Not quite right for a mixed TA+EE set of TLSA records, but better than always-enforcing
*/
static BOOL
-verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
+verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
{
int rc;
uint verify;
goto badcert;
}
state->peer_dane_verified = TRUE;
+
+ /* If there were only EE-mode TLSA records present, no checks on cert anchor
+ valididation or cert names are required. For a TA record only, or a mixed
+ set, do them (we cannot tell if an EE record worked). */
+
+ if (!(tls_out.tlsa_usage & (1 << 2)))
+ {
+ state->peer_cert_verified = TRUE;
+ goto goodcert;
+ }
}
#endif
/* Handle the result of verification. INVALID is set if any others are. */
-if (rc < 0 ||
- verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
- )
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
if (!*errstr)
state->peerdn ? state->peerdn : US"<unset>");
}
-state->tlsp->peerdn = state->peerdn;
-return TRUE;
+goodcert:
+ state->tlsp->peerdn = state->peerdn;
+ return TRUE;
badcert:
gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
send_to_server:
driver = smtp
allow_localhost
- port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}}
+ port = PORT_D
hosts_try_dane = *
hosts_require_dane = HOSTIPV4
send_to_server:
driver = smtp
allow_localhost
- port = ${if match {$host}{\Ntest.ex$\N} {PORT_D}{25}}
+ port = PORT_D
hosts_try_dane = *
hosts_require_dane = HOSTIPV4
server1 A HOSTIPV4
+; DANE testing
+
+; a broken dane config where the name does not match in the cert, TA-mode, dane-requested
+; NOTE: the server uses the example.net cert hence the mismatch
+;
+; openssl x509 -in aux-fixed/exim-ca/example.net/CA/CA.pem -fingerprint -sha256 -noout \
+; | awk -F= '{print $2}' | tr -d : | tr '[A-F]' '[a-f]'
+;
+;
+DNSSEC danebroken7 A 127.0.0.1
+DNSSEC _1225._tcp.danebroken7 TLSA 2 0 1 13646cc92c038932f57f752559271b893045eda39f765fc8369b05b2b9c3ac88
+
+; the same, EE-mode
+;
+; openssl x509 -in aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem -noout -pubkey \
+; | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $2}'
+;
+DNSSEC danebroken8 A 127.0.0.1
+DNSSEC _1225._tcp.danebroken8 TLSA 3 1 1 3cc2a6efabd847663b92f827681fd8612fd4d001ea85057d79ea541fb2de02ac
+
; End
1999-03-02 09:44:33 10HmbV-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
1999-03-02 09:44:33 10HmbV-0005vi-00 CALLER@danebroken6.test.ex: error ignored
1999-03-02 09:44:33 10HmbV-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbW-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken7.example.com
+1999-03-02 09:44:33 10HmbW-0005vi-00 DANE attempt failed; TLS connection to danebroken7.example.com [127.0.0.1]: (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmbW-0005vi-00 == CALLER@danebroken7.example.com R=client T=send_to_server defer (-37) H=danebroken7.example.com [127.0.0.1]: TLS session: (certificate verification failed): certificate invalid
+1999-03-02 09:44:33 10HmbX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
+1999-03-02 09:44:33 10HmbX-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=dane DN="CN=server1.example.net" C="250 OK id=10HmbY-0005vi-00"
+1999-03-02 09:44:33 10HmbX-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 10HmbU-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbT-0005vi-00@myhost.test.ex for CALLER@danebroken5.test.ex
1999-03-02 09:44:33 10HmbU-0005vi-00 => :blackhole: <CALLER@danebroken5.test.ex> R=server
1999-03-02 09:44:33 10HmbU-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (recv): A TLS fatal alert has been received.: Certificate is bad
+1999-03-02 09:44:33 TLS error on connection from localhost [127.0.0.1] (send): The specified session has been invalidated for some reason.
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmbY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke_RSA_AES_256_CBC_SHAnnn:256 CV=no S=sss id=E10HmbX-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
+1999-03-02 09:44:33 10HmbY-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
+1999-03-02 09:44:33 10HmbY-0005vi-00 Completed
1999-03-02 09:44:33 10HmbX-0005vi-00 ** CALLER@danebroken6.test.ex R=client T=send_to_server: DANE error: danebroken6.test.ex lookup not DNSSEC
1999-03-02 09:44:33 10HmbX-0005vi-00 CALLER@danebroken6.test.ex: error ignored
1999-03-02 09:44:33 10HmbX-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken7.example.com
+1999-03-02 09:44:33 10HmbY-0005vi-00 DANE attempt failed; TLS connection to danebroken7.example.com [127.0.0.1]: (SSL_connect): error:xxxxxxxx:SSL routines:ssl3_get_server_certificate:certificate verify failed
+1999-03-02 09:44:33 10HmbY-0005vi-00 == CALLER@danebroken7.example.com R=client T=send_to_server defer (-37) H=danebroken7.example.com [127.0.0.1]: TLS session: (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmbZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for CALLER@danebroken8.example.com
+1999-03-02 09:44:33 10HmbZ-0005vi-00 => CALLER@danebroken8.example.com R=client T=send_to_server H=danebroken8.example.com [127.0.0.1] X=TLSv1:ke-RSA-AES256-SHA:xxx CV=dane DN="/CN=server1.example.net" C="250 OK id=10HmcA-0005vi-00"
+1999-03-02 09:44:33 10HmbZ-0005vi-00 Completed
******** SERVER ********
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 10HmbW-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbV-0005vi-00@myhost.test.ex for CALLER@danebroken5.test.ex
1999-03-02 09:44:33 10HmbW-0005vi-00 => :blackhole: <CALLER@danebroken5.test.ex> R=server
1999-03-02 09:44:33 10HmbW-0005vi-00 Completed
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
+1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (SSL_accept): error: <<detail omitted>>
+1999-03-02 09:44:33 "rcpt ACL"
+1999-03-02 09:44:33 10HmcA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLSv1:ke-RSA-AES256-SHA:xxx CV=no S=sss id=E10HmbZ-0005vi-00@myhost.test.ex for CALLER@danebroken8.example.com
+1999-03-02 09:44:33 10HmcA-0005vi-00 => :blackhole: <CALLER@danebroken8.example.com> R=server
+1999-03-02 09:44:33 10HmcA-0005vi-00 Completed
****
#
killdaemon
+
+
+### A server with a name not matching the cert. TA-mode; should fail
+exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
+****
+exim -odf CALLER@danebroken7.example.com
+Testing
+****
+#
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+exim -odf CALLER@danebroken8.example.com
+Testing
+****
+#
+killdaemon
no_msglog_check
****
#
killdaemon
+
+
+### A server with a name not matching the cert. TA-mode; should fail
+exim -DSERVER=server -DDETAILS=cert.net -bd -oX PORT_D
+****
+exim -odf CALLER@danebroken7.example.com
+Testing
+****
+#
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
+exim -odf CALLER@danebroken8.example.com
+Testing
+****
+#
+killdaemon
no_msglog_check
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
### TLSA (3 1 1)
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
### TLSA (3 1 1)
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
### TLSA (3 1 1)
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
******** SERVER ********
### TLSA (3 1 1)
### A server insecurely serving a good TLSA record, dane required (delivery should fail)
### A server insecurely serving a good A record, dane requested only (should deliver, non-DANE)
### A server insecurely serving a good A record, dane required (delivery should fail)
+### A server with a name not matching the cert. TA-mode; should fail
+### A server with a name not matching the cert. EE-mode; should deliver and claim DANE mode
git://git.exim.org / exim.git / commitdiff