On Thu, Feb 11, 2021 at 05:04:24PM +0000, bitozoid wrote:
> > It can also contain intermediate CA certificates. Storing non-root CAs
> > carries a risk that they may expire before you remove them, and then
> > they may take precedence over non-expired intermediate CA certs that the
> > remote peer provides in the TLS handshake.
> >
> > TLS servers or clients that fail to send the required list of
> > intermediate certificates are in violation of various RFCs, and poor
> > interoperability is to be expected. Perhaps a better fix is to request
> > that the problem be fixed on the remote end.
> >
>
> That is really insightful. That would also be nice to be found in the doc.
Does the below meet your needs?
--- a/proto/postconf.proto
+++ b/proto/postconf.proto
@@ -9486,6 +9486,14 @@ file may also be used to augment the server certificate
trust chain,
but it is best to include all the required certificates directly in the
server certificate file. </p>
+<p> Intermediate CA certificates often have substantially shorter
+lifetimes than their ultimate issuing root CAs. If you choose to
+include intermediate CAs in your CAfile, make sure to replace them prior
+to expiration. Otherwise, expired intermediate certificates in the
+trust store may take precedence over fresh copies provided by a properly
+configured peer as part of the TLS handshake, this may result in failure
+to validate the peer's certificate chain. </p>
+
<p> Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY
the system-supplied default Certification Authority certificates.
</p>
@@ -9500,7 +9508,7 @@ of client certificates, the distinguished names (DNs) of
the Certification
Authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client
in the client certificate request message. MUAs with multiple client
certificates may use the list of preferred Certification Authorities
-to select the correct client certificate. You may want to put your
+to select the correct client certificate. You may want to put only your
"preferred" CA or CAs in this file, and install other trusted CAs in
$smtpd_tls_CApath. </p>
@@ -9521,6 +9529,14 @@ for example, "$OPENSSL_HOME/bin/c_rehash
/etc/postfix/certs". To use
smtpd_tls_CApath in chroot mode, this directory (or a copy) must be
inside the chroot jail. </p>
+<p> Intermediate CA certificates often have substantially shorter
+lifetimes than their ultimate issuing root CAs. If you choose to
+include intermediate CAs in your CApath, make sure to replace them prior
+to expiration. Otherwise, expired intermediate certificates in the
+trust store may take precedence over fresh copies provided by a properly
+configured peer as part of the TLS handshake, this may result in failure
+to validate the peer's certificate chain. </p>
+
<p> Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default Certification Authority certificates.
</p>
@@ -9966,6 +9982,19 @@ file may also be used to augment the client certificate
trust chain,
but it is best to include all the required certificates directly in
$smtp_tls_cert_file (or, Postfix ≥ 3.4 $smtp_tls_chain_files). </p>
+<p> Intermediate CA certificates often have substantially shorter
+lifetimes than their ultimate issuing root CAs. If you choose to
+include intermediate CAs in your CAfile, make sure to replace them prior
+to expiration. Otherwise, expired intermediate certificates in the
+trust store may take precedence over fresh copies provided by a properly
+configured peer as part of the TLS handshake, this may result in failure
+to validate the peer's certificate chain. </p>
+
+<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
+space/time tradeoff. If there are many trusted CAs, the cost of
+preloading them all into memory (from a CAfile) may not pay off in
+reduced access time when the certificate is needed. </p>
+
<p> Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use
ONLY the system-supplied default Certification Authority certificates.
</p>
@@ -9993,6 +10022,19 @@ with, for example, "$OPENSSL_HOME/bin/c_rehash
/etc/postfix/certs".
<p> To use this option in chroot mode, this directory (or a copy)
must be inside the chroot jail. </p>
+<p> Intermediate CA certificates often have substantially shorter
+lifetimes than their ultimate issuing root CAs. If you choose to
+include intermediate CAs in your CApath, make sure to replace them prior
+to expiration. Otherwise, expired intermediate certificates in the
+trust store may take precedence over fresh copies provided by a properly
+configured peer as part of the TLS handshake, this may result in failure
+to validate the peer's certificate chain. </p>
+
+<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a
+space/time tradeoff. If there are many trusted CAs, the cost of
+preloading them all into memory (from a CAfile) may not pay off in
+reduced access time when the certificate is needed. </p>
+
<p> Specify "smtp_tls_CApath = /path/to/system_CA_directory" to
use ONLY the system-supplied default Certification Authority certificates.
</p>
@@ -12464,7 +12506,7 @@ SHA256
Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
-key always in "PEM" format. We pipe the result to another OpenSSL
+key always in PEM format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
@@ -12606,7 +12648,7 @@ SHA256
Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
-key always in "PEM" format. We pipe the result to another OpenSSL
+key always in PEM format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
--- a/proto/TLS_README.html
+++ b/proto/TLS_README.html
@@ -150,7 +150,7 @@ key configuration </a>
key configuration </a> </h3>
<p> In order to use TLS, the Postfix SMTP server generally needs
-a certificate and a private key. Both must be in "PEM" format. The
+a certificate and a private key. Both must be in PEM format. The
private key must not be encrypted, meaning: the key must be accessible
without a password. The certificate and private key may be in the same
file, in which case the certificate file should be owned by "root" and
@@ -372,7 +372,7 @@ anonymous-cipher capable clients: </p>
<p> To verify a remote SMTP client certificate, the Postfix SMTP
server needs to trust the certificates of the issuing Certification
-Authorities. These certificates in "PEM" format can be stored in a
+Authorities. These certificates in PEM format can be stored in a
single $smtpd_tls_CAfile or in multiple files, one CA per file in
the $smtpd_tls_CApath directory. If you use a directory, don't forget
to create the necessary "hash" links with: </p>
@@ -849,7 +849,7 @@ the name of the user or host:</p>
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
-key always in "PEM" format. We pipe the result to another OpenSSL
+key always in PEM format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
@@ -1551,7 +1551,7 @@ As in the example above, we show two matching
fingerprints: </p>
you need to extract the public key from the certificate and compute
the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
the "-pubkey" option of the "x509" command extracts the public
-key always in "PEM" format. We pipe the result to another OpenSSL
+key always in PEM format. We pipe the result to another OpenSSL
command that converts the key to DER and then to the "dgst" command
to compute the fingerprint. </p>
@@ -1861,7 +1861,7 @@ cipher used determines which certificate is presented.
</p>
<p> It is possible for the Postfix SMTP client to use the same
key/certificate pair as the Postfix SMTP server. If a certificate
-is to be presented, it must be in "PEM" format. The private key
+is to be presented, it must be in PEM format. The private key
must not be encrypted, meaning: it must be accessible without
password. Both parts (certificate and private key) may be in the
same file. </p>
@@ -1987,7 +1987,7 @@ above. <p>
<p> To verify a remote SMTP server certificate, the Postfix SMTP
client needs to trust the certificates of the issuing Certification
-Authorities. These certificates in "pem" format can be stored in a
+Authorities. These certificates in PEM format can be stored in a
single $smtp_tls_CAfile or in multiple files, one CA per file in
the $smtp_tls_CApath directory. If you use a directory, don't forget
to create the necessary "hash" links with: </p>
--
Viktor.
