Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates
On Mon, Sep 10, 2018 at 11:30:03AM +0200, Michael Westerburg wrote:

> > It seems you mean a "private" issuer CA, or any root CA that is not
> > included in the local trust store used for non-DANE verification.
>
> You are absolutely right. Sorry for my misleading description.
>
> > Your report really should also be specific about which destination
> > domain you're having trouble with and what the TLSA records were
> > at the time.
>
> The domain is: bayern.de


Thanks. That helps.

> The last command proves that the mail-server delivers the whole chain
> which consists of a self-signed certificate "CN=Bayerische DANE-CA" plus
> the server certificate "CN=mail.bayern.de". By extracting the self-signed
> certificate from the output above


And yet, you persisted... :-) Let's call that the "issuer" certificate.

> one can easily confirm the
> TLSA. So everything seems to be okay, except the two log messages:
>
> 2018-09-10 11:12:24.925 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.95]: (certificate verification
> failed): certificate invalid
> 2018-09-10 11:12:26.128 1fzIF5-00070c-KS DANE attempt failed; TLS
> connection to mail.bayern.de [195.200.70.104]: (certificate verification
> failed): certificate invalid


With "posttls-finger" (from Postfix, running code similar to what
happens in Exim with OpenSSL) I get:

    posttls-finger: using DANE RR: _25._tcp.mail.bayern.de IN TLSA 2 0 1 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
    posttls-finger: mail.bayern.de[195.200.70.104]:25: depth=1 matched trust anchor certificate sha256 digest 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
    posttls-finger: mail.bayern.de[195.200.70.104]:25 Matched CommonName mail.bayern.de
    posttls-finger: mail.bayern.de[195.200.70.104]:25: subject_CN=mail.bayern.de, issuer_CN=Bayerische DANE-CA, fingerprint=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B, pkey_fingerprint=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
    posttls-finger: Verified TLS connection established to mail.bayern.de[195.200.70.104]:25: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)


    Certificate chain
     0 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=mail.bayern.de/emailAddress=Behoerdennetzdienste@???
    issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
       cert digest=87:57:23:C0:87:D5:E7:63:1C:80:88:C6:0D:AB:A2:59:BC:82:FD:B3:9B:B3:76:1A:67:B1:94:E9:AE:D9:91:0B
       pkey digest=63:AF:88:25:32:1E:8D:36:B3:7D:A6:19:1A:23:AB:61:3D:CC:29:58:AD:1D:F5:B3:32:99:F4:A8:E4:22:BF:CD
    -----BEGIN CERTIFICATE-----
    MIIDhDCCAmwCCQDuvGbsd/4J2jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
    REUxDzANBgNVBAgMBkJheWVybjEZMBcGA1UECgwQRnJlaXN0YWF0IEJheWVybjEb
    MBkGA1UEAwwSQmF5ZXJpc2NoZSBEQU5FLUNBMS0wKwYJKoZIhvcNAQkBFh5CZWhv
    ZXJkZW5uZXR6ZGllbnN0ZUBiYXllcm4uZGUwHhcNMTgwOTA5MDQyNTA2WhcNMTgx
    MDA5MDQyNTA2WjCBgTELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJheWVybjEZMBcG
    A1UECgwQRnJlaXN0YWF0IEJheWVybjEXMBUGA1UEAwwObWFpbC5iYXllcm4uZGUx
    LTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTCC
    ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUixii48OP/SBuaDf5E2RAq
    WCznGU5whTcLIjBNwjw+uTGLIo6jwHSN6tf/HQQ1jQ/eZUue+kUZAtZfXhydr5yL
    vZvDOykrx/QV3DDj57m1X7pscR37pZ/2GzKkqXnD4pZbxZl9Q2gBiX3cwdS8dxDC
    3XKCt8r9xHWRPzdRVyK51VzfWxGmpwNNtF+DXNxKzpAIMc+xRboP/iglsYr9eIiz
    mVv2LQKBOW3r/BN3wmA1x0gxGwG8rzuSIXpbuXWlltBjwTVsM+npKOxPYxqhNl9j
    UsjKYIHOcYvFpTsZILIAUV5/jSopaJWBGJOQYZhw+AHrmSIr2Chr3i218zqBVPUC
    AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxM6I2MkW3+8sTHpeSXqZ1fgjxlgcXR77
    mMel1JKwZ3GvEGg9rCrj0sd6WTxUBu+bJo5ehH2t1Q0/el9/r4IUMMCXJ2Ou0SRp
    t0ioduFJDucBF77+jW1AHTpN/6cs0xjAUpKYeHu90shIccEQ4VzY8owlq7uSydGV
    d4Pch6+SRA7Rr4GQqlaDyawkx73EwJjy7OVjOUkl54h424cmD56unhYYsIybtCYp
    1rDEhtCfcae1dJoNURNUJuSmuQo8EMf/gorBxgTcC7Ug18xK7Ry7MKUp42mliDuu
    l2XsbNGFZtjazCyPFfabptD/lFGmyjb7CNq7N6P0EhBXgNEdkVoyHQ==
    -----END CERTIFICATE-----
     1 subject: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
    issuer: /C=DE/ST=Bayern/O=Freistaat Bayern/CN=Bayerische DANE-CA/emailAddress=Behoerdennetzdienste@???
       cert digest=32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A
       pkey digest=02:D4:41:22:7B:2F:B8:90:78:4A:EB:7D:88:43:64:53:96:28:8B:51:0C:5B:55:F6:CA:63:EA:B4:FB:CE:B9:F9
    -----BEGIN CERTIFICATE-----
    MIID3zCCAsegAwIBAgIJAInKifW+FkGxMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
    VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5
    ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hlIERBTkUtQ0ExLTArBgkqhkiG9w0BCQEW
    HkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTAeFw0xODA3MDkwOTIwMDBa
    Fw0yODA3MTYwOTIwMDBaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJu
    MRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hl
    IERBTkUtQ0ExLTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJh
    eWVybi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrMniddtbQS
    cEmtDdBR5EpsWNkYaNCJe0mEdUk5BifGTmjvUc0IBNKXbxB8BvOWWsHI7cIBl3Hw
    /KfYjjqwf/+jD9k60MWyhwmcBdo8FR1P4dbz8cyGdWmOmQ0pc4iNkxS9dGJIsP+Y
    hTmtQ/KMKuZk2DFfsdJEqoxMZrWz34m2cremRB4Afs18d4OlhCsq26YXizkow3Cq
    Z9llEXFpo0dhHo4+oMNU1eyfYzK5RboJAl0nEUcQZgSB9hDk/ASl93Jd5lBkzFby
    cL/oNmdx6PJFEmOTwb09XqefkoJhSgl6vP5K65XXt4LrB4tv1dtaXOmHQYU//Sbp
    N5sql5510jECAwEAAaNQME4wHQYDVR0OBBYEFOWP/IkeaU8GdDvH41mC/X5jCc04
    MB8GA1UdIwQYMBaAFOWP/IkeaU8GdDvH41mC/X5jCc04MAwGA1UdEwQFMAMBAf8w
    DQYJKoZIhvcNAQELBQADggEBAGAa2rbVNm2m/89RC6oQiUi0Qgc4H7F77CMTUaSf
    /DK0W3H4pec9YZh6ka5T8bTGyvHnyaczb1Q2k4Y1u1dRm354wU83/SN3W1/9sgpE
    hGMDh2SyE/Tuq3MWVQ9OlZ69FUUVTb9IdIxoPuUai+DRWq4ujcxUZNfFgJ1IRycc
    c9dTnWDTpRfq/y90snqsS4AMeJ15vASO6btGubLkrcCbdiFYHJzfp/OfVVTCEt7l
    ukdpeGYdKZ/vZkBc3ETrgMv6Ikt65QC1TuMqaieq9rdxdv+meKCDGZOn/4aVCFBw
    4nNBGePJYTXxfPMv7HpwRn2Y+DU1OcRrWYfRsSuoVE3HzMU=
    -----END CERTIFICATE-----


> Adding the self-signed certificate to the local trust store solves the
> problem.


It looks like some function Exim is calling when using GnuTLS
branches into parts of GnuTLS that require a match in the local
trust store. This chain has a DANE-TA(2) match to a direct issuer
CA (that happens to be self-signed, but that's secondary) with no
intermediate certificates in the path between the EE cert and
trust-anchor.

-- 
    Viktor.
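The DANE-TA(2) check that the message describes, as an added example (not code from Exim, Postfix or posttls-finger): the certificate association data is computed for every certificate the server sent, and for usage 2 a match is only accepted at depth 1 or higher, with no requirement that the matched issuer be in the local trust store. The embedded chain and TLSA record are the ones posttls-finger printed above; the `der_tlv`/`spki_der` helpers are a minimal, hypothetical DER walker that only does enough to pull out the SubjectPublicKeyInfo, so the example also covers selector 1 (SPKI) and matching type 2 (SHA-512), which the record in the thread does not use. It deliberately does no PKIX path building, expiry or name checking (posttls-finger's "Matched CommonName" line), only the TLSA match itself.

```python
import base64
import hashlib

# Constructed input: the chain posttls-finger printed in the message above
# (depth 0 = mail.bayern.de, depth 1 = "Bayerische DANE-CA").
LEAF_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDhDCCAmwCCQDuvGbsd/4J2jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
REUxDzANBgNVBAgMBkJheWVybjEZMBcGA1UECgwQRnJlaXN0YWF0IEJheWVybjEb
MBkGA1UEAwwSQmF5ZXJpc2NoZSBEQU5FLUNBMS0wKwYJKoZIhvcNAQkBFh5CZWhv
ZXJkZW5uZXR6ZGllbnN0ZUBiYXllcm4uZGUwHhcNMTgwOTA5MDQyNTA2WhcNMTgx
MDA5MDQyNTA2WjCBgTELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJheWVybjEZMBcG
A1UECgwQRnJlaXN0YWF0IEJheWVybjEXMBUGA1UEAwwObWFpbC5iYXllcm4uZGUx
LTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUixii48OP/SBuaDf5E2RAq
WCznGU5whTcLIjBNwjw+uTGLIo6jwHSN6tf/HQQ1jQ/eZUue+kUZAtZfXhydr5yL
vZvDOykrx/QV3DDj57m1X7pscR37pZ/2GzKkqXnD4pZbxZl9Q2gBiX3cwdS8dxDC
3XKCt8r9xHWRPzdRVyK51VzfWxGmpwNNtF+DXNxKzpAIMc+xRboP/iglsYr9eIiz
mVv2LQKBOW3r/BN3wmA1x0gxGwG8rzuSIXpbuXWlltBjwTVsM+npKOxPYxqhNl9j
UsjKYIHOcYvFpTsZILIAUV5/jSopaJWBGJOQYZhw+AHrmSIr2Chr3i218zqBVPUC
AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxM6I2MkW3+8sTHpeSXqZ1fgjxlgcXR77
mMel1JKwZ3GvEGg9rCrj0sd6WTxUBu+bJo5ehH2t1Q0/el9/r4IUMMCXJ2Ou0SRp
t0ioduFJDucBF77+jW1AHTpN/6cs0xjAUpKYeHu90shIccEQ4VzY8owlq7uSydGV
d4Pch6+SRA7Rr4GQqlaDyawkx73EwJjy7OVjOUkl54h424cmD56unhYYsIybtCYp
1rDEhtCfcae1dJoNURNUJuSmuQo8EMf/gorBxgTcC7Ug18xK7Ry7MKUp42mliDuu
l2XsbNGFZtjazCyPFfabptD/lFGmyjb7CNq7N6P0EhBXgNEdkVoyHQ==
-----END CERTIFICATE-----
"""
ISSUER_PEM = """\
-----BEGIN CERTIFICATE-----
MIID3zCCAsegAwIBAgIJAInKifW+FkGxMA0GCSqGSIb3DQEBCwUAMIGFMQswCQYD
VQQGEwJERTEPMA0GA1UECAwGQmF5ZXJuMRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5
ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hlIERBTkUtQ0ExLTArBgkqhkiG9w0BCQEW
HkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJheWVybi5kZTAeFw0xODA3MDkwOTIwMDBa
Fw0yODA3MTYwOTIwMDBaMIGFMQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmF5ZXJu
MRkwFwYDVQQKDBBGcmVpc3RhYXQgQmF5ZXJuMRswGQYDVQQDDBJCYXllcmlzY2hl
IERBTkUtQ0ExLTArBgkqhkiG9w0BCQEWHkJlaG9lcmRlbm5ldHpkaWVuc3RlQGJh
eWVybi5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANrMniddtbQS
cEmtDdBR5EpsWNkYaNCJe0mEdUk5BifGTmjvUc0IBNKXbxB8BvOWWsHI7cIBl3Hw
/KfYjjqwf/+jD9k60MWyhwmcBdo8FR1P4dbz8cyGdWmOmQ0pc4iNkxS9dGJIsP+Y
hTmtQ/KMKuZk2DFfsdJEqoxMZrWz34m2cremRB4Afs18d4OlhCsq26YXizkow3Cq
Z9llEXFpo0dhHo4+oMNU1eyfYzK5RboJAl0nEUcQZgSB9hDk/ASl93Jd5lBkzFby
cL/oNmdx6PJFEmOTwb09XqefkoJhSgl6vP5K65XXt4LrB4tv1dtaXOmHQYU//Sbp
N5sql5510jECAwEAAaNQME4wHQYDVR0OBBYEFOWP/IkeaU8GdDvH41mC/X5jCc04
MB8GA1UdIwQYMBaAFOWP/IkeaU8GdDvH41mC/X5jCc04MAwGA1UdEwQFMAMBAf8w
DQYJKoZIhvcNAQELBQADggEBAGAa2rbVNm2m/89RC6oQiUi0Qgc4H7F77CMTUaSf
/DK0W3H4pec9YZh6ka5T8bTGyvHnyaczb1Q2k4Y1u1dRm354wU83/SN3W1/9sgpE
hGMDh2SyE/Tuq3MWVQ9OlZ69FUUVTb9IdIxoPuUai+DRWq4ujcxUZNfFgJ1IRycc
c9dTnWDTpRfq/y90snqsS4AMeJ15vASO6btGubLkrcCbdiFYHJzfp/OfVVTCEt7l
ukdpeGYdKZ/vZkBc3ETrgMv6Ikt65QC1TuMqaieq9rdxdv+meKCDGZOn/4aVCFBw
4nNBGePJYTXxfPMv7HpwRn2Y+DU1OcRrWYfRsSuoVE3HzMU=
-----END CERTIFICATE-----
"""
CHAIN_PEM = [LEAF_PEM, ISSUER_PEM]
# The TLSA RR from the message: DANE-TA(2), full certificate (0), SHA-256 (1).
TLSA_RECORD = ("2 0 1 32:A2:BC:1D:51:5C:DB:C4:12:B6:2B:47:A1:CC:CF:2B:"
               "B1:B8:E3:EF:30:9F:98:24:58:D3:A7:C6:17:97:42:2A")

def pem_to_der(pem):
    """Drop the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if "-----" not in l))

def der_tlv(buf, off=0):
    """Minimal DER reader (single-byte tags only): returns (tag, value, end)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, buf[off + hdr:off + hdr + length], off + hdr + length

def spki_der(cert_der):
    """Extract DER SubjectPublicKeyInfo, walking the RFC 5280 field order."""
    _, body, _ = der_tlv(cert_der)                 # Certificate SEQUENCE
    _, tbs, _ = der_tlv(body)                      # tbsCertificate SEQUENCE
    tag, _, off = der_tlv(tbs)                     # version [0] EXPLICIT, or serial
    if tag == 0xA0:                                # v2/v3: version present, skip serial too
        _, _, off = der_tlv(tbs, off)
    for _ in range(4):                             # signature, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    return tbs[off:der_tlv(tbs, off)[2]]           # subjectPublicKeyInfo

def parse_tlsa(text):
    """Parse 'usage selector mtype hex'; colons in the hex are tolerated."""
    usage, selector, mtype, data = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(":", ""))

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data: full cert or SPKI, raw/SHA-256/SHA-512."""
    raw = cert_der if selector == 0 else spki_der(cert_der)
    return {0: raw, 1: hashlib.sha256(raw).digest(), 2: hashlib.sha512(raw).digest()}[mtype]

def match_chain(record, chain_der):
    """Chain depth at which the record matches, or None. DANE-EE(3) must match
    the leaf; DANE-TA(2) must match an issuer at depth >= 1. PKIX-TA/EE (0, 1)
    need the local trust store and are not used for SMTP DANE (RFC 7672)."""
    usage, selector, mtype, data = parse_tlsa(record)
    if usage not in (2, 3):
        raise ValueError("usage %d is not valid for SMTP DANE" % usage)
    depths = [0] if usage == 3 else range(1, len(chain_der))
    return next((d for d in depths if tlsa_data(chain_der[d], selector, mtype) == data), None)
```

Running `match_chain(TLSA_RECORD, [pem_to_der(p) for p in CHAIN_PEM])` against the embedded chain is the same comparison posttls-finger reports as "depth=1 matched trust anchor certificate sha256 digest"; the point of the usage-2 branch is that the match is searched from depth 1 upward and never consults a trust store, which is exactly the step that appears to be going wrong in the GnuTLS code path Viktor describes.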