[exim-dev] [Bug 2389] New: tls_verify_certificates - with Gn…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2389] New: tls_verify_certificates - with GnuTLS the CA list is sent no matter whether tls_verify_certificates points to dir or file
https://bugs.exim.org/show_bug.cgi?id=2389

            Bug ID: 2389
           Summary: tls_verify_certificates - with GnuTLS the CA list is
                    sent no matter whether tls_verify_certificates points
                    to dir or file
           Product: Exim
           Version: 4.91
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: eximusers@???
                CC: exim-dev@???


Hello,

spec says:
-------------------
tls_verify_certificates     Use: main     Type: string†     Default: system


The value of this option is expanded, and must then be either the word "system"
or the absolute path to a file or directory containing permitted certificates
for clients that match tls_verify_hosts or tls_try_verify_hosts.
[...]
With both OpenSSL and GnuTLS, if the value is a file then the certificates are
sent by Exim as a server to connecting clients, defining the list of accepted
certificate authorities. [...] To avoid this, use the explicit directory
version.
-------------------

For GnuTLS this is not correct. GnuTLS's behavior does not depend on whether a
dir or a file (or "system") was specified, the list is sent unless disabled by
gnutls_certificate_send_x509_rdn_sequence().

I am not sure what the correct fix is. It would be easiest to simply mimic
the OpenSSL convention (no list for system and dir, list sent for file) and
implement what the docs say.

OTOH even for OpenSSL this is just a convention according to
https://lists.exim.org/lurker/message/20190330.035618.ee329443.en.html - Viktor
Dukhovni writes there:
8X------------------------------------------------------
Actually, it is likely not so much OpenSSL behaviour as such, but rather
the most common application practice, which obviates the need for a
separately configurable parameter to set the list of advertised CAs.

The relevant OpenSSL functions are:

    SSL_load_client_CA_file()
    SSL_CTX_set_client_CA_list()


The first extracts a list of subject DNs from a file with CA certs,
and the second configures that stack as the list of CAs to advertise.
Many applications, including Postfix and likely Exim, just use the same
CA file used for client certificate verification as the list of CAs
to advertise. But this is not set in stone, other choices are available,
including using an empty stack.

Note, however, that some clients (notably Java) will not send a client
certificate unless the list of CAs sent is non-empty, and IIRC also
includes the trust-anchor that issued the client cert. Thus sending
no CAs or a partial list might suppress client cert use in some clients.

> If you give OpenSSL a file, then it advertises them all to the client.


As explained above, this is not automatic. The OpenSSL application
chooses the file separately from the file with trusted CAs, but many
just always use the same file.

> If you give OpenSSL a directory (processed with c_rehash or equivalent)
> then it advertises none to the client, but can verify them all.


This is the common work-around, but one can also simply use a smaller
file with just the desired issuers.
8X------------------------------------------------------

So GnuTLS would offer an on/off switch and OpenSSL would even offer separate
accepted_certs and advertised_accepted_certs lists.

cu Andreas

--
You are receiving this mail because:
You are on the CC list for the bug.
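An added check, not part of the bug report or of Exim: whichever library the server uses, what it actually advertises can be read off an `openssl s_client` transcript, which prints "Acceptable client certificate CA names" (or "No client certificate CA names sent") when the server requests a client certificate. The hostname is a placeholder and the two transcripts are constructed for the demonstration.

```shell
#!/bin/sh
# Classify the client-CA list a TLS server advertised, from a saved
# `openssl s_client` transcript ($1). Output is one of:
#   none-requested  - server did not ask for a client certificate
#   empty-list      - certificate requested, but no CA names sent
#   the advertised DNs, one per line (the list a GnuTLS server sends by
#   default, regardless of file vs directory, lands here)
advertised_cas() {
    if grep -q '^No client certificate CA names sent' "$1"; then
        echo "empty-list"; return 0
    fi
    if ! grep -q '^Acceptable client certificate CA names' "$1"; then
        echo "none-requested"; return 0
    fi
    # Names follow the header until the next section of the transcript.
    awk '/^Acceptable client certificate CA names/ { on = 1; next }
         on && (/^Client Certificate Types/ || /^---/) { exit }
         on { print }' "$1"
}

# Number of advertised issuers (0 for empty-list / none-requested).
advertised_count() {
    advertised_cas "$1" | grep -vc '^\(empty-list\|none-requested\)$'
}

# Constructed transcript excerpts (not captured from a real server).
sample_with_list() {
    printf '%s\n' '---' \
        'Acceptable client certificate CA names' \
        'C = DE, O = Example, CN = Example Root CA' \
        'C = DE, O = Example, CN = Example Issuing CA' \
        'Client Certificate Types: RSA sign, ECDSA sign'
}
sample_empty() {
    printf '%s\n' '---' 'No client certificate CA names sent' \
        'Client Certificate Types: RSA sign, ECDSA sign'
}

# Live use against an SMTP server (placeholder host):
#   openssl s_client -connect mail.example.invalid:25 -starttls smtp \
#       </dev/null 2>/dev/null >/tmp/smtp.txt
#   advertised_cas /tmp/smtp.txt
```

A long list here means every issuer in tls_verify_certificates is being disclosed to each connecting client; an empty one may, as Viktor notes above, stop some clients (Java) from presenting a certificate at all.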