> On Feb 1, 2018, at 10:44 AM, Danny Horne <da...@trisect.uk> wrote:
> 
>> You report settings of:
>>  smtpd_tls_CApath = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
>>  smtpd_tls_ask_ccert = yes
>>  smtpd_tls_ccert_verifydepth = 2
>> 
>> Surely "ca-bundle.trust.crt" is a file not a directory.  This would work as
>> a "CAfile", but I very much recommend that you use CApath instead.  Point
>> your CApath at the directory with all the certs, that is "hashed" via
>> "c_rehash" or similar.  If running smtpd(8) chrooted, make sure there's
>> a copy of the CApath directory inside the jail.
> 
> I've changed smtpd_tls_CApath back to pointing at the directory.  Not
> sure what you mean by "hashed" via "c_rehash"

Well, that's the critical part of using CApath, the directory needs to
contain a separate file for each trusted CA certificate and also be
"hashed" (indexed if you like) by the OpenSSL c_rehash program or
equivalent.  Some OS distributions do this for you automatically, as
part of updating the package that delivers the CA bundle.

You can tell when this is done because the directory will contain a
bunch of hexadecimal symlinks ending in .0 and increasingly less
frequently also .1, .2, ...  For example:

        cd8c0d63.0 -> fnmt-rcm.pem

In your case the hashed directory could be any of:

   /etc/pki/ca-trust/extracted/openssl/
   /etc/pki/ca-trust/extracted
   /etc/pki/ca-trust
   /etc/pki

or even some other directory that uses the above as raw sources to make
links to.  If the OpenSSL library on your system is built to expect to
find certificates in the same place where they are delivered by the
certificate bundle package, then you can run:

  openssl version -d

which outputs something like:

   $ openssl version -d
   OPENSSLDIR: "/etc/ssl"

from which you can deduce that the built-in CAfile and CApath are:

        CAfile: /etc/ssl/cert.pem
        CApath: /etc/ssl/certs/

Adjust accordingly and look for lots of hexadecimal symlinks to
various <someca>.pem files.

>> Is "SwissSign Silver CA - G2" included in your "ca bundle"?
>> 
> Yes it is.  Is it possible that Postfix can't read that file for some
> reason?

Strictly speaking, that'd be the OpenSSL library, called by the Postfix
smtpd(8) server.  And that problem could happen if you're running it
from a chroot jail, but first figure out whether you have a suitably
prepared CApath directory anywhere...

-- 
        Viktor.
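As an added example (not part of this thread, and not the c_rehash script itself), here is a POSIX shell check for whether a directory is "hashed" the way described above, plus the per-file link step that c_rehash performs; it assumes the openssl binary is on PATH and that the CA files are named *.pem or *.crt.

```shell
#!/bin/sh
# Added example: verify that a CApath directory is "hashed", i.e. every CA
# certificate file has a symlink named <subject-hash>.<n> pointing at it,
# and create such a link for one file the way c_rehash / openssl rehash do.

# Print the OpenSSL subject-name hash (the hex part of "cd8c0d63.0") for one
# PEM certificate file.
cert_hash() {
    openssl x509 -noout -hash -in "$1"
}

# Return 0 if every *.pem / *.crt file in DIR is reachable through a
# <hash>.<n> symlink, 1 otherwise; files without a link are listed on stdout.
capath_check() {
    dir=$1
    status=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue      # unmatched glob or non-file
        [ -L "$cert" ] && continue      # skip the hash links themselves
        h=$(cert_hash "$cert")
        found=0
        for link in "$dir/$h".[0-9]*; do
            [ -L "$link" ] || continue
            target=$(readlink "$link")
            if [ "$target" = "$(basename "$cert")" ] || [ "$target" = "$cert" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "no hash link for $cert (expected $h.N)"
            status=1
        fi
    done
    return "$status"
}

# Create the <hash>.<n> link for one certificate, choosing the first unused
# suffix so that CAs whose names hash alike get .1, .2, ... as the text says.
capath_link() {
    dir=$1
    cert=$2
    h=$(cert_hash "$cert")
    n=0
    while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$(basename "$cert")" "$dir/$h.$n"
}
```

Run `capath_check /etc/ssl/certs` (or whichever directory `openssl version -d` points you to) and a non-zero exit tells you the directory is not usable as CApath until it is rehashed.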
