[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs
Michael Rommel
INVALID.NOREPLY at gnu.org
Sat Dec 4 22:07:36 CET 2010
URL:
<http://savannah.gnu.org/support/?107540>
Summary: iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs
Project: GnuTLS
Submitted by: mr2147
Submitted on: Sat 04 Dec 2010 09:07:35 PM GMT
Category: None
Priority: 5 - Normal
Severity: 2 - Minor
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: GNU/Linux
_______________________________________________________
Details:
Setup:
iPhone/iPad shall send mails through TLS encrypted channel to postfix.
postfix is set up to authenticate clients either by username/password SASL or
by certificate authentication. Therefore postfix/main.cf includes:
# TLS parameters
smtpd_use_tls=yes
smtpd_tls_CAfile = /etc/ssl/gnutls/ca.pem
smtpd_tls_cert_file=/etc/ssl/gnutls/pelican.layer-7.net.pem
smtpd_tls_key_file=/etc/ssl/gnutls/pelican.layer-7.net.key
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
The following files are generated by certtool: ca.key, ca.pem,
pelican.layer-7.net.key, pelican.layer-7.net.req
If the resulting pelican.layer-7.net.pem certificate is generated by
certtool:
/root/source/gnutls-2.10.3/src/certtool --generate-certificate \
  --load-ca-privkey /etc/ssl/gnutls/ca.key \
  --load-ca-certificate /etc/ssl/gnutls/ca.pem \
  --load-request /etc/ssl/gnutls/pelican.layer-7.net.req \
  --outfile /etc/ssl/gnutls/pelican.layer-7.net.pem
the iPad receives ca.pem and pelican...pem and responds with a (possibly
invalid) answer, on which postfix chokes with:
Dec 4 20:56:11 pelican postfix/smtpd[7317]: connect from parrot-wlan.layer-7.net[192.168.1.137]
Dec 4 20:56:11 pelican postfix/smtpd[7317]: setting up TLS connection from parrot-wlan.layer-7.net[192.168.1.137]
Dec 4 20:56:11 pelican postfix/smtpd[7317]: parrot-wlan.layer-7.net[192.168.1.137]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL"
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:before/accept initialization
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 read client hello B
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 write server hello A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 write certificate A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 write certificate request A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 flush data
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 read client certificate A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:SSLv3 read client key exchange A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL3 alert write:fatal:bad record mac
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept:error in SSLv3 read certificate verify A
Dec 4 20:56:11 pelican postfix/smtpd[7317]: SSL_accept error from parrot-wlan.layer-7.net[192.168.1.137]: -1
Dec 4 20:56:11 pelican postfix/smtpd[7317]: warning: TLS library problem: 7317:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:422:
Dec 4 20:56:11 pelican postfix/smtpd[7317]: lost connection after STARTTLS from parrot-wlan.layer-7.net[192.168.1.137]
Dec 4 20:56:11 pelican postfix/smtpd[7317]: disconnect from parrot-wlan.layer-7.net[192.168.1.137]
The same setup with the certificate generated by openssl, using the same
ca.key, ca.pem and pelican...req with:
openssl ca -policy policy_anything -days 365 \
  -in gnutls/pelican.layer-7.net.req -out gnutls/pelican.layer-7.net.pem
works, so that the iPad displays the certificate for review and acceptance.
Leaving out the CAfile directive in postfix works in both cases, because the
initial server hello sends only the pelican...pem cert and not the ca.pem
cert. It must have something to do with the combination of the ca.pem and the
pelican.layer-7.net.pem. Sending a completely different ca.pem, which has not
signed the pelican...pem also works.
Using openssl s_client -starttls smtp ... works in both cases. openssl verify
could not find a flaw either.
I couldn't identify the root cause; it possibly is iOS' fault that it
generates an invalid response. But on the other hand, why does it work with
openssl-generated certs? I have carefully reviewed both generated certs and
they look very similar. Digging down with asn1parse I could only detect three
additional NULL values at positions 32, 365 and 606.
I'm at a loss here.
I am just posting it here so that you are aware that certtool-generated
certs may cause trouble with Apple devices.
BTW: generating certs directly without the request step doesn't work either. In
fact I tried various combinations over the course of 7 hours; see the table:

                       | certificate creation using
                       | certtool            | openssl
                       | request file generated by
used CA generated by   | certtool | openssl  | certtool | openssl
-----------------------+----------+----------+----------+---------
openssl                | works    | works    | works    | works
certtool               | fails    | works    | works    | works
Attached are the pem and req files and the openssl ca definition.
Cheers,
Michael.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Sat 04 Dec 2010 09:07:35 PM GMT Name: gnutls_bugreport.tar Size: 30kB
By: mr2147
<http://savannah.gnu.org/support/download.php?file_id=22124>
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107540>
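The asn1parse comparison described in the report can be automated. The following is an added example, not code from the report or from GnuTLS: it walks a DER or PEM certificate and lists the byte offset of every NULL together with the OID that precedes it in the same SEQUENCE, which is how an AlgorithmIdentifier carries an explicit parameters field. The sample bytes are constructed.

```python
import base64

# Constructed sample (not from the report): sha1WithRSAEncryption
# AlgorithmIdentifier with explicit NULL parameters, then one without.
SAMPLE_DER = bytes.fromhex(
    "301c"
    "300d06092a864886f70d010105" "0500"   # SEQUENCE { OID, NULL }
    "300b06092a864886f70d010105"          # SEQUENCE { OID }
)

def load_der(data):
    """Accept raw DER or a PEM file such as the report's .pem attachments."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in data.splitlines() if l and not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return data

def _read_len(buf, i):
    """DER length at buf[i] -> (length, index of the first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _oid_to_str(body):
    """Decode OID content octets to dotted form, e.g. 1.2.840.113549.1.1.5."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def find_nulls(der, start=0, end=None, found=None):
    """List (byte offset, last OID in the same container) for every NULL tag."""
    found = [] if found is None else found
    end = len(der) if end is None else end
    i, last_oid = start, None
    while i < end:
        tag = der[i]
        length, body = _read_len(der, i + 1)
        if tag & 0x20:                 # constructed (SEQUENCE, SET, [n]): recurse
            find_nulls(der, body, body + length, found)
        elif tag == 0x06:              # OBJECT IDENTIFIER
            last_oid = _oid_to_str(der[body:body + length])
        elif tag == 0x05:              # NULL, e.g. an AlgorithmIdentifier's parameters
            found.append((i, last_oid))
        i = body + length
    return found
```

Run find_nulls(load_der(open(path, "rb").read())) on each of the two pelican.layer-7.net.pem files; the offsets are byte offsets into the DER, the same numbering that openssl asn1parse prints in its first column, so they can be compared directly with the positions the report lists.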