[exim-cvs] EXPERIMENTAL_CERTNAMES: Hostlist for cert name ch…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Exim Git Commits Mailing List
Date:  
À: exim-cvs
Sujet: [exim-cvs] EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
Gitweb: http://git.exim.org/exim.git/commitdiff/a320fabd09f43c02c869c90a5a5a70a49dd77f89
Commit:     a320fabd09f43c02c869c90a5a5a70a49dd77f89
Parent:     09c17790eec23907b93df1ec7cee746b28dfc836
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Nov 6 21:22:18 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Nov 6 21:22:18 2014 +0000


    EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host
    connected-to, not be list of acceptable names.  The name checked is the
    host name.
---
 doc/doc-txt/experimental-spec.txt        |    7 +++++--
 src/src/tls-gnu.c                        |   10 +++-------
 src/src/tls-openssl.c                    |   10 +++-------
 test/confs/5440                          |   17 ++++++++++-------
 test/confs/5450                          |   17 ++++++++++-------
 test/log/5440                            |    8 ++++----
 test/log/5450                            |   14 +++++++-------
 test/scripts/5440-certnames-GnuTLS/5440  |    4 +++-
 test/scripts/5450-certnames-OpenSSL/5450 |    5 ++++-
 9 files changed, 49 insertions(+), 43 deletions(-)


diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 266e198..f6529c6 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1154,14 +1154,17 @@ support to date has not made these checks.

If built with EXPERIMENTAL_CERTNAMES defined, code is
included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostnames" supported which takes a list of
-names for which the additional checks must be made.
+"tls_verify_cert_hostnames" supported which takes a hostlist
+which must match the target host for the additional checks must be made.
The option currently defaults to empty, but this may change in
the future. "*" is probably a suitable value.
Whether certificate verification is done at all, and the result of
it failing, is stll under the control of "tls_verify_hosts" nad
"tls_try_verify_hosts".

+The name being checked is that for the host, generally
+the result of an MX lookup.
+
 Both Subject and Subject-Alternate-Name certificate fields
 are supported, as are wildcard certificates (limited to
 a single wildcard being the initial component of a 3-or-more
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 04de02d..093b3a3 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1846,17 +1846,13 @@ if ((  state->exp_tls_verify_certificates
    )
   {
 #ifdef EXPERIMENTAL_CERTNAMES
-  if (ob->tls_verify_cert_hostnames)
+  if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
     {
     DEBUG(D_tls)
       debug_printf("TLS: server cert incl. hostname verification required.\n");
     state->verify_requirement = VERIFY_WITHHOST;
-    if (!expand_check(ob->tls_verify_cert_hostnames,
-              US"tls_verify_cert_hostnames",
-              &state->exp_tls_verify_cert_hostnames))
-      return FAIL;
-    if (state->exp_tls_verify_cert_hostnames)
-      DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+    state->exp_tls_verify_cert_hostnames = host->name;
+    DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
               state->exp_tls_verify_cert_hostnames);
     }
   else
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 63bf83b..6288600 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1692,14 +1692,10 @@ if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
   client_verify_optional = FALSE;


 #ifdef EXPERIMENTAL_CERTNAMES
-  if (ob->tls_verify_cert_hostnames)
+  if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
     {
-    if (!expand_check(ob->tls_verify_cert_hostnames,
-              US"tls_verify_cert_hostnames",
-              &cbinfo->verify_cert_hostnames))
-      return FAIL;
-    if (cbinfo->verify_cert_hostnames)
-      DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+    cbinfo->verify_cert_hostnames = host->name;
+    DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
               cbinfo->verify_cert_hostnames);
     }
 #endif
diff --git a/test/confs/5440 b/test/confs/5440
index 03d9916..01ba525 100644
--- a/test/confs/5440
+++ b/test/confs/5440
@@ -1,5 +1,5 @@
 # Exim test configuration 5440
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails


SERVER=

@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *

-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *

# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2

tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *

# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2

tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *

# End
diff --git a/test/confs/5450 b/test/confs/5450
index e737cf3..dd42a3f 100644
--- a/test/confs/5450
+++ b/test/confs/5450
@@ -1,5 +1,5 @@
# Exim test configuration 5450
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails

SERVER=

@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *

-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *

# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2

tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *

# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2

tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *

# End
diff --git a/test/log/5440 b/test/log/5440
index b90e6ed..f084e82 100644
--- a/test/log/5440
+++ b/test/log/5440
@@ -1,11 +1,11 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/5450 b/test/log/5450
index 2432153..d56307a 100644
--- a/test/log/5450
+++ b/test/log/5450
@@ -3,17 +3,17 @@
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@??? R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"

-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@??? R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@??? R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
index fea9551..2a61eb1 100644
--- a/test/scripts/5440-certnames-GnuTLS/5440
+++ b/test/scripts/5440-certnames-GnuTLS/5440
@@ -1,10 +1,12 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@???
Testing
****
+# this will pass the cert verify including name check
exim users@???
Testing
****
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
index c94d1a5..5359096 100644
--- a/test/scripts/5450-certnames-OpenSSL/5450
+++ b/test/scripts/5450-certnames-OpenSSL/5450
@@ -1,12 +1,15 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
exim userq@???
Testing
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@???
Testing
****
+# this will pass the cert verify including name check
exim users@???
Testing
****