
Mandatory TLS + Client Certificate


Mark A. Richman
Oct 18, 2008, 4:53:28 PM
I am trying to set up postfix with mandatory TLS + client certificate.

I used TinyCA to create a test CA and client cert. Then, I connected
with those certs:

openssl s_client -connect markrichman.com:587 -starttls smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert macpro.local-client-cert.pem

I get error: "421 4.7.1 dev.markrichman.com Error: No client
certificate presented"

Is this because my .pem files require passwords, or because I haven't
trusted them on my target postfix server?

This is the full conversation:

macpro:~ mark$ openssl s_client -connect markrichman.com:587 -starttls
smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert
macpro.local-client-cert.pem
Enter PEM pass phrase:
CONNECTED(00000003)
depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
i:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
---
Server certificate
subject=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
issuer=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
---
No client certificate CA names sent
---
SSL handshake has read 1499 bytes and written 347 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID:
D2AD22703335CE68D7A33EEC9E720F161F7A66754DF565C87FE746DB34D5BA9C
Session-ID-ctx:
Master-Key:
307399617E5AD53BE27607A2CEB9C95DA3B23F3AB3AB2D6B0530200589586E68126A94B1C558A656695FBA92DB
Key-Arg : None
Start Time: 1224362418
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
250-dev.markrichman.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
ehlo dev.markrichman.com
421 4.7.1 dev.markrichman.com Error: No client certificate presented
read:errno=0

Henri Hennebert
Oct 21, 2008, 8:19:27 AM
to Mark A. Richman
Mark A. Richman wrote:
> I am trying to set up postfix with mandatory TLS + client certificate.
>
> I used TinyCA to create a test CA and client cert. Then, I connected
> with those certs: openssl s_client -connect markrichman.com:587 -
> starttls smtp -CAfile TestCA-cacert.pem -key macpro.local-client-
> key.pem -cert macpro.local-client-cert.pem
>
> I get error: "421 4.7.1 dev.markrichman.com Error: No client
> certificate presented"
>
> Is this because my .pem files require passwords, or that i haven't
> trusted them on my target postfix server?
>
> This is the full conversation:
>
> macpro:~ mark$ openssl s_client -connect markrichman.com:587 -starttls
> smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert
> macpro.local-client-cert.pem
> Enter PEM pass phrase:
> CONNECTED(00000003)
> depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> OU=Development/CN=Mark A. Richman/emailAddress=ma...@markrichman.com
> verify error:num=18:self signed certificate
> verify return:1
You present a self-signed certificate. This seems to be the problem.

If the cert is signed by the CAfile TestCA-cacert.pem it works for me.

On my postfix server I have:


smtpd_recipient_restrictions =
         permit_mynetworks
         permit_tls_clientcerts
         reject_unauth_destination
         reject_unknown_sender_domain
         check_policy_service unix:private/policy

smtpd_tls_ask_ccert = yes
smtpd_tls_security_level = may
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/ca.crt
smtpd_tls_key_file = /usr/local/etc/postfix/certs/tignes.KEY
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/tignes.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
relay_clientcerts = hash:/usr/local/etc/postfix/clientcerts
smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache


And on the client I use -CAfile ca.crt (same as on the server) and a
cert signed with the key associated with this ca.crt.


Henri

Mark A. Richman
Oct 21, 2008, 8:29:34 AM
On Oct 21, 8:19 am, Henri Hennebert <h...@restart.be> wrote:
> Mark A. Richman wrote:
> > I am trying to set up postfix with mandatory TLS + client certificate.
>
> > I used TinyCA to create a test CA and client cert. Then, I connected
> > with those certs: openssl s_client -connect markrichman.com:587 -
> > starttls smtp -CAfile TestCA-cacert.pem -key macpro.local-client-
> > key.pem -cert macpro.local-client-cert.pem
>
> > I get error: "421 4.7.1 dev.markrichman.com Error: No client
> > certificate presented"
>
> > Is this because my .pem files require passwords, or that i haven't
> > trusted them on my target postfix server?
>
> > This is the full conversation:
>
> > macpro:~ mark$ openssl s_client -connect markrichman.com:587 -starttls
> > smtp -CAfile TestCA-cacert.pem -key macpro.local-client-key.pem -cert
> > macpro.local-client-cert.pem
> > Enter PEM pass phrase:
> > CONNECTED(00000003)
> > depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com

> > verify error:num=18:self signed certificate
> > verify return:1
>
> You present a self-signed certificate. This seems to be the problem.
>
> If the cert is signed by the CAfile TestCA-cacert.pem it works for me.
>
> On my postfix server I have:
>
> smtpd_recipient_restrictions =
>          permit_mynetworks
>          permit_tls_clientcerts
>          reject_unauth_destination
>          reject_unknown_sender_domain
>          check_policy_service unix:private/policy
>
> smtpd_tls_ask_ccert = yes
> smtpd_tls_security_level = may
> smtpd_tls_CAfile = /usr/local/etc/postfix/certs/ca.crt
> smtpd_tls_key_file = /usr/local/etc/postfix/certs/tignes.KEY
> smtpd_tls_cert_file = /usr/local/etc/postfix/certs/tignes.crt
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> relay_clientcerts = hash:/usr/local/etc/postfix/clientcerts
> smtpd_tls_session_cache_database = btree:/usr/local/etc/postfix/smtpd_scache
>
> And on the client I use -CAfile ca.crt (same as on the server) and a
> cert signed with the key associated with this ca.crt.
>
> Henri
>
> > depth=0 /C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com

> > verify return:1
> > ---
> > Certificate chain
> >  0 s:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
> >    i:/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com

> > ---
> > Server certificate
> > subject=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com
> > issuer=/C=US/ST=Florida/L=Parkland/O=Empire Software, Inc./
> > OU=Development/CN=Mark A. Richman/emailAddress=m...@markrichman.com

So the only way this works is if the client cert is signed by the same
CA as the server cert? What if I don't control both endpoints?

Henri Hennebert
Oct 21, 2008, 9:17:51 AM
to Mark A. Richman
At least a CA that the server trusts.

> What if I don't control both endpoints?

_To my knowledge_, it is not possible. The trust chain must be there to
authenticate the client.

By the way, you want to use TLS just for encryption; is it really useful?

Henri

Henri Hennebert
Oct 21, 2008, 9:27:23 AM
to Mark A. Richman

I did some digging (in my logs) and found that a Postfix server may
accept untrusted TLS connections (I don't know which constraint has to be
relaxed on the server, but it must be a server parameter). This seems
not to be the case for your server.

Henri

Chris Babcock
Oct 21, 2008, 9:32:19 AM

> So the only way this works is if the client cert is signed by the same
> CA as the server cert? What if I don't control both endpoints?

No, you just can't use *self* signed certs. If self-signed certs were
permitted on the client, you would have an open relay.

That's not the same as saying that you can't set up your own Certificate
Authority, but you do need to *have* a CA for both the client and
server certificates. It's easier if you can agree on a CA so you only
have to install one root cert on each machine, but that's the critical
step you skipped when using self-signed certificates.

Here's a How-to for Postfix 2.2 and CAcert.org that's probably still
relevant:

http://koti.kapsi.fi/ptk/postfix/postfix-tls-cacert.shtml

If the client isn't Postfix, the admin at that end will have to figure
out TLS configuration on his own.

Chris

--

Make a difference in the world and support more Diplomacy projects and
services than you can shake a dagger at, please read:

http://tinyurl.com/3wx6lb


Mark A. Richman
Oct 21, 2008, 9:44:45 AM

Basically, this is a requirement from my client, who requires both
mandatory (not opportunistic) TLS *and* client certificates. I don't
know the reason for this, but they say it is non-negotiable. They do
say they will accept a self-signed cert, so I'm assuming they will
just add the MD5 fingerprint of my cert to their trust list. IIRC, the
FQDN of my postfix box must be the CN of the client cert?

How I expect this all to work is that emails generated by my web app
will relay out through my postfix server. This server will present a
client cert to the remote domain's mail server (which I believe runs
sendmail, not postfix) upon STARTTLS.

Please correct me if I've got the wrong idea.

Thanks,
Mark

Henri Hennebert
Oct 21, 2008, 10:54:44 AM
to Mark A. Richman
No, AFAIK this is only needed for HTTPS.

>
> How I expect this all to work is that emails generated by my web app
> will relay out through my postfix server. This server will present a
> client cert to the remote domain's mail server (which I believe runs
> sendmail, not postfix) upon STARTTLS.
In this case you need:

smtp_tls_security_level = may
smtp_tls_key_file = <key file - without encryption> [*]
smtp_tls_cert_file = <cert self signed>
smtp_tls_loglevel = 1

It is up to the server, presumably controlled by your client, to set up
the right config. As I said in my previous post, this may be done to
allow untrusted TLS.

[*] - use `openssl req -nodes ... ` in this case.
Or use `openssl rsa -in <encrypted-key> -out <non-encrypted-key>` to
remove the encryption.

Henri
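Pulling together Henri's server-side advice earlier in the thread (a presented client cert must chain to the CA in smtpd_tls_CAfile, and relay_clientcerts holds fingerprints) and his last tip about unencrypted keys, here is an added shell example; it is not code from anyone in the thread. It assumes only the openssl CLI, and the CA name, host names and pass phrase are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throw-away test CA (stand-in
# for TinyCA), a client cert signed by it and a self-signed client cert, then
# shows which one a server with smtpd_tls_CAfile=ca.crt would trust, what a
# relay_clientcerts entry looks like, and how to strip a pass phrase from a key.
# Assumes only the openssl CLI; names and the pass phrase are made up.
set -e
WORK=$(mktemp -d)

# Test CA. -nodes leaves the key unencrypted: a daemon cannot type a pass phrase.
openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Client key and CSR, then a certificate issued by the test CA.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=client.example" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -out "$WORK/client.crt" 2>/dev/null

# A self-signed client cert, which is what the original poster presented.
openssl req -x509 -new -nodes -newkey rsa:2048 -days 2 -subj "/CN=self.example" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# The check a server makes on a presented client cert: does it chain to a CA in
# smtpd_tls_CAfile? Exit status 0 means trusted, non-zero means rejected.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# One relay_clientcerts line: "<fingerprint> <free-form name>". The digest has to
# match the server's smtpd_tls_fingerprint_digest (md5 on old releases, sha256 on
# current ones); the value is the colon-separated uppercase hex openssl prints.
relay_clientcerts_entry() {
  echo "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2) $2"
}

# Henri's tip: remove the pass phrase so Postfix can load the key unattended.
decrypt_key() {   # $1 encrypted key, $2 pass phrase, $3 output path
  openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Demonstration when run directly.
verify_against_ca "$WORK/client.crt" && echo "CA-signed client cert: trusted"
verify_against_ca "$WORK/self.crt" || echo "self-signed client cert: rejected"
relay_clientcerts_entry "$WORK/client.crt" client.example
openssl genrsa -aes256 -passout pass:secret -out "$WORK/enc.key" 2048 2>/dev/null
decrypt_key "$WORK/enc.key" secret "$WORK/plain.key"
grep -q ENCRYPTED "$WORK/plain.key" || echo "plain.key carries no pass phrase"
```

The self-signed cert fails exactly as in the original post's `verify error:num=18:self signed certificate`, while the CA-issued one verifies, which is the difference Henri and Chris describe.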
