From: Jeremy Harris Date: Thu, 6 Nov 2014 21:22:18 +0000 (+0000) Subject: EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host X-Git-Tag: exim-4_85_RC1~8 X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=commitdiff_plain;h=a320fabd09f43c02c869c90a5a5a70a49dd77f89 EXPERIMENTAL_CERTNAMES: Hostlist for cert name checks should match host connected-to, not be list of acceptable names. The name checked is the host name. --- diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 266e19891..f6529c6e2 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1154,14 +1154,17 @@ support to date has not made these checks. If built with EXPERIMENTAL_CERTNAMES defined, code is included to do so for server certificates, and a new smtp transport option -"tls_verify_cert_hostnames" supported which takes a list of -names for which the additional checks must be made. +"tls_verify_cert_hostnames" supported which takes a hostlist +which must match the target host for the additional checks must be made. The option currently defaults to empty, but this may change in the future. "*" is probably a suitable value. Whether certificate verification is done at all, and the result of it failing, is stll under the control of "tls_verify_hosts" nad "tls_try_verify_hosts". +The name being checked is that for the host, generally +the result of an MX lookup. + Both Subject and Subject-Alternate-Name certificate fields are supported, as are wildcard certificates (limited to a single wildcard being the initial component of a 3-or-more diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 04de02d74..093b3a375 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c 
@@ -1846,17 +1846,13 @@ if (( state->exp_tls_verify_certificates ) { #ifdef EXPERIMENTAL_CERTNAMES - if (ob->tls_verify_cert_hostnames) + if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK) { DEBUG(D_tls) debug_printf("TLS: server cert incl. hostname verification required.\n"); state->verify_requirement = VERIFY_WITHHOST; - if (!expand_check(ob->tls_verify_cert_hostnames, - US"tls_verify_cert_hostnames", - &state->exp_tls_verify_cert_hostnames)) - return FAIL; - if (state->exp_tls_verify_cert_hostnames) - DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + state->exp_tls_verify_cert_hostnames = host->name; + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", state->exp_tls_verify_cert_hostnames); } else diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 63bf83b1d..628860044 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1692,14 +1692,10 @@ if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) || client_verify_optional = FALSE; #ifdef EXPERIMENTAL_CERTNAMES - if (ob->tls_verify_cert_hostnames) + if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK) { - if (!expand_check(ob->tls_verify_cert_hostnames, - US"tls_verify_cert_hostnames", - &cbinfo->verify_cert_hostnames)) - return FAIL; - if (cbinfo->verify_cert_hostnames) - DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", + cbinfo->verify_cert_hostnames = host->name; + DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", cbinfo->verify_cert_hostnames); } #endif diff --git a/test/confs/5440 b/test/confs/5440 index 03d9916fb..01ba52532 100644 --- a/test/confs/5440 +++ b/test/confs/5440 @@ -1,5 +1,5 @@ # Exim test configuration 5440 -# TLS client: verify certificate from server - fails +# TLS client: verify certificate from server - name-fails SERVER= 
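Review bot: The new gate `if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)` treats a DEFER result the same as "host not listed", so a lookup that defers while the hostlist is evaluated silently drops the certificate-name check and takes the else branch; the tls-openssl.c hunk has the same pattern. The removed code returned FAIL when the option could not be expanded, so it would be consistent to fail here rather than fall open, e.g. `int rc = verify_check_host(&ob->tls_verify_cert_hostnames);` / `if (rc == DEFER) return FAIL;` / `if (rc == OK)`. This only matters when the option contains a lookup (a plain "*" cannot defer), so confirm against how tls_verify_hosts is treated elsewhere in the file before changing it. The enclosing if/else starts before and continues past the end of the hunk.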
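Review bot: `cbinfo->verify_cert_hostnames = host->name;` deserves a comment saying where that name comes from and what the check therefore proves, since it is the value the server certificate is matched against; the same applies to `state->exp_tls_verify_cert_hostnames = host->name;` in the tls-gnu.c hunk. The spec text in this commit says the name is generally the result of an MX lookup, so unless that lookup is validated the name is only as trustworthy as the DNS answer, and the check detects a certificate that does not belong to the resolved host rather than authenticating which host was chosen. Suggested comment above the assignment: `/* Match the server cert against the name we resolved for this host (hosts option or MX/A lookup); the name is only as trustworthy as that lookup. */`. Also, the removed code only logged when the expanded value was non-empty, whereas the new debug_printf passes host->name to "%s" unconditionally; if host->name can be NULL for a host given as a bare address, that needs a guard, which is worth confirming.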
@@ -131,11 +131,12 @@ send_to_server_crypt:
 tls_verify_certificates = CA2
 tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
 send_to_server_req_fail:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
 tls_verify_hosts = *
 # this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
 send_to_server_req_failname:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
 tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
 tls_verify_hosts = *
 # this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
 send_to_server_req_passname:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
 tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
 tls_verify_hosts = *
 # End
diff --git a/test/confs/5450 b/test/confs/5450
index e737cf36d..dd42a3fb1 100644
--- a/test/confs/5450
+++ b/test/confs/5450
@@ -1,5 +1,5 @@
 # Exim test configuration 5450
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
 SERVER=
@@ -131,11 +131,12 @@ send_to_server_crypt:
 tls_verify_certificates = CA2
 tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
 send_to_server_req_fail:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
 tls_verify_hosts = *
 # this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
 send_to_server_req_failname:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
 tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
 tls_verify_hosts = *
 # this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
 send_to_server_req_passname:
 driver = smtp
 allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
 port = PORT_D
 tls_certificate = CERT2
 tls_privatekey = CERT2
 tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
 tls_verify_hosts = *
 # End
diff --git a/test/log/5440 b/test/log/5440
index b90e6edb3..f084e82a9 100644
--- a/test/log/5440
+++ b/test/log/5440
@@ -1,11 +1,11 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/5450 b/test/log/5450
index 243215335..d56307a19 100644
--- a/test/log/5450
+++ b/test/log/5450
@@ -3,17 +3,17 @@
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
 1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
index fea9551c0..2a61eb1d0 100644
--- a/test/scripts/5440-certnames-GnuTLS/5440
+++ b/test/scripts/5440-certnames-GnuTLS/5440
@@ -1,10 +1,12 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
 gnutls
 exim -DSERVER=server -bd -oX PORT_D
 ****
+# this will fail to verify the cert name and fallback to unencrypted
 exim userr@test.ex
 Testing
 ****
+# this will pass the cert verify including name check
 exim users@test.ex
 Testing
 ****
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
index c94d1a5b2..5359096b1 100644
--- a/test/scripts/5450-certnames-OpenSSL/5450
+++ b/test/scripts/5450-certnames-OpenSSL/5450
@@ -1,12 +1,15 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
 exim -DSERVER=server -bd -oX PORT_D
 ****
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
 exim userq@test.ex
 Testing
 ****
+# this will fail to verify the cert name and fallback to unencrypted
 exim userr@test.ex
 Testing
 ****
+# this will pass the cert verify including name check
 exim users@test.ex
 Testing
 ****
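Review bot: The added comment `# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted` is stale relative to the rest of this commit: test/confs/5450 changes send_to_server_req_fail to `hosts = HOSTNAME` and rewrites the matching config comment to say HOSTNAME. The script comment should agree with the config it drives, `# this will fail to verify the cert at HOSTNAME and fallback to unencrypted`, so a reader checking the expected log line (H=the.local.host.name) is not sent looking for an address-based delivery. The other two added comments already match their transports.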