NetBSD Problem Report #52918

From hf@Bounce.nt.e-technik.tu-darmstadt.de  Thu Jan 11 14:48:45 2018
Return-Path: <hf@Bounce.nt.e-technik.tu-darmstadt.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 277647A16F
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 11 Jan 2018 14:48:45 +0000 (UTC)
Message-Id: <201801111444.w0BEiRgv005416@Bounce.nt.e-technik.tu-darmstadt.de>
Date: Thu, 11 Jan 2018 15:44:27 +0100 (CET)
From: Hauke Fath <hf@spg.tu-darmstadt.de>
Reply-To: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: Hauke Fath <hf@spg.tu-darmstadt.de>
Subject: mail/dovecot does not supply intermediate CA certs 
X-Send-Pr-Version: 3.95

>Number:         52918
>Category:       pkg
>Synopsis:       mail/dovecot does not supply intermediate CA certs
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jan 11 14:50:00 +0000 2018
>Last-Modified:  Thu Jan 11 18:50:01 +0000 2018
>Originator:     Hauke Fath
>Release:        NetBSD 7.1_STABLE
>Organization:
Technische Universitaet Darmstadt
>Environment:


System: NetBSD Bounce 7.1_STABLE NetBSD 7.1_STABLE (DMZ_DOMU) #2: Thu Jan 4 11:54:10 CET 2018 hf@Hochstuhl:/var/obj/netbsd-builds/7/amd64/sys/arch/amd64/compile/DMZ_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:

	The new mail/dovecot2 v2.3.0 fails to supply clients with
	configured intermediate CA TLS certificates. This is a
	regression from v2.2.33.2.



>How-To-Repeat:

	With the following TLS setup

ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

	an s_client call against 2.3.0 will give

% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
   i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca@hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%

	and clients will complain about an unverifiable server cert.

	The same configuration works fine with 2.2.x.


>Fix:

	I have reported the problem upstream; the question is whether
	the package should be rolled back until they provide a fix.

	We have rolled back the local installation for now.


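The symptom in the How-To-Repeat above (a single served certificate, verify errors 20 and 21) can be checked mechanically. The following is an added example, not part of PR 52918 or of Dovecot: a POSIX shell function that parses an `openssl s_client` transcript from stdin and reports whether the server delivered its intermediates; the host name and the two sample transcripts are constructed placeholders, and for a live check you would pipe `openssl s_client -connect host:993 </dev/null` into it.

```shell
# Added example (not part of PR 52918 or of Dovecot): read an `openssl s_client`
# transcript on stdin, parse its "Certificate chain" section and report whether
# the server delivered its intermediate CA certificate(s). Exit 0 only if ok.
chain_check() {
    awk '
        BEGIN { n = 0; verr = 0; inchain = 0 }
        /^Certificate chain/      { inchain = 1; next }
        inchain && /^---/         { inchain = 0 }
        inchain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        inchain && /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; n++ }
        /verify error:num=(20|21):/ { verr = 1 }
        END {
            if (n == 0) { print "no certificate chain in input"; exit 2 }
            # Each issuer must be the subject of the next certificate sent.
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) { print "chain broken after depth " k; exit 1 }
            # A single, not self-signed certificate is the PR symptom: no intermediates.
            if (n == 1 && iss[0] != subj[0]) {
                print "leaf only: server sent no intermediate CA certificate"; exit 1
            }
            if (verr) { print "chain sent, but its root is not in the local trust store"; exit 1 }
            print "chain of " n " certificate(s) ok"
        }'
}

# Constructed transcript in the shape of the PR output (placeholder names).
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
depth=0 C = DE, O = Example, CN = imap.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DE/O=Example/CN=imap.example.test
   i:/C=DE/O=Example/CN=Example Intermediate CA
---
Server certificate'

# Same server after the intermediate was bundled into ssl_cert (constructed).
SAMPLE_WITH_CHAIN='---
Certificate chain
 0 s:/C=DE/O=Example/CN=imap.example.test
   i:/C=DE/O=Example/CN=Example Intermediate CA
 1 s:/C=DE/O=Example/CN=Example Intermediate CA
   i:/C=DE/O=Example/CN=Example Root CA
---'

for s in "$SAMPLE_LEAF_ONLY" "$SAMPLE_WITH_CHAIN"; do
    printf '%s\n' "$s" | chain_check || echo "  (exit $?: fix the served chain)"
done
```

A non-zero exit means the served chain needs attention; after concatenating the intermediate certificate(s) into the ssl_cert file, rerunning the check on a fresh transcript should report the full chain.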

>Audit-Trail:
From: Filip Hajny <filip@joyent.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 17:20:50 +0100

 > ssl_cert = </etc/openssl/certs/server.cert
 > ssl_key = </etc/openssl/private/server.key
 > ssl_ca = </etc/openssl/certs/ca-cert-chain.pem

 The way I understand the docs, ssl_ca was intended for client
 certificate authentication only. In my years-old config file, I still
 have the original upstream comment that says

 "PEM encoded trusted certificate authority. Set this only if you intend
 to use ssl_verify_client_cert=yes."

 And I have always bundled my CA intermediate certificates with the one
 specified using ssl_cert, because that worked for me in the past.

 I'd wait for a confirmation from upstream, it doesn't feel like a reason
 to roll back though.

 -F

From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, filip@joyent.com
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 19:25:19 +0100

 On Thu, 11 Jan 2018 16:25:00 +0000 (UTC), Filip Hajny wrote:
 > The way I understand the docs, ssl_ca was intended for client
 > certificate authentication only.

 Upstream's docs appear to be on your side:
 <https://wiki.dovecot.org/SSL/DovecotConfiguration>

 > And I have always bundled my CA intermediate certificates with the one
 > specified using ssl_cert, because that worked for me in the past.

 If that indeed (still) works (I did not check, but rolled back), there
 is no need for a roll-back.

 Still, the option used to work for chained server CA certs, and it
 doesn't any more on 2.3.

 Cheerio,
 hauke

 -- 
      The ASCII Ribbon Campaign                    Hauke Fath
 ()     No HTML/RTF in email            Institut für Nachrichtentechnik
 /\     No Word docs in email                     TU Darmstadt
      Respect for open standards              Ruf +49-6151-16-21344

From: Filip Hajny <filip@joyent.com>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 19:45:13 +0100

 > 11. 1. 2018 v 19:25, Hauke Fath <hf@spg.tu-darmstadt.de>:
 > 
 > On Thu, 11 Jan 2018 16:25:00 +0000 (UTC), Filip Hajny wrote:
 >> The way I understand the docs, ssl_ca was intended for client
 >> certificate authentication only.
 > 
 > Upstream's docs appear to be on your side:
 > <https://wiki.dovecot.org/SSL/DovecotConfiguration>
 > 
 >> And I have always bundled my CA intermediate certificates with the one
 >> specified using ssl_cert, because that worked for me in the past.
 > 
 > If that indeed (still) works (I did not check, but rolled back), there
 > is no need for a roll-back.

 I have not checked in 2.3.0, but that is what upstream suggested
 in your bug report.

 > Still, the option used to work for chained server CA certs, and it=20
 > doesn't any more on 2.3.

 I understood that part.

 -F

>Unformatted:
