I'm running OpenBSD-current on amd64 (dmesg below). I can test patches
but admit I got a bit lost this morning stepping through the certificate
verification code in usr.sbin/smtpd/{cert,mta_session,ssl_verify}.c
trying to debug this myself. I'll keep poking at it but would
appreciate any assistance or pointers in the right direction. Thanks!
>Synopsis: ssl wildcard certificate verification failure
>Category: opensmtpd
>Environment:
System : OpenBSD 6.6
Details : OpenBSD 6.6-current (GENERIC) #105: Sun Apr 5 03:03:30 MDT 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
Problem statement
-----------------
OpenSMTPD doesn't appear to recognise wildcard certificates as valid
when validating other relays' certificates.
Observation
-----------
When sending a message to a contact with mail hosted by
e.g. "mx.hostedemail.com" (say [email protected]),
===
# per /var/log/maillog
Apr 9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connecting address=smtp+tls://216.40.42.4:25 host=mx.hostedemail.com
Apr 9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connected
Apr 9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
Apr 9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta error reason=SSL certificate check failed
Apr 9 14:23:09 ersa smtpd[18389]: smtp-out: Disabling route [] <-> 216.40.42.4 (mx.hostedemail.com) for 15s
# openssl certificate query
$ echo Q | openssl s_client -starttls smtp -connect mx.hostedemail.com:25 2>/dev/null | openssl x509 -text | grep DNS
DNS:*.hostedemail.com, DNS:hostedemail.com
===
Expected behaviour
------------------
The certificate SAN "*.hostedemail.com" should match for
"mx.hostedemail.com".
Relevant lines from smtpd.conf
------------------------------
I think the only relevant bit is that I set "relay tls" and not "relay
tls no-verify" - the latter config would pass mail outbound despite
the remote certificate validation failure.
===
pki ersa.daemonic.life cert "/etc/ssl/ersa.daemonic.life.fullchain.pem"
pki ersa.daemonic.life key "/etc/ssl/private/ersa.daemonic.life.key"
action "outbound" relay tls pki ersa.daemonic.life
match from local for any action outbound
===
dmesg:
OpenBSD 6.6-current (GENERIC) #105: Sun Apr 5 03:03:30 MDT 2020
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2130575360 (2031MB)
avail mem = 2053550080 (1958MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xf5720 (9 entries)
bios0: vendor SeaBIOS version "rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: ACPI 1.0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Xeon(R) CPU E5-2680 v3 @ 2.50GHz, 174.27 MHz, 06-3f-02
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SS,SSE3,PCLMUL,SSSE3,FMA3,CX16,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,POPCNT,DEADLINE,AES,XSAVE,AVX,F16C,RDRAND,HV,NXE,PAGE1GB,RDTSCP,LONG,LAHF,ABM,PERF,FSGSBASE,TSC_ADJUST,BMI1,AVX2,SMEP,BMI2,ERMS,INVPCID,IBRS,IBPB,SSBD,ARAT,XSAVEOPT,MELTDOWN
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 512KB 64b/line 16-way L2 cache
cpu0: ITLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: DTLB 255 4KB entries direct-mapped, 255 4MB entries direct-mapped
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 1000MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0: C1(@1 halt!)
"ACPI0006" at acpi0 not configured
acpipci0 at acpi0 PCI0: _OSC failed
acpicmos0 at acpi0
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"PNP0A06" at acpi0 not configured
"QEMU0002" at acpi0 not configured
"ACPI0010" at acpi0 not configured
cpu0: using Broadwell MDS workaround
pvbus0 at mainbus0: KVM
pvclock0 at pvbus0
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <QEMU HARDDISK>
wd0: 16-sector PIO, LBA48, 50804MB, 104046592 sectors
wd0(pciide0:0:0): using PIO mode 4, DMA mode 2
pciide0: channel 1 disabled (no drives)
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x03: apic 0 int 11, address f2:3c:91:5a:d4:61
isa0 at pcib0
isadma0 at isa0
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (f628cab05ab35b0b.a) swap on wd0b dump on wd0b
fd0 at fdc0 drive 1: density unknown
usbdevs:
usbdevs: no USB controllers found
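The matching rule the report expects ("*.hostedemail.com" covering "mx.hostedemail.com" but not the bare domain or a deeper subdomain) is the RFC 6125 wildcard rule; the following is an added reference matcher written for this page, not OpenSMTPD's or LibreSSL's own code, and the function name `san_matches_host` is ours:

```c
/* Added example, not OpenSMTPD's or LibreSSL's code: RFC 6125-style
 * matching of a dNSName SAN entry against a peer hostname. */
#include <string.h>
#include <strings.h>

/* Count the dot-separated labels in a name ("hostedemail.com" -> 2). */
static int
count_labels(const char *s)
{
	int n = (*s != '\0');

	for (; *s != '\0'; s++)
		if (*s == '.')
			n++;
	return n;
}

/*
 * Return 1 if the SAN entry `san` covers `host`, else 0.
 * Comparison is case-insensitive. A wildcard is accepted only as the
 * whole leftmost label ("*."), matches exactly one label, and must be
 * followed by at least two labels, so "*.com" never matches. Any other
 * use of '*' ("m*.example.com", "*.*.com") is rejected outright.
 */
int
san_matches_host(const char *san, const char *host)
{
	const char *dot;

	if (*san == '\0' || *host == '\0')
		return 0;
	if (strchr(san, '*') == NULL)
		return strcasecmp(san, host) == 0;	/* plain name */
	if (san[0] != '*' || san[1] != '.' || strchr(san + 2, '*') != NULL)
		return 0;
	if (count_labels(san + 2) < 2)
		return 0;
	/* The host needs exactly one non-empty label before the suffix. */
	dot = strchr(host, '.');
	if (dot == NULL || dot == host)
		return 0;
	return strcasecmp(dot + 1, san + 2) == 0;
}
```

With the SANs from the report, "*.hostedemail.com" matches "mx.hostedemail.com" while "hostedemail.com" is covered only by its own exact entry.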