Re: [exim] DANE vs unknown CA

Author: Heiko Schlittermann
Date:  
To: exim-users, Viktor Dukhovni
Subject: Re: [exim] DANE vs unknown CA
With the help of Wolfgang B and Jeremy we were able to resolve the issue.
It was introduced in d8e99d6047e709b35eabb1395c2046100d1a1dda and
relates to Exim Bug 2265 https://bugs.exim.org/show_bug.cgi?id=2265

Several conditions had to be met to trigger this bug.

- The MX of the recipient's domain supports DANE (TLSA and DNSSEC)

        atvirtual.net MX 1 serv02.atvirtual.eu.
                                            ~~~ EU!


- The MX of the recipient's domain responds to an SNI carrying the
recipient's domain with a certificate

        openssl s_client \
                -starttls smtp \
                -connect serv02.atvirtual.eu:25 \
                -servername atvirtual.net \
                -dane_tlsa_rrdata "3 1 1 7e95e999da41cdd250eb3f97c397bfdb087aeab914edbdf1b5b6c49457923048" \
                -dane_tlsa_domain "serv02.atvirtual.eu"


that doesn't match the TLSA record propagated for the MX:

        _25._tcp.serv02.atvirtual.eu. 3600 IN    TLSA    3 1 1 7E95E999DA41CDD250EB3F97C397BFDB087AEAB914EDBDF1B5B6C494 57923048


As far as I understand, that's totally legal. It was our fault to set
the SNI to the recipient's domain (atvirtual.net), instead of the target
host (serv02.atvirtual.eu).

Unfortunately the error message wasn't too helpful, especially the phrase "error in error":

    Dane verify_cert
    verify_callback_client_dane: BAD depth 1 /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
     - err 20 'unable to get local issuer certificate'
    SSL3 alert write:fatal:unknown CA
*   SSL_connect: error in error
    Dane lib-cleanup
    TLS error '(SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
    TLS session fail: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
    LOG: MAIN
      DANE attempt failed; TLS connection to serv02.atvirtual.eu [185.206.180.72]: (SSL_connect): error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


I'm not sure if Exim can be improved here, or if we have to accept it. Though,
the command line is a bit more expressive here:

    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5D360ACF25EFD293AFA569AA64BDD24F142B863C98941873164E754D3ADDA8D5
    Session-ID-ctx:
    Master-Key: D2CC6C4D469A87CC0E4C45EC9418299A3D25EE36497BFFF6C0BA594F883AF998F6A77B55BB5CF89DD3C52BE08D566E90
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1620059017
    Timeout   : 7200 (sec)
    Verify return code: 65 (No matching DANE TLSA records)
    Extended master secret: no


For the upcoming 4.94.2 a patch is part of the 4.94.2+fixes branch
already. It will be cherry-picked to master soon.

Thank you again for your fast response yesterday.

    Best regards from Dresden/Germany
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
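The mismatch described in the message above comes down to what a "3 1 1" TLSA record actually binds: usage DANE-EE(3), selector SubjectPublicKeyInfo(1), matching type SHA-256(1). The certificate the MX serves for the MX's own hostname hashes to the published value; the certificate it serves for the recipient's domain name does not. The following is an added example, not code from the original post or from Exim, that performs that comparison the way `openssl s_client -dane_tlsa_rrdata` does. The certificates are constructed DER stand-ins with dummy keys and the hostnames are placeholders (`serv02.example`, `example.net`), not the real serv02.atvirtual.eu certificate or record.

```python
"""Added example (not from the original post or from Exim): match a server
certificate against a DANE TLSA record in presentation format (RFC 6698).
Certificates below are constructed DER skeletons with dummy keys."""
import hashlib

SEQUENCE, SET, INTEGER, BIT_STRING, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x06, 0x0C, 0x17, 0xA0)


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (definite lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, end_offset)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def fake_certificate(public_key: bytes, cn: bytes) -> bytes:
    """Minimal X.509 v3 skeleton, just enough structure for SPKI extraction.
    The signature is zeros; nothing here is cryptographically valid."""
    ecdsa_sha256 = der(SEQUENCE, der(OID, bytes.fromhex("2a8648ce3d040302")))
    name = der(SEQUENCE, der(SET, der(SEQUENCE,
               der(OID, bytes.fromhex("550403")) + der(UTF8, cn))))
    validity = der(SEQUENCE, der(UTCTIME, b"210101000000Z") +
                   der(UTCTIME, b"220101000000Z"))
    ec_p256 = der(SEQUENCE, der(OID, bytes.fromhex("2a8648ce3d0201")) +
                  der(OID, bytes.fromhex("2a8648ce3d030107")))
    spki = der(SEQUENCE, ec_p256 + der(BIT_STRING, b"\x00" + public_key))
    tbs = der(SEQUENCE, der(CTX0, der(INTEGER, b"\x02")) + der(INTEGER, b"\x01")
              + ecdsa_sha256 + name + validity + name + spki)
    return der(SEQUENCE, tbs + ecdsa_sha256 + der(BIT_STRING, b"\x00" + bytes(64)))


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo (tag and length included),
    which is what selector 1 hashes. tbsCertificate order: [0] version
    (optional), serialNumber, signature, issuer, validity, subject, SPKI."""
    _, certificate, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(certificate, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        tag, _, pos = read_tlv(tbs, pos)
        fields.append((tag, tbs[start:pos]))
    if fields and fields[0][0] == CTX0:
        fields = fields[1:]
    return fields[5][1]


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Apply selector (0 = full cert, 1 = SPKI) and matching type
    (0 = exact, 1 = SHA-256, 2 = SHA-512) as RFC 6698 defines them."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]
    return {0: lambda d: d,
            1: lambda d: hashlib.sha256(d).digest(),
            2: lambda d: hashlib.sha512(d).digest()}[mtype](data)


def parse_tlsa(rdata: str):
    """Parse presentation format '3 1 1 7E95...'. dig may split the hex
    field with whitespace (as in the record quoted above): join it first."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    usage, selector, mtype, expected = parse_tlsa(rdata)
    if usage not in (2, 3):
        raise ValueError("SMTP DANE (RFC 7672) uses only DANE-TA(2) or DANE-EE(3)")
    return association_data(cert_der, selector, mtype) == expected


def tlsa_rdata_for(cert_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """The rdata an operator would publish at _25._tcp.<mx-host> for cert_der."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex().upper()}"


def demo() -> dict:
    # Constructed stand-ins: the cert the MX serves when SNI is its own name,
    # and a different cert it serves when SNI is the recipient's domain.
    mx_cert = fake_certificate(b"\x04" + bytes(range(1, 65)), b"serv02.example")
    domain_cert = fake_certificate(b"\x04" + bytes(range(65, 129)), b"example.net")
    published = tlsa_rdata_for(mx_cert)  # "3 1 1 <SHA-256 of mx_cert SPKI>"
    return {"mx_sni_matches": tlsa_matches(mx_cert, published),
            "domain_sni_matches": tlsa_matches(domain_cert, published)}


if __name__ == "__main__":
    print(demo())
```

The practical rule the message arrives at is visible in the check: the TLSA owner name is `_25._tcp.<MX hostname>`, so the SNI the client sends must be that same MX hostname, otherwise the server may legitimately pick a different certificate and DANE-EE matching fails even though every certificate involved is perfectly valid. With usage 3 only the association is compared; the issuing CA plays no role, which is why an "unknown CA" alert is a confusing way to report the failure.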