Which dns name is checked with client certificates?

https://www.novabbs.com/computers/article-flat.php?id=347&group=comp.mail.sendmail#347

From: h_hucke+...@newsmail.aeon.icebear.org (Henning Hucke)
Newsgroups: comp.mail.sendmail
Subject: Which dns name is checked with client certificates?
Date: Fri, 24 Dec 2021 10:18:18 -0000 (UTC)
Organization: aeon: think longer than you thought before
Lines: 15
Message-ID: <slrnssb7ja.ge3.h_hucke+spam.news@romulus.aeon.icebear.cloud>
Reply-To: Henning Hucke <h_hucke+news.reply(trick)@newsmail.aeon.icebear.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8-Bit
Keywords: dns, x.509, sendmail, verification
User-Agent: slrn/1.0.3 (Linux)
 by: Henning Hucke - Fri, 24 Dec 2021 10:18 UTC

I'm sorry for just asking instead of using the source (luke). This is
another of very few times I did it this way.

Which name exactly is checked if sendmail uses the SSL library to verify
a client certificate - or is the whole channel establishing done by the
library, in which case I will ask in another (more appropriate) place?

Is it the HELO/EHLO name, the dns reverse lookup name or something else?

Best regards,
Henning
--
In the first place, God made idiots;
this was for practice; then he made school boards.
-- Mark Twain

Re: Which dns name is checked with client certificates?

https://www.novabbs.com/computers/article-flat.php?id=348&group=comp.mail.sendmail#348

From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: Which dns name is checked with client certificates?
Date: Fri, 24 Dec 2021 11:13:22 -0500 (EST)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <sq4rj2$ggb$1@news.misty.com>
References: <slrnssb7ja.ge3.h_hucke+spam.news@romulus.aeon.icebear.cloud>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 24 Dec 2021 16:13:22 -0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Fri, 24 Dec 2021 16:13 UTC

Henning Hucke wrote:

> Which name exactly is checked if sendmail uses the SSL library to verify
> a client certificate

None - certificates are verified against the list of CAs
which you specified.

However, sendmail allows you to do any kind of check you want to perform
via its rulesets and some builtin features. See cf/README, section
"Allowing Connections" for the available features (and doc/op/op.*
for the rulesets).

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: Which dns name is checked with client certificates?

https://www.novabbs.com/computers/article-flat.php?id=349&group=comp.mail.sendmail#349

From: h_hucke+...@newsmail.aeon.icebear.org (Henning Hucke)
Newsgroups: comp.mail.sendmail
Subject: Re: Which dns name is checked with client certificates?
Date: Fri, 24 Dec 2021 21:43:42 -0000 (UTC)
Organization: aeon: think longer than you thought before
Lines: 33
Message-ID: <slrnsscfoe.apt.h_hucke+spam.news@romulus.aeon.icebear.cloud>
References: <slrnssb7ja.ge3.h_hucke+spam.news@romulus.aeon.icebear.cloud>
<sq4rj2$ggb$1@news.misty.com>
Reply-To: Henning Hucke <h_hucke+news.reply(trick)@newsmail.aeon.icebear.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8-Bit
Injection-Date: Fri, 24 Dec 2021 21:43:42 -0000 (UTC)
User-Agent: slrn/1.0.3 (Linux)
In-Reply-To: <sq4rj2$ggb$1@news.misty.com>
 by: Henning Hucke - Fri, 24 Dec 2021 21:43 UTC

On 2021-12-24, Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail@esmtp.org> wrote:

Hi Claus,

> Henning Hucke wrote:
>
>> Which name exactly is checked if sendmail uses the SSL library to verify
>> a client certificate
>
> None - certificates are verified against the list of CAs
> which you specified.

just to verify that I understand this correctly: Besides checking the
validity of a client certificate with its issuing certification authority, no
further checks are processed by default? So for instance a client could
present a certificate for "www.google.com" even if its HELO/EHLO name is
"smtp.example.com" and its reverse lookup
"ip-65-23-15.broadband-provider.com", as long as this certificate gets
verified by one of the CA certs in the specified or default storage place?

> However, sendmail allows you to do any kind of check you want to perform
> via its rulesets and some builtin features. See cf/README, section
> "Allowing Connections" for the available features (and doc/op/op.*
> for the rulesets).

Uh! I think I'll write an appropriate rule set in the next few weeks to
verify more than that! :-)

Best regards
Henning
--
Honesty is for the most part less profitable than dishonesty.
-- Plato

Re: Which dns name is checked with client certificates?

https://www.novabbs.com/computers/article-flat.php?id=350&group=comp.mail.sendmail#350

From: INVALID_...@esmtp.org (Claus Aßmann)
Newsgroups: comp.mail.sendmail
Subject: Re: Which dns name is checked with client certificates?
Date: Fri, 24 Dec 2021 23:42:18 -0500 (EST)
Organization: MGT Consulting
Sender: <ml+sendmail(-no-copies-please)@esmtp.org>
Message-ID: <sq67fa$5o2$1@news.misty.com>
References: <slrnssb7ja.ge3.h_hucke+spam.news@romulus.aeon.icebear.cloud> <sq4rj2$ggb$1@news.misty.com> <slrnsscfoe.apt.h_hucke+spam.news@romulus.aeon.icebear.cloud>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Injection-Date: Sat, 25 Dec 2021 04:42:18 -0000 (UTC)
Mail-Copies-To: never
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: ca@x2.esmtp.org (Claus Assmann)
 by: Claus Aßmann - Sat, 25 Dec 2021 04:42 UTC

Henning Hucke wrote:

> just to verify that I understand this correctly: Besides checking the
> validity of a client certificate with its issuing certification authority, no
> further checks are processed by default?

Correct. And even if the cert cannot be verified the TLS handshake
is NOT aborted.

> Uh! I think I'll write an appropriate rule set in the next few weeks to
> verify more than that! :-)

What requirements do you want to enforce?
And if you enforce them for TLS what happens when the client tries
again without a cert?
AFAICT many (most?) systems do not even present a client cert.
It doesn't seem to make much sense to penalize those which do...

IMHO it only makes sense to check certain conditions to allow a
client to do more things, e.g., get around certain other (anti-spam)
requirements or allow relaying.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
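As an added example (not code from the thread, and not sendmail's own), here is a Python model of the name-binding check Henning describes, applied the way Claus suggests: a CA-verified cert whose name matches the HELO/EHLO or rDNS name grants relaying, while a missing, failed or unrelated cert simply falls back to the default policy instead of being penalised. The inputs stand in for what a sendmail ruleset sees via macros such as ${verify} and ${cn_subject}; the class and function names are assumptions for this example.

```python
"""Name-binding policy for SMTP client certificates (added example).

Models the gap discussed in the thread: CA verification alone says nothing
about *whose* name is in the cert, so a second step binds the cert name to
the HELO/EHLO name or the reverse-lookup name of the connecting host.
"""
from dataclasses import dataclass


@dataclass
class ClientTls:
    verify: str        # like sendmail ${verify}: "OK" = chain verified against configured CAs
    cn_subject: str    # CN from the cert subject; "" if no cert was presented
    helo_name: str     # name given in HELO/EHLO
    rdns_name: str     # reverse lookup of the connecting IP; "" if none


def name_matches(cert_name: str, host: str) -> bool:
    """Case-insensitive DNS-ID match. A wildcard may replace only the
    left-most label (RFC 6125 style): '*.example.com' matches
    'smtp.example.com' but not 'example.com' or 'a.b.example.com'."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name or not host:
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                     # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return cert_name == host


def client_policy(tls: ClientTls) -> str:
    """Privilege to grant: "RELAY" when a CA-verified cert is bound to the
    HELO or rDNS name, otherwise "DEFAULT" (no penalty: most clients never
    present a cert, and a failed verification does not abort the handshake)."""
    if tls.verify != "OK":
        return "DEFAULT"
    if name_matches(tls.cn_subject, tls.helo_name) or \
       name_matches(tls.cn_subject, tls.rdns_name):
        return "RELAY"
    # CA-verified but for an unrelated name (the "www.google.com" case
    # from the thread): no extra privilege, no penalty.
    return "DEFAULT"


if __name__ == "__main__":
    # Constructed sample input mirroring Henning's scenario.
    bogus = ClientTls("OK", "www.google.com", "smtp.example.com",
                      "ip-65-23-15.broadband-provider.com")
    print(client_policy(bogus))          # DEFAULT
```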
