NetBSD Problem Report #52918
From hf@Bounce.nt.e-technik.tu-darmstadt.de Thu Jan 11 14:48:45 2018
Return-Path: <hf@Bounce.nt.e-technik.tu-darmstadt.de>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 277647A16F
for <gnats-bugs@gnats.NetBSD.org>; Thu, 11 Jan 2018 14:48:45 +0000 (UTC)
Message-Id: <201801111444.w0BEiRgv005416@Bounce.nt.e-technik.tu-darmstadt.de>
Date: Thu, 11 Jan 2018 15:44:27 +0100 (CET)
From: Hauke Fath <hf@spg.tu-darmstadt.de>
Reply-To: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: Hauke Fath <hf@spg.tu-darmstadt.de>
Subject: mail/dovecot does not supply intermediate CA certs
X-Send-Pr-Version: 3.95
>Number: 52918
>Category: pkg
>Synopsis: mail/dovecot does not supply intermediate CA certs
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jan 11 14:50:00 +0000 2018
>Last-Modified: Thu Jan 11 18:50:01 +0000 2018
>Originator: Hauke Fath
>Release: NetBSD 7.1_STABLE
>Organization:
Technische Universitaet Darmstadt
>Environment:
System: NetBSD Bounce 7.1_STABLE NetBSD 7.1_STABLE (DMZ_DOMU) #2: Thu Jan 4 11:54:10 CET 2018 hf@Hochstuhl:/var/obj/netbsd-builds/7/amd64/sys/arch/amd64/compile/DMZ_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
The new mail/dovecot2 v2.3.0 fails to supply clients with
configured intermediate CA TLS certificates. This is a
regression from 2.2.33.2.
>How-To-Repeat:
With the following TLS setup
ssl_cert = </etc/openssl/certs/server.cert
ssl_key = </etc/openssl/private/server.key
ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
an s_client call against 2.3.0 will give
% openssl s_client -connect XXX:993
CONNECTED(00000006)
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = DE, ST = Hessen, L = Darmstadt, O = Technische Universitaet Darmstadt, OU = XXX, CN = XXX.tu-darmstadt.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/OU=XXX/CN=XXX.tu-darmstadt.de
i:/C=DE/ST=Hessen/L=Darmstadt/O=Technische Universitaet Darmstadt/CN=TUD CA G01/emailAddress=tud-ca@hrz.tu-darmstadt.de
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
%
and clients will complain about an unverifiable server cert.
The same configuration works fine with 2.2.x.
>Fix:
I have reported the problem upstream; the question is whether
the package should be rolled back until they provide a fix.
We have rolled back the local installation for now.
>Audit-Trail:
From: Filip Hajny <filip@joyent.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 17:20:50 +0100
> ssl_cert = </etc/openssl/certs/server.cert
> ssl_key = </etc/openssl/private/server.key
> ssl_ca = </etc/openssl/certs/ca-cert-chain.pem
The way I understand the docs, ssl_ca was intended for client
certificate authentication only. In my years-old config file, I still
have the original upstream comment that says
"PEM encoded trusted certificate authority. Set this only if you intend
to use ssl_verify_client_cert=yes."
And I have always bundled my CA intermediate certificates with the one
specified using ssl_cert, because that worked for me in the past.
I'd wait for a confirmation from upstream, it doesn't
feel like a reason to roll back though.
-F
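The failure shown in the report's s_client output, and the bundling workaround Filip describes, as an added Go example that is not part of this PR or of Dovecot: it builds a constructed root -> intermediate -> leaf PKI in memory and plays a client that trusts only the root, once against a server sending just the leaf and once against the leaf with its intermediate appended, the way a bundled ssl_cert file would be served. The function names, the test CA names and the host imap.example.test are the example's own assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn signed by parent (self-signed when parent is nil).
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root: template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// chainVerifies plays a client trusting only root that receives exactly what the server sends: leaf first, then intermediates.
func chainVerifies(served []byte, root *x509.Certificate) bool {
	first, rest := pem.Decode(served)
	if first == nil {
		return false
	}
	leaf, err := x509.ParseCertificate(first.Bytes)
	if err == nil {
		inter, roots := x509.NewCertPool(), x509.NewCertPool()
		roots.AddCert(root)
		inter.AppendCertsFromPEM(rest) // whatever follows the leaf in the file is offered as intermediates
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	}
	return err == nil
}
// ServedChainOK reports whether the client verifies the leaf when served alone, and when its intermediate is appended.
func ServedChainOK() (leafOnly, bundled bool) {
	root, rootKey, _ := mkCert("Test Root CA", true, nil, nil)
	inter, interKey, interPEM := mkCert("Test Intermediate CA", true, root, rootKey)
	_, _, leafPEM := mkCert("imap.example.test", false, inter, interKey)
	bundle := append(append([]byte(nil), leafPEM...), interPEM...) // ssl_cert file contents: leaf, then intermediate
	return chainVerifies(leafPEM, root), chainVerifies(bundle, root)
}
```

The leaf-only case is the "unable to get local issuer certificate" the report shows; the bundled case is what a client sees when the intermediate is concatenated after the server certificate in the ssl_cert file, which is the order OpenSSL expects for a chain file.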
From: Hauke Fath <hf@spg.tu-darmstadt.de>
To: gnats-bugs@NetBSD.org
Cc: pkg-manager@netbsd.org, gnats-admin@netbsd.org, filip@joyent.com
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 19:25:19 +0100
On Thu, 11 Jan 2018 16:25:00 +0000 (UTC), Filip Hajny wrote:
> The way I understand the docs, ssl_ca was intended for client
> certificate authentication only.
Upstream's docs appear to be on your side:
<https://wiki.dovecot.org/SSL/DovecotConfiguration>
> And I have always bundled my CA intermediate certificates with the one
> specified using ssl_cert, because that worked for me in the past.
If that indeed (still) works (I did not check, but rolled back), there
is no need for a roll-back.
Still, the option used to work for chained server CA certs, and it
doesn't any more on 2.3.
Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344
From: Filip Hajny <filip@joyent.com>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: pkg/52918: mail/dovecot does not supply intermediate CA certs
Date: Thu, 11 Jan 2018 19:45:13 +0100
> 11. 1. 2018 v 19:25, Hauke Fath <hf@spg.tu-darmstadt.de>:
>
> On Thu, 11 Jan 2018 16:25:00 +0000 (UTC), Filip Hajny wrote:
>> The way I understand the docs, ssl_ca was intended for client
>> certificate authentication only.
>
> Upstream's docs appear to be on your side:
> <https://wiki.dovecot.org/SSL/DovecotConfiguration>
>
>> And I have always bundled my CA intermediate certificates with the one
>> specified using ssl_cert, because that worked for me in the past.
>
> If that indeed (still) works (I did not check, but rolled back), there
> is no need for a roll-back.
I have not checked in 2.3.0, but that is what upstream suggested
in your bug report.
> Still, the option used to work for chained server CA certs, and it
> doesn't any more on 2.3.
I understood that part.
-F
>Unformatted: