Re: [exim] DANE(TA) doesn't work with self signed certificat…

Top Page
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: Viktor Dukhovni via Exim-users
CC: Jeremy Harris
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates
Hi Viktor,

Looking at this reported issue, trying to set up a testcase in the Exim
testsuite for it...

I've gotten as far as a failure in the OpenSSL-linked version. It dies
apparently disliking a selfsigned cert, specifically:


21:42:14 19586 Calling SSL_connect
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: before SSL initialization
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS write client hello
21:42:14 19586 SSL info: SSLv3/TLS read server hello
21:42:14 19586 Dane verify_cert
21:42:14 19586 verify_callback_client_dane: BAD depth 0 /CN=Jeremy
Harris/OU=Test Suite/O=The Exim Maintainers/C=UK
21:42:14 19586 - err 18 'self signed certificate'
21:42:14 19586 SSL info: SSLv3/TLS read server certificate
21:42:14 19586 SSL info: error
21:42:14 19586 Dane lib-cleanup
21:42:14 19586 LOG: MAIN
21:42:14 19586 DANE attempt failed; TLS connection to
dane256tas.test.ex [192.168.0.223]: (SSL_connect): error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed


The routine verify_callback_client_dane() looks like:

static int
verify_callback_client_dane(int preverify_ok, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
uschar dn[256];
int depth = X509_STORE_CTX_get_error_depth(x509ctx);

X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn));
dn[sizeof(dn)-1] = '\0';

DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s depth %d %s\n",
preverify_ok ? "ok":"BAD", depth, dn);
...
}



I'm assuming I've missed something out from the cert I've put together?
It has
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81
            X509v3 Authority Key Identifier:


keyid:BD:A7:5A:CD:CF:97:66:FC:52:5D:20:3D:50:A9:A6:01:09:39:48:81

            X509v3 Subject Alternative Name:
                DNS:test.ex



Any ideas?
--
Thanks,
Jeremy