
OpenSSL: TXT_DB error number 2


thor...@lavabit.com

Nov 13, 2012, 12:18:10 AM
(I've already tried to ask on openssl-users. Nobody replied.)

Hello,

I'm trying to enable TLS encryption. [0]

This command

% openssl ca -out foo-cert.pem -infiles foo-req.pem

raised "TXT_DB error number 2".

There is an explanation [1] of the problem, but I haven't tried it
yet. First, I want to be sure that my usage pattern is correct.

I used the same values for all commands: [0]

Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.example.com
Email Address []:ad...@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Should I change something in the above? Should I follow this [1] guide
instead?

openssl.cnf (changed lines):

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[snip]

default_bits = 4096

[0] http://www.postfix.org/TLS_README.html#quick-start
[1] http://www.mad-hacking.net/documentation/linux/security/ssl-tls/signing-csr.xml

Viktor Dukhovni

Nov 14, 2012, 11:02:30 AM
On Tue, Nov 13, 2012 at 12:18:10AM -0500, thor...@lavabit.com wrote:

> % openssl ca -out foo-cert.pem -infiles foo-req.pem

Do you really need a CA for your SMTP server certificate? Which
SMTP clients will trust this private CA?

> raised "TXT_DB error number 2".

This means that your CA is configured to create at most one
certificate for each subject DN or you've reset the serial
number file, and are issuing a certificate with a duplicate
serial number.

For the former, set "unique_subject = no" in the appropriate
section of "openssl.cnf". For the latter, don't clobber the
serial file.

Better yet, don't bother with a CA if you don't need one.

> default_bits = 4096

DO NOT use ridiculous key lengths. If you're protecting yourself
against nation states willing to spend millions of dollars cracking
your key, or want a signature from a public CA that only signs RSA
keys with at least 2048 bits, try 2048. If you want a sensible key
size try 1280 if you're really worried about 1024 not being strong
enough.

On an Intel laptop, signing is ~40 times slower with RSA 4096 than
with 1024. Verification is ~12 times slower.

                  sign    verify    sign/s verify/s
rsa 1024 bits 0.001299s 0.000066s    769.8  15188.0
rsa 4096 bits 0.052406s 0.000766s     19.1   1305.2

An SMTP server with a 4096-bit key expends a noticeable amount of
CPU just signing SSL handshakes (for clients that almost always
ignore the certificate). For modern clients that use EDH or ECDH
ciphers the certificate is not what protects the confidentiality
of the traffic (from passive eavesdropping attacks). It makes little
sense to waste CPU and risk server DoS with no upside.

--
Viktor.
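
Added example (not part of the thread and not OpenSSL's own code): a check of a CA's index.txt for the two clashes described in the reply above, a repeated subject DN while unique_subject is on, or a reused serial number. It assumes the usual six-field, tab-separated index.txt layout; the sample rows and function names are constructed for illustration.

```python
"""Find the index.txt clashes behind "TXT_DB error number 2"."""

# Constructed sample database (not from the thread). Tab-separated fields:
# status, expiry, revocation date, serial (hex), file name, subject DN.
SAMPLE_INDEX = (
    "V\t221113051810Z\t\t01\tunknown\t/CN=mail.example.com\n"
    "R\t221114110230Z\t121115010421Z\t02\tunknown\t/CN=old.example.com\n"
)


def parse_index(text):
    """Return one dict per row; reject rows with the wrong field count."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, _expiry, _revoked, serial, _file, subject = fields
        # Compare serials as integers so "01" and "1" count as the same value.
        rows.append({"status": status, "serial": int(serial, 16), "subject": subject})
    return rows


def find_clashes(rows, subject, serial_hex, unique_subject=True):
    """List the reasons signing (subject, serial) would clash with the database."""
    serial = int(serial_hex, 16)
    reasons = []
    for row in rows:
        # A serial may appear only once, whatever the status of the old entry.
        if row["serial"] == serial:
            reasons.append(f"serial {serial_hex} already issued to {row['subject']}")
        # The subject check applies only while unique_subject is on, and only
        # against entries that are still valid (status V).
        if unique_subject and row["status"] == "V" and row["subject"] == subject:
            reasons.append(
                f"subject {subject} already has valid certificate {row['serial']:02X}"
            )
    return reasons


if __name__ == "__main__":
    for reason in find_clashes(parse_index(SAMPLE_INDEX), "/CN=mail.example.com", "03"):
        print(reason)
```

An empty result for the subject and serial you are about to sign means neither cause applies to that database.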

thor...@lavabit.com

Nov 15, 2012, 1:04:21 AM
> Do you really need a CA for your SMTP server certificate? Which
> SMTP clients will trust this private CA?

What do you mean by "SMTP clients"? Are you talking about software or
people? I'm the only user of that machine. IIRC, it's possible to check
certificates in Gnus, but I haven't tried yet.

> Better yet, don't bother with a CA if you don't need one.

Hm, which steps [0] can be painlessly omitted? I thought that it's always
necessary to have (or to be) a CA.

> For modern clients that use EDH or ECDH
> ciphers the certificate is not what protects the confidentiality
> of the traffic (from passive eavesdropping attacks). It makes little
> sense to waste CPU and risk server DoS with no upside.

Does it mean that I should use ECDH if I want to prevent eavesdropping?
Could you suggest a guide?

Thank you

[0] http://www.postfix.org/TLS_README.html#quick-start

Viktor Dukhovni

Nov 15, 2012, 1:22:26 AM
On Thu, Nov 15, 2012 at 01:04:21AM -0500, thor...@lavabit.com wrote:

> > Do you really need a CA for your SMTP server certificate? Which
> > SMTP clients will trust this private CA?
>
> What do you mean by "SMTP clients"? Are you talking about software or
> people? I'm the only user of that machine. IIRC, it's possible to check
> certificates in Gnus, but I haven't tried yet.

Software that sends email via SMTP is an SMTP client. Any clients
that trust your private-label CA, could just as easily directly
trust the self-signed server certificate of your solitary server.

> > Better yet, don't bother with a CA if you don't need one.
>
> Hm, which steps [0] can be painlessly omitted? I thought that it's always
> necessary to have (or to be) a CA.

No, you don't need a dedicated root CA to sign your server
certificate, your server certificate can just be self-signed, this
was covered quite a few messages ago, when you first started asking
about TLS.

openssl req -new -x509 ...

generates a self-signed certificate, you can just use that.

> > For modern clients that use EDH or ECDH
> > ciphers the certificate is not what protects the confidentiality
> > of the traffic (from passive eavesdropping attacks). It makes little
> > sense to waste CPU and risk server DoS with no upside.
>
> Does it mean that I should use ECDH if I want to prevent eavesdropping?
> Could you suggest a guide?

I am talking about the subset of SSL ciphers that use Diffie-Hellman
ephemeral key agreement, either the traditional variant that uses
the multiplicative group of integers modulo a prime, or the more
modern variant that uses the group of points on an elliptic curve
over a finite field.

Neither EDH nor EECDH (key exchange) has any direct bearing on the
type of certificate you generate. You should however avoid crazy-large
RSA keys, because most of the protection comes from the key-exchange
algorithm. MITM attacks on your SMTP server are rare, and I bet
no one has ever attacked an SMTP server by cracking its 1024-bit
authentication key.

To enable EDH ciphers on the server side, see:

http://www.postfix.org/TLS_README.html#server_cipher

------ snip --------

To generate your own set of DH parameters, use:

% openssl gendh -out /etc/postfix/dh_512.pem -2 512
% openssl gendh -out /etc/postfix/dh_1024.pem -2 1024

Support for elliptic curve cryptography is available with Postfix
2.6 and OpenSSL 0.9.9 or later. To enable ephemeral elliptic curve
Diffie-Hellman (EECDH) key-exchange, set "smtpd_tls_eecdh_grade =
strong" or "smtpd_tls_eecdh_grade = ultra". The "ultra" setting is
substantially more CPU intensive, and "strong" is sufficiently
secure for most situations.

Examples:

/etc/postfix/main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong

------ snip --------

--
Viktor.

thor...@lavabit.com

Nov 17, 2012, 2:07:17 PM
Hello,

> No, you don't need a dedicated root CA to sign your server
> certificate, your server certificate can just be self-signed, this
> was covered quite a few messages ago, when you first started asking
> about TLS.

> openssl req -new -x509 ...

> generates a self-signed certificate, you can just use that.

Could you provide the entire command? OpenSSL has many options; I
don't want to forget something.

Are you trying to say that I can use the above instead of all commands
from this [0] guide?

Could you post other commands if the above isn't enough?

> To enable EDH ciphers on the server side, see:

> http://www.postfix.org/TLS_README.html#server_cipher

Will it be safe to use RSA for some time (several months)? (I don't
have enough time to dive into EDH world right now.)

[0] http://www.postfix.org/TLS_README.html#quick-start

Viktor Dukhovni

Nov 17, 2012, 3:24:20 PM
On Sat, Nov 17, 2012 at 02:07:17PM -0500, thor...@lavabit.com wrote:

> > No, you don't need a dedicated root CA to sign your server
> > certificate, your server certificate can just be self-signed, this
> > was covered quite a few messages ago, when you first started asking
> > about TLS.
>
> > openssl req -new -x509 ...
>
> > generates a self-signed certificate, you can just use that.
>
> Could you provide the entire command? OpenSSL has many options; I
> don't want to forget something.

This will write a new 1280-bit RSA key and the corresponding
self-signed certificate with server name "mail.example.com" valid
for ~10 years to the file /etc/postfix/smtpd.pem, which you can
use as the server certificate (and implicitly key) file:

# : as root
# cd /etc/postfix
# tmp=$(mktemp smtpd.pem.XXXXXX)
# openssl req -x509 -new -newkey rsa:1280 -nodes -keyout /dev/stdout \
    -days $((365 * 10)) -subj "/CN=mail.example.com" > $tmp
# chmod 0600 $tmp
# mv $tmp smtpd.pem

> Are you trying to say that I can use the above instead of all commands
> from this [0] guide?

The guide is immaterial, it addresses a more general use case in
which having a CA is useful.

> > To enable EDH ciphers on the server side, see:
>
> > http://www.postfix.org/TLS_README.html#server_cipher
>
> Will it be safe to use RSA for some time (several months)? (I don't
> have enough time to dive into EDH world right now.)

You're not in a position to understand the answer to this question
(which misses the point to a good degree). Bottom line:

- Use the above recipe for a sufficiently safe 1280-bit cert.
- Add the settings at the above URL to your main.cf to also
  enable EDH and EECDH key exchange. With sufficiently recent
  Postfix versions compiled against OpenSSL 1.0, the EECDH
  setting is a default, but for EDH support you should
  generate EDH parameter files as documented.

Over and out.

--
Viktor.
