On Sun, May 02, 2021 at 04:11:30PM -0400, Viktor Dukhovni via Exim-users wrote:
> However, Postfix no longer uses my danessl library, as of Postfix 3.6
> (which I'm running), it uses the DANE code in OpenSSL 1.1.x. So there
> are a few differences here...

I built the latest snapshot of Postfix 3.5 (which uses code fundamentally similar to the DANE library in Exim, which is a variant of that Postfix code, carved out as an independent library). I linked Postfix 3.5 against OpenSSL 1.1.1j (also built from source). FWIW, though this should not matter, the operating system was MacOS Big Sur.

This also worked:

$ posttls-finger -c "[smtp.dukhovni.org]"
posttls-finger: using DANE RR: _25._tcp.smtp.dukhovni.org IN TLSA 3 1 1 DB:95:0F:0E:00:30:90:0B:7E:5F:29:FB:80:D8:43:26:89:85:F3:86:D1:91:5E:E2:00:0D:52:7B:5F:36:9C:17
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: depth=0 matched end entity public-key sha256 digest=DB:95:0F:0E:00:30:90:0B:7E:5F:29:FB:80:D8:43:26:89:85:F3:86:D1:91:5E:E2:00:0D:52:7B:5F:36:9C:17
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subjectAltName: mournblade.imrryr.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: Matched subjectAltName: smtp.dukhovni.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subjectAltName: smtp.imrryr.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25 CommonName mournblade.imrryr.org
posttls-finger: smtp.dukhovni.org[100.2.39.101]:25: subject_CN=smtp.dukhovni.org, issuer_CN=R3, fingerprint=4D:6F:56:47:08:9A:69:63:1E:AE:6E:6D:DF:76:CF:6F:02:03:2E:2E, pkey_fingerprint=5E:13:73:70:CB:0A:4C:AF:A5:3D:02:53:69:A3:FB:B0:AE:11:72:5A
posttls-finger: Verified TLS connection established to smtp.dukhovni.org[100.2.39.101]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

If the reported problem is reproducible, barring further evidence it feels like a regression in Exim, rather than OpenSSL or the contributed DANE code.
I am aware that this looks like passing the buck, and as the guest Postfix guy on this list, I should ideally have a stronger basis for blaming Exim. Sorry about that, especially if I turn out to be wrong, but that's the best lead I have at the moment...

In order to make progress, the test matrix needs to be broadened to include OpenSSL 1.1.1k and additional versions of Exim.

I don't know of any substantial changes in the upstream contributed DANE code since it was merged into Exim, but FWIW, it can be found at:

https://github.com/vdukhovni/ssl_dane

Commit history at:

https://github.com/vdukhovni/ssl_dane/commits/master

My impression is that the version in Exim is current, but there could have been changes in the surrounding glue (DNS lookups, or other plumbing of DANE policy before getting down to the nuts and bolts of actually doing the handshake) that perhaps introduced a defect.

-- 
Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
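The posttls-finger output in the message above shows the DANE-EE check that Exim, Postfix and the ssl_dane library all have to get right: a "3 1 1" TLSA record (usage 3 = end-entity, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) is satisfied when the SHA-256 digest of the server certificate's SPKI equals the record's association data, and the "depth=0 matched end entity public-key sha256 digest=..." line is exactly that comparison succeeding. The Go program below is an added example written for this page; it is not Exim's, Postfix's or ssl_dane's code. It parses a TLSA record in presentation format (colon-separated hex as posttls-finger prints it, or plain hex as in a zone file), derives the association data from a certificate and compares the two. It goes slightly beyond the page's case by also handling selector 0 (full certificate) and matching types 0 and 2 (exact match, SHA-512), and it deliberately refuses usages 0-2, which additionally require a PKIX trust path that this example does not model. The certificates are self-signed throwaways generated at run time and the hostnames are placeholders (all constructed test data).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// TLSA holds the RDATA of one TLSA record (RFC 6698).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// ParseTLSA parses presentation format such as "3 1 1 DB:95:0F:..."
// (posttls-finger style) or "3 1 1 db950f..." (zone-file style).
func ParseTLSA(s string) (TLSA, error) {
	f := strings.Fields(s)
	if len(f) < 4 {
		return TLSA{}, fmt.Errorf("tlsa: want 'usage selector mtype data', got %q", s)
	}
	var rr TLSA
	if _, err := fmt.Sscanf(strings.Join(f[:3], " "), "%d %d %d",
		&rr.Usage, &rr.Selector, &rr.MatchingType); err != nil {
		return TLSA{}, fmt.Errorf("tlsa: bad numeric fields: %w", err)
	}
	data, err := hex.DecodeString(strings.ReplaceAll(strings.Join(f[3:], ""), ":", ""))
	if err != nil {
		return TLSA{}, fmt.Errorf("tlsa: bad association data: %w", err)
	}
	rr.Data = data
	return rr, nil
}

// Matches reports whether cert satisfies a DANE-EE (usage 3) record. The
// selector picks the DER certificate (0) or its SubjectPublicKeyInfo (1);
// the matching type compares it raw (0), by SHA-256 (1) or SHA-512 (2).
// Usages 0-2 also need a validated chain, so they are rejected here.
func (rr TLSA) Matches(cert *x509.Certificate) bool {
	if rr.Usage != 3 {
		return false
	}
	var subject []byte
	switch rr.Selector {
	case 0:
		subject = cert.Raw
	case 1:
		subject = cert.RawSubjectPublicKeyInfo
	default:
		return false // unknown selector: treat as unusable, never as a match
	}
	var assoc []byte
	switch rr.MatchingType {
	case 0:
		assoc = subject
	case 1:
		h := sha256.Sum256(subject)
		assoc = h[:]
	case 2:
		h := sha512.Sum512(subject)
		assoc = h[:]
	default:
		return false
	}
	return bytes.Equal(assoc, rr.Data)
}

// RecordFor returns the "3 1 1" record a site would publish for cert:
// the SHA-256 of its SubjectPublicKeyInfo, as in the posttls-finger output.
func RecordFor(cert *x509.Certificate) string {
	h := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "3 1 1 " + hex.EncodeToString(h[:])
}

// selfSigned builds a throwaway P-256 certificate for cn (constructed data).
func selfSigned(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

// Demo publishes a record for one certificate and checks it against that
// certificate and an unrelated one; expected result is (true, false).
func Demo() (bool, bool) {
	own, other := selfSigned("smtp.example.test"), selfSigned("other.example.test")
	rr, err := ParseTLSA(RecordFor(own))
	if err != nil { panic(err) }
	return rr.Matches(own), rr.Matches(other)
}

func main() {
	ownOK, otherOK := Demo()
	fmt.Printf("matches own cert: %v, matches unrelated cert: %v\n", ownOK, otherOK)
}
```

The comparison is done on the raw SPKI bytes from the parsed certificate, which is the same input the "public-key sha256" line in posttls-finger refers to; a mismatch at this step, with a record that validates elsewhere, points at the glue feeding the record or certificate into the check rather than at the digest itself.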