Re: Incoming certificate verification

2016-05-23 Thread Gilles Chehade
On Mon, May 23, 2016 at 10:19:42AM +0100, John Cox wrote:
> Hi
> 
> > [snip]
> >yes, the rationale is explained in the commit log:
> >
> > Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
> > 
> > Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
> > messages/bytes in the TLS handshake and increases our attack surface,
> > since we request and then process client certificates.
> 
> Well I guess I disagree with the "unnecessarily" there, but thanks for
> the info.  If I got together the effort to build a patch that gives an
> option to restore the old behaviour would:
> 
>  (a) there be any chance of the patch being accepted (i.e. is it
> against policy to allow this option to be enabled)
>  (b) you prefer it to be a global or per-connection option and what
> would you like the syntax to be?
> 
> (No guarantees that I will be able to find the time but given it is
> functionality that I want I guess I should try and put in the effort)
> 

well, one way the patch would be accepted is if it adds an optional
check feature so that:

  listen on [...] tls check
  listen on [...] tls-require check

this would be optional and require explicit setting, it's just not going
to be the default setup.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

-- 
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org



Re: Incoming certificate verification

2016-05-23 Thread John Cox
Hi

> [snip]
>yes, the rationale is explained in the commit log:
>
> Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
> 
> Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
> messages/bytes in the TLS handshake and increases our attack surface,
> since we request and then process client certificates.

Well I guess I disagree with the "unnecessarily" there, but thanks for
the info.  If I got together the effort to build a patch that gives an
option to restore the old behaviour would:

 (a) there be any chance of the patch being accepted (i.e. is it
against policy to allow this option to be enabled)
 (b) you prefer it to be a global or per-connection option and what
would you like the syntax to be?

(No guarantees that I will be able to find the time but given it is
functionality that I want I guess I should try and put in the effort)

Regards

JC




Re: Incoming certificate verification

2016-05-23 Thread Gilles Chehade
On Mon, May 23, 2016 at 09:03:47AM +0100, John Cox wrote:
> Hi
> 
> >Hi,
> >
> >I had misunderstood your mail and the issue when I first read this
> >so here's a new answer ;-)
> >
> >
> >On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
> >> Hi
> >> 
> >> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
> >> validation errors in the headers:
> >> 
> >>TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> >> bits=256 verify=NO
> >> 
> >> Prior to the upgrade I would get verify=YES. (I think it was the
> >> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
> >> did it - it was certainly about that time)
> >> 
> >> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
> >> makes no difference.
> >> 
> >
> >Following suggestions from one of our libressl hackers we now only request
> >client certificate when 'tls-require verify' is specified.
> >
> >You can see the commit and rationale here:
> >
> >   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup
> >
> >
> >verify=NO is the default, the only cases where you'll get another value
> >is if you requested verify and it succeeded.
> 
> OK - Well at least it is working as intended.
> 
> Can you (or they) explain the rationale behind this decision?  I liked
> the old behaviour.  Could I have an option to turn it on again (global
> or otherwise) please?  I find more info is always useful when trying
> to work out what is going on.
> 

yes, the rationale is explained in the commit log:

 Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
 
 Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
 messages/bytes in the TLS handshake and increases our attack surface,
 since we request and then process client certificates.



-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg

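As an added example (not OpenSMTPD code, and not something either participant posted), here is a small POSIX shell script covering the two things discussed above: reading the verify= result that OpenSMTPD writes into its Received: headers, and checking whether a listener even sends a TLS CertificateRequest, which is what the SSL_VERIFY_PEER change controls. It assumes that openssl s_client's -state trace reports a received CertificateRequest with a line containing "read server certificate request" (true for OpenSSL 1.0/1.1 and for LibreSSL's s_client, whose trace strings come from OpenSSL); the hostnames, addresses, header text and handshake traces below are constructed sample data.

```shell
#!/bin/sh
# Added example, not OpenSMTPD code. Two checks for the behaviour discussed in
# the thread: (1) report the verify= result OpenSMTPD stamped into each
# Received: header, (2) tell from an openssl s_client handshake trace whether
# the listener asked for a client certificate at all (SSL_VERIFY_PEER).

# (1) Read message headers on stdin and print "<receiving host> verify=<X>"
# for every Received: header that carries OpenSMTPD's TLS line. Continuation
# lines of a folded header start with whitespace; a non-indented line that is
# not itself a Received: header ends the current one.
received_verify_status() {
    awk '
        /^Received:/                 { inrecv = 1; host = "?" }
        /^[^ \t]/ && !/^Received:/   { inrecv = 0 }
        inrecv { for (i = 1; i < NF; i++) if ($i == "by") host = $(i + 1) }
        inrecv && /verify=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^verify=/) print host, $i
        }
    '
}

# (2) Parse the output of `openssl s_client -state`. OpenSSL and LibreSSL log a
# state transition containing "read server certificate request" only when the
# server sent a TLS CertificateRequest (assumption: this wording is stable
# across the versions you run). Prints "requested" or "not-requested".
client_cert_requested() {
    if printf '%s\n' "$1" | grep -qi 'read server certificate request'; then
        echo requested
    else
        echo not-requested
    fi
}

# Live probe of a real listener (needs network; not run by the offline demo):
#   probe_smtp_listener mail.example.net 25
probe_smtp_listener() {
    trace=$(openssl s_client -starttls smtp -state -connect "$1:${2:-25}" </dev/null 2>&1)
    client_cert_requested "$trace"
}

# Constructed sample data, modelled on the thread's headers and on an OpenSSL
# 1.1 -state trace; hostnames and addresses are placeholders.
SAMPLE_HEADERS='Received: from azathoth.example.net (azathoth.example.net [192.0.2.10])
  by yidhra.example.net (OpenSMTPD) with ESMTPS id f8f2d286
  TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256 verify=NO
  for <jc@example.net>;
  Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: from smtp1.example.org (smtp31.example.org [198.51.100.5])
  by azathoth.example.net (OpenSMTPD) with ESMTPS id daa12d76
  TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=YES
  for <jc@example.net>;
  Tue, 17 May 2016 08:27:48 +0100 (BST)
From: jc@example.org'

# Trace from a listener that requests a client certificate (SSL_VERIFY_PEER).
SAMPLE_STATE_REQ='SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server certificate request
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client certificate'

# Trace from a listener that does not (no CertificateRequest message).
SAMPLE_STATE_NOREQ='SSL_connect:SSLv3/TLS read server hello
SSL_connect:SSLv3/TLS read server certificate
SSL_connect:SSLv3/TLS read server key exchange
SSL_connect:SSLv3/TLS read server done
SSL_connect:SSLv3/TLS write client key exchange'

# Offline demo on the constructed data.
printf '%s\n' "$SAMPLE_HEADERS" | received_verify_status
client_cert_requested "$SAMPLE_STATE_REQ"
client_cert_requested "$SAMPLE_STATE_NOREQ"
```

Run probe_smtp_listener against a listener configured with plain tls and against one with tls-require verify: only the latter should print requested. The header check then shows the consequence on the receiving side, verify=NO for every hop whose listener never asked for the certificate, which is the behaviour the thread is about.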



Re: Incoming certificate verification

2016-05-23 Thread John Cox
Hi

>Hi,
>
>I had misunderstood your mail and the issue when I first read this
>so here's a new answer ;-)
>
>
>On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
>> Hi
>> 
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>> 
>>  TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>> 
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>> 
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>> 
>
>Following suggestions from one of our libressl hackers we now only request
>client certificate when 'tls-require verify' is specified.
>
>You can see the commit and rationale here:
>
>   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup
>
>
>verify=NO is the default, the only cases where you'll get another value
>is if you requested verify and it succeeded.

OK - Well at least it is working as intended.

Can you (or they) explain the rationale behind this decision?  I liked
the old behaviour.  Could I have an option to turn it on again (global
or otherwise) please?  I find more info is always useful when trying
to work out what is going on.

Thanks

JC




Re: Incoming certificate verification

2016-05-22 Thread Gilles Chehade
Hi,

I had misunderstood your mail and the issue when I first read this
so here's a new answer ;-)


On Tue, May 17, 2016 at 08:47:09AM +0100, John Cox wrote:
> Hi
> 
> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
> validation errors in the headers:
> 
>   TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NO
> 
> Prior to the upgrade I would get verify=YES. (I think it was the
> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
> did it - it was certainly about that time)
> 
> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
> makes no difference.
> 

Following suggestions from one of our libressl hackers we now only request
client certificate when 'tls-require verify' is specified.

You can see the commit and rationale here:

   http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/smtpd/ssl_smtpd.c?rev=1.10&content-type=text/x-cvsweb-markup


verify=NO is the default, the only cases where you'll get another value
is if you requested verify and it succeeded.


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: Incoming certificate verification

2016-05-17 Thread Gilles Chehade
On Tue, May 17, 2016 at 06:28:59PM +0100, John Cox wrote:
> >There is a CA Option in smtpd.conf, for example (CA-ubuntu path)
> >
> >ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"
> 
> Yes - but what I want is the verification of "random" senders (I don't
> want to reject them - I just want the trace in the headers like I used
> to get previously)
> 
> ca doesn't obviously do that - quoting the man page:
> 
> ca hostname certificate cafile
> Associate a custom CA certificate located in cafile with hostname.
> 
> If we were using that syntax then what I want would be hostname = *
> (and I do use the ca keyword for my custom routes)
> 
> CApath / CAfile (and CRLfile) would normally be where to look up
> everything non-custom as used in sendmail & openssl.
> 
> Either way - this used to work and it doesn't now.  I'm perfectly
> happy to believe that I need a config file change to get it work again
> but what is wanted isn't obvious to me.
> 
> Regards
> 

i'll investigate this :/


-- 
Gilles Chehade

https://www.poolp.org  @poolpOrg




Re: Incoming certificate verification

2016-05-17 Thread John Cox
>There is a CA Option in smtpd.conf, for example (CA-ubuntu path)
>
>ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"

Yes - but what I want is the verification of "random" senders (I don't
want to reject them - I just want the trace in the headers like I used
to get previously)

ca doesn't obviously do that - quoting the man page:

ca hostname certificate cafile
Associate a custom CA certificate located in cafile with hostname.

If we were using that syntax then what I want would be hostname = *
(and I do use the ca keyword for my custom routes)

CApath / CAfile (and CRLfile) would normally be where to look up
everything non-custom as used in sendmail & openssl.

Either way - this used to work and it doesn't now.  I'm perfectly
happy to believe that I need a config file change to get it work again
but what is wanted isn't obvious to me.

Regards

JC


>
>Regards,
>
>Marcel
>
>
>Am 17.05.2016 um 09:47 schrieb John Cox:
>> Hi
>>
>> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
>> validation errors in the headers:
>>
>>  TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
>> bits=256 verify=NO
>>
>> Prior to the upgrade I would get verify=YES. (I think it was the
>> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
>> did it - it was certainly about that time)
>>
>> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
>> makes no difference.
>>
>> All logging suggests that cert validation is OK (though I note that I
>> only ever get that message on outgoing lines, and never on incoming)
>>
>> What does OpenSMTPD use as its default cert store - as far as I can
>> tell the .conf lacks CAfile or CApath options?
>>
>> Testing with openssl s_client suggests that my certs are generally in
>> order
>>
>> Any clues?
>>
>> Many thanks
>>
>> John Cox
>>
>>
>> Log file:
>>
>>
>> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
>> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
>> 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
>> 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
>> daa12d76 on session 31086515f45c2260: from=,
>> to=, size=793, ndest=1, proto=ESMTP
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
>> tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
>> 3108651f4a1f0980...
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
>> 31086515f45c2260
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
>> 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
>> session 3108651f4a1f0980: version=TLSv1.2,
>> cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
>> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
>> verification succeeded on session 3108651f4a1f0980
>> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
>> session=3108651f4a1f0980, from=, to=,
>> rcpt=<->, source=46.235.226.138, relay=10.44.0.3
>> (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
>> accepted for delivery
>> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
>> 3108651f4a1f0980: 1 message sent.
>> #
>>
>>
>> Headers:
>>
>> Return-Path: j...@cix.co.uk
>> Delivered-To: j...@uphall.net
>> Received: from azathoth.uphall.net (azathoth.uphall.net
>> [46.235.226.138])
>>  by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>>  TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
>> bits=256 verify=NO
>>  for ;
>>  Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>>  by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>>  TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>>  for ;
>>  Tue, 17 May 2016 08:27:48 +0100 (BST)
>> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
>> -
>> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>>   by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
>> 07:27:47 -
>> From: John Cox 
>> To: John home Cox 
>> Subject: Incoming 2
>> Date: Tue, 17 May 2016 08:27:47 +0100
>> Message-ID: 
>> User-Agent: ForteAgent/7.10.32.1212
>> MIME-Version: 1.0
>> Content-Type: text/plain; charset=us-ascii
>> Content-Transfer-Encoding: 7bit
>>
>>
>>




Re: Incoming certificate verification

2016-05-17 Thread ultr4l33t
There is a CA Option in smtpd.conf, for example (CA-ubuntu path)

ca NAME certificate "/etc/ssl/certs/ca-certificates.crt"


Regards,

Marcel


Am 17.05.2016 um 09:47 schrieb John Cox:
> Hi
>
> Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
> validation errors in the headers:
>
>   TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
> bits=256 verify=NO
>
> Prior to the upgrade I would get verify=YES. (I think it was the
> upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
> did it - it was certainly about that time)
>
> I have now upgraded OpenSMTPD to the current 5.9.2 release and that
> makes no difference.
>
> All logging suggests that cert validation is OK (though I note that I
> only ever get that message on outgoing lines, and never on incoming)
>
> What does OpenSMTPD use as its default cert store - as far as I can
> tell the .conf lacks CAfile or CApath options?
>
> Testing with openssl s_client suggests that my certs are generally in
> order
>
> Any clues?
>
> Many thanks
>
> John Cox
>
>
> Log file:
>
>
> May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
> May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
> 31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
> 31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
> daa12d76 on session 31086515f45c2260: from=,
> to=, size=793, ndest=1, proto=ESMTP
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
> tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
> 3108651f4a1f0980...
> May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
> 31086515f45c2260
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
> 3108651f4a1f0980
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
> session 3108651f4a1f0980: version=TLSv1.2,
> cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
> May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
> verification succeeded on session 3108651f4a1f0980
> May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
> session=3108651f4a1f0980, from=, to=,
> rcpt=<->, source=46.235.226.138, relay=10.44.0.3
> (yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
> accepted for delivery
> May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
> 3108651f4a1f0980: 1 message sent.
> #
>
>
> Headers:
>
> Return-Path: j...@cix.co.uk
> Delivered-To: j...@uphall.net
> Received: from azathoth.uphall.net (azathoth.uphall.net
> [46.235.226.138])
>   by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
>   TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
> bits=256 verify=NO
>   for ;
>   Tue, 17 May 2016 08:27:48 +0100 (BST)
> Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
>   by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
>   TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
>   for ;
>   Tue, 17 May 2016 08:27:48 +0100 (BST)
> Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
> -
> Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
>   by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
> 07:27:47 -
> From: John Cox 
> To: John home Cox 
> Subject: Incoming 2
> Date: Tue, 17 May 2016 08:27:47 +0100
> Message-ID: 
> User-Agent: ForteAgent/7.10.32.1212
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
>
>





Incoming certificate verification

2016-05-17 Thread John Cox
Hi

Since I upgraded to OpenBSD 5.9 (I think) I've been getting TLS
validation errors in the headers:

TLS version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
bits=256 verify=NO

Prior to the upgrade I would get verify=YES. (I think it was the
upgrade to OpenBSD 5.9 and whichever OpenSMTPD that comes with it that
did it - it was certainly about that time)

I have now upgraded OpenSMTPD to the current 5.9.2 release and that
makes no difference.

All logging suggests that cert validation is OK (though I note that I
only ever get that message on outgoing lines, and never on incoming)

What does OpenSMTPD use as its default cert store - as far as I can
tell the .conf lacks CAfile or CApath options?

Testing with openssl s_client suggests that my certs are generally in
order

Any clues?

Many thanks

John Cox


Log file:


May 17 08:26:58 azathoth smtpd[18872]: info: OpenSMTPD 5.9.2 starting
May 17 08:27:47 azathoth smtpd[10532]: smtp-in: New session
31086515f45c2260 from host smtp31.cix.co.uk [77.92.64.18]
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Started TLS on session
31086515f45c2260: version=TLSv1, cipher=DHE-RSA-AES256-SHA, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Accepted message
daa12d76 on session 31086515f45c2260: from=,
to=, size=793, ndest=1, proto=ESMTP
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connecting to
tls://10.44.0.3:25 (yidhra.outer.uphall.net) on session
3108651f4a1f0980...
May 17 08:27:48 azathoth smtpd[10532]: smtp-in: Closing session
31086515f45c2260
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Connected on session
3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Started TLS on
session 3108651f4a1f0980: version=TLSv1.2,
cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
May 17 08:27:48 azathoth smtpd[10532]: smtp-out: Server certificate
verification succeeded on session 3108651f4a1f0980
May 17 08:27:48 azathoth smtpd[10532]: relay: Ok for daa12d76fa78afb9:
session=3108651f4a1f0980, from=, to=,
rcpt=<->, source=46.235.226.138, relay=10.44.0.3
(yidhra.outer.uphall.net), delay=0s, stat=250 2.0.0: f8f2d286 Message
accepted for delivery
May 17 08:27:58 azathoth smtpd[10532]: smtp-out: Closing session
3108651f4a1f0980: 1 message sent.
#


Headers:

Return-Path: j...@cix.co.uk
Delivered-To: j...@uphall.net
Received: from azathoth.uphall.net (azathoth.uphall.net
[46.235.226.138])
by yidhra.outer.uphall.net (OpenSMTPD) with ESMTPS id f8f2d286
TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
bits=256 verify=NO
for ;
Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: from smtp1.cix.co.uk (smtp31.cix.co.uk [77.92.64.18])
by azathoth.uphall.net (OpenSMTPD) with ESMTPS id daa12d76
TLS version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO
for ;
Tue, 17 May 2016 08:27:48 +0100 (BST)
Received: (qmail 22491 invoked from network); 17 May 2016 07:27:47
-
Received: from unknown (HELO Ithaqua.outer.uphall.net) (86.21.189.18)
  by smtp1.cix.co.uk with ESMTPS (AES256-SHA encrypted); 17 May 2016
07:27:47 -
From: John Cox 
To: John home Cox 
Subject: Incoming 2
Date: Tue, 17 May 2016 08:27:47 +0100
Message-ID: 
User-Agent: ForteAgent/7.10.32.1212
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


