
TLS: Certificate signature failure -- what is the reason?

  • Tobias Reckhard
    Message 1 of 14 , Oct 21, 2013
      Hello

      In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
      to a couple of domains, I'm running into the following oddity when
      sending e-mail to the UniCredit servers:

      Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
      verification failed for mx10.unicredit.eu[62.122.80.93]:25:
      num=7:certificate signature failure

      This appears to be an OpenSSL error, at least I can find a similar error
      message on https://www.openssl.org/docs/apps/verify.html. However, I do
      not know what the actual problem is. The certificates presented by the
      MX hosts of unicreditgroup.eu (that answer) are somewhat problematic in
      that they are all completely identical and feature a CN of
      mucimgcc.internal.unicreditgroup.eu and no SubjectAltNames, which does
      not resemble the MX records. However, I'm not sure if that is the cause
      of the verification failure.

      If I store mx10's certificate to a file and the intermediary as well as
      the root CA certificate to /etc/postfix/cacerts (and create the
      necessary symlinks there with c_rehash), I can successfully use "openssl
      verify -CApath /etc/postfix/cacerts mx10.unicredit.eu.cert.pem" to
      verify it (result: mx10.unicredit.eu.cert.pem: OK)

      Can anyone offer any insights on this topic? I'm a bit puzzled.

      Regards,
      Tobias
    • Noel Jones
      Message 2 of 14 , Oct 21, 2013
        On 10/21/2013 7:55 AM, Tobias Reckhard wrote:
        > Hello
        >
        > In configuring a postfix 2.7.0 (on Ubuntu 10.04 LTS) for mandatory TLS
        > to a couple of domains, I'm running into the following oddity when
        > sending e-mail to the UniCredit servers:
        >
        > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
        > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
        > num=7:certificate signature failure
        >
        > This appears to be an OpenSSL error, at least I can find a similar error
        > message on https://www.openssl.org/docs/apps/verify.html. However, I do
        > not know what the actual problem is. The certificates presented by the
        > MX hosts of unicreditgroup.eu (that answer) are somewhat problematic in
        > that they are all completely identical and feature a CN of
        > mucimgcc.internal.unicreditgroup.eu and no SubjectAltNames, which does
        > not resemble the MX records. However, I'm not sure if that is the cause
        > of the verification failure.
        >
        > If I store mx10's certificate to a file and the intermediary as well as
        > the root CA certificate to /etc/postfix/cacerts (and create the
        > necessary symlinks there with c_rehash), I can successfully use "openssl
        > verify -CApath /etc/postfix/cacerts mx10.unicredit.eu.cert.pem" to
        > verify it (result: mx10.unicredit.eu.cert.pem: OK)
        >
        > Can anyone offer any insights on this topic? I'm a bit puzzled.
        >
        > Regards,
        > Tobias
        >


        Looks as if they use a private root CA. Probably the easiest fix is
        to use "fingerprint" verification. See:
        http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps



        -- Noel Jones
      • Viktor Dukhovni
        Message 3 of 14 , Oct 21, 2013
          On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:

          > > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
          > > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
          > > num=7:certificate signature failure
          >
          > Looks as if they use a private root CA. Probably the easiest fix is
          > to use "fingerprint" verification. See:
          > http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

          No, that would be a trust error not a signature error.

          --
          Viktor.
        • Viktor Dukhovni
          Message 4 of 14 , Oct 21, 2013
            On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:

            > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
            > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
            > num=7:certificate signature failure

            This organization uses SHA256 signatures for their certificates, even
            though these are not widely supported. The most recent patch levels
            of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned on for
            SSL/TLS. You need to upgrade to one of these, may as well be 2.10.2, but
            one of the others will suffice, see http://www.postfix.org/download.html

            $ posttls-finger -t30 -T 180 -cC -Lsummary "[62.122.80.93]:25" |
            openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
            openssl pkcs7 -print_certs -text
            Certificate:
            Data:
            Version: 3 (0x2)
            Serial Number:
            2b:b0:95:be:00:00:00:03:59:e0
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal
            Validity
            Not Before: Aug 5 14:42:54 2013 GMT
            Not After : Aug 5 14:42:54 2015 GMT
            Subject: C=IT, ST=Italy, L=n.a., O=UniCredit Business Integrated Solutions S.C.p.A., OU=US91922, CN=mucimgcc.internal.unicreditgroup.eu/emailAddress=edgesec.ubis@...
            [...]

            Certificate:
            Data:
            Version: 3 (0x2)
            Serial Number:
            61:7a:be:af:00:00:00:00:00:03
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=IT, O=UniCredit S.p.A., CN=UniCredit Root
            Validity
            Not Before: May 20 09:47:25 2011 GMT
            Not After : May 20 09:57:25 2021 GMT
            Subject: DC=EU, DC=UNICREDITGROUP, DC=root, CN=UniCredit Subordinate Internal
            [...]

            Certificate:
            Data:
            Version: 3 (0x2)
            Serial Number:
            16:de:d6:f6:72:44:10:ae:4c:91:a4:ad:a9:3a:ba:2b
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=IT, O=UniCredit S.p.A., CN=UniCredit Root
            Validity
            Not Before: Mar 10 03:33:45 2011 GMT
            Not After : Mar 10 03:39:56 2031 GMT
            Subject: C=IT, O=UniCredit S.p.A., CN=UniCredit Root
            [...]

            --
            Viktor.
          • Viktor Dukhovni
            Message 5 of 14 , Oct 21, 2013
              On Mon, Oct 21, 2013 at 03:30:46PM +0000, Viktor Dukhovni wrote:

              > On Mon, Oct 21, 2013 at 02:55:22PM +0200, Tobias Reckhard wrote:
              >
              > > Oct 21 08:43:58 <hostname> postfix/smtp[5991]: CA certificate
              > > verification failed for mx10.unicredit.eu[62.122.80.93]:25:
              > > num=7:certificate signature failure
              >
              > This organization uses SHA256 signatures for their certificates, even
              > though these are not widely supported. The most recent patch levels
              > of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned on for
              > SSL/TLS. You need to upgrade to one of these, may as well be 2.10.2, but
              > one of the others will suffice, see http://www.postfix.org/download.html

              Note, SHA256 is also enabled automatically if your OpenSSL is 1.0.0
              or later. By now, you should aim to no longer use OpenSSL 0.9.8
              when TLS security is required. Consider upgrading your systems to
              an O/S release where OpenSSL 1.0.0 or later is the default version
              of OpenSSL. Then you can use older versions of Postfix, but of
              course you'll probably end up with a more current version at the
              same time.

              OpenSSL 1.0.0 was released on 29-Mar-2010 ( https://www.openssl.org/news/ ).

              --
              Viktor.
            • Tobias Reckhard
              Message 6 of 14 , Oct 22, 2013
                Viktor Dukhovni wrote the following on 21.10.2013 17:30:
                > This organization uses SHA256 signatures for their certificates, even
                > though these are not widely supported.

                Ah, OK, thanks for the explanation.

                > The most recent patch levels
                > of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned on for
                > SSL/TLS.

                postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've
                suggested upgrading to that, since it should be rather painless.
                Persuading the decision makers to upgrade the OS will be somewhat more
                difficult.

                > You need to upgrade to one of these, may as well be 2.10.2, but
                > one of the others will suffice, see http://www.postfix.org/download.html

                Thanks for the suggestion. We prefer to stick with packaged and
                supported software where possible, though, as is probably the case in
                many corporate settings. Not my decision to make. But I do very much
                appreciate your suggestions, don't get me wrong. :)

                Cheers,
                Tobias
              • Tobias Reckhard
                Message 7 of 14 , Oct 22, 2013
                  Viktor Dukhovni wrote the following on 21.10.2013 17:21:
                  > On Mon, Oct 21, 2013 at 10:07:13AM -0500, Noel Jones wrote:
                  >> Looks as if they use a private root CA. Probably the easiest fix is
                  >> to use "fingerprint" verification. See:
                  >> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
                  >
                  > No, that would be a trust error not a signature error.

                  I've already got one fingerprint and one verify policy in place on the
                  system in question, and I hadn't run across this error in my trial and
                  error effort involved in getting those working. Yes, they do use a
                  private root CA, but the MX hosts present the connecting client with the
                  entire certificate chain, so that is not the problem.

                  Maybe fingerprinting would work, though. I'll give it a shot on a test
                  system. Thanks for the suggestion.

                  Cheers,
                  Tobias
                • Viktor Dukhovni
                  Message 8 of 14 , Oct 22, 2013
                    On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:

                    > Maybe fingerprinting would work, though. I'll give it a shot on a test
                    > system. Thanks for the suggestion.

                    Fingerprinting the leaf certificate will work until the next time
                    they deploy a new leaf certificate without notifying you in advance.
                    This is because fingerprint security does not rely on a valid chain
                    of signatures from a trusted root, but does depend on matching the
                    exact certificate or public key.

                    --
                    Viktor.
                  • Viktor Dukhovni
                    Message 9 of 14 , Oct 22, 2013
                      On Tue, Oct 22, 2013 at 11:01:22AM +0200, Tobias Reckhard wrote:

                      > > The most recent patch levels
                      > > of Postfix 2.7, 2.8, 2.9 and 2.10 have support for SHA256 turned on for
                      > > SSL/TLS.
                      >
                      > postfix 2.8.5 is available as a backport for Ubuntu 10.04 LTS. I've
                      > suggested upgrading to that, since it should be rather painless.
                      > Persuading the decision makers to upgrade the OS will be somewhat more
                      > difficult.

                      It needs to be a sufficiently high patch level (at this time the
                      latest for the four supported official releases):

                      * >= 2.7.15, or
                      * >= 2.8.16, or
                      * >= 2.9.8, or
                      * >= 2.10.2, or
                      * >= 2.11-20130616

                      I don't know what is actually in Ubuntu's "2.8.5", they may keep
                      the .deb package name fixed, while applying patches from later
                      Postfix releases. Ideally "postconf mail_version" will not lie.

                      --
                      Viktor.
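
The diagnosis in the messages above (num=7 is a signature failure rather than a trust failure, and the remedy depends on the Postfix patch level or on OpenSSL 1.0.0 or later) can be scripted for log triage. This is an added example, not code from the thread or from Postfix; the function names, the advice labels, the second log line and the handling of releases outside the listed branches are assumptions.

```python
import re

# Minimum patch level per stable branch, from the list in the message above.
MIN_PATCH = {(2, 7): 15, (2, 8): 16, (2, 9): 8, (2, 10): 2}
MIN_SNAPSHOT_2_11 = 20130616

# OpenSSL verify result codes.
SIGNATURE_CODES = {7}               # certificate signature failure
TRUST_CODES = {2, 18, 19, 20, 21}   # issuer not found, self-signed, chain not anchored

LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: CA certificate verification failed for "
    r"(?P<peer>\S+): num=(?P<num>\d+):(?P<text>.*)$"
)

# First line: the one quoted in the thread, joined onto one line, host name constructed.
# Second line: constructed sample of a trust failure.
THREAD_LINE = ("Oct 21 08:43:58 relay postfix/smtp[5991]: CA certificate "
               "verification failed for mx10.unicredit.eu[62.122.80.93]:25: "
               "num=7:certificate signature failure")
TRUST_LINE = ("Oct 21 08:44:10 relay postfix/smtp[5992]: CA certificate "
              "verification failed for mx.example.test[192.0.2.25]:25: "
              "num=19:self signed certificate in certificate chain")


def classify(line):
    """Return (peer, num, kind) for a verification-failure line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    num = int(m.group("num"))
    if num in SIGNATURE_CODES:
        kind = "signature"
    elif num in TRUST_CODES:
        kind = "trust"
    else:
        kind = "other"
    return m.group("peer"), num, kind


def postfix_has_sha256(mail_version):
    """True if `postconf mail_version` is at or above the listed patch levels."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+)|-(\d{8}))?", mail_version.strip())
    if m is None:
        raise ValueError("unrecognised mail_version: %r" % mail_version)
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) else 0
    snapshot = int(m.group(4)) if m.group(4) else None
    if branch in MIN_PATCH:
        # Assumption: a dated snapshot of a listed stable branch predates the fix.
        return snapshot is None and patch >= MIN_PATCH[branch]
    if branch == (2, 11):
        return snapshot is None or snapshot >= MIN_SNAPSHOT_2_11
    # Assumption: branches older than 2.7 lack the change, newer ones have it.
    return branch > (2, 11)


def openssl_at_least_1_0_0(version):
    """Compare the leading numeric triple of an OpenSSL version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return tuple(int(x) for x in m.groups()) >= (1, 0, 0)


def advise(line, mail_version, openssl_version):
    """Map one log line plus local versions to a next step (labels are ours)."""
    hit = classify(line)
    if hit is None:
        return "no-match"
    _, _, kind = hit
    if kind == "trust":
        return "fix-trust-anchor-or-pin"
    if kind == "signature":
        if postfix_has_sha256(mail_version) or openssl_at_least_1_0_0(openssl_version):
            return "inspect-chain"       # SHA256 already usable, look elsewhere
        return "upgrade-for-sha256"
    return "look-up-verify-code"


if __name__ == "__main__":
    for sample in (THREAD_LINE, TRUST_LINE):
        print(classify(sample), advise(sample, "2.7.0", "0.9.8"))
```
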
                    • Wietse Venema
                      Message 10 of 14 , Oct 22, 2013
                        Viktor Dukhovni:
                        > On Tue, Oct 22, 2013 at 11:07:07AM +0200, Tobias Reckhard wrote:
                        >
                        > > Maybe fingerprinting would work, though. I'll give it a shot on a test
                        > > system. Thanks for the suggestion.
                        >
                        > Fingerprinting the leaf certificate will work until the next time
                        > they deploy a new leaf certificate without notifying you in advance.
                        > This is because fingerprint security does not rely on a valid chain
                        > of signatures from a trusted root, but does depend on matching the
                        > exact certificate or public key.

                        Presumably, this would not be a problem with public-key fingerprints
                        until they change the key itself.

                        Wietse
                      • Viktor Dukhovni
                        Message 11 of 14 , Oct 22, 2013
                          On Tue, Oct 22, 2013 at 10:58:46AM -0400, Wietse Venema wrote:

                          > > Fingerprinting the leaf certificate will work until the next time
                          > > they deploy a new leaf certificate without notifying you in advance.
                          > > This is because fingerprint security does not rely on a valid chain
                          > > of signatures from a trusted root, but does depend on matching the
                          > > exact certificate or public key.
                          >
                          > Presumably, this would not be a problem with public-key fingerprints
                          > until they change the key itself.

                          Yes, as documented:

                          http://www.postfix.org/TLS_README.html#client_tls_fprint

                          with instructions on how to extract public key digests from X.509
                          certs also at:

                          http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest

                          --
                          Viktor.
                        • Viktor Dukhovni
                          Message 12 of 14 , Oct 23, 2013
                            On Wed, Oct 23, 2013 at 09:39:36AM +0200, Tobias Reckhard wrote:

                            > > with instructions on how to extract public key digests from X.509
                            > > certs also at:
                            > >
                            > > http://www.postfix.org/postconf.5.html#smtp_tls_fingerprint_digest
                            >
                            > Those instructions had me confused a bit, I think I now see why. I'd
                            > used the concatenation of "openssl x509 ... | openssl rsa ... | openssl
                            > dgst ..." to compute the fingerprint at first, which resulted in a
                            > mismatch when connecting to the server in question.

                            If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
                            fingerprints, or upgrade to 2.9.6 or later. Support for public
                            key fingerprints was added in Postfix 2.9, but was using the wrong
                            public key digest function until 2.9.6.

                            > Since then I've noticed that the
                            > documentation does state that the computation of the fingerprint changed
                            > with Postfix 2.9, I'd missed that bit previously. I probably had read
                            > the sentence about certificate fingerprint verification being available
                            > since Postfix 2.5, and public-key fingerprints being supported since
                            > Postfix 2.9, but obviously I hadn't taken them to be mutually exclusive.

                            They are not mutually exclusive. With 2.9.6 you can use either
                            correctly computed certificate fingerprints or correctly computed
                            public key fingerprints. With anything earlier you get only
                            correctly computed certificate fingerprints, and with 2.9.0--2.9.5
                            broken support for public key fingerprints.

                            > BTW, are there any plans for the Postfix TLS code to support CRL and/or
                            > OCSP checks?

                            Not at this time.

                            --
                            Viktor.
                          • Tobias Reckhard
                            Message 13 of 14 , Oct 23, 2013
                              Viktor Dukhovni wrote the following on 23.10.2013 16:23:
                              > If your Postfix version is 2.9.0--2.9.5 DO NOT USE public key
                              > fingerprints, or upgrade to 2.9.6 or later.

                              That wasn't the problem, the documentation is quite clear in this
                              regard. I mistakenly used the public key instructions for a pre-2.9
                              version of postfix.

                              > Support for public key fingerprints was added in Postfix 2.9, ...

                              This is stated at the beginning of the section dealing with
                              fingerprints. Further down, where the actual openssl commands are noted,
                              there is no such note. I'm not saying there should be one there, but had
                              there been one, I probably wouldn't have picked the wrong set of commands.

                              >> [...] certificate fingerprint [...] and public-key fingerprints being
                              >> [...] mutually exclusive.
                              >
                              > They are not mutually exclusive.

                              Ah, OK, thanks for the clarification.

                              Regards,
                              Tobias
                            • Viktor Dukhovni
                              Message 14 of 14 , Oct 24, 2013
                                On Thu, Oct 24, 2013 at 07:59:46AM +0200, Tobias Reckhard wrote:

                                > > Support for public key fingerprints was added in Postfix 2.9, ...
                                >
                                > This is stated at the beginning of the section dealing with
                                > fingerprints. Further down, where the actual openssl commands are noted,
                                > there is no such note. I'm not saying there should be one there, but had
                                > there been one, I probably wouldn't have picked the wrong set of commands.

                                I'll keep that in mind for the next documentation review. You can
                                submit documentation patches (as I was recently reminded, after
                                passing the final documents through an HTML validator).

                                > >> [...] certificate fingerprint [...] and public-key fingerprints being
                                > >> [...] mutually exclusive.
                                > >
                                > > They are not mutually exclusive.
                                >
                                > Ah, OK, thanks for the clarification.

                                That is, a "match=..." attribute in a tls policy table fingerprint
                                entry will match either the peer public key or the peer certificate.

                                Assuming that 2nd-preimage attacks on your digest function are
                                computationally infeasible (still true IIRC even for md5), there
                                is no risk of confusion. An attacker should not be able to
                                independently construct a certificate with the same digest as a
                                given public key or a public key with the same digest as a given
                                certificate. All known collision attacks against md5 are I believe
                                extension attacks where two messages are built with a common prefix.

                                --
                                Viktor.
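
The difference between certificate and public-key fingerprints discussed in messages 8 to 14 is shown below: a reissued leaf certificate breaks a certificate pin, while a public-key pin survives until the key itself changes. This is an added example, not code from the thread or from Postfix. The certificates are constructed DER structures with placeholder key and signature bytes, and all function names are assumptions. The public-key digest is taken over the DER SubjectPublicKeyInfo, and the digest name must match the one configured in smtp_tls_fingerprint_digest.

```python
import base64
import hashlib


def der(tag, body):
    """Encode one DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, length = pos + 2, first
    else:
        n = first & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + length


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo (header included) of a certificate."""
    tag, start, end = read_tlv(cert_der, 0)            # Certificate
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER certificate")
    tag, pos, tbs_end = read_tlv(cert_der, start)       # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = []
    while pos < tbs_end:
        tag, _, nxt = read_tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:nxt]))
        pos = nxt
    if fields and fields[0][0] == 0xA0:                 # [0] version, absent in v1
        fields = fields[1:]
    # Remaining order: serial, signature, issuer, validity, subject, SPKI.
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]


def fingerprint(data, digest="sha1"):
    h = hashlib.new(digest, data).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cert_fingerprint(cert_der, digest="sha1"):
    return fingerprint(cert_der, digest)


def pkey_fingerprint(cert_der, digest="sha1"):
    return fingerprint(extract_spki(cert_der), digest)


def pin_matches(cert_der, pins, digest="sha1"):
    """A pin may match either digest, as described for match= in message 14."""
    wanted = {p.upper() for p in pins}
    if cert_fingerprint(cert_der, digest) in wanted:
        return "certificate"
    if pkey_fingerprint(cert_der, digest) in wanted:
        return "public key"
    return None


def pem_to_der(pem):
    body = pem.split("-----BEGIN CERTIFICATE-----")[1]
    body = body.split("-----END CERTIFICATE-----")[0]
    return base64.b64decode("".join(body.split()))


# --- constructed sample data: structurally X.509, not cryptographically valid ---
def make_spki(seed):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + seed * 16))


def make_cert(serial, not_after, spki):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"mx.example.test"))
    name = der(0x30, der(0x31, cn))
    validity = der(0x30, der(0x17, b"130805144254Z") + der(0x17, not_after))
    number = serial.to_bytes((serial.bit_length() + 8) // 8, "big")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, number)
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x5a" * 32))


KEY_A, KEY_B = make_spki(b"\x11\x22"), make_spki(b"\x33\x44")
OLD = make_cert(0x1001, b"150805144254Z", KEY_A)       # pinned leaf
RENEWED = make_cert(0x1002, b"170805144254Z", KEY_A)   # reissued, same key
REKEYED = make_cert(0x1003, b"170805144254Z", KEY_B)   # reissued, new key
```

To pin a real server, pass its PEM certificate through `pem_to_der` first; per message 12, public-key pins need Postfix 2.9.6 or later.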