codeblog code is freedom — patching my itch

January 13, 2009

ETOOMANYCERTS

Filed under: Debian,Networking,Ubuntu,Ubuntu-Server — kees @ 10:46 pm

After upgrading an Ubuntu mail server from Hardy to Intrepid, two users could no longer connect via SSL to send email through sendmail. One was using msmtp and the other was using Outlook Express. The msmtp issue was tracked down as a supposed deficiency in msmtp. However, this left Outlook, which is nigh-impossible to debug. From the Debian msmtp bug linked from the Ubuntu bug, it seemed that the root cause was the server sending too much data during the initial connection. Packet captures of an Outlook connection seemed to back this up: Outlook negotiated STARTTLS fine, and then just never responded to the SSL handshake.

It seems that something (openssl? sendmail?) changed between Hardy and Intrepid so that instead of using the /etc/ssl/certs/ca-certificates.crt file just for verification, its contents were now being sent during the SSL handshake. (I reduced the number of configured certs with "sudo dpkg-reconfigure ca-certificates", and checked on the size of the handshake with "openssl s_client -connect server:port | wc -l".) The server was sending 143 certs at every connection. Unsurprisingly, it seems some clients were choking on it (I would like to note that Thunderbird behaved correctly).

In the end, I configured my sendmail’s CAfile (“confCACERT”) to aim at just a single CA (the CA used to sign the server’s SSL key), and that fixed both msmtp and Outlook. How fun.
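The check described above (count what the server pushes in the handshake, then cut the CAfile down to the one issuing CA) can be scripted. The following is an added example, not code from the post: it works offline on a constructed s_client transcript and a constructed three-cert bundle, so the certificate bodies are placeholders rather than real certificates, and the file names, CN values and the 3-cert threshold are assumptions. The live command it mimics is "openssl s_client -connect server:port -starttls smtp -showcerts </dev/null".

```shell
#!/bin/sh
# Added example (not from the original post). Counts the certificates a server
# sends in its TLS handshake and pulls a single CA out of a bundle, which is
# what a sendmail confCACERT should point at. All input below is CONSTRUCTED.

# Number of PEM certificate blocks in a file (a CAfile or saved s_client output).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || :
}

# Print the N-th (1-based) certificate block of a PEM file. This is how you
# extract just the issuing CA from a large ca-certificates.crt style bundle.
nth_pem_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Rough DER size of everything in the file: base64 body chars * 3/4.
# Approximates the Certificate message size if the whole file were sent.
pem_der_bytes() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /^-----END CERTIFICATE-----/   { inside = 0; next }
        inside { b64 += length($0) }
        END { printf "%d\n", b64 * 3 / 4 }
    ' "$1"
}

# Succeeds when the chain in FILE has at most MAX certs (default 3: leaf,
# intermediate, root). A server pushing a whole CA bundle fails this check.
chain_is_sane() {
    [ "$(count_pem_certs "$1")" -le "${2:-3}" ]
}

# --- constructed inputs -----------------------------------------------------
# One placeholder certificate whose body is two 64-char lines of CHAR
# (a real body is base64 DER; this is only for counting and sizing).
mkpem() {
    echo '-----BEGIN CERTIFICATE-----'
    printf '%64s\n' '' | tr ' ' "$1"
    printf '%64s\n' '' | tr ' ' "$1"
    echo '-----END CERTIFICATE-----'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

BUNDLE="$WORK/ca-bundle.crt"          # stands in for ca-certificates.crt
{ mkpem A; mkpem B; mkpem C; } > "$BUNDLE"

CAPTURE="$WORK/s_client.txt"          # constructed -showcerts transcript
{
    echo 'CONNECTED(00000003)'
    echo '---'
    echo 'Certificate chain'
    echo ' 0 s:/CN=mail.example.com'
    echo '   i:/CN=Example Issuing CA'
    mkpem S
    echo ' 1 s:/CN=Example Issuing CA'
    echo '   i:/CN=Example Issuing CA'
    mkpem B
    echo '---'
} > "$CAPTURE"

ISSUER_ONLY="$WORK/issuing-ca.pem"    # the single CA to hand to confCACERT
nth_pem_cert "$BUNDLE" 2 > "$ISSUER_ONLY"

# --- demo -------------------------------------------------------------------
printf 'certs in handshake capture : %s\n' "$(count_pem_certs "$CAPTURE")"
printf 'certs in full bundle       : %s (~%s bytes if all were sent)\n' \
    "$(count_pem_certs "$BUNDLE")" "$(pem_der_bytes "$BUNDLE")"
printf 'certs in issuing-CA file   : %s\n' "$(count_pem_certs "$ISSUER_ONLY")"
if chain_is_sane "$CAPTURE"; then echo 'handshake chain length looks sane'; fi
```

Against a real server, feed the output of the s_client command in the lead-in to count_pem_certs; anything well beyond leaf plus intermediates means the CAfile is being sent as the chain. The extracted single-CA file is what the post's confCACERT setting would reference, e.g. define(`confCACERT', `/etc/mail/tls/issuing-ca.pem')dnl in sendmail.mc (path assumed for illustration).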

© 2009 – 2010, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.

4 Comments

  1. Hi, please see the second part of https://www.mirbsd.org/permalinks/wlog-10_e20090114-tg.htm
    for an answer which might be able to help.

    A fellow DM

    Comment by mirabilos — January 14, 2009 @ 1:17 am

  2. Trusting tons of CAs is the root problem here, I think. If you do not use client authentication and accept client certificates signed by all of these CAs, removing the CAs is the right thing to do. I think what changed between Hardy and Intrepid was likely the ca-certificates package. Perhaps the default was to not trust many CAs before, and this changed recently?

    Comment by Simon Josefsson — January 14, 2009 @ 5:19 am

  3. The most important change in openssl is probably enabling tls extensions. I’ve seen various reports that it breaks something, and I wouldn’t be surprised if Outlook also has a problem with it. Debian turned it on in version 0.9.8g-5, there was a security update for it (CVE-2008-1672, 0.9.8g-10.1) and then we backported a fix from 0.9.8h in 0.9.8g-13 that prevented iceweasel from connecting. Openssl upstream has changed the default to on in their latest release (a week ago) and I’ve already seen at least 2 bug reports about that since.

    Kurt

    Comment by Kurt Roeckx — January 14, 2009 @ 10:16 am

  4. Yeah, it seems that my problem stemmed from a misunderstanding about the proper use of “CAfile”. Once the TLS extensions got enabled, I got spanked. :) Thanks for everyone’s details!

    Comment by kees — January 14, 2009 @ 10:43 am
