/IsZAEZFg5VTklDUkVESVRHUk9VUDEU MBIGCgmSJomT8ixkARkWBHJvb3QxJzAlBgNVBAMTHlVuaUNyZWRpdCBTdWJvcmRp bmF0ZSBJbnRlcm5hbDAeFw0xMzA4MDUxNDQyNTRaFw0xNTA4MDUxNDQyNTRaMIHR MQswCQYDVQQGEwJJVDEOMAwGA1UECBMFSXRhbHkxDTALBgNVBAcTBG4uYS4xOTA3 BgNVBAoTMFVuaUNyZWRpdCBCdXNpbmVzcyBJbnRlZ3JhdGVkIFNvbHV0aW9ucyBT LkMucC5BLjEQMA4GA1UECxMHVVM5MTkyMjEsMCoGA1UEAxMjbXVjaW1nY2MuaW50 ZXJuYWwudW5pY3JlZGl0Z3JvdXAuZXUxKDAmBgkqhkiG9w0BCQEWGWVkZ2VzZWMu dWJpc0B1bmljcmVkaXQuZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDBZwU+EoauB9eLXCl/f7fBt9g9T7XdfA1EksavXEmZ5BiJ+VK+mcL9+DsMLuZQ aZjUASoVQzDpjWBUq9/ha+YGzhIEsjGZ773q3Mg8A61IkNidXzDC1vS4YvyEGF+f ZCH7bZyTFaqGf+PTHv+O1jmPwphwOMc5JdBg3Ua2tYRDN9e1cGcYHPrlGLwZV46f huJ3ZwzhkA1tUJQOaf3xSotDkNc7k0yWJVwtl7Jx/cqtrRcG+a42JFxyfOEJiERW eqDgbHGzWljUlQu1Bk4au0qR5u1tknvkzifFDTpUAYMjB3T9mkL8xCtjjkFzy6Vm RbVjqz2I3gTH5vwA7HLtPhrVAgMBAAGjggL/MIIC+zAdBgNVHQ4EFgQUGqOYmnyp HIMUth1Y61c/Oh6Fd3AwHwYDVR0jBBgwFoAUpmMomLWl6ZWmfZDUIMi5ujlJoZsw ggEcBgNVHR8EggETMIIBDzCCAQugggEHoIIBA4aB2mxkYXA6Ly8vQ049VW5pQ3Jl ZGl0JTIwU3Vib3JkaW5hdGUlMjBJbnRlcm5hbCxDTj1VU1BLSVBXMDAxLENOPUNE UCxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25m aWd1cmF0aW9uLERDPXJvb3QsREM9VU5JQ1JFRElUR1JPVVAsREM9RVU/Y2VydGlm aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1 dGlvblBvaW50hiRodHRwOi8vY2EudW5pY3JlZGl0LmV1L0lOVC9pbnRjYS5jcmww ggEWBggrBgEFBQcBAQSCAQgwggEEMIHPBggrBgEFBQcwAoaBwmxkYXA6Ly8vQ049 VW5pQ3JlZGl0JTIwU3Vib3JkaW5hdGUlMjBJbnRlcm5hbCxDTj1BSUEsQ049UHVi bGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv bixEQz1yb290LERDPVVOSUNSRURJVEdST1VQLERDPUVVP2NBQ2VydGlmaWNhdGU/ YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MDAGCCsGAQUF BzAChiRodHRwOi8vY2EudW5pY3JlZGl0LmV1L0lOVC9pbnRjYS5jcnQwDgYDVR0P AQH/BAQDAgWgMD0GCSsGAQQBgjcVBwQwMC4GJisGAQQBgjcVCMO2J4Gj+HWG+Z8g he2jNYaR6GmBKobx7y+FkeVgAgFkAgEKMBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsG CSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcNAQELBQADggEBACzY yZMq+UwAp+jTwLxUEwKl+QjUO9PDkZSj+GByLtw+6wplX/6CCCPTApKXgBzlz59J C+xJ9/YBQkzaKoyliZMG9DDLnjRztan/kfPTdLVlg0JfB6AOctpDt/whepxABIBi rYt94M6lGIeJ6Xb/0mmTwOclYid8aSb7NffmOy3nmrUFLKOkkjgx+8V8w4G8RbM/ 5ueIJbv3cwobuVgdRWYgkifXPTMK1nPU7dia9/TTL2wiIu2iPjkg9NeMF08vXE1V EMjV49T0ocjacRMJnC7kBtqwwNgXlL1sDktk+MUaC/QKXbmQJmoadwdUZApcEhTR 5OA3+kzG7dFfJoSYkwI= -END CERTIFICATE- Certificate: Data: Version: 3 (0x2) Serial Number: 61:7a:be:af:00:00:00:00:00:03 Signature Algorithm: sha256WithRSAEncryption Issuer: C=IT, O=UniCredit S.p.A., CN=UniCredit Root Validity Not Before: May 20 09:47:25 2011 GMT Not After : May 20 09:57:25 2021 GMT Subject: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal [...] -BEGIN CERTIFICATE- MIIGLDCCBRSgAwIBAgIKYXq+rwAAAzANBgkqhkiG9w0BAQsFADBBMQswCQYD VQQGEwJJVDEZMBcGA1UEChMQVW5pQ3JlZGl0IFMucC5BLjEXMBUGA1UEAxMOVW5p Q3JlZGl0IFJvb3QwHhcNMTEwNTIwMDk0NzI1WhcNMjEwNTIwMDk1NzI1WjBzMRIw EAYKCZImiZPyLGQBGRYCRVUxHjAcBgoJkiaJk/IsZAEZFg5VTklDUkVESVRHUk9V UDEUMBIGCgmSJomT8ixkARkWBHJvb3QxJzAlBgNVBAMTHlVuaUNyZWRpdCBTdWJv cmRpbmF0ZSBJbnRlcm5hbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AOhI2tUNvsJ7Go2HG2Vqrws36lz6yLVOnKkcRhalc+wuiAbJGG1JV98yMP+0I6xQ
Re: TLS: Certificate signature failure -- what is the reason?
On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote: Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure Looks as if they use a private root CA. Probably the easiest fix is to use fingerprint verification. See: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps No, that would be a trust error not a signature error. -- Viktor.
Re: TLS: Certificate signature failure -- what is the reason?
On Mon, Oct 21, 2013 at 03:30:46PM +, Viktor Dukhovni wrote: On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote: Oct 21 08:43:58 hostname postfix/smtp[5991]: CA certificate verification failed for mx10.unicredit.eu[62.122.80.93]:25: num=7:certificate signature failure This organization uses SHA256 signatures for their certificates, even though these are not widely supported. The most recent patch levels of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned for SSL/TLS. You need to upgrade to one of these, may as well be 2.10.2, but one of the others will suffice, see http://www.postfix.org/download.html Note, SHA256 is also enabled automatically if your OpenSSL is 1.0.0 or later. By now, you should aim to no longer use OpenSSL 0.9.8 when TLS security is required. Consider upgrading your systems to an O/S release where OpenSSL 1.0.0 or later is the default version of OpenSSL. Then you can use older versions of Postfix, but of course you'll probably end up with a more current version at the same time. OpenSSL 1.0.0 was released on 29-Mar-2010 ( https://www.openssl.org/news/ ). -- Viktor.