Mailing List Archive: exim: users

outgoing TLS - verifying certificates

wbreyha at gmx

Jul 22, 2013, 8:45 AM

Post #1 of 9
outgoing TLS - verifying certificates

Hi!

I recently changed our configuration to verify SSL certificates.

I recognized that this changed the behaviour of exim on outgoing connections.
If verification fails it cancels the connection and sends it on a clear
channel. The only way to avoid that is to set host_require_tls = *. But this
means that there is no fallback then.

I primarily activated verification to be able to log that part of information.
But since I can't get the same behaviour as without verification I think I have
to deactivate it again since I care more about encryption on the wire. Or is
there something I missed in the documentation of the smtp transport?

In case I didn't, wouldn't it be practical to be able to encrypt even if
verification fails on outgoing delivery?

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


exim-users at spodhuis

Jul 22, 2013, 9:07 AM

Post #2 of 9
Re: outgoing TLS - verifying certificates

On 2013-07-22 at 17:45 +0200, Wolfgang Breyha wrote:
> I recently changed our configuration to verify SSL certificates.
>
> I recognized that this changed the behaviour of exim on outgoing connections.
> If verification fails it cancels the connection and sends it on a clear
> channel. The only way to avoid that is to set host_require_tls = *. But this
> means that there is no fallback then.
>
> I primarily activated verification to be able to log that part of information.
> But since I can't get the same behaviour as without verification I think I have
> to deactivate it again since I care more about encryption on the wire. Or is
> there something I missed in the documentation of the smtp transport?

Not that I know of; I wanted to do the same thing, a while back, haven't
fixed it yet. Really, want tls_try_verify_hosts for Exim-as-client, not
just Exim-as-server.

> In case I didn't, wouldn't it be practical to be able to encrypt even if
> verification fails on outgoing delivery?

Yes, especially since Exim is only validating the certificate chain, not
the claimed hostname.



wbreyha at gmx

Jul 22, 2013, 11:15 AM

Post #3 of 9
Re: outgoing TLS - verifying certificates

On 2013-07-22 18:07, Phil Pennock wrote:
> Yes, especially since Exim is only validating the certificate chain, not
> the claimed hostname.

Both tls-gnutls.c and tls-openssl.c look well prepared looking at
tls_client_start(), right? openssl needs a TRUE as last parameter for
setup_certs() and gnutls needs "some" more if statements to implement a
try_verify. Should I try my luck?

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria



jgh at wizmail

Jul 22, 2013, 11:37 AM

Post #4 of 9
Re: outgoing TLS - verifying certificates

On 22/07/13 19:15, Wolfgang Breyha wrote:
> On 2013-07-22 18:07, Phil Pennock wrote:
>> Yes, especially since Exim is only validating the certificate chain, not
>> the claimed hostname.
>
> Both tls-gnutls.c and tls-openssl.c look well prepared looking at
> tls_client_start(), right? openssl needs a TRUE as last parameter for
> setup_certs() and gnutls needs "some" more if statements to implement a
> try_verify. Should I try my luck?

Yes! More developers can only be a good thing.
--
Cheers,
Jeremy





wbreyha at gmx

Jul 22, 2013, 3:49 PM

Post #5 of 9
Re: outgoing TLS - verifying certificates

On 2013-07-22 20:37, Jeremy Harris wrote:
> Yes! More developers can only be a good thing.

http://bugs.exim.org/show_bug.cgi?id=1371

I hope I got it right;-)

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria



jgh at wizmail

Jul 22, 2013, 4:15 PM

Post #6 of 9
Re: outgoing TLS - verifying certificates

On 07/22/2013 11:49 PM, Wolfgang Breyha wrote:
> On 2013-07-22 20:37, Jeremy Harris wrote:
>> Yes! More developers can only be a good thing.
>
> http://bugs.exim.org/show_bug.cgi?id=1371

[we should probably move from exim-users to exim-dev]

Will existing configs which merely set tls_verify_certificates
be disabled or still operate? That is, is the change back-compatible?

Can I interest you in adding to the twisty little passages of the test suite?
--
Cheers,
Jeremy




wbreyha at gmx

Jul 23, 2013, 5:07 AM

Post #7 of 9
Re: outgoing TLS - verifying certificates

Jeremy Harris wrote, on 23.07.2013 01:15:
> [we should probably move from exim-users to exim-dev]

Sure. Only wanted to set a pointer to my patch in case someone (fearless
enough;-) ) wants to try it upfront.

> Will existing configs which merely set tls_verify_certificates
> be disabled or still operate? That is, is the change back-compatible?

There currently is no "tls_verify_certificates" for smtp transport. Only
"tls_certificates" which triggers the same behavior as setting
"tls_verify_hosts = *" in the global section.

As said in the bug report, it will still work, yes. But not in the same way as
before. I tried to bring global config and transport config on par.

Setting tls_certificates only will not activate verification anymore (as in
the main section). This means that exim will keep the SSL session alive even
if verification would fail. To get the same result as before "tls_verify_hosts
= *" must be added to the smtp_transport as well.

> Can I interest you in adding to the twisty little passages of the test suite?

Sorry, I still had no opportunity to dig into the world of the test suite. Due
to my upcoming (offline) holidays I think I'm not able to contribute in a
timely manner.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria


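An added example, not from the thread or from the Exim project, of the two transport configurations this thread contrasts: the verify-or-fall-back-to-cleartext behaviour the original poster describes, beside the try-verify behaviour being asked for. It assumes the smtp transport options tls_try_verify_hosts and tls_verify_hosts (Exim 4.82 and later) and tls_verify_cert_hostnames (4.83 and later, covering the hostname check Phil mentions); the CA bundle path and partner host are placeholders.

```conf
# Added example (assumes Exim 4.82+ for tls_try_verify_hosts/tls_verify_hosts
# on the transport and 4.83+ for tls_verify_cert_hostnames). CA path and
# partner host below are placeholders, not values from the thread.

# --- main section: make the verification outcome visible in the delivery
# log line (CV=yes/CV=no), which is what the original poster wanted to record.
log_selector = +tls_certificate_verified +tls_cipher +tls_peerdn

begin transports

# BEFORE: verification is switched on merely by tls_verify_certificates.
# A chain that does not verify drops the TLS session and the message goes
# out again on a clear channel. Insisting on TLS removes the cleartext
# fallback but then makes delivery fail outright on a verify failure.
remote_smtp_verify_or_cleartext:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-bundle.crt   # placeholder path
  # hosts_require_tls = *    # uncomment to refuse the cleartext fallback

# AFTER: opportunistic encryption is kept for everyone, verification is
# attempted and logged, and only named partners must verify.
remote_smtp_try_verify:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-bundle.crt   # placeholder path
  # Try to verify every host; an unverifiable chain keeps the encrypted
  # session instead of falling back to cleartext.
  tls_try_verify_hosts = *
  # These hosts must verify (chain and name) or delivery is deferred.
  tls_verify_hosts = mx.partner.example   # placeholder host
  # Check the certificate name against the host as well; plain chain
  # verification alone does not do this.
  tls_verify_cert_hostnames = *
```

In a deployed config only one of the two transports would be referenced from the router; both are shown here so the difference in settings is side by side.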


wbreyha at gmx

Jul 23, 2013, 6:59 AM

Post #8 of 9
Re: outgoing TLS - verifying certificates

Wolfgang Breyha wrote, on 23.07.2013 14:07:
> There currently is no "tls_verify_certificates" for smtp transport. Only
> "tls_certificates" which triggers the same behavior as setting
> "tls_verify_hosts = *" in the global section.

Sorry, I was terribly wrong about that. It is "tls_verify_certificates"
actually. I didn't really recognize that difference until now;-)

On the other hand that means that maybe it's possible to only deprecate it
while keeping the functionality for backward compatibility.

I will add "tls_certificates" as well.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria




wbreyha at gmx

Jul 23, 2013, 7:11 AM

Post #9 of 9
Re: outgoing TLS - verifying certificates

Wolfgang Breyha wrote, on 23.07.2013 15:59:
> On the other hand that means that maybe it's possible to only deprecate it
> while keeping the functionality for backward compatibility.
>
> I will add "tls_certificates" as well.

*sigh* it's too hot, sorry... it's "tls_verify_certificates" everywhere;-) So,
deprecating it is no option.

But all I said about the nonexistent "tls_certificates" first goes for
"tls_verify_certificates" as well.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha [at] gmx> | http://www.blafasel.at/
Vienna University Computer Center | Austria

