On Sun, May 02, 2021 at 09:13:55PM +0200, Heiko Schlittermann via Exim-users wrote:
> this is especially for Victor. I'm out of ideas.
>
> Dane verify_cert verify_callback_client_dane: BAD depth 1
> /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2 - err 20
> 'unable to get local issuer certificate' SSL3 alert
> write:fatal:unknown CA
Do connections to my domain work (also DANE 3 1 1, be it with an LE
cert)?
> LOG: MAIN
> DANE attempt failed; TLS connection to serv02.atvirtual.eu
> [185.206.180.72]: (SSL_connect): error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify
> failed
With Postfix, I get:
# posttls-finger -c "[serv02.atvirtual.eu]"
posttls-finger: serv02.atvirtual.eu[2a0b:1640:1:1:1:1:179:ba44]:25: Matched DANE EE certificate at depth 0: 3 1 1 7E95E999DA41CDD250EB3F97C397BFDB087AEAB914EDBDF1B5B6C49457923048
posttls-finger: serv02.atvirtual.eu[2a0b:1640:1:1:1:1:179:ba44]:25: subject_CN=serv02.atvirtual.eu, issuer_CN=AlphaSSL CA - SHA256 - G2, fingerprint=70:4C:CF:00:75:BF:47:BB:D4:C7:D1:B4:E6:63:2B:52:E0:40:97:4F:3E:F1:18:C5:F7:D6:B3:E6:43:25:6C:69, pkey_fingerprint=7E:95:E9:99:DA:41:CD:D2:50:EB:3F:97:C3:97:BF:DB:08:7A:EA:B9:14:ED:BD:F1:B5:B6:C4:94:57:92:30:48
posttls-finger: Verified TLS connection established to serv02.atvirtual.eu[2a0b:1640:1:1:1:1:179:ba44]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
I have: openssl-1.1.1k
However, Postfix no longer uses my danessl library, as of Postfix 3.6
(which I'm running), it uses the DANE code in OpenSSL 1.1.x. So there
are a few differences here...
But I still have some Perl code lying around that uses that library and
it worked against the host in question:
serv02.atvirtual.eu. IN MX 0 serv02.atvirtual.eu.
serv02.atvirtual.eu. IN A 185.206.180.72
serv02.atvirtual.eu. IN AAAA 2a0b:1640:1:1:1:1:179:ba44
_25._tcp.serv02.atvirtual.eu. IN TLSA 3 1 1 7e95e999da41cdd250eb3f97c397bfdb087aeab914edbdf1b5b6c49457923048
;; SSL: protocol = TLSv1.2, cipher = ECDHE-RSA-AES128-GCM-SHA256 (128 bits)
;; Passed(depth 0): serv02.atvirtual.eu. IN TLSA 3 1 1 7e95e999da41cdd250eb3f97c397bfdb087aeab914edbdf1b5b6c49457923048
as did posttls-finger from Postfix 3.5 (in-situ build in the source
tree):
$ LD_LIBRARY_PATH=$PWD/lib ./bin/posttls-finger -o compatibility_level=3 -c '[serv02.atvirtual.eu]'
posttls-finger: using DANE RR: _25._tcp.serv02.atvirtual.eu IN TLSA 3 1 1 7E:95:E9:99:DA:41:CD:D2:50:EB:3F:97:C3:97:BF:DB:08:7A:EA:B9:14:ED:BD:F1:B5:B6:C4:94:57:92:30:48
posttls-finger: serv02.atvirtual.eu[185.206.180.72]:25: depth=0 matched end entity public-key sha256 digest=7E:95:E9:99:DA:41:CD:D2:50:EB:3F:97:C3:97:BF:DB:08:7A:EA:B9:14:ED:BD:F1:B5:B6:C4:94:57:92:30:48
posttls-finger: serv02.atvirtual.eu[185.206.180.72]:25: Matched subjectAltName: serv02.atvirtual.eu
posttls-finger: serv02.atvirtual.eu[185.206.180.72]:25 CommonName serv02.atvirtual.eu
posttls-finger: serv02.atvirtual.eu[185.206.180.72]:25: subject_CN=serv02.atvirtual.eu, issuer_CN=AlphaSSL CA - SHA256 - G2, fingerprint=22:72:97:BE:67:C7:33:89:8B:F8:95:02:2F:41:5F:C2:25:73:0B:8C, pkey_fingerprint=9E:6C:44:E3:C9:52:B7:F4:FA:37:D2:0D:47:31:46:38:CC:C2:D6:3A
posttls-finger: Verified TLS connection established to serv02.atvirtual.eu[185.206.180.72]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> The Exim 4.94.2 producing this uses openssl 1.1.1j. With older Exim
> 4.92.3 it works (openssl 1.1.0i)
That's interesting, can you try 1.1.1k?
> Any idea? For what I understand about DANE, it shouldn't care about
> the CA cert, should it? (The TLSA record uses 3 1 1)
Correct, the "3 1 1" record should be dispositive, and with a matching
"3 1 1" there should not even be a call to the OpenSSL chain building
code, the "chain" should consist of just the leaf cert.
--
Viktor.
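The point made above about a "3 1 1" record being dispositive, spelled out as an added example that is not part of the thread and not Exim's, Postfix's or OpenSSL's own code: a DANE-EE check with selector 1 and matching type 1 only needs the SHA-256 of the leaf certificate's SubjectPublicKeyInfo compared with the TLSA record, so no issuer lookup, trust store or chain building is involved. The DER encoder/decoder, the `build_fake_cert` skeleton (unsigned, with empty names and a placeholder signature) and the Ed25519-shaped sample key are all constructed for illustration; the only value taken from the thread is the `_25._tcp.serv02.atvirtual.eu` TLSA rdata used in `main`.

```python
"""DANE-EE (TLSA usage 3, selector 1, matching type 1) check on a leaf cert.

Everything here is an added illustration: the certificate is a constructed,
unsigned DER skeleton and the key is made-up bytes, so nothing is verified
beyond the SPKI digest, which is exactly what a 3 1 1 record asks for.
"""
import hashlib

SEQUENCE = 0x30


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_read(buf: bytes, pos: int):
    """Decode one TLV starting at pos; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(content: bytes):
    """Yield (tag, raw TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs_raw = next(der_children(cert_body))
    _, tbs_body, _ = der_read(tbs_raw, 0)
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:  # explicit [0] version is present (v2/v3 certs)
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def spki_digest(cert_der: bytes) -> str:
    """Selector 1 + matching type 1: SHA-256 over the DER SPKI, as lowercase hex."""
    return hashlib.sha256(extract_spki(cert_der)).hexdigest()


def parse_tlsa(rdata: str):
    """Split 'usage selector mtype hex...' TLSA rdata (hex may be space-split)."""
    usage, selector, mtype, *digest = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(digest).lower()


def dane_ee_matches(cert_der: bytes, tlsa_rdata: str) -> bool:
    """True when the leaf cert's SPKI digest equals the 3 1 1 record's data.

    Nothing about the issuer is consulted; the 'chain' is just the leaf.
    """
    usage, selector, mtype, data = parse_tlsa(tlsa_rdata)
    if (usage, selector, mtype) != (3, 1, 1):
        raise ValueError("this example only handles DANE-EE 3 1 1 records")
    return spki_digest(cert_der) == data


# Constructed sample SPKI shaped like an Ed25519 key (OID 1.3.101.112); not a real key.
SAMPLE_SPKI = der(SEQUENCE, der(SEQUENCE, der(0x06, b"\x2b\x65\x70"))
                  + der(0x03, b"\x00" + bytes(range(32))))


def build_fake_cert(spki: bytes, with_version: bool = True) -> bytes:
    """Constructed, unsigned certificate skeleton carrying the given SPKI."""
    version = der(0xA0, der(0x02, b"\x02")) if with_version else b""
    serial = der(0x02, b"\x01")
    alg = der(SEQUENCE, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    name = der(SEQUENCE, b"")  # empty Name, fine for this illustration only
    validity = der(SEQUENCE, der(0x17, b"210101000000Z") + der(0x17, b"220101000000Z"))
    tbs = der(SEQUENCE, version + serial + alg + name + validity + name + spki)
    signature = der(0x03, b"\x00" * 9)  # placeholder, never verified
    return der(SEQUENCE, tbs + alg + signature)


if __name__ == "__main__":
    cert = build_fake_cert(SAMPLE_SPKI)
    # Record from the thread; the sample cert cannot match it, which is the point.
    thread_record = "3 1 1 7e95e999da41cdd250eb3f97c397bfdb087aeab914edbdf1b5b6c49457923048"
    print("sample cert SPKI digest:", spki_digest(cert))
    print("matches thread record:", dane_ee_matches(cert, thread_record))
    print("matches its own digest:", dane_ee_matches(cert, "3 1 1 " + spki_digest(cert)))
```

For a real certificate the same digest is what `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256` produces, which is a quick way to confirm that a server's leaf key still matches its published 3 1 1 record before looking anywhere near the CA chain.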