bgware: Thread: SNI on STARTTLS in mailfront


Subject: SNI on STARTTLS in mailfront
From: "John R. Levine" ####@####.####
Date: 14 Jan 2019 20:05:59 -0000
Message-Id: <alpine.OSX.2.21.1901132049050.29671@ary.qy>

The IETF recently defined RFC 8461, which defines a spec called MTA-STS 
which lets you publish mail security policies like "all of my mail servers 
do STARTTLS and these are their names."

An MTA need not have only one name, and it's fairly common for every 
domain assigned to one to have its own name, e.g. for foo.com it's 
mx.foo.com.  This makes MTA-STS harder, because the TLS certificate the 
server presents has to match the name the client expects.  Fortunately 
there is a hack called SNI, invented for multiple web sites sitting on a 
single IP, that lets the client tell the server what name it expects.

As part of my MTA-STS hackery I added SNI to the mailfront starttls code. 
There's a new environment variable TLS_CERTDIR which is where the 
directories with the SNI certs are.  You do have to generate and sign the 
certs, but with Let's Encrypt that's not too hard.

If anyone else wants it, let me know.  It's not a big deal.  I added 90 
lines to the existing 223 in starttls-gnutls.c, which includes checking 
for error conditions I forgot to check before.

Regards,
John Levine, ####@####.#### Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 30 Jan 2019 03:50:34 -0000
Message-Id: <39ea41a82b78fb460a7646b032256b17@choon.net>

Hi John,

> If anyone else wants it, let me know.  It's not a big deal.  I added
> 90 lines to the existing 223 in starttls-gnutls.c, which includes
> checking for error conditions I forgot to check before.

I want it please.

Thanks.

Kindest regards,
Giam Teck Choon
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: "John Levine" ####@####.####
Date: 30 Jan 2019 04:03:10 -0000
Message-Id: <alpine.BSF.2.21.9999.1901292257090.33877@gal.iecc.com>

On Wed, 30 Jan 2019, Giam Teck Choon wrote:
>> If anyone else wants it, let me know.  It's not a big deal.  I added
>> 90 lines to the existing 223 in starttls-gnutls.c, which includes
>> checking for error conditions I forgot to check before.
>
> I want it please.

Here it is, updated starttls-gnutls.c

R's,
John

#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <bglibs/iobuf.h>
#include <bglibs/msg.h>
#include <bglibs/str.h>
#include <bglibs/wrap.h>

#include <errno.h>
#include <gnutls/abstract.h>

#include "mailfront.h"
#include "starttls.h"

static gnutls_session_t gsession;	/* the one server-side TLS session; created in starttls_init() */

static int tls_available = 0;		/* set to 1 at the end of starttls_init(), cleared by starttls_disable() */

static ibuf realinbuf;			/* underlying input stream (copy of inbuf saved by starttls_start) */
static obuf realoutbuf;			/* underlying output stream (copy of outbuf saved by starttls_start) */

/*
 * TLS read and write functions for bglib, to fake out the rest of
 * mailfront
 */

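/*
 * ibuf_fn-style read callback: pull decrypted bytes from gsession into ptr.
 * Returns the number of bytes read, or 0 on EOF and on any TLS error (the
 * error is logged; the rest of mailfront only sees end-of-input).
 * n (the descriptor) is unused: the transport is gsession, not an fd.
 */
static int tlsread(int n, void *ptr, unsigned long len)
{
  (void)n;

  for (;;) {
    ssize_t ret = gnutls_record_recv(gsession, ptr, (size_t)len);
    if (ret >= 0)
      return (int)ret;
    /* transient: the record layer asks to be called again with the same args */
    if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
      continue;
    /* peer went away without close_notify: treat as plain EOF */
    if (ret == GNUTLS_E_PREMATURE_TERMINATION)
      return 0;
    /* cast for the d conversion: GnuTLS error codes are small negative ints */
    msgf("{TLS error }d", (int)ret);
    return 0;
  }
}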

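/*
 * obuf_fn-style write callback: push len bytes from ptr through gsession,
 * in as many records as needed.  Returns the total number of bytes sent,
 * or the negative GnuTLS error code on failure.  n (the descriptor) is
 * unused.
 *
 * The result of gnutls_record_send() is kept signed: it used to be stored
 * in a size_t, so a negative error code compared as a huge byte count,
 * was added to the running total and ended the loop with a garbage value.
 */
static int tlswrite(int n, void *ptr, unsigned long len)
{
  const char *p = ptr;
  size_t left = (size_t)len;
  size_t total = 0;

  (void)n;

  while (left > 0) {
    ssize_t ret = gnutls_record_send(gsession, p, left);
    if (ret < 0) {
      /* GnuTLS wants the same data offered again; nothing has changed */
      if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED)
        continue;
      return (int)ret;
    }
    if (ret == 0)
      break;			/* nothing accepted; report what got through */
    total += (size_t)ret;
    p += ret;
    left -= (size_t)ret;
  }
  return (int)total;
}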

/*
 * low-level read and write functions for gnutls
 * read returns at least one char, more if they're in the buffer
 */
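/*
 * gnutls pull callback: feed bytes from the saved plaintext stream
 * (realinbuf) into the TLS engine.  Blocks for one byte, then copies
 * whatever else is already in the ibuf buffer, up to size, without
 * blocking again.  Returns the number of bytes copied, 0 when the stream
 * ends (or errors) before anything was copied.  p is unused.
 */
static ssize_t llread(gnutls_transport_ptr_t p, void* buf, size_t size)
{
  char *out = buf;		/* arithmetic on void* is a GNU extension; step a char* instead */
  size_t got = 0;

  (void)p;

  if (size == 0)
    return 0;			/* never write into a zero-length buffer */

  /* first byte: may block on the underlying stream */
  if (!ibuf_getc(&realinbuf, out))
    return 0;
  got = 1;

  /* remaining bytes: only what is already buffered */
  while (got < size && realinbuf.io.bufstart < realinbuf.io.buflen) {
    if (!ibuf_getc(&realinbuf, out + got))
      break;			/* bytes already consumed must be handed over, not dropped */
    got++;
  }
  return (ssize_t)got;
}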

/*
 * gnutls push callback: hand size bytes of TLS output to the saved
 * plaintext output stream (realoutbuf) and flush it immediately.
 * p is unused.  Returns size when obuf_write() reports success
 * (presumably nonzero, as the original assumed), otherwise
 * realoutbuf.count, which is taken to be the amount actually written.
 * The result of obuf_flush() is not checked.
 */
static ssize_t llwrite(gnutls_transport_ptr_t p, void* buf, size_t size)
{
  (void)p;

  const int wrote_all = obuf_write(&realoutbuf, buf, size);
  obuf_flush(&realoutbuf);

  return wrote_all ? (ssize_t)size : (ssize_t)realoutbuf.count;
}

/*
 * certdir: directory for SNI certs (TLS_CERTDIR); the callback below looks
 *   for <certdir>/<sni-name>/<sni-name>.crt and .key under it
 * certfile, keyfile: default cert and key files (TLS_CERTFILE, TLS_KEYFILE)
 * All three point at getenv() results set once by starttls_init().
 */
static char *certdir, *certfile, *keyfile;

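/*
 * sni_name_ok: accept only names that look like plain ASCII hostnames:
 * letters, digits, '-' and '.', non-empty, not starting with '.', and no
 * ".." sequence.  The SNI name comes straight from the client hello and
 * is spliced into a file path below, so anything else must not reach the
 * filesystem lookup.
 */
static int sni_name_ok(const char *name)
{
  size_t i;

  if (name == NULL || name[0] == '\0' || name[0] == '.')
    return 0;
  for (i = 0; name[i] != '\0'; i++) {
    const unsigned char c = (unsigned char)name[i];
    const int alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    if (!alnum && c != '-' && c != '.')
      return 0;
    if (c == '.' && name[i + 1] == '.')
      return 0;
  }
  return 1;
}

/*
 * called during the handshake to see what cert the client wants, when a
 * cert directory (TLS_CERTDIR) is configured
 *
 * With a DNS SNI name <name> (lowercased), <certdir>/<name>/<name>.crt is
 * used if readable, together with <certdir>/<name>/<name>.key, or the
 * .crt itself when there is no .key; the name is stored in the "tls_sni"
 * session string.  Without SNI, or when no such file exists, the default
 * certfile/keyfile pair is loaded.  Either way a fresh credentials object
 * is built and installed on gsession with gnutls_credentials_set().
 *
 * NOTE(review): the retrieve_function2 contract is to return the
 * certificate through pcert/pcert_length/pkey; this callback leaves them
 * untouched and relies on swapping the session credentials mid-handshake
 * instead.  The credentials built here also carry no DH parameters (those
 * were attached to the credentials from starttls_init()).  A later version
 * of this file, per the list discussion, switched to
 * gnutls_handshake_set_post_client_hello_function(), which was reported to
 * work where this callback did not.
 *
 * Always returns 0 (a negative return would abort the handshake); failures
 * are logged only.  The unused parameters are part of the gnutls signature.
 */
static int starttls_cert_callback(gnutls_session_t session, const gnutls_datum_t* req_ca_dn,
				  int nreqs, const gnutls_pk_algorithm_t* pk_algos,
				  int pk_algos_length, gnutls_pcert_st** pcert, unsigned int *pcert_length,
				  gnutls_privkey_t * pkey)
{
  int ret;
  gnutls_certificate_credentials_t x509_cred;
  unsigned int snitype = 0;
  char dnsname[256] = {0};	/* client's desired name; last byte stays 0 so it is always terminated */
  size_t dnslen = sizeof(dnsname) - 1;

  (void) req_ca_dn;
  (void) nreqs;
  (void) pk_algos;
  (void) pk_algos_length;
  (void) pcert;
  (void) pcert_length;
  (void) pkey;

  ret = gnutls_certificate_allocate_credentials(&x509_cred);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("SNI TLS credentials alloc failed: ", gnutls_strerror(ret));
    return 0;
  }

  ret = gnutls_server_name_get(session, dnsname, &dnslen, &snitype, 0);
  if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
      || (ret == GNUTLS_E_SUCCESS && snitype != GNUTLS_NAME_DNS)) {
    /* no SNI, or not a DNS name: use the default certificate */
    ret = gnutls_certificate_set_x509_key_file(x509_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM);
  } else if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS SNI certificate init failed: ", gnutls_strerror(ret));
    gnutls_certificate_free_credentials(x509_cred);
    return 0;
  } else if (!sni_name_ok(dnsname)) {
    /* client-controlled text that is not a hostname never becomes a path */
    msg1("Malformed SNI name in request, using default certificate");
    ret = gnutls_certificate_set_x509_key_file(x509_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM);
  } else {
    str snicertfile = {0};
    str snikeyfile = {0};
    str snidns = {0};

    wrap_str(str_copys(&snidns, dnsname));
    str_lower(&snidns);	/* directory and file names are all lower case */

    wrap_str(str_copyf(&snicertfile, "s{/}S{/}S{.crt}", certdir, &snidns, &snidns));
    wrap_str(str_copyf(&snikeyfile, "s{/}S{/}S{.key}", certdir, &snidns, &snidns));
    if (!access(snicertfile.s, R_OK)) {
      if (access(snikeyfile.s, R_OK))
	wrap_str(str_copy(&snikeyfile, &snicertfile));	/* no .key file: key is in the .crt */

      ret = gnutls_certificate_set_x509_key_file(x509_cred, snicertfile.s, snikeyfile.s, GNUTLS_X509_FMT_PEM);
      msgf("{Using SNI cert file for }S", &snidns);
      session_setstr("tls_sni", snidns.s);
    } else {
      msgf("{No SNI cert for }S{, using default}", &snidns);
      ret = gnutls_certificate_set_x509_key_file(x509_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM);
    }
    str_free(&snidns);
    str_free(&snicertfile);
    str_free(&snikeyfile);
  }

  if (ret != GNUTLS_E_SUCCESS) {
    msg2("SNI TLS certificate init failed: ", gnutls_strerror(ret));
    gnutls_certificate_free_credentials(x509_cred);
    return 0;
  }

  /* replaces the credentials attached by starttls_init(); those are left
   * alone here since the session presumably still references them */
  ret = gnutls_credentials_set(gsession, GNUTLS_CRD_CERTIFICATE, x509_cred);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("SNI TLS credentials init failed: ", gnutls_strerror(ret));
    gnutls_certificate_free_credentials(x509_cred);
  }

  return 0;
}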

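/*
 * load_dh_params: read the PKCS#3 PEM file dhfile and attach its DH
 * parameters to cred.  Returns 1 on success, 0 (after logging) on failure.
 */
static int load_dh_params(gnutls_certificate_credentials_t cred, const char *dhfile)
{
  str data = {0};
  gnutls_datum_t params;
  gnutls_dh_params_t dh_params;
  int ret;

  if (!ibuf_openreadclose(dhfile, &data)) {
    msg2("TLS error reading DH params: ", strerror(errno));
    return 0;
  }
  params.data = (unsigned char*)data.s;
  params.size = data.len;

  ret = gnutls_dh_params_init(&dh_params);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS error initializing DH params: ", gnutls_strerror(ret));
    str_free(&data);
    return 0;
  }
  ret = gnutls_dh_params_import_pkcs3(dh_params, &params, GNUTLS_X509_FMT_PEM);
  str_free(&data);		/* the import parses the PEM into dh_params; the file text is no longer needed */
  if (ret < 0) {
    msg2("TLS error parsing DH params: ", gnutls_strerror(ret));
    gnutls_dh_params_deinit(dh_params);
    return 0;
  }
  gnutls_certificate_set_dh_params(cred, dh_params);
  /* Don't deinit the dh_params, since the above only stores a pointer to the params. */
  return 1;
}

/*
 * Set up TLS from the environment; called once at startup.
 *
 *   TLS_CERTFILE / TLS_KEYFILE  default certificate and key (PEM); keyfile
 *                               defaults to certfile.  Without a certfile
 *                               TLS simply stays unavailable.
 *   TLS_CERTDIR                 per-SNI-name certificate tree; when set,
 *                               starttls_cert_callback is registered
 *   TLS_PRIORITY                GnuTLS priority string, default "NORMAL"
 *   TLS_DH_PARAMS               PKCS#3 PEM file with DH parameters
 *   TLS_COMPAT                  enable GnuTLS compatibility mode
 *   TLS_IMMEDIATE               run the handshake right away; exit(1) if it fails
 *
 * Always returns NULL (there is no response to emit).  Failures are logged
 * with msg2, the partially built session/credentials are released, and
 * tls_available stays 0.
 */
const response* starttls_init(void)
{
  int ret;
  gnutls_certificate_credentials_t x509_cred;
  const char *my_priority = getenv("TLS_PRIORITY");
  const char* dhfile = getenv("TLS_DH_PARAMS");

  certfile = getenv("TLS_CERTFILE");
  keyfile = getenv("TLS_KEYFILE");
  certdir = getenv("TLS_CERTDIR");

  if (keyfile == NULL)
    keyfile = certfile;		/* key may live in the certificate file */

  /* no certificate configured: TLS is simply not offered */
  if (certfile == NULL || *certfile == 0 || keyfile == NULL || *keyfile == 0)
    return NULL;

  ret = gnutls_global_init();
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS global init failed: ", gnutls_strerror(ret));
    return NULL;
  }

  ret = gnutls_certificate_allocate_credentials(&x509_cred);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS credentials alloc failed: ", gnutls_strerror(ret));
    return NULL;
  }
  ret = gnutls_certificate_set_x509_key_file(x509_cred, certfile, keyfile, GNUTLS_X509_FMT_PEM);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS certificate init failed: ", gnutls_strerror(ret));
    goto fail_cred;
  }

  ret = gnutls_init(&gsession, GNUTLS_SERVER);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS init failed: ", gnutls_strerror(ret));
    goto fail_cred;
  }

  if (!my_priority)
    my_priority = "NORMAL";
  ret = gnutls_priority_set_direct(gsession, my_priority, NULL);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS priority error: ", gnutls_strerror(ret));
    goto fail_session;
  }

  if (dhfile != NULL && !load_dh_params(x509_cred, dhfile))
    goto fail_session;

  /* per-name certificates: let the handshake pick one once SNI is known */
  if (certdir && *certdir)
    gnutls_certificate_set_retrieve_function2(x509_cred, &starttls_cert_callback);

  ret = gnutls_credentials_set(gsession, GNUTLS_CRD_CERTIFICATE, x509_cred);
  if (ret != GNUTLS_E_SUCCESS) {
    msg2("TLS credentials init failed: ", gnutls_strerror(ret));
    goto fail_session;
  }

  if (getenv("TLS_COMPAT") != NULL)
    /* Set maximum compatibility mode. */
    gnutls_session_enable_compatibility_mode(gsession);

  tls_available = 1;

  if (getenv("TLS_IMMEDIATE")) {
    if (!starttls_start())
      exit(1);		/* not much else to do */
  }
  return NULL;

fail_session:
  gnutls_deinit(gsession);
  gsession = NULL;
fail_cred:
  gnutls_certificate_free_credentials(x509_cred);
  return NULL;
}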

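/*
 * The GnuTLS *_get_name() lookups are documented to return NULL when
 * there is no name for a value; substitute a fixed placeholder so the
 * format string and session strings below never see a NULL pointer.
 */
static const char *name_or_unknown(const char *name)
{
  return name != NULL ? name : "unknown";
}

/*
 * get negotiated session parameters and set session strings: the
 * protocol, key exchange, cipher and MAC names are logged as one line and
 * stored as tls_params (the space-joined line), tls_protocol, tls_keyex,
 * tls_cipher and tls_mac.
 */
static void set_tlsparams(void)
{
  const char* protocol = name_or_unknown(gnutls_protocol_get_name(gnutls_protocol_get_version(gsession)));
  const char* keyex = name_or_unknown(gnutls_kx_get_name(gnutls_kx_get(gsession)));
  const char* cipher = name_or_unknown(gnutls_cipher_get_name(gnutls_cipher_get(gsession)));
  const char* mac = name_or_unknown(gnutls_mac_get_name(gnutls_mac_get(gsession)));
  str tlsparams = {0};

  wrap_str(str_copyf(&tlsparams, "s{ }s{ }s{ }s", protocol, keyex, cipher, mac));
  msg2("TLS handshake: ", tlsparams.s);
  session_setstr("tls_params", tlsparams.s);
  str_free(&tlsparams);
  session_setstr("tls_protocol", protocol);
  session_setstr("tls_keyex", keyex);
  session_setstr("tls_cipher", cipher);
  session_setstr("tls_mac", mac);
}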

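/*
 * Switch this connection to TLS: save the plaintext inbuf/outbuf, point
 * inbuf/outbuf at tlsread/tlswrite, hand the saved streams to gnutls as
 * its transport (llread/llwrite) and run the server handshake.
 *
 * Returns 1 on success (set_tlsparams then fills the session strings).
 * Returns 0 when called a second time, or when the handshake fails; in
 * that case the session is freed, TLS is marked unavailable and the
 * plaintext streams are put back so no later I/O goes through the freed
 * session.  Presumably the caller ends the SMTP session after a failed
 * STARTTLS — confirm: carrying on in plaintext would let bytes the client
 * sent behind the STARTTLS command be read as commands (the CVE-2011-0411
 * pattern noted below).
 */
int starttls_start(void)
{
  static int didstarttls = 0;
  int ret;

  /* STARTTLS must be the last command in a pipeline, but too bad.
   * I don't think CVE-2011-0411 applies since the TLS handshake
   * consumes whatever follows the STARTTLS command  */

  if (didstarttls) {
    msg2("TLS already started: ", "ignoring repeated starttls_start");
    return 0;
  }
  didstarttls = 1;

  /* save input and output to feed into TLS engine via llread and llwrite */
  realinbuf = inbuf;
  realoutbuf = outbuf;

  /* Re-initialize input and output to use our local TLS-ized I/O */
  ibuf_init(&inbuf, -1, (ibuf_fn)tlsread, 0, 0);
  obuf_init(&outbuf, -1, (obuf_fn)tlswrite, 0, 0);

  gnutls_transport_set_pull_function(gsession, (gnutls_pull_func)llread);
  gnutls_transport_set_push_function(gsession, (gnutls_push_func)llwrite);

  msg1("Starting TLS handshake");

  ret = gnutls_handshake(gsession);
  if (ret < 0) {
    msg2("TLS handshake failed: ", gnutls_strerror(ret));
    gnutls_deinit(gsession);
    gsession = NULL;		/* tlsread/tlswrite must never touch the freed session */
    tls_available = 0;
    /* back to the plaintext streams; the TLS-ized inbuf/outbuf are abandoned */
    inbuf = realinbuf;
    outbuf = realoutbuf;
    return 0;
  }
  set_tlsparams();
  return 1;
}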

/*
 * Report whether TLS can be offered: the flag starttls_init() sets at the
 * end of a successful setup and starttls_disable() clears.
 */
int starttls_available(void)
{
  const int flag = tls_available;
  return flag;
}

/*
 * Stop offering TLS for the rest of this session by clearing the flag
 * that starttls_available() reports.
 */
void starttls_disable(void)
{
  const int off = 0;
  tls_available = off;
}
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 30 Jan 2019 04:10:07 -0000
Message-Id: <df33594a5264660256cdfe88a366101d@choon.net>

Hi John,

On 2019-01-30 12:03, John Levine wrote:
> On Wed, 30 Jan 2019, Giam Teck Choon wrote:
>>> If anyone else wants it, let me know.  It's not a big deal.  I added
>>> 90 lines to the existing 223 in starttls-gnutls.c, which includes
>>> checking for error conditions I forgot to check before.
>> 
>> I want it please.
> 
> Here it is, updated starttls-gnutls.c

Got it. Thanks a lot.

Kindest regards,
Giam Teck Choon
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 8 Feb 2019 01:01:43 -0000
Message-Id: <124fd0d39b164a5b2c20a31f61a40672@choon.net>

On 2019-01-30 12:10, Giam Teck Choon wrote:
Hi John,

> On 2019-01-30 12:03, John Levine wrote:
>> On Wed, 30 Jan 2019, Giam Teck Choon wrote:
>>>> If anyone else wants it, let me know.  It's not a big deal.  I added
>>>> 90 lines to the existing 223 in starttls-gnutls.c, which includes
>>>> checking for error conditions I forgot to check before.
>>> 
>>> I want it please.
>> 
>> Here it is, updated starttls-gnutls.c
> 
> Got it. Thanks a lot.

I used your starttls-gnutls.c and encountered problems when TLS_CERTDIR 
is set: regardless of whether the SNI cert/key files exist, it shows the 
following errors:

The run below was supposed to use the default TLS_CERTFILE and TLS_KEYFILE 
because the SNI cert/key files were not found:

@400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
@400000005c5bdf89185df7ec mailfront[20072]: No SNI in request, using 
default certificate
@400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed: Could 
not negotiate a supported cipher suite.

The run below was supposed to use the SNI cert/key files (which exist) 
since TLS_CERTDIR is set. I patched your starttls-gnutls.c to log the SNI 
key/cert files:

@400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
@400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file for 
rat.choon.net
@400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile 
/var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
@400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile 
/var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
@400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed: Could 
not negotiate a supported cipher suite.

If TLS_CERTDIR not set then everything working to use TLS_CERTFILE and 
TLS_KEYFILE.

System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and gnutls 
version/release is 3.3.29-8.el7.

Thanks for the file, and for any suggestions that would help me get SNI 
working on my system.

Kindest regards,
Giam Teck Choon
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: "John R. Levine" ####@####.####
Date: 8 Feb 2019 01:08:53 -0000
Message-Id: <alpine.OSX.2.21.1902072006380.47818@ary.qy>

Hard to say.  It works fine on my FreeBSD system, and I can't think of any 
obvious differences between BSD and Centos.  I assume you've checked the 
directory and file permissions, and your mailfront daemon can read both 
the .crt and the .key files?

> I used your starttls-gnutls.c and encountered problems when TLS_CERTDIR is 
> set and regardless SNI cert/key file exists will show the following errors:
>
> The below error suppose to use the default TLS_CERTFILE and TLS_KEYFILE when 
> SNI cert/key files not found:
>
> @ 400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
> @ 400000005c5bdf89185df7ec mailfront[20072]: No SNI in request, using 
> default certificate
> @ 400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed: Could 
> not negotiate a supported cipher suite.
>
> The below error suppose to use the SNI cert/key files (when exists) when 
> TLS_CERTDIR is set. I patched your starttls-gnutls.c to show the SNI key/cert 
> files:
>
> @ 400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
> @ 400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file for 
> rat.choon.net
> @ 400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile 
> /var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
> @ 400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile 
> /var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
> @ 400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed: Could 
> not negotiate a supported cipher suite.
>
> If TLS_CERTDIR not set then everything working to use TLS_CERTFILE and 
> TLS_KEYFILE.
>
> System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and gnutls 
> version/release is 3.3.29-8.el7.
>
> Thanks for file and any suggestions I can get to make SNI work in my system.
>
> Kindest regards,
> Giam Teck Choon
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ####@####.####
> For additional commands, e-mail: ####@####.####
>
>
>

Regards,
John Levine, ####@####.#### Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 8 Feb 2019 01:27:31 -0000
Message-Id: <f59918ac367432299a1827000917e980@choon.net>

Hi John,

Thanks a lot for taking time to reply.

On 2019-02-08 09:08, John R. Levine wrote:
> Hard to say.  It works fine on my FreeBSD system, and I can't think of
> any obvious differences between BSD and Centos.  I assume you've
> checked the directory and file permissions, and your mailfront daemon
> can read both the .crt and the .key files?

There is no permission and/or ownership issues related to those 
.crt/.key files as one of my testing is to set TLS_CERTFILE/TLS_KEYFILE 
to the same SNI cert/keyfile.

Once again, thanks.

Kindest regards,
Giam Teck Choon

> 
>> I used your starttls-gnutls.c and encountered problems when 
>> TLS_CERTDIR is set and regardless SNI cert/key file exists will show 
>> the following errors:
>> 
>> The below error suppose to use the default TLS_CERTFILE and 
>> TLS_KEYFILE when SNI cert/key files not found:
>> 
>> @ 400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
>> @ 400000005c5bdf89185df7ec mailfront[20072]: No SNI in request, using 
>> default certificate
>> @ 400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed: 
>> Could not negotiate a supported cipher suite.
>> 
>> The below error suppose to use the SNI cert/key files (when exists) 
>> when TLS_CERTDIR is set. I patched your starttls-gnutls.c to show the 
>> SNI key/cert files:
>> 
>> @ 400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
>> @ 400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file 
>> for rat.choon.net
>> @ 400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile 
>> /var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
>> @ 400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile 
>> /var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
>> @ 400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed: 
>> Could not negotiate a supported cipher suite.
>> 
>> If TLS_CERTDIR not set then everything working to use TLS_CERTFILE and 
>> TLS_KEYFILE.
>> 
>> System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and 
>> gnutls version/release is 3.3.29-8.el7.
>> 
>> Thanks for file and any suggestions I can get to make SNI work in my 
>> system.
>> 
>> Kindest regards,
>> Giam Teck Choon
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ####@####.####
>> For additional commands, e-mail: ####@####.####
>> 
>> 
>> 
> 
> Regards,
> John Levine, ####@####.#### Primary Perpetrator of "The Internet for 
> Dummies",
> Please consider the environment before reading this e-mail. 
> https://jl.ly
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ####@####.####
> For additional commands, e-mail: ####@####.####
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 10 Feb 2019 13:03:40 -0000
Message-Id: <7fdba39613af002470a588fc501f2d92@choon.net>

Hi John,

Many thanks for your kind assistance and precious time.

I have made the SNI work by using 
gnutls_handshake_set_post_client_hello_function() instead.  Attached is 
my modified starttls-gnutls.c for your review and comments (if any).

Greatly appreciated!

Once again, thanks.

Kindest regards,
Giam Teck Choon


On 2019-02-08 09:27, Giam Teck Choon wrote:
> Hi John,
> 
> Thanks a lot for taking time to reply.
> 
> On 2019-02-08 09:08, John R. Levine wrote:
>> Hard to say.  It works fine on my FreeBSD system, and I can't think of
>> any obvious differences between BSD and Centos.  I assume you've
>> checked the directory and file permissions, and your mailfront daemon
>> can read both the .crt and the .key files?
> 
> There is no permission and/or ownership issues related to those
> .crt/.key files as one of my testing is to set
> TLS_CERTFILE/TLS_KEYFILE to the same SNI cert/keyfile.
> 
> Once again, thanks.
> 
> Kindest regards,
> Giam Teck Choon
> 
>> 
>>> I used your starttls-gnutls.c and encountered problems when 
>>> TLS_CERTDIR is set and regardless SNI cert/key file exists will show 
>>> the following errors:
>>> 
>>> The below error suppose to use the default TLS_CERTFILE and 
>>> TLS_KEYFILE when SNI cert/key files not found:
>>> 
>>> @ 400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
>>> @ 400000005c5bdf89185df7ec mailfront[20072]: No SNI in request, using 
>>> default certificate
>>> @ 400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed: 
>>> Could not negotiate a supported cipher suite.
>>> 
>>> The below error suppose to use the SNI cert/key files (when exists) 
>>> when TLS_CERTDIR is set. I patched your starttls-gnutls.c to show the 
>>> SNI key/cert files:
>>> 
>>> @ 400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
>>> @ 400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file 
>>> for rat.choon.net
>>> @ 400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile 
>>> /var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
>>> @ 400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile 
>>> /var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
>>> @ 400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed: 
>>> Could not negotiate a supported cipher suite.
>>> 
>>> If TLS_CERTDIR not set then everything working to use TLS_CERTFILE 
>>> and TLS_KEYFILE.
>>> 
>>> System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and 
>>> gnutls version/release is 3.3.29-8.el7.
>>> 
>>> Thanks for file and any suggestions I can get to make SNI work in my 
>>> system.
>>> 
>>> Kindest regards,
>>> Giam Teck Choon
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: ####@####.####
>>> For additional commands, e-mail: ####@####.####
>>> 
>>> 
>>> 
>> 
>> Regards,
>> John Levine, ####@####.#### Primary Perpetrator of "The Internet for 
>> Dummies",
>> Please consider the environment before reading this e-mail. 
>> https://jl.ly
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ####@####.####
>> For additional commands, e-mail: ####@####.####
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ####@####.####
> For additional commands, e-mail: ####@####.####

[Content type text/x-c not shown. Download]
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: Giam Teck Choon ####@####.####
Date: 10 Feb 2019 14:53:21 -0000
Message-Id: <c127f77e81fac82eea3e39524f9974cb@choon.net>

Hi,

Sorry, I forgot to str_free snicertfile and snikeyfile, so the updated 
file is attached.

Thanks.

Kindest regards,
Giam Teck Choon


On 2019-02-10 21:03, Giam Teck Choon wrote:
> Hi John,
> 
> Many thanks for your kind assistance and precious time.
> 
> I have made the SNI work by using
> gnutls_handshake_set_post_client_hello_function() instead.  Attached
> is my modified starttls-gnutls.c for your review and comments (if
> any).
> 
> Greatly appreciated!
> 
> Once again, thanks.
> 
> Kindest regards,
> Giam Teck Choon
> 
> 
> On 2019-02-08 09:27, Giam Teck Choon wrote:
>> Hi John,
>> 
>> Thanks a lot for taking time to reply.
>> 
>> On 2019-02-08 09:08, John R. Levine wrote:
>>> Hard to say.  It works fine on my FreeBSD system, and I can't think 
>>> of
>>> any obvious differences between BSD and Centos.  I assume you've
>>> checked the directory and file permissions, and your mailfront daemon
>>> can read both the .crt and the .key files?
>> 
>> There is no permission and/or ownership issues related to those
>> .crt/.key files as one of my testing is to set
>> TLS_CERTFILE/TLS_KEYFILE to the same SNI cert/keyfile.
>> 
>> Once again, thanks.
>> 
>> Kindest regards,
>> Giam Teck Choon
>> 
>>> 
>>>> I used your starttls-gnutls.c and encountered problems when 
>>>> TLS_CERTDIR is set and regardless SNI cert/key file exists will show 
>>>> the following errors:
>>>> 
>>>> The below error suppose to use the default TLS_CERTFILE and 
>>>> TLS_KEYFILE when SNI cert/key files not found:
>>>> 
>>>> @ 400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
>>>> @ 400000005c5bdf89185df7ec mailfront[20072]: No SNI in request, 
>>>> using default certificate
>>>> @ 400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed: 
>>>> Could not negotiate a supported cipher suite.
>>>> 
>>>> The below error suppose to use the SNI cert/key files (when exists) 
>>>> when TLS_CERTDIR is set. I patched your starttls-gnutls.c to show 
>>>> the SNI key/cert files:
>>>> 
>>>> @ 400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
>>>> @ 400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file 
>>>> for rat.choon.net
>>>> @ 400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile 
>>>> /var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
>>>> @ 400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile 
>>>> /var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
>>>> @ 400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed: 
>>>> Could not negotiate a supported cipher suite.
>>>> 
>>>> If TLS_CERTDIR not set then everything working to use TLS_CERTFILE 
>>>> and TLS_KEYFILE.
>>>> 
>>>> System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and 
>>>> gnutls version/release is 3.3.29-8.el7.
>>>> 
>>>> Thanks for file and any suggestions I can get to make SNI work in my 
>>>> system.
>>>> 
>>>> Kindest regards,
>>>> Giam Teck Choon
>>>> 
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: ####@####.####
>>>> For additional commands, e-mail: ####@####.####
>>>> 
>>>> 
>>>> 
>>> 
>>> Regards,
>>> John Levine, ####@####.#### Primary Perpetrator of "The Internet for 
>>> Dummies",
>>> Please consider the environment before reading this e-mail. 
>>> https://jl.ly
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: ####@####.####
>>> For additional commands, e-mail: ####@####.####
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: ####@####.####
>> For additional commands, e-mail: ####@####.####
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: ####@####.####
> For additional commands, e-mail: ####@####.####

[Content type text/x-c not shown. Download]
Subject: Re: [bgware] SNI on STARTTLS in mailfront
From: "John R. Levine" ####@####.####
Date: 10 Feb 2019 18:36:51 -0000
Message-Id: <alpine.OSX.2.21.1902101335430.9180@ary.qy>

> Sorry, forgot to str_free for snicertfile and snikeyfile so attached is the 
> updated file.

I tried it, works fine.  I see you also fixed a few minor bugs in my code.

I don't know why the callback you're using works better than the one I was 
using, but I don't see any reason not to use yours if you say it works 
better on your system.

R's,
John

> On 2019-02-10 21:03, Giam Teck Choon wrote:
>>  Hi John,
>>
>>  Many thanks for your kind assistance and precious time.
>>
>>  I have made the SNI work by using
>>  gnutls_handshake_set_post_client_hello_function() instead.  Attached
>>  is my modified starttls-gnutls.c for your review and comments (if
>>  any).
>>
>>  Greatly appreciated!
>>
>>  Once again, thanks.
>>
>>  Kindest regards,
>>  Giam Teck Choon
>>
>>
>>  On 2019-02-08 09:27, Giam Teck Choon wrote:
>>>  Hi John,
>>>
>>>  Thanks a lot for taking time to reply.
>>>
>>>  On 2019-02-08 09:08, John R. Levine wrote:
>>>>  Hard to say.  It works fine on my FreeBSD system, and I can't think of
>>>>  any obvious differences between BSD and Centos.  I assume you've
>>>>  checked the directory and file permissions, and your mailfront daemon
>>>>  can read both the .crt and the .key files?
>>>
>>>  There is no permission and/or ownership issues related to those
>>>  .crt/.key files as one of my testing is to set
>>>  TLS_CERTFILE/TLS_KEYFILE to the same SNI cert/keyfile.
>>>
>>>  Once again, thanks.
>>>
>>>  Kindest regards,
>>>  Giam Teck Choon
>>>
>>>>
>>>>>  I used your starttls-gnutls.c and encountered problems when TLS_CERTDIR
>>>>>  is set and regardless SNI cert/key file exists will show the following
>>>>>  errors:
>>>>>
>>>>>  The below error suppose to use the default TLS_CERTFILE and TLS_KEYFILE
>>>>>  when SNI cert/key files not found:
>>>>> 
>>>>> @  400000005c5bdf89185de07c mailfront[20072]: Starting TLS handshake
>>>>> @  400000005c5bdf89185df7ec mailfront[20072]: No SNI in request,
>>>>>  using default certificate
>>>>> @  400000005c5bdf89185dffbc mailfront[20072]: TLS handshake failed:
>>>>>  Could not negotiate a supported cipher suite.
>>>>>
>>>>>  The below error suppose to use the SNI cert/key files (when exists)
>>>>>  when TLS_CERTDIR is set. I patched your starttls-gnutls.c to show the
>>>>>  SNI key/cert files:
>>>>> 
>>>>> @  400000005c5bdf91377adf8c mailfront[20075]: Starting TLS handshake
>>>>> @  400000005c5bdf9137d23ad4 mailfront[20075]: Using SNI cert/key file
>>>>>  for rat.choon.net
>>>>> @  400000005c5bdf9137d24a74 mailfront[20075]: SNI certfile
>>>>>  /var/qmail/ssl/rat.choon.net/rat.choon.net.crt for rat.choon.net
>>>>> @  400000005c5bdf9137d25244 mailfront[20075]: SNI keyfile
>>>>>  /var/qmail/ssl/rat.choon.net/rat.choon.net.key for rat.choon.net
>>>>> @  400000005c5bdf9137d25a14 mailfront[20075]: TLS handshake failed:
>>>>>  Could not negotiate a supported cipher suite.
>>>>>
>>>>>  If TLS_CERTDIR not set then everything working to use TLS_CERTFILE and
>>>>>  TLS_KEYFILE.
>>>>>
>>>>>  System is CentOS 7. openssl version/release is 1.0.2k-16.el7 and gnutls
>>>>>  version/release is 3.3.29-8.el7.
>>>>>
>>>>>  Thanks for file and any suggestions I can get to make SNI work in my
>>>>>  system.
>>>>>
>>>>>  Kindest regards,
>>>>>  Giam Teck Choon
>>>>>
>>>>>  ---------------------------------------------------------------------
>>>>>  To unsubscribe, e-mail: ####@####.####
>>>>>  For additional commands, e-mail: ####@####.####
>>>>>
>>>>>
>>>>>
>>>>
>>>>  Regards,
>>>>  John Levine, ####@####.#### Primary Perpetrator of "The Internet for
>>>>  Dummies",
>>>>  Please consider the environment before reading this e-mail.
>>>>  https://jl.ly
>>>>
>>>>  ---------------------------------------------------------------------
>>>>  To unsubscribe, e-mail: ####@####.####
>>>>  For additional commands, e-mail: ####@####.####
>>>
>>>  ---------------------------------------------------------------------
>>>  To unsubscribe, e-mail: ####@####.####
>>>  For additional commands, e-mail: ####@####.####
>>
>>
>>  ---------------------------------------------------------------------
>>  To unsubscribe, e-mail: ####@####.####
>>  For additional commands, e-mail: ####@####.####
>

Regards,
John Levine, ####@####.#### Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly