[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: smtp ssl

To: wl-en@lists.airs.net, Erik Colson <ecocode.net@gmail.com>
Subject: Re: smtp ssl
From: David Maus <maus.david@gmail.com>
Date: Mon, 15 Feb 2010 12:09:13 +0100
Delivered-to: wl-en@lists.airs.net
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:message-id:from:to :subject:in-reply-to:references:user-agent:mime-version:content-type :content-transfer-encoding; bh=FETUCengGLh4zBJ6SuCGBHxCF95R/S4jlTmA6bVwEUk=; b=gXcDq8CXEJuajH9jO4S8621cz825Dyixvc4lbl+o+WtlelsxeL+NxCLe7i0K/1oosz xbFiIUzbX6w3hiyK7F6KikAmBqUz5z22VntfggPq4EehVnlyoeByY8lTb8+jx6pN1Y5R GxWU2AEVQlOBaqMpRm6o0bxCaTzrk1ZLChiy4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:message-id:from:to:subject:in-reply-to:references:user-agent :mime-version:content-type:content-transfer-encoding; b=BkstSr3ucF3uhDwYRvvK+W4xI6LHqHUOh6KPFCs0fFYXHEjgEiEwBhYuTzKPaJe2xC v39iPTdILbKq6V5RnJvNMw2lLHNDgLYkukB+lN8avqwTp9SFmXyzkBZyQDOp2VaD8vEr YBFkXnhgP0izTtMCi45X+BezYccOLDm54LSSo=
In-reply-to: <9381625e1002142240t4d79d859w9b6b2db5da2fae75@mail.gmail.com>
List-help: <mailto:wl-en-ctl@lists.airs.net?body=help>
List-id: wl-en.lists.airs.net
List-owner: <mailto:wl-en-admin@lists.airs.net>
List-post: <mailto:wl-en@lists.airs.net>
List-software: fml [fml stable 20011102.2100]
List-unsubscribe: <mailto:wl-en-ctl@lists.airs.net?body=unsubscribe>
References: <9381625e1002142240t4d79d859w9b6b2db5da2fae75@mail.gmail.com>
Reply-to: wl-en@lists.airs.net
User-agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (Gojō) APEL/10.7 Emacs/23.1.92 (i486-pc-linux-gnu) MULE/6.0 (HANACHIRUSATO)

Okay, the question that should be asked is, to quote the sociologist
Erving Goffman, "What the hell is going on?".

(please forgive if I tell you nothing new on ssl)

>verify depth is 0
>depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>verify error:num=19:self signed certificate in certificate chain
>verify return:0
>97148:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:983:

ssl.el uses OpenSSL's s_client command to establish the ssl connection
to the desired remote endpoint.  The purpose of using ssl is to secure
the communication between server and client.  Securing means two
things: Encrypt the session information so only server and client can
decipher it and, as a prerequisite, ensure that (in this case) the
client is /really/ talking to the server he want's to talk to.

The failing occurs in this prequisite: The client cannot verify the
authenticity of the remote server.  The identity of the endpoint is
given by a digital certificate that belongs to the endpoint only.  To
check the identity the client has to have the relation "certificate X
belongs to ssl.server.xxx" established outside the ssl connection.
That's how the checking works: "Is the certificate that is presented
by the remote server /truly/ the identity of ssl.server.xxx?".

Know add some more complexity: It is not reasonable to assume a client
being able to obtain and check all certificates it may encounter in
it's lifespan.  Obtaining and checking would literally mean getting a
copy of every certificate, call the company or issuer of the
certificate and compare the checksum (fingerprint) of your copy with
their original.

Therefor there is the concept of a certification authority or CA: The
CA does the checking and /digitally signs/ the servers certificate.
The client in turn now can rely on this CA's signature: You accept the
CA, so you accept all certificates signed by the CA.

Now you can have not just one CA but a CA, a sub-CA, a sub-sub-CA
etc. and you build a chain of trust: that's what the "verify depth" is
about.  Setting it to zero /would/ mean: don't check at all but due to
a bug (?) in openssl it performs the checking even if you use depth 0
(see man s_client).

I am not that familar with OpenSSL's output but this line:

>depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 ^^^^^^^

Looks like the certificate of ssl.server.xxx is at the end of a trust
chain of 2 other certificates.  The question is: who's on the top of
the chain?

You can try this, for example on google:

,----
| david@thinkpad ~ % openssl s_client -verify 3 -host imap.googlemail.com -port 993 -showcerts
`----

and you get a list of the complete trust chain for goolgemail
(stripped the certificate information):

,----
| CONNECTED(00000004)
| depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
| verify error:num=20:unable to get local issuer certificate
| verify return:0
| ---
| Certificate chain
|  0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.googlemail.com
|    i:/C=US/O=Google Inc/CN=Google Internet Authority
| -----BEGIN CERTIFICATE-----
| [...]
| -----END CERTIFICATE-----
|  1 s:/C=US/O=Google Inc/CN=Google Internet Authority
|    i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
| -----BEGIN CERTIFICATE-----
| [...]
| -----END CERTIFICATE-----
| ---
| Server certificate
| subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.googlemail.com
| issuer=/C=US/O=Google Inc/CN=Google Internet Authority
`----

That's the complete trust chain for imap.googlemail.com.

This means: If you happen to have the first certificate (depth=1) you
trust the last one because the last is signed by the second that is
signed by the first, the one you trust.

Fortunatly operating systems ship with a list of common "depth 1"
certificates, e.g. in /etc/ssl/certs.  If I point openssl to this
directory using the -CApath switch:

,----
| david@thinkpad ~% openssl s_client -verify 3 -host imap.googlemail.com -port 993 -showcerts
|
| CONNECTED(00000004)
| depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
| verify return:1
| depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
| verify return:1
| depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=imap.googlemail.com
| verify return:1
`----

It happily verifies the complete chain (no verify error).


What you should try:

  1. try to set the -CApath to where the bundle of preinstalled
     certificates are

  2. if this does not work, get the whole trust chain and look who's
     on the top; if you cannot get the top-certificate by yourself
     (e.g. asking the responsible person (whoever this might be))

HTH
 -- David

--
OpenPGP... 0x99ADB83B5A4478E6
Jabber.... dmjena@jabber.org
Email..... maus.david@gmail.com

Attachment: pgpx8aa5eqyMd.pgp
Description: PGP signature

References:
- smtp ssl
  - From: Erik Colson <ecocode.net@gmail.com>

Prev by Date: Re: Gmail archive
Next by Date: Odd MIME-ish failure
Previous by thread: Re: smtp ssl
Next by thread: smtp ssl
Index(es):
- Date
- Thread