On Wed, Dec 10, 2014 at 01:13:22PM +0100, A. Schulze wrote:

> while checking TLS to a destination domain I noticed a difference.
> posttls-finger say "Verified" but log say (only) "Trusted".

The posttls-finger(1) utility defaults to the "dane" security level
when TLSA records are present and "secure" when absent.  Since it
just reports test results, routine failure at the more secure settings
is not a problem.

> posttls-finger: Verified TLS connection established to
> mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> 
> # grep "to mx1.c01.avira.com" /var/log/mail
> Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established
> to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

The smtp(8) delivery agent is likely correctly defaulting to "may"
or "dane" when not otherwise configured for a particular destination.

Neither results in "Verified" for this domain.

> # postconf -h smtp_tls_CAfile
> /etc/ssl/mail/trusted_cas.pem
> 
> I would say posttls-finger is wrong. Or am I?

Nobody's wrong, just a difference in policy settings.  It looks
like you're explicitly disabling "aNULL" ciphers somewhere.  The
default for such a destination would have resulted in an
"Anonymous" connection.  To get trusted with posttls-finger
I had to use:

    $ posttls-finger -o tls_medium_cipherlist=DEFAULT -l may -c -F avira.pem avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: a.mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: b.mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx1.c01.avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subjectAltName: mx2.c01.avira.com
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25 CommonName mx.ames.avira.net
    posttls-finger: mx1.c01.avira.com[212.79.247.134]:25: subject_CN=mx.ames.avira.net, issuer_CN=COMODO RSA Domain Validation Secure Server CA, fingerprint=7B:29:B8:4E:DE:65:D0:41:5B:2F:00:8C:83:E0:63:8F:0C:2A:99:D8, pkey_fingerprint=D5:90:CE:7B:83:66:F3:D1:14:C4:B8:8A:F7:98:9E:36:75:A4:94:48
    posttls-finger: Trusted TLS connection established to mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

-- 
        Viktor.
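The thread turns on the fact that posttls-finger and the smtp(8) delivery agent report the same destination at different trust levels ("Verified" versus "Trusted") because they run under different security-level defaults. The script below is an added example, not code from the thread or from Postfix: it parses the "TLS connection established" summary that both tools print, ranks the four trust levels Postfix uses (Untrusted, Anonymous, Trusted, Verified), and flags log lines whose achieved level falls below what a per-destination policy map requires. The policy map, the `example.invalid` MX host and its "Anonymous" ADH line are constructed; the two avira.com lines are the ones quoted in the thread.

```python
"""Classify Postfix TLS trust levels from smtp(8) log lines and posttls-finger output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trust levels as printed by Postfix in "... TLS connection established" lines,
# ordered weakest to strongest. "Anonymous" is what an aNULL cipher suite yields.
TRUST_RANK: Dict[str, int] = {"Untrusted": 0, "Anonymous": 1, "Trusted": 2, "Verified": 3}

# One pattern covers both sources: the summary text is identical apart from the
# syslog prefix (smtp(8)) or the "posttls-finger:" program prefix.
LINE_RE = re.compile(
    r"(?P<level>Untrusted|Anonymous|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)


@dataclass(frozen=True)
class TlsEvent:
    level: str
    host: str
    ip: str
    port: int
    proto: str
    cipher: str
    bits: int


def parse_tls_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a line that records a TLS session, else None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return TlsEvent(
        level=m["level"], host=m["host"], ip=m["ip"], port=int(m["port"]),
        proto=m["proto"], cipher=m["cipher"], bits=int(m["bits"]),
    )


def required_level(host: str, policy: Dict[str, str]) -> str:
    """Longest-suffix match of the MX hostname against the (constructed) policy map.
    Hosts with no matching entry default to "Untrusted", i.e. any TLS is accepted."""
    best, best_len = "Untrusted", -1
    for suffix, level in policy.items():
        if (host == suffix or host.endswith("." + suffix)) and len(suffix) > best_len:
            best, best_len = level, len(suffix)
    return best


def find_shortfalls(lines: List[str], policy: Dict[str, str]) -> List[TlsEvent]:
    """Events whose logged trust level is below what the policy requires."""
    out = []
    for line in lines:
        ev = parse_tls_line(line)
        if ev and TRUST_RANK[ev.level] < TRUST_RANK[required_level(ev.host, policy)]:
            out.append(ev)
    return out


# Sample input: the first two lines are quoted from the thread; the remaining
# two are constructed (an aNULL "Anonymous" session and a non-TLS log line).
SAMPLE_LINES = [
    "posttls-finger: Verified TLS connection established to "
    "mx1.c01.avira.com[212.79.247.134]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Dec 10 12:58:19 mail postfix/smtp[2230]: Trusted TLS connection established "
    "to mx1.c01.avira.com[212.79.247.144]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Dec 10 13:02:44 mail postfix/smtp[2301]: Anonymous TLS connection established "
    "to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher "
    "ADH-AES256-GCM-SHA384 (256/256 bits)",
    "Dec 10 13:02:45 mail postfix/smtp[2301]: 1A2B3C: to=<user@example.invalid>, "
    "status=sent (250 2.0.0 Ok)",
]

# Constructed policy: certificate verification is expected for avira.com MX hosts.
SAMPLE_POLICY = {"avira.com": "Verified"}

if __name__ == "__main__":
    for ev in find_shortfalls(SAMPLE_LINES, SAMPLE_POLICY):
        print(f"{ev.host}[{ev.ip}]: got {ev.level}, policy requires "
              f"{required_level(ev.host, SAMPLE_POLICY)} ({ev.proto} {ev.cipher})")
```

Run against the sample, only the smtp(8) "Trusted" line for mx1.c01.avira.com is reported, which is exactly the gap the original poster noticed: the posttls-finger probe reached "Verified", the production delivery agent did not, and a policy that wants "Verified" for that destination has to be set explicitly in the smtp_tls_policy_maps entry rather than inferred from a finger probe.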
