subject:"dovecot sometimes sends non\-default SSL cert if IMAP client won't send SNI"

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

2018-07-24 Thread Aki Tuomi

Well. At least I know now the cn overlaps. That should not be a problem but is 
at least something to pursue. 


---Aki TuomiDovecot oy
 Original message From: Martin Johannes Dauser 
 Date: 24/07/2018  18:03  (GMT+02:00) To: 
dovecot@dovecot.org Subject: Re: dovecot sometimes sends non-default SSL cert 
if IMAP client
  won't send SNI 
Sure, and thanks for trying to help!

These are the two correct answers when SNI is included. The
certificates are fully chained. Both certificates carry the same
subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN).

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at,
DNS:pop.cs.sbg.ac.at

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:mail.cosy.sbg.ac.at,
DNS:smtp.cosy.sbg.ac.at, DNS:imap.cosy.sbg.ac.at,
DNS:pop.cosy.sbg.ac.at

I thought of attaching a file with 13 outputs of command
$ openssl s_client -showcerts -connect 141.201.4.5:993
but this would certainly exceed the limit of 40kb. Anyway, except for
the SSL handshake the outputs exactly meet the two examples a few lines
below.

Statistics: Only connections 10,11,13 showed the default certificate.
So running only a few connections might end up with 100% false certs --
or the other way round.  

OpenSSL itself is always happy, as both certificates fit to the
(r)DNS records of mail.cs.sbg.ac.at/141.201.4.5.

Would it help you to run dovecot in debug mode?


###
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername
imap.cs.sbg.ac.at


CONNECTED(0003)
---
Certificate chain
 0 s:/C=AT/ST=Salzburg/L=Salzburg/O=University of
Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-BEGIN CERTIFICATE-
MIIGjDCCBXSgAwIBAgIQApnSP3xZbyr6dGTMvuxaSDANBgkqhkiG9w0BAQ0FADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xNzAxMjQwMDAwMDBaFw0yMDAxMjgxMjAwMDBaMIGZMQswCQYDVQQG
EwJBVDERMA8GA1UECBMIU2FsemJ1cmcxETAPBgNVBAcTCFNhbHpidXJnMR8wHQYD
VQQKExZVbml2ZXJzaXR5IG9mIFNhbHpidXJnMScwJQYDVQQLEx5EZXBhcnRtZW50
IG9mIENvbXB1dGVyIFNjaWVuY2UxGjAYBgNVBAMTEW1haWwuY3Muc2JnLmFjLmF0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAus33Jb+HE64oJvBEwpeh
7cwyMAknhE5k/49eUG7/E0j2ffEo1APzxYooZ1hlHcf7meH7h1KYD3lSXw5RX0Mi
KtuUHSUIqYE1U3+pyussB11r18ucHk8MoFQqPnJDeuSPaHozmdQtJJHRVDabddHz
5l4RVEUduUjzl7vnfFrBhbHV/LpYcLMsNgdlg5I0TXU99Y8paMeF32cWiR2dCeyN
t2AajjMpHYRDaJ9DGed8nWOeqK0YRQuaEGF68VBVdygDcOQ0eBflwYEjJChJHhN4
UsQSmwoXYj5ZRvyhcAxxPDYveNhM4oVox67Nvw1AgHz/spaWgJVMKrTU4hFDYcnO
0F6KkumLke0t4IvoLEU7ScAm6d3ttQ5ZBbSIX811kWHC/ddu12AhRiq3y5fN2o3n
6pbRrqljyg4Mu0Tj9UEuwC8bJnCJreo32HQwo82vD1xU8jPUci4UoD21PfkjFssm
qbtwwWs1KAIvX52U79u6CC7hvsPNtCiMK0K6/9jg8OyKMraBWvIUV6YxgnuJZ4Mi
so/OD6uqdpqCYuq5LLZVAVcBu/vGTzfcckkz71nN2eZSO870rnxyHeTWmepQv4nc
gxN49JeReO4zZMio6eC5N9D+SYc5Ae5mS8qyHe/gur6VmbmbWk/vRt/m75lcGLgR
A4FRqRvu+GIWNh0uCP9SlkUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGf9iCAU
J5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBR6nRddyu+D1h42fba+bgkBi6OipzBU
BgNVHREETTBLghFtYWlsLmNzLnNiZy5hYy5hdIIRc210cC5jcy5zYmcuYWMuYXSC
EWltYXAuY3Muc2JnLmFjLmF0ghBwb3AuY3Muc2JnLmFjLmF0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAv
oC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmww
L6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3Js
MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMG4GCCsGAQUFBwEBBGIwYDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMDgGCCsGAQUFBzAC
hixodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNydDAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQA6Xbkobv3hQAr532wf0NsZ
kYErQebiMLCrKDAhtLc7Z/bO/srUgOs0x9uoIU5ErjLnPcWrPK0eFQevjZ+6CUry
NgAcf6f1z9g1IejuapXb6F41YAteJzo+QkvAtQFkOaq9AADXNo6iIOIDyE1M8hWW
W0gcwx6h4+UUSLac0LN/i+Q2LcHa6fg/kH59Yt2oIzkJrVRSHn11R8iUHiLgW3X2
XL9BgCZHqI8t3OaJpXLHmvA0pKDIvjFK9+CDcXZWQbZyLlMzGxVyrZfK+rBjL05h
QQ3CTy9JJ3/1//AD1mSgog3qSejMQ7ZK01ZZv4lDoEU8ADGFA6VKlV/CiaYz5Ztk
-END CERTIFICATE-
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-BEGIN CERTIFICATE-

MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

2018-07-24 Thread Martin Johannes Dauser

Sure, and thanks for trying to help!

These are the two correct answers when SNI is included. The
certificates are fully chained. Both certificates carry the same
subject mail.cs.sbg.ac.at but differ in Subject Alternative Name (SAN).

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:smtp.cs.sbg.ac.at, DNS:imap.cs.sbg.ac.at,
DNS:pop.cs.sbg.ac.at

X509v3 Subject Alternative Name: 
  DNS:mail.cs.sbg.ac.at, DNS:mail.cosy.sbg.ac.at,
DNS:smtp.cosy.sbg.ac.at, DNS:imap.cosy.sbg.ac.at,
DNS:pop.cosy.sbg.ac.at

I thought of attaching a file with 13 outputs of command
$ openssl s_client -showcerts -connect 141.201.4.5:993
but this would certainly exceed the limit of 40kb. Anyway, except for
the SSL handshake the outputs exactly meet the two examples a few lines
below.

Statistics: Only connections 10,11,13 showed the default certificate.
So running only a few connections might end up with 100% false certs --
or the other way round.  

OpenSSL itself is always happy, as both certificates fit to the
(r)DNS records of mail.cs.sbg.ac.at/141.201.4.5.

Would it help you to run dovecot in debug mode?


###
$ openssl s_client -showcerts -connect 141.201.4.5:993 -servername
imap.cs.sbg.ac.at


CONNECTED(0003)
---
Certificate chain
 0 s:/C=AT/ST=Salzburg/L=Salzburg/O=University of
Salzburg/OU=Department of Computer Science/CN=mail.cs.sbg.ac.at
   i:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
-BEGIN CERTIFICATE-
MIIGjDCCBXSgAwIBAgIQApnSP3xZbyr6dGTMvuxaSDANBgkqhkiG9w0BAQ0FADBk
MQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJ
QW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wg
Q0EgMzAeFw0xNzAxMjQwMDAwMDBaFw0yMDAxMjgxMjAwMDBaMIGZMQswCQYDVQQG
EwJBVDERMA8GA1UECBMIU2FsemJ1cmcxETAPBgNVBAcTCFNhbHpidXJnMR8wHQYD
VQQKExZVbml2ZXJzaXR5IG9mIFNhbHpidXJnMScwJQYDVQQLEx5EZXBhcnRtZW50
IG9mIENvbXB1dGVyIFNjaWVuY2UxGjAYBgNVBAMTEW1haWwuY3Muc2JnLmFjLmF0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAus33Jb+HE64oJvBEwpeh
7cwyMAknhE5k/49eUG7/E0j2ffEo1APzxYooZ1hlHcf7meH7h1KYD3lSXw5RX0Mi
KtuUHSUIqYE1U3+pyussB11r18ucHk8MoFQqPnJDeuSPaHozmdQtJJHRVDabddHz
5l4RVEUduUjzl7vnfFrBhbHV/LpYcLMsNgdlg5I0TXU99Y8paMeF32cWiR2dCeyN
t2AajjMpHYRDaJ9DGed8nWOeqK0YRQuaEGF68VBVdygDcOQ0eBflwYEjJChJHhN4
UsQSmwoXYj5ZRvyhcAxxPDYveNhM4oVox67Nvw1AgHz/spaWgJVMKrTU4hFDYcnO
0F6KkumLke0t4IvoLEU7ScAm6d3ttQ5ZBbSIX811kWHC/ddu12AhRiq3y5fN2o3n
6pbRrqljyg4Mu0Tj9UEuwC8bJnCJreo32HQwo82vD1xU8jPUci4UoD21PfkjFssm
qbtwwWs1KAIvX52U79u6CC7hvsPNtCiMK0K6/9jg8OyKMraBWvIUV6YxgnuJZ4Mi
so/OD6uqdpqCYuq5LLZVAVcBu/vGTzfcckkz71nN2eZSO870rnxyHeTWmepQv4nc
gxN49JeReO4zZMio6eC5N9D+SYc5Ae5mS8qyHe/gur6VmbmbWk/vRt/m75lcGLgR
A4FRqRvu+GIWNh0uCP9SlkUCAwEAAaOCAgIwggH+MB8GA1UdIwQYMBaAFGf9iCAU
J5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBR6nRddyu+D1h42fba+bgkBi6OipzBU
BgNVHREETTBLghFtYWlsLmNzLnNiZy5hYy5hdIIRc210cC5jcy5zYmcuYWMuYXSC
EWltYXAuY3Muc2JnLmFjLmF0ghBwb3AuY3Muc2JnLmFjLmF0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYDVR0fBGQwYjAv
oC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcmww
L6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3Js
MEwGA1UdIARFMEMwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQICMG4GCCsGAQUFBwEBBGIwYDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMDgGCCsGAQUFBzAC
hixodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNydDAM
BgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBDQUAA4IBAQA6Xbkobv3hQAr532wf0NsZ
kYErQebiMLCrKDAhtLc7Z/bO/srUgOs0x9uoIU5ErjLnPcWrPK0eFQevjZ+6CUry
NgAcf6f1z9g1IejuapXb6F41YAteJzo+QkvAtQFkOaq9AADXNo6iIOIDyE1M8hWW
W0gcwx6h4+UUSLac0LN/i+Q2LcHa6fg/kH59Yt2oIzkJrVRSHn11R8iUHiLgW3X2
XL9BgCZHqI8t3OaJpXLHmvA0pKDIvjFK9+CDcXZWQbZyLlMzGxVyrZfK+rBjL05h
QQ3CTy9JJ3/1//AD1mSgog3qSejMQ7ZK01ZZv4lDoEU8ADGFA6VKlV/CiaYz5Ztk
-END CERTIFICATE-
 1 s:/C=NL/ST=Noord-Holland/L=Amsterdam/O=TERENA/CN=TERENA SSL CA 3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Assured ID
Root CA
-BEGIN CERTIFICATE-

MIIE+zCCA+OgAwIBAgIQCHC8xa8/25Wakctq7u/kZTANBgkqhkiG9w0BAQsFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
b3QgQ0EwHhcNMTQxMTE4MTIwMDAwWhcNMjQxMTE4MTIwMDAwWjBkMQswCQYDVQQG
EwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFt
MQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMV2Dw/ZQyk7bG3RR63eEL8jwnio
Snc18SNb4EweQefCMQC9iDdFdd25AhCAHo/tZCMERaegOTuBTc9jP8JJ/yKeiLDS
lrlcinQfkioq8hLIt2hUtVhBgUBoBhpPhSn7tU08D08/QJYbzqjMXjX/ZJj1dd10
VAWgNhEEEiRVY++Udy538RV27tOkWUUhn6i+0SftCuirOMo/h9Ha8Y+5Cx9E5+Ct
85XCFk3shKM6ktTPxn3mvcsaQE+zVLHzj28NHuO+SaNW5Ae8jafOHbBbV1bRxBz8
mGXRzUYvkZS/RYVJ+G1ShxwCVgEnFqtyLvRx5GG1IKD6JmlqCvGrn223zyUCAwEA
AaOCAaYwggGiMBIGA1UdEwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMHkG
CCsGAQUFBwEBBG0wazAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQu
Y29tMEMGCCsGAQUFBzAChjdodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGln

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

2018-07-23 Thread Aki Tuomi

Can you provide some details on what those openssl commands returned?

Aki


On 20.07.2018 12:14, Martin Johannes Dauser wrote:
> Hi,
>
> I recognised some funny behaviour on my server. IMAP clients which
> won't send an Server Name Indication (SNI) sometimes get the wrong
> certificate. I would expect that those clients always get the default
> certificate (of my new domain), instead in about 20 to 50% of
> connections the certificate of my old domain will be presented.
> (sample rate was 3 times 30 connections)
>
> Clients sending SNI always get the right certificate.
>
> A user informed me that offlineIMAP complains 
> 'CA Cert verifying failed:
>    no matching domain name found in certificate'
> So at least offlineIMAP 7.0.12 from Debain stretch won't send SNI,
> there is a newer version upstream though.
>
>
> I myself checked the server's behaviour with openssl:
>
> $ openssl s_client -showcerts -connect IP-address:993
>
> and
>
> $ openssl s_client -showcerts -connect IP-address:993 -servername
> imap.domain
>
>
> I'm totally clueless about how come.
>
> Best regards
> Martin Johannes Dauser
>
>
>
>
> # 2.2.10: /etc/dovecot/dovecot.conf
> # OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux
> Server release 7.5 (Maipo) 
>
> ...
>
> service imap-login {
>   inet_listener imap {
> address = 127.0.0.1
> port = 143
>   }
>   inet_listener imaps {
> port = 993
> ssl = yes
>   }
>   process_min_avail = 8
>   service_count = 0
> }
>
> ...
>
> ssl = required
> # set default cert
> ssl_cert =  ssl_cipher_list = DHE-RSA-AES256-SHA:DHE-RSA-AES128-
> SHA:ALL:!LOW:!SSLv2:!EXP:!aNULL:!MD5:!RC4:!DES:!3DES:!TLSv1
>
> ssl_key =  ssl_protocols = !SSLv2 !SSLv3
>
> ...
>
> # set alternativ cert for old domain
> local_name mail.old.domain {
>   ssl_cert =    ssl_key =  }
> local_name imap.old.domain {
>   ssl_cert =    ssl_key =  }
> local_name pop.old.domain {
>   ssl_cert =    ssl_key =  }
>
> # set explicit cert for new domain
> local_name mail.new.domain {
>   ssl_cert =    ssl_key =  }
> local_name imap.new.domain {
>   ssl_cert =    ssl_key =  }
> local_name pop.new.domain {
>   ssl_cert =    ssl_key =  }
>
>
>

dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

2018-07-20 Thread Martin Johannes Dauser



Hi,

I recognised some funny behaviour on my server. IMAP clients which
won't send an Server Name Indication (SNI) sometimes get the wrong
certificate. I would expect that those clients always get the default
certificate (of my new domain), instead in about 20 to 50% of
connections the certificate of my old domain will be presented.
(sample rate was 3 times 30 connections)

Clients sending SNI always get the right certificate.

A user informed me that offlineIMAP complains 
'CA Cert verifying failed:
   no matching domain name found in certificate'
So at least offlineIMAP 7.0.12 from Debain stretch won't send SNI,
there is a newer version upstream though.


I myself checked the server's behaviour with openssl:

$ openssl s_client -showcerts -connect IP-address:993

and

$ openssl s_client -showcerts -connect IP-address:993 -servername
imap.domain


I'm totally clueless about how come.

Best regards
Martin Johannes Dauser




# 2.2.10: /etc/dovecot/dovecot.conf
# OS: Linux 3.10.0-862.el7.x86_64 x86_64 Red Hat Enterprise Linux
Server release 7.5 (Maipo) 

...

service imap-login {
  inet_listener imap {
address = 127.0.0.1
port = 143
  }
  inet_listener imaps {
port = 993
ssl = yes
  }
  process_min_avail = 8
  service_count = 0
}

...

ssl = required
# set default cert
ssl_cert =

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

Re: dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

dovecot sometimes sends non-default SSL cert if IMAP client won't send SNI

4 matches

Site Navigation

Mail list logo

Footer information