I found another place to connect to it from and dumped the cert.
On Fri, Apr 10, 2020 at 10:50:11AM -0600, Theo de Raadt wrote:
> David, you should put an unfiltered reproducer on the internet.
>
> > I can't connect to that host from where I am, obviously it does some
> > sort of port 25 filtering or I would look at the certificate myself.
> > instead of grepping strings it might be helpful to show the entire
> > certificate.
> >
> > On Fri, Apr 10, 2020 at 12:13:24PM -0400, da...@goerger.info wrote:
> > > I'm running OpenBSD-current on amd64 (dmesg below). I can test patches
> > > but admit I got a bit lost this morning stepping through the certificate
> > > verification code in usr.sbin/smtpd/{cert,mta_session,ssl_verify}.c
> > > trying to debug this myself. I'll keep poking at it but would
> > > appreciate any assistance or pointers in the right direction. Thanks!
> > >
> > > >Synopsis: ssl wildcard certificate verification failure
> > > >Category: opensmtpd
> > > >Environment:
> > > System : OpenBSD 6.6
> > > Details : OpenBSD 6.6-current (GENERIC) #105: Sun Apr 5 03:03:30
> > > MDT 2020
> > >
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> > >
> > > Architecture: OpenBSD.amd64
> > > Machine : amd64
> > > >Description:
> > >
> > > Problem statement
> > > -----------------
> > > OpenSMTPD doesn't appear to recognise wildcard certificates as valid
> > > when validating other relays' certificates.
> > >
> > >
> > > Observation
> > > -----------
> > >
> > > When sending a message to a contact with mail hosted by
> > > e.g. "mx.hostedemail.com" (say postmas...@hostedemail.com),
> > >
> > > ===
> > > # per /var/log/maillog
> > >
> > > Apr 9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connecting
> > > address=smtp+tls://216.40.42.4:25 host=mx.hostedemail.com
> > > Apr 9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connected
> > > Apr 9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta tls
> > > ciphers=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
> > > Apr 9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta error reason=SSL
> > > certificate check failed
> > > Apr 9 14:23:09 ersa smtpd[18389]: smtp-out: Disabling route [] <->
> > > 216.40.42.4 (mx.hostedemail.com) for 15s
> > >
> > > # openssl certificate query
> > > $ echo Q | openssl s_client -starttls smtp -connect mx.hostedemail.com:25
> > > 2>/dev/null | openssl x509 -text | grep DNS
> > > DNS:*.hostedemail.com, DNS:hostedemail.com
> > > ===
> > >
> > >
> > > Expected behaviour
> > > ------------------
> > >
> > > The certificate SAN "*.hostedemail.com" should match for
> > > "mx.hostedemail.com".
> > >
> > >
> > > Relevant lines from smtpd.conf
> > > ------------------------------
> > >
> > > I think the only relevant bit is that I set "relay tls" and not "relay
> > > tls no-verify" - the latter config would pass mail outbound despite
> > > the remote certificate validation failure.
> > >
> > > ===
> > > pki ersa.daemonic.life cert "/etc/ssl/ersa.daemonic.life.fullchain.pem"
> > > pki ersa.daemonic.life key "/etc/ssl/private/ersa.daemonic.life.key"
> > > action "outbound" relay tls pki ersa.daemonic.life
> > > match from local for any action outbound
> > > ===
> > >
> > >
> > >
> > > dmesg:
> > > OpenBSD 6.6-current (GENERIC) #105: Sun Apr 5 03:03:30 MDT 2020
> > > dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
> > > real mem = 2130575360 (2031MB)
> > > avail mem = 2053550080 (1958MB)
> > > mpath0 at root
> > > scsibus0 at mpath0: 256 targets
> > > mainbus0 at root
> > > bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5720 (9 entries)
> > > bios0: vendor SeaBIOS version
> > > "rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org" date 04/01/2014
> > > bios0: QEMU Standard PC (i440FX + PIIX, 1996)
> > > acpi0 at bios0: ACPI 1.0
> > > acpi0: sleep states S3 S4 S5
> > > acpi0: tables DSDT FACP APIC HPET
> > > acpi0: wakeup devices
> > > acpitimer0 at acpi0: 3579545 Hz, 24 bits
> > > acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
> > > cpu0 at mainbus0: apid 0 (boot processor)
> > > cpu0: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 174.27 MHz, 06-3f-02
> > > cpu0:
> > > FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
> > > cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB
> > > 64b/line 16-way L2 cache
> > > cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> > > cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
> > > cpu0: smt 0, core 0, package 0
> > > mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
> > > cpu0: apic clock running at 1000MHz
> > > ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
> > > acpihpet0 at acpi0: 100000000 Hz
> > > acpiprt0 at acpi0: bus 0 (PCI0)
> > > acpicpu0 at acpi0: C1(@1 halt!)
> > > "ACPI0006" at acpi0 not configured
> > > acpipci0 at acpi0 PCI0: _OSC failed
> > > acpicmos0 at acpi0
> > > "PNP0A06" at acpi0 not configured
> > > "PNP0A06" at acpi0 not configured
> > > "PNP0A06" at acpi0 not configured
> > > "QEMU0002" at acpi0 not configured
> > > "ACPI0010" at acpi0 not configured
> > > cpu0: using Broadwell MDS workaround
> > > pvbus0 at mainbus0: KVM
> > > pvclock0 at pvbus0
> > > pci0 at mainbus0 bus 0
> > > pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
> > > pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
> > > pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA,
> > > channel 0 wired to compatibility, channel 1 wired to compatibility
> > > wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
> > > wd0: 16-sector PIO, LBA48, 50804MB, 104046592 sectors
> > > wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
> > > pciide0: channel 1 disabled (no drives)
> > > piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0
> > > int 9
> > > iic0 at piixpm0
> > > vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
> > > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> > > wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> > > em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x03: apic 0 int 11,
> > > address f2:3c:91:5a:d4:61
> > > isa0 at pcib0
> > > isadma0 at isa0
> > > fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
> > > com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> > > com0: console
> > > pckbc0 at isa0 port 0x60/5 irq 1 irq 12
> > > pckbd0 at pckbc0 (kbd slot)
> > > wskbd0 at pckbd0: console keyboard, using wsdisplay0
> > > pms0 at pckbc0 (aux slot)
> > > wsmouse0 at pms0 mux 0
> > > pcppi0 at isa0 port 0x61
> > > spkr0 at pcppi0
> > > vscsi0 at root
> > > scsibus1 at vscsi0: 256 targets
> > > softraid0 at root
> > > scsibus2 at softraid0: 256 targets
> > > root on wd0a (f628cab05ab35b0b.a) swap on wd0b dump on wd0b
> > > fd0 at fdc0 drive 1: density unknown
> > >
> > > usbdevs:
> > > usbdevs: no USB controllers found
> > >
> >
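The report's "Expected behaviour" section states what a correct dNSName check should conclude for this certificate: the wildcard SAN "*.hostedemail.com" covers "mx.hostedemail.com". The following is an added example, not code from OpenSMTPD or from anyone in this thread, that implements the hostname-to-SAN comparison as RFC 6125 section 6.4.3 describes it, with the usual tightening that the wildcard must be the whole left-most label, stand for exactly one label, and be followed by at least two literal labels (so "*.com" never matches). The SAN list is constructed from the `openssl x509 -text | grep DNS` output quoted above; the function names are this example's own.

```python
"""Wildcard SAN matching for an outbound relay hostname.

Added example, not OpenSMTPD's verifier. It shows which of the report's
hostnames a correct check accepts or rejects for the quoted SAN list, i.e.
the decision behind "mta error reason=SSL certificate check failed".
"""
from typing import List, Sequence


def parse_openssl_san_line(line: str) -> List[str]:
    """Pull dNSName entries out of one `openssl x509 -text` SAN line,
    e.g. 'DNS:*.hostedemail.com, DNS:hostedemail.com'."""
    names = []
    for entry in line.split(","):
        entry = entry.strip()
        if entry.startswith("DNS:"):
            names.append(entry[len("DNS:"):])
    return names


def san_matches(pattern: str, host: str) -> bool:
    """True if a single dNSName (literal or wildcard) matches host.

    Comparison is case-insensitive and ignores a trailing dot, as DNS
    names are compared. Wildcard rules follow RFC 6125 6.4.3 plus the
    common tightening described in the lead-in (an assumption of this
    example, chosen to match how mainstream TLS libraries behave)."""
    pattern = pattern.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host          # literal name: exact match only
    plabels = pattern.split(".")
    hlabels = host.split(".")
    # Wildcard must be the entire left-most label, appear nowhere else,
    # and leave at least two literal labels ("*.com" is never acceptable).
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # '*' stands for exactly one non-empty label: "*.hostedemail.com" matches
    # "mx.hostedemail.com" but neither "hostedemail.com" nor "a.b.hostedemail.com".
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches(host: str, dns_sans: Sequence[str]) -> bool:
    """True if any SAN entry matches the hostname the MTA connected to."""
    return any(san_matches(san, host) for san in dns_sans)


def explain(host: str, dns_sans: Sequence[str]) -> str:
    """Name the matching SAN, or report failure in the maillog's wording."""
    for san in dns_sans:
        if san_matches(san, host):
            return f"{host}: matched SAN {san}"
    return f"{host}: SSL certificate check failed (no SAN matched)"


if __name__ == "__main__":
    # Constructed from the openssl output quoted in the report.
    sans = parse_openssl_san_line("DNS:*.hostedemail.com, DNS:hostedemail.com")
    for h in ["mx.hostedemail.com", "hostedemail.com",
              "a.b.hostedemail.com", "mx.hostedemail.com.example"]:
        print(explain(h, sans))
```

Run stand-alone it prints one verdict per hostname: the first two are accepted (wildcard and literal SAN respectively), the last two are refused because the wildcard covers exactly one label and a longer name is simply a different domain. A verifier that reports the failure seen in the maillog for "mx.hostedemail.com" against this SAN list is therefore disagreeing with the matching rules, not applying a stricter legitimate variant of them.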