Mailing List Archive

Re: DANE(TA) doesn't work with self signed certificate
Hello Klaus,

On 09/05/2018 01:00 PM, exim-users-request@exim.org wrote:
> After I enabled (temporarily) the random CA they use, I got a
> successful delivery with the log file saying that it was validated via
> DANE.

thank you very much for sharing your observation.

I suppose your Exim is also linked to GnuTLS?

++Michael

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: DANE(TA) doesn't work with self signed certificate
Hello Viktor,

On 09/05/2018 01:00 PM, exim-users-request@exim.org wrote:
> My advice to the user would be to use a version of Exim that
> is linked with OpenSSL and NOT GnuTLS. The Exim DANE support
> in combination with GnuTLS is not nearly as well tested or
> supported.

thank you very much for the clarification.

We are going to test our settings with Exim linked to OpenSSL. Our
findings will be presented to this list as soon as possible.

++Michael

--
Dr. Michael Westerburg ................. http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2004
86135 Augsburg .................................. Fax. (0821) 598-2028

Re: DANE(TA) doesn't work with self signed certificate

Hi Folks,

On Wed, 5 Sep 2018 at 14:41, Michael Westerburg via Exim-users wrote:
> On 09/05/2018 01:00 PM, exim-users-request@exim.org wrote:
> > After I enabled (temporarily) the random CA they use, I got a
> > successful delivery with the log file saying that it was validated via
> > DANE.
>
> thank you very much for sharing your observation.
>
> I suppose your Exim is also linked to GnuTLS?

Sure, it is the common debian version and Debian is always linking
against gnutls.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: DANE(TA) doesn't work with self signed certificate
On Wed, Sep 05, 2018 at 03:56:55PM +0100, Klaus Ethgen via Exim-users wrote:

> > I suppose your Exim is also linked to GnuTLS?
>
> Sure, it is the common debian version and Debian is always linking
> against gnutls.

You can rebuild the source deb against OpenSSL:

https://wiki.debian.org/PkgExim4UserFAQ#Building_against_OpenSSL

but some care is required to avoid having the resulting package
automatically replaced by a later Debian version linked against
GnuTLS. You can change the generation number, or rename the
package, specifying a conflict with the original package name.

Perhaps call it exim4-openssl. Ideally, someone should curate
detailed build instructions that take care of all the loose ends.
Perhaps that's already been done...

--
Viktor.

Re: DANE(TA) doesn't work with self signed certificate
On Wed, Sep 5, 2018 at 5:04 PM Klaus Ethgen via Exim-users <exim-users@exim.org> wrote:

> Sure, it is the common debian version and Debian is always linking
> against gnutls.
>

Please, if you have not already done so, file a bug report with Debian,
this is a pretty major bug.
--
Jan
Re: DANE(TA) doesn't work with self signed certificate
> On Sep 7, 2018, at 3:33 AM, Jan Ingvoldstad via Exim-users <exim-users@exim.org> wrote:
>
> Please, if you have not already done so, file a bug report with Debian,
> this is a pretty major bug.

Until there's either a fix in GnuTLS (Nikos Mavrogiannopoulos can get in touch
with me if there are questions), or a work-around in Exim that disables DANE
for domains with DANE-TA(2) records when linked with GnuTLS (supporting only
domains that use DANE-EE(3)), the only alternative is to disable DANE support in
Exim when linked with GnuTLS.

Though Debian may not be in a position to fix DANE-TA(2) support in Exim+GnuTLS,
they may of course be able to bring it to the attention of the appropriate
GnuTLS developers. This is ultimately a GnuTLS issue.

While GnuTLS are looking at this, they should also implement a DANE
verification option that allows hostname checks in the EE certificate
to be skipped when matching DANE-EE(3) TLSA records. This is safe
and needed for SMTP. It can run into a subtle issue with cross-origin
policy for web browsing in HTTPS, so the checks need to be on by default,
with the application able to selectively disable them when appropriate.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificate
On Fri, Sep 7, 2018 at 5:50 PM Viktor Dukhovni via Exim-users <exim-users@exim.org> wrote:

> Though Debian may not be in a position to fix DANE-TA(2) support in Exim+GnuTLS,
> they may of course be able to bring it to the attention of the appropriate
> GnuTLS developers. This is ultimately a GnuTLS issue.

Debian usually wants such bugs to go through Debian channels, so that they
can both register the issue and raise the issue with upstream (GnuTLS).

Additionally, Debian is, in the longer term, in a position to use a
different TLS library than GnuTLS.
--
Jan
Re: DANE(TA) doesn't work with self signed certificate
On 2018-09-07 Viktor Dukhovni via Exim-users <exim-users@exim.org> wrote:
[...]
> Until there's either a fix in GnuTLS (Nikos Mavrogiannopoulos can get in touch
> with me if there are questions), or a work-around in Exim that disables DANE
> for domains with DANE-TA(2) records when linked with GnuTLS (supporting only
> domains that use DANE-EE(3)), the only alternative is to disable DANE support in
> Exim when linked with GnuTLS.
[...]

Hello,

Are you positive that this is a problem in GnuTLS and not a problem
in exim's usage of gnutls-dane?

Asking, since
danetool --check=lists.gentoo.org --proto tcp --starttls-proto=smtp
succeeds. (I have verified that this succeeds without local truststore,
i.e. when "gnutls-cli --starttls-proto=smtp lists.gentoo.org" throws a
verification error.)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'

Re: DANE(TA) doesn't work with self signed certificate
> On Sep 7, 2018, at 1:19 PM, Jan Ingvoldstad via Exim-users <exim-users@exim.org> wrote:
>
> Additionally, Debian is, in the longer term, in a position to use a
> different TLS library than GnuTLS.

Debian has historically been ultra-conservative on the potential License
compatibility issues between GPL (Exim) and the OpenSSL license:

https://people.gnome.org/~markmc/openssl-and-the-gpl.html

IMHO, Debian's caution is excessive. They make OpenSSL available
with the OS, as a Debian package. OpenSSL is not bundled with Exim
(though Exim might on some systems just happen to be the first package
installed that has OpenSSL as a dependency), nor is the OpenSSL used
by Exim a dedicated build that accompanies Exim and not other Debian
programs that use OpenSSL.

My opinion is of course unlikely to sway Debian one way or the other, IANAL.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificate
> On Sep 7, 2018, at 1:32 PM, Andreas Metzler via Exim-users <exim-users@exim.org> wrote:
>
> Are you positive that this is a problem in GnuTLS and not a problem
> in exim's usage of gnutls-dane?
>
> Asking, since
> danetool --check=lists.gentoo.org --proto tcp --starttls-proto=smtp
> succeeds. (I have verified that this succeeds without local truststore,
> i.e. when "gnutls-cli --starttls-proto=smtp lists.gentoo.org" throws a
> verification error.)

Is your Exim linked with GnuTLS or OpenSSL? Perhaps the version of GnuTLS
matters. I can confirm that danetool for GnuTLS 3.5.19 verifies lists.gentoo.org
without accessing the local trust store. What version of GnuTLS is on the
systems having problems?

Exim has to work with lower-level APIs than used by danetool, in order to
skip namechecks for DANE-EE(3). I can't speak to the correctness of Exim's
use of the GnuTLS DANE API. I am not sufficiently familiar with either
the Exim code or GnuTLS.

--
Viktor.


Re: DANE(TA) doesn't work with self signed certificate

Hi,

for my installation I can assure that exim is linked to gnutls
(libgnutls-dane0 + libgnutls30, currently installed with version 3.5.8).

After installing gnutls-bin (and, for the undocumented dependency,
dns-root-data) and disabling the root certificate, DANE verifies
without problems with danetool:
Resolving 'lists.gentoo.org:smtp'...
Obtaining certificate from '208.92.234.80:25'...
Querying DNS for lists.gentoo.org (tcp:25)...

==== Entry 1 ====
_25._tcp.lists.gentoo.org. IN TLSA ( 02 01 01 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b )
Certificate usage: Local CA (02)
Certificate type: SubjectPublicKeyInfo (01)
Contents: SHA2-256 hash (01)
Data: 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

Verification: Certificate matches.

==== Entry 2 ====
_25._tcp.lists.gentoo.org. IN TLSA ( 02 01 01 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 )
Certificate usage: Local CA (02)
Certificate type: SubjectPublicKeyInfo (01)
Contents: SHA2-256 hash (01)
Data: 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
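The thread turns on what a DANE verifier is and is not allowed to do: for DANE-TA(2) the issuer matched by the TLSA record is the trust anchor and the local CA store must play no part (the observation above was that delivery only succeeded once the issuing CA was added locally, which DANE-TA(2) should never require), while for DANE-EE(3) the record pins the leaf and, as Viktor notes, the hostname check is skipped. The following Python is an added example written for this archive, not code from Exim, GnuTLS or danetool. It parses TLSA records in the presentation form danetool printed (the two real lists.gentoo.org records are reused as sample data) and applies the usage/selector/matching-type rules of RFC 6698/7671 to a constructed certificate chain. The `Cert` objects are opaque stand-ins rather than real DER, and chain signatures are assumed to have been checked by the TLS library; only the TLSA matching logic is modelled.

```python
"""DANE TLSA usage semantics (added example; not Exim, GnuTLS or danetool code).

Implements only record parsing and the usage/selector/matching-type rules of
RFC 6698/7671. Certificates are constructed stand-ins, and chain signatures
are assumed to be verified by the TLS library, which is not modelled here.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two TLSA records danetool printed for _25._tcp.lists.gentoo.org (from the thread).
TLSA_LISTS_GENTOO = [
    "02 01 01 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b",
    "02 01 01 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18",
]


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA2-256, 2 SHA2-512
    data: bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse the presentation form 'usage selector mtype hex' as printed by danetool/dig."""
    usage, selector, mtype, hexdata = rdata.split()
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: opaque bytes, not real DER."""
    der: bytes
    spki: bytes
    names: Tuple[str, ...]


def tlsa_matches(rec: Tlsa, cert: Cert) -> bool:
    """Does one TLSA record match one certificate under its selector and matching type?"""
    selected = cert.der if rec.selector == 0 else cert.spki
    if rec.mtype == 0:
        return selected == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: record is unusable


def dane_verify(records: List[Tlsa], chain: List[Cert], hostname: str) -> Tuple[bool, str]:
    """SMTP-style DANE check (RFC 7672). `chain` is leaf first, each following cert
    being the issuer of the one before it, exactly as the server presented them.
    The local CA store is deliberately never consulted for usage 2 or 3."""
    usable = [r for r in records
              if r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)]
    if not usable:
        return False, "no usable DANE-TA(2)/DANE-EE(3) records"
    leaf = chain[0]
    # DANE-EE(3): the record alone pins the leaf; no chain building, no name check.
    for rec in usable:
        if rec.usage == 3 and tlsa_matches(rec, leaf):
            return True, "DANE-EE(3) match on leaf, hostname check skipped"
    # DANE-TA(2): the matched issuer *is* the trust anchor, wherever it sits in the
    # presented chain; it need not be in any local trust store, but the leaf name
    # must still match the MX host.
    for rec in usable:
        if rec.usage != 2:
            continue
        for depth, issuer in enumerate(chain[1:], start=1):
            if tlsa_matches(rec, issuer):
                if hostname in leaf.names:
                    return True, f"DANE-TA(2) match at chain depth {depth}"
                return False, f"DANE-TA(2) match at depth {depth} but leaf name mismatch"
    return False, "no TLSA record matched the presented chain"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed chain: a private CA (in no trust store) issues the MX leaf."""
    ca = Cert(der=b"constructed-ca-der", spki=b"constructed-ca-spki", names=("Example CA",))
    mx = Cert(der=b"constructed-mx-der", spki=b"constructed-mx-spki", names=("mx.example.net",))
    chain = [mx, ca]
    ta_rec = parse_tlsa("02 01 01 " + hashlib.sha256(ca.spki).hexdigest())
    ee_rec = parse_tlsa("03 01 01 " + hashlib.sha256(mx.spki).hexdigest())
    pkix_rec = parse_tlsa("01 01 01 " + hashlib.sha256(mx.spki).hexdigest())
    gentoo = [parse_tlsa(r) for r in TLSA_LISTS_GENTOO]
    return {
        "ta_ok": dane_verify([ta_rec], chain, "mx.example.net"),
        "ta_name_mismatch": dane_verify([ta_rec], chain, "other.example.net"),
        "ee_name_ignored": dane_verify([ee_rec], chain, "other.example.net"),
        "pkix_unusable": dane_verify([pkix_rec], chain, "mx.example.net"),
        "gentoo_vs_constructed": dane_verify(gentoo, chain, "lists.gentoo.org"),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:24} {'PASS' if ok else 'FAIL'}  {why}")
```

The `pkix_unusable` case shows why Viktor's suggested work-around (serving only DANE-EE(3) domains when linked with GnuTLS) is a policy choice at the record-usage level: usages 0 and 1 are simply discarded for SMTP, and the two DANE usages differ only in whether the name check and the issuer walk apply. A real verifier must additionally confirm that the TLSA lookup itself was DNSSEC-validated before trusting any of these records.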