Re: [exim] DANE(TA) doesn't work with self signed certificat…

Top Page

Reply to this message
Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates
On Mon, Sep 10, 2018 at 11:30:03AM +0200, Michael Westerburg wrote:

> > It seems you mean a "private" issuer CA, or any root CA that is not
> > included in the local trust store used for non-DANE verification.
>
> You are absolutely right. Sorry for my misleading description.
>
> > Your report really should also be specific about which destination
> > domain you're having trouble with and what the TLSA records were
> > at the time.
>
> The domain is : bayern.de


Thanks. That helps.

> The last command proofs that the mail-server delivers the whole chain
> which consists of a self signed certificate "CN=Bayerische DANE-CA" plus
> the server certificate "CN=mail.bayern.de". By extracting the self
> signed certificate from the output above


And yet, you persisted... :-) Let's call that the "issuer" certificate.

> one can easily confirm the
> TLSA. So everything seems to be okay, except the two log messages:
>
> 2018-09-10 11:12:24.925 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.95]: (certificate verification
> failed): certificate invalid
> 2018-09-10 11:12:26.128 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.104]: (certificate verification
> failed): certificate invalid


With "posttls-finger" (from Postfix, running code similar to what
happens in Exim with OpenSSL) I get:

    posttls-finger: using DANE RR: _25._tcp.mail.bayern.de IN TLSA 2 0 1 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
    posttls-finger: mail.bayern.de[195.200.70.104]:25: depth=1 matched trust anchor certificate sha256 digest 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
    posttls-finger: mail.bayern.de[195.200.70.104]:25 Matched CommonName mail.bayern.de
    posttls-finger: mail.bayern.de[195.200.70.104]:25: subject_CN=mail.bayern.de, issuer_CN=Bayerische DANE-CA, fingerprint=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B, pkey_fingerprint=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
    posttls-finger: Verified TLS connection established to mail.bayern.de[195.200.70.104]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)


    Certificate chain
     0 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=mail.bayern.de/emailAddress=Behoerdennetzdienste@???
    issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
       cert digest=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B
       pkey digest=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
    -----BEGIN CERTIFICATE-----
    MIIDhDCCAmwCCQDuvGbsd/4J2jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
    REUxDzANBgNVBAgMBkJheWVybjEZMBcGA1UECgwQRnJlaXN0YWF0IEJheWVybjEb
    MBkGA1UEAwwSQmF5ZXJpc2NoZSBEQU5FLUNBMS0wKwYJKoZIhvcNAQkBFh5CZWhv
    ZXJkZW5uZXR6ZGllbnN0ZUBiYXllcm4uZGUwHhcNMTgwOTA5MDQyNTA2WhcNMTgx
    MDA5MDQyNTA2WjCBgTELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJheWVybjEZMBcG
    A1UECgwQRnJlaXN0YWF0IEJheWVybjEXMBUGA1UEAwwObWFpbC5iYXllcm4uZGUx
    LTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTCC
    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUixii48OP/SBuaDf5E2RAq
    WCznGU5whTcLIjBNwjw+uTGLIo6jwHSN6tf/HQQ1jQ/eZUue+kUZAtZfXhydr5yL
    vZvDOykrx/QV3DDj57m1X7pscR37pZ/2GzKkqXnD4pZbxZl9Q2gBiX3cwdS8dxDC
    3XKCt8r9xHWRPzdRVyK51VzfWxGmpwNNtF+DXNxKzpAIMc+xRboP/iglsYr9eIiz
    mVv2LQKBOW3r/BN3wmA1x0gxGwG8rzuSIXpbuXWlltBjwTVsM+npKOxPYxqhNl9j
    UsjKYIHOcYvFpTsZILIAUV5/jSopaJWBGJOQYZhw+AHrmSIr2Chr3i218zqBVPUC
    AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxM6I2MkW3+8sTHpeSXqZ1fgjxlgcXR77
    mMel1JKwZ3GvEGg9rCrj0sd6WTxUBu+bJo5ehH2t1Q0/el9/r4IUMMCXJ2Ou0SRp
    t0ioduFJDucBF77+jW1AHTpN/6cs0xjAUpKYeHu90shIccEQ4VzY8owlq7uSydGV
    d4Pch6+SRA7Rr4GQqlaDyawkx73EwJjy7OVjOUkl54h424cmD56unhYYsIybtCYp
    1rDEhtCfcae1dJoNURNUJuSmuQo8EMf/gorBxgTcC7Ug18xK7Ry7MKUp42mliDuu
    l2XsbNGFZtjazCyPFfabptD/lFGmyjb7CNq7N6P0EhBXgNEdkVoyHQ==
    -----END CERTIFICATE-----
     1 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
    issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
       cert digest=32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
       pkey digest=02:D4:41:22:7B:2F:B8:90:78:4A:EB:7D:88:43:64:53:96:28:8B:51:0C:5B:55:F6:CA:63:EA:B4:FB:CE:B9:F9
    -----BEGIN CERTIFICATE-----
    MIID3zCCAsegAwIBAgIJAInKifW+FkGxMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
    VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5
    ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hlIERBTkUtQ0ExLTArBgkqhkiG9w0BCQEW
    HkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTAeFw0xODA3MDkwOTIwMDBa
    Fw0yODA3MTYwOTIwMDBaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJu
    MRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hl
    IERBTkUtQ0ExLTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJh
    eWVybi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrMniddtbQS
    cEmtDdBR5EpsWNkYaNCJe0mEdUk5BifGTmjvUc0IBNKXbxB8BvOWWsHI7cIBl3Hw
    /KfYjjqwf/+jD9k60MWyhwmcBdo8FR1P4dbz8cyGdWmOmQ0pc4iNkxS9dGJIsP+Y
    hTmtQ/KMKuZk2DFfsdJEqoxMZrWz34m2cremRB4Afs18d4OlhCsq26YXizkow3Cq
    Z9llEXFpo0dhHo4+oMNU1eyfYzK5RboJAl0nEUcQZgSB9hDk/ASl93Jd5lBkzFby
    cL/oNmdx6PJFEmOTwb09XqefkoJhSgl6vP5K65XXt4LrB4tv1dtaXOmHQYU//Sbp
    N5sql5510jECAwEAAaNQME4wHQYDVR0OBBYEFOWP/IkeaU8GdDvH41mC/X5jCc04
    MB8GA1UdIwQYMBaAFOWP/IkeaU8GdDvH41mC/X5jCc04MAwGA1UdEwQFMAMBAf8w
    DQYJKoZIhvcNAQELBQADggEBAGAa2rbVNm2m/89RC6oQiUi0Qgc4H7F77CMTUaSf
    /DK0W3H4pec9YZh6ka5T8bTGyvHnyaczb1Q2k4Y1u1dRm354wU83/SN3W1/9sgpE
    hGMDh2SyE/Tuq3MWVQ9OlZ69FUUVTb9IdIxoPuUai+DRWq4ujcxUZNfFgJ1IRycc
    c9dTnWDTpRfq/y90snqsS4AMeJ15vASO6btGubLkrcCbdiFYHJzfp/OfVVTCEt7l
    ukdpeGYdKZ/vZkBc3ETrgMv6Ikt65QC1TuMqaieq9rdxdv+meKCDGZOn/4aVCFBw
    4nNBGePJYTXxfPMv7HpwRn2Y+DU1OcRrWYfRsSuoVE3HzMU=
    -----END CERTIFICATE-----


> Adding the self signed certificate to the local trust store solves the
> problem.


It looks like some function Exim is calling when using GnuTLS
branches into parts of GnuTLS that require a match in the local
trust store. This chain has a DANE-TA(2) match to a direct issuer
CA (that happens to be self-signed, but that's secondary) with no
intermediate certificates in the path between the EE cert and
trust-anchor.

-- 
    Viktor.