From: "Jan C." on
On Wed, Jun 9, 2010 at 6:35 PM, Victor Duchovni
<Victor.Duchovni(a)morganstanley.com> wrote:
> Probably, although I don't think we've reached a final decision yet...
> My preference is to not trust some random list of CAs that came with the
> O/S OpenSSL package when the user specifies an explicit CAfile/CApath,
> but this would be an incompatible change.
>
> In my case, the OpenSSL package I use is built by me, and has an empty
> default list of trusted CAs, so I never notice the extra default certs.
>

ok, could you please point me to the place where one can set those
paths while building OpenSSL ?

Jan

From: Wietse Venema on
Victor Duchovni:
> On Wed, Jun 09, 2010 at 11:25:50AM -0400, Wietse Venema wrote:
>
> > > to sum it up, when smtp_tls_CApath is not empty, CAs from
> > > /etc/ssl/certs are trusted regardless the value of smtp_tls_CApath.
>
> This is done primarily by OpenSSL, but as Wietse observes:
>
> > Victor will have to confirm or deny this, but we may have to update
> > the main code in function tls_set_ca_certificate_info():
> >
> > if (CAfile || CApath) {
> > if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
> > msg_info("cannot load Certificate Authority data: "
> > "disabling TLS support");
> > tls_print_errors();
> > return (-1);
> > }
> > + } else {
> > if (!SSL_CTX_set_default_verify_paths(ctx)) {
> > msg_info("cannot set certificate verification paths: "
> > "disabling TLS support");
> > tls_print_errors();
> > return (-1);
> > }
> > }
>
> We could make this change, but it would be an incompatibility with past
> behaviour. This code dates back to the original TLS patch for Postfix
> releases prior to 2.1, and augments the default system CA paths, instead
> of replacing them.
>
> I guess our documentation has never promised the use of system CAs when
> CApath or CAfile are set, failing to override the system settings is
> counter-intuitive, so I can support this change. We'll also have to
> document the semantics of "CAfile == CApath == <empty>".

The empty setting would correspond with the default system-supplied
CA certificates.

There is at least one Postfix feature that relies on the ability
to override the default system-supplied CA certificates:

permit_tls_all_clientcerts
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a spe-
cial CA issues the certificates and only this CA is listed as
trusted CA, otherwise all clients with a recognized certificate
would be allowed to relay. This feature is available with Post-
fix version 2.2.

It would seem then that permit_tls_all_clientcerts is broken.

What else would be broken by the current practice of always including
the default CA certificates? If there is nothing else, then most
sites would not be affected, but a lot of sites could be at risk of
breaking when we change the CAfile/CApath behavior.

Therefore it would be desirable to provide a compatibility switch
that is "incompatible" for Postfix 2.8 and "compatible" for the
earlier releases.

Wietse

From: Victor Duchovni on
On Wed, Jun 09, 2010 at 01:34:53PM -0400, Wietse Venema wrote:

> > I guess our documentation has never promised the use of system CAs when
> > CApath or CAfile are set, failing to override the system settings is
> > counter-intuitive, so I can support this change. We'll also have to
> > document the semantics of "CAfile == CApath == <empty>".
>
> The empty setting would correspond with the default system-supplied
> CA certificates.
>
> There is at least one Postfix feature that relies on the ability
> to override the default system-supplied CA certificates:
>
> permit_tls_all_clientcerts
> Permit the request when the remote SMTP client certificate is
> verified successfully. This option must be used only if a spe-
> cial CA issues the certificates and only this CA is listed as
> trusted CA, otherwise all clients with a recognized certificate
> would be allowed to relay. This feature is available with Post-
> fix version 2.2.

Good point, oops! This too pre-dates Postfix 2.2, but it is rather unsafe
when the default system CA list includes all the usual suspects.

> It would seem then that permit_tls_all_clientcerts is broken.

Yes, for Postfix distributions where the vendor helpfully populates the
OpenSSL "ssl/certs/" directory.

> What else would be broken by the current practice of always including
> the default CA certificates? If there is nothing else, then most
> sites would not be affected, but a lot of sites could be at risk of
> breaking when we change the CAfile/CApath behavior.

Trusting unwanted CAs on the server side means:

1. The "Received:" header (Client CN, ... verified OK) could
be misleading.

2. The "smtpd_tls_req_ccert" feature may be more permissive
than desired.

3. As you observed "permit_tls_all_clientcerts" is unsafe.

4. Policy service requests may pass client CNs that are not
intended to be trusted.

5. Milters may process the client subject and issuer CN.

On the client side, we only use server certificates for destinations
with a "verify" or "secure" policy, so here the risk is MITM if one
of the public CAs issues certs that one has good cause to not trust.

> Therefore it would be desirable to provide a compatibility switch
> that is "incompatible" for Postfix 2.8 and "compatible" for the
> earlier releases.

Works for me. And of course a new warning in the
"permit_tls_all_clientcerts" postconf(5) entry.

--
Viktor.

From: Wietse Venema on
Victor Duchovni:
> I guess our documentation has never promised the use of system CAs when
> CApath or CAfile are set, failing to override the system settings is
> counter-intuitive, so I can support this change. We'll also have to
> document the semantics of "CAfile == CApath == <empty>".

Why do we have to document or change Postfix default behavior?

Default Postfix behavior (empty CAfile and CApath) is a NOOP.
Postfix calls neither SSL_CTX_load_verify_locations() nor
SSL_CTX_set_default_verify_paths().

First, I don't see why we should change Postfix default behavior:
the problem is with non-default settings.

Second, I don't see how we could document existing Postfix default
behavior (empty CAfile and CApath), when that behavior is not
defined by the OpenSSL API.

OpenSSL source code does not count as a definition, nor do words
from OpenSSL programmers or code examples. They can change program
behavior because they are not bound by the contract of an API.

Wietse

From: Victor Duchovni on
On Wed, Jun 09, 2010 at 07:41:51PM -0400, Wietse Venema wrote:

> Victor Duchovni:
> > I guess our documentation has never promised the use of system CAs when
> > CApath or CAfile are set, failing to override the system settings is
> > counter-intuitive, so I can support this change. We'll also have to
> > document the semantics of "CAfile == CApath == <empty>".
>
> Why do we have to document or change Postfix default behavior?

Sorry, failed to look at the code closely. We can leave the default
behaviour alone.

--
Viktor.