What makes you believe your certificate failure is due to the wildcard DNSname
and not due to some other reason (like the certificate not being trusted, or 
failing a critical extension, etc.)

A quick scan of the wildcard matching code in smtpd looks correct to me, but
it won't get in there if the certificate doesn't validate in the first place. 

I can't connect to that host from where I am, obviously it does some
sort of port 25 filtering or I would look at the certificate myself.
Instead of grepping strings it might be helpful to show the entire
certificate.

On Fri, Apr 10, 2020 at 12:13:24PM -0400, [email protected] wrote:
> I'm running OpenBSD-current on amd64 (dmesg below). I can test patches
> but admit I got a bit lost this morning stepping through the certificate
> verification code in usr.sbin/smtpd/{cert,mta_session,ssl_verify}.c
> trying to debug this myself. I'll keep poking at it but would
> appreciate any assistance or pointers in the right direction. Thanks!
> 
> >Synopsis:    ssl wildcard certificate verification failure
> >Category:    opensmtpd
> >Environment:
>       System      : OpenBSD 6.6
>       Details     : OpenBSD 6.6-current (GENERIC) #105: Sun Apr  5 03:03:30 MDT 2020
>                        [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
>       Architecture: OpenBSD.amd64
>       Machine     : amd64
> >Description:
> 
> Problem statement
> -----------------
> OpenSMTPD doesn't appear to recognise wildcard certificates as valid
> when validating other relays' certificates.
> 
> 
> Observation
> -----------
> 
> When sending a message to a contact with mail hosted by
> e.g. "mx.hostedemail.com" (say [email protected]),
> 
> ===
> # per /var/log/maillog
> 
> Apr  9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connecting address=smtp+tls://216.40.42.4:25 host=mx.hostedemail.com
> Apr  9 14:23:08 ersa smtpd[18389]: 7516fbee48439810 mta connected
> Apr  9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta tls ciphers=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128
> Apr  9 14:23:09 ersa smtpd[18389]: 7516fbee48439810 mta error reason=SSL certificate check failed
> Apr  9 14:23:09 ersa smtpd[18389]: smtp-out: Disabling route [] <-> 216.40.42.4 (mx.hostedemail.com) for 15s
> 
> # openssl certificate query
> $ echo Q | openssl s_client -starttls smtp -connect mx.hostedemail.com:25 2>/dev/null | openssl x509 -text | grep DNS
> DNS:*.hostedemail.com, DNS:hostedemail.com
> ===
> 
> 
> Expected behaviour
> ------------------
> 
> The certificate SAN "*.hostedemail.com" should match for
> "mx.hostedemail.com".
> 
> 
> Relevant lines from smtpd.conf
> ------------------------------
> 
> I think the only relevant bit is that I set "relay tls" and not "relay
> tls no-verify" - the latter config would pass mail outbound despite
> the remote certificate validation failure.
> 
> ===
> pki ersa.daemonic.life cert "/etc/ssl/ersa.daemonic.life.fullchain.pem"
> pki ersa.daemonic.life key "/etc/ssl/private/ersa.daemonic.life.key"
> action "outbound" relay tls pki ersa.daemonic.life
> match from local for any action outbound
> ===
> 
> 
> 
> dmesg:
> 
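The reply above makes the point that a "certificate check failed" error can come from chain validation, which runs first, or from SAN/wildcard matching, which only runs if the chain validates. The following is an added example (not code from the thread or from OpenSMTPD) that separates the two stages: a small parser for the `DNS:` entries printed by `openssl x509 -text`, an RFC 6125-style wildcard matcher (whole leftmost label only, one label deep, at least three labels; smtpd's own ssl_verify.c may differ in details, so this is an assumption), and a STARTTLS probe that reports which stage fails for a given host.

```python
"""Separate chain validation from SAN/wildcard matching when diagnosing
an SMTP STARTTLS "certificate check failed" error (added example)."""
import re
import smtplib
import ssl


def parse_san_line(text):
    """Extract dNSName entries from `openssl x509 -text` SAN output."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_matches(pattern, hostname):
    """RFC 6125-style match (assumed rules, not smtpd's exact code):
    '*' must be the entire leftmost label, matches exactly one label,
    and the pattern needs at least three labels ('*.com' is rejected).
    Comparison is case-insensitive; a trailing dot is ignored."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def any_san_matches(hostname, sans):
    """True if any SAN entry covers hostname."""
    return any(san_matches(p, hostname) for p in sans)


def diagnose(host, port=25, cafile=None):
    """Connect with STARTTLS twice: first with hostname checking off to see
    whether the chain itself validates, then with it on. Returns
    ('chain', err), ('name', err) or ('ok', ''). Uses the network, so it
    is not exercised by the offline test."""
    for check_hostname in (False, True):
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = check_hostname
        ctx.verify_mode = ssl.CERT_REQUIRED
        try:
            with smtplib.SMTP(host, port, timeout=10) as smtp:
                smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as e:
            return ("name" if check_hostname else "chain", str(e))
    return ("ok", "")
```

Run `diagnose("mx.example.invalid")` against the relay in question (placeholder host) to see whether the failure is in chain validation or in name matching before reading the wildcard code.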
