[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni via Exim-users
Date:  
À: exim-users
Sujet: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On Sun, Jul 07, 2024 at 09:36:48AM +0100, Jeremy Harris via Exim-users wrote:

> Basics such as who the actors are in the connection, with which roles
> (that last item because of the confusion in the message I
> responded to yesterday).


The connection is to "mx06.et.lindenberg.one" on port 25. When the TLSA
base domain "mx06.et.lindenberg.one" is sent as the SNI name, the
presented certificate chain is:

subject=CN = et.lindenberg.one
issuer=C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIHFjCCBf6gAwIBAgISA2gKPw3hnIK3DhYzXdhVWUfPMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yNDA2MDIxMDM0MDZaFw0yNDA4MzExMDM0MDVaMBwxGjAYBgNVBAMT
EWV0LmxpbmRlbmJlcmcub25lMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEAxZ+5sK0NbDi4txQsSVmWkmc7Vux3RS0EXOqAKKJRT+g44nH4b2f1P96frFkn
xFqNWSJj8RXFbNA+ru8qOHVvdmCGlv7XvfL5+OhPDuFvzJ+mMHrmeONXACmMCKmZ
18q9uGFB2M1pJltSjX9+1kNV0sBzNtk/Wcjx5rS2mRhSPi9UgoB4w8H9M0SzIQm8
o8UecYXno6ZY8fn1KOCFjGGvTxvKCg0660gYSwswAPBatICQsT3hzFXjePPBrCir
Fbipgf6A9/23kmOURZgfGV9qG4QI/ykl65jrMN+AZi2YSYADIGdcPZd23560RYZh
Mq6UIccd4cVJXdEzpvLAbESLpJ7E02YRBVOQKsMZpDVdNtuW9mh3+SbyV07ztdOB
0RnUAKQGquuZ1GG2j4hGq5hkTcGNFDy9ci4daXmMGKj3Ubiv+eNcV6y5iwVxs27n
prHJ4g/hEXpFi+nm9wfPIjRc+IjoRi4pWuPsH12G7mkzNbqrTDSCH51rKmBk8fK+
A+i3nUV8TvDfeOTsbGjk2kvKvBjqc31B0Dsrf+NfaVexWk2QYouSUx+PzybOWHfA
ODMH8SYlw7f1W7GsxKkyQJovHr5Sou4230ku/JwlTfsja1ig9dFuvPZooThKkGK9
/XZqIDwEBJxvLaLTgaQyuedB2eWQ/F0s7pKxpUA8/8HOXXUCAwEAAaOCAzowggM2
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUzVB+4FF7HuY7Y4/lSIpznp/BEPQwHwYD
VR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEG
CCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0
dHA6Ly9yMy5pLmxlbmNyLm9yZy8wggFABgNVHREEggE3MIIBM4IRZXQubGluZGVu
YmVyZy5vbmWCFm14MDEuZXQubGluZGVuYmVyZy5vbmWCFm14MDIuZXQubGluZGVu
YmVyZy5vbmWCFm14MDMuZXQubGluZGVuYmVyZy5vbmWCFm14MDQuZXQubGluZGVu
YmVyZy5vbmWCFm14MDUuZXQubGluZGVuYmVyZy5vbmWCFm14MDYuZXQubGluZGVu
YmVyZy5vbmWCFm14MTEuZXQubGluZGVuYmVyZy5vbmWCFm14MTIuZXQubGluZGVu
YmVyZy5vbmWCFm14MTMuZXQubGluZGVuYmVyZy5vbmWCFm14MTQuZXQubGluZGVu
YmVyZy5vbmWCFm14MTUuZXQubGluZGVuYmVyZy5vbmWCFm14MTYuZXQubGluZGVu
YmVyZy5vbmUwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEFBgorBgEEAdZ5AgQCBIH2
BIHzAPEAdwBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAY/YummV
AAAEAwBIMEYCIQCNkW2popJDezZAJNLjxFvd/0EeU9n6u/vtYTQzSWA/KgIhAMbR
SEdfyaUAqkSSsEPpJA//Z/wT5alqSNmXRMM0Ac3QAHYAdv+IPwq2+5VRwmHM9Ye6
NLSkzbsp3GhCCp/mZ0xaOnQAAAGP2Lpp6wAABAMARzBFAiEAzYDVfMxUxaWC5TsO
iDVycwshKXO9I+mY0JBIuyJyFJ8CIG7hjRhozktKY0t4QyogulfVEHdw/f3ixRbJ
9T2yBSa/MA0GCSqGSIb3DQEBCwUAA4IBAQB/bZ1MGoaB9J2L6I8r9edDFVQorvCN
xthHKt7+YpESr4/zWyiye05dukfoWFep8MFUoAdsPEin5BpKgWNxHVU+e0lSSuO8
btbkogjG3MvqfUF7RdGWQf4a2xslluf5X3ARBwI3RDzsPenx4zv0hu4UXl5/z967
NWhinVV6RxyLCdVDYRguyzljgYA7U38LmfSiuB1gtigZ8ipXXF2F+mJGfF70HNkS
5YkVCJVh3UL3LHKEtLsC9v1/CPRh2/fu0xjIj48NDzjqr31ENa22xk56hqaRAzXB
lO5QmymMYK9k2VuNDI9WKFaKfnF+LVVhYyzbyNT/uGbFdIhrhF/f5rES
-----END CERTIFICATE-----
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----

This has a valid key usage, and passes DANE checks.

> Actual debug output from the Exim system. I pointed out how best
> to do that on the 2nd (assuming that the Exim system is the
> accepting end for the connection).


On the other hand, when SNI is not sent, a different certificate
(single-element "chain") is presented, which does not match the
TLSA records, and whose keyUsage does not include "Digital Signature",
which is then not compatible with ephemeral DH and ECDH key exchange.

            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication


This "default" certificate is:

issuer=C = DE, ST = BW, L = Karlsruhe, O = Lindenberg, OU = Tests, CN = et.lindenberg.one
notBefore=Jan 22 16:08:03 2022 GMT
notAfter=Jan 17 16:08:03 2042 GMT
subject=C = DE, ST = BW, L = Karlsruhe, O = Lindenberg, OU = Tests, CN = et.lindenberg.one
-----BEGIN CERTIFICATE-----
MIIDwzCCAqugAwIBAgIUMVU6QHs/gK55HDsB/Gpcnmjww3EwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCREUxCzAJBgNVBAgMAkJXMRIwEAYDVQQHDAlLYXJsc3J1
aGUxEzARBgNVBAoMCkxpbmRlbmJlcmcxDjAMBgNVBAsMBVRlc3RzMRowGAYDVQQD
DBFldC5saW5kZW5iZXJnLm9uZTAeFw0yMjAxMjIxNjA4MDNaFw00MjAxMTcxNjA4
MDNaMG8xCzAJBgNVBAYTAkRFMQswCQYDVQQIDAJCVzESMBAGA1UEBwwJS2FybHNy
dWhlMRMwEQYDVQQKDApMaW5kZW5iZXJnMQ4wDAYDVQQLDAVUZXN0czEaMBgGA1UE
AwwRZXQubGluZGVuYmVyZy5vbmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQDesbdjo7+jUX94UO8vHlKgOzT9NRJWRO4u2jln3GrW6o8nvh2PxoZB9+Yj
B8De/PF/rpVe35TAX5X1BLL23FSIw4k0xFy7xAvig8L8VO+fOt/X/yDWsEEfoWGu
WT8Z/Q40OY0luIS2OUk9fwcwffUj3D/ZiXYHGxInTTaAqAVnsvI66cIMrw2orfUD
3GcsPIhVC/gdK3XaQLAPImzn2T+pCzmpUxiKI1P5wueRjEtMlq6hFFx4BG4I6qmi
tjiQ4Unl13WtvBhKSkdGkI6u8RSboHNbYDzTlZk/ohWvUka2B0qNkCyHpohN1Tj1
G6wF2BSBJaDfdXSC6Nt2GMkKyrkHAgMBAAGjVzBVMAsGA1UdDwQEAwIEMDATBgNV
HSUEDDAKBggrBgEFBQcDATAxBgNVHREEKjAoghMqLmV0LmxpbmRlbmJlcmcub25l
ghFldC5saW5kZW5iZXJnLm9uZTANBgkqhkiG9w0BAQsFAAOCAQEAW/AmccWT7y8q
kqWII119XuWxcb+97xrV+gaACp4eoPpdHbB3Uq74U9NdTk8SWkx9ykzOSvOhTpe+
iv4/X7PaasSrtdGHB5sm5uyPRlLNgFj+/QWako3xwynrKXDDuqBjb1YGqL8odYoU
fVG5nb51PFL9WY5aNIVbxHCh9Z+xZOSHB1iUIhw+Onif3+Q2SScDaGjYfaTsoXwt
ircLih7iaa4WtWDDuyecy9odk9O/sPmnUgOQXya4CNyEPxTfUCtldM7O4hQMev2c
QfeIe45ridt/sEBzZzRt4pHC1Ja1WhQCbVhR4y7j4FPVDw0vzx4122gP3xvvU1i4
yN321Vsi2w==
-----END CERTIFICATE-----

So is sure seems like Exim DANE with GnuTLS fails to set the TLSA base
domain as the SNI name, while the Exim with OpenSSL does take care of
that...

-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/