SSL CA Trust Issues

NethServer Version: 7 Final
Module: openssl

As part of my testing to move from NS 6.8 to NS 7 I’m planning on moving from the POP3 Connector to the POP3 Proxy. However, I could not get my mail client to connect, via NS 7 with the POP Proxy. It always failed with: Error doing SSL connection: Success. (With apologies to Douglas Adams, this is obviously some strange usage of the word success that I wasn’t previously aware of).

Anyway, digging deeper, I think there is an issue with the way the ssl CA trust stores/certs have been set up. Here’s some output that I hope illustrates the problem:

Firstly, verifying the ssl connection to my mail server, via port 995 on my current NS 6.8 system:

[root@NethServer ~]# openssl s_client -connect websitesmail.att.com:995
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 Secure Server CA - G4
verify return:1
depth=0 C = US, ST = Michigan, L = Southfield, O = "AT&T Services, Inc.", OU = Internet, CN = websitesmail.att.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=Internet/CN=websitesmail.att.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
subject=/C=US/ST=Michigan/L=Southfield/O=AT&T Services, Inc./OU=Internet/CN=websitesmail.att.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3389 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D99AB63F716664D5C81AB6AAEAB951EC546146CBFE7F45900F56D2B6183FC105
    Session-ID-ctx:
    Master-Key: 14E06D7F680F63F50040CF5AE12EBB0DBA88D0E408F932C9D2D6013DFD2D37173774EFBF2FE403EDFCF125AAFA5B363B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1488957285
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
+OK POP3 Bigfoot v1.0 server ready
^C
[root@NethServer ~]#

Now the same command on NS 7:

[root@Nethserver ~]$ openssl s_client -connect websitesmail.att.com:995
CONNECTED(00000003)
140587652704160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
[root@Nethserver ~]$

As a comparison, and also to show where I think the error is coming from, here’s the output from validating a secure site from NS 6.8:

[root@NethServer ~]# openssl s_client -connect mail.yahoo.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = US, ST = CA, L = Sunnyvale, O = Yahoo! Inc., CN = login.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4050 bytes and written 373 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: F14529115362A67420AA742B702087BE769811660562E073226D3322B950F0A9
    Session-ID-ctx:
    Master-Key: C3EA858708033D7001AEB38E784800B524F91FCFE803B012E3CBAFB23579DB88DF6A5FE90D889534B9F9DDB11530910A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
--snip--

    Start Time: 1488957259
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C
[root@NethServer ~]#

And the same site from NS 7:

[root@Nethserver ~]$ openssl s_client -connect mail.yahoo.com:443
CONNECTED(00000003)
depth=0 CN = NethServerFinal.BogoLinux.net, O = BogoLinux, ST = CA, emailAddress = root@NethServerFinal.BogoLinux.net, subjectAltName = *.BogoLinux.net, OU = Main, C = US, L = Los Angeles
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = NethServerFinal.BogoLinux.net, O = BogoLinux, ST = CA, emailAddress = root@NethServerFinal.BogoLinux.net, subjectAltName = *.BogoLinux.net, OU = Main, C = US, L = Los Angeles
verify return:1
---
Certificate chain
 0 s:/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/ST=CA/emailAddress=root@NethServerFinal.BogoLinux.net/subjectAltName=*.BogoLinux.net/OU=Main/C=US/L=Los Angeles
   i:/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/ST=CA/emailAddress=root@NethServerFinal.BogoLinux.net/subjectAltName=*.BogoLinux.net/OU=Main/C=US/L=Los Angeles
---
Server certificate
-----BEGIN CERTIFICATE-----
--snip--
-----END CERTIFICATE-----
subject=/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/ST=CA/emailAddress=root@NethServerFinal.BogoLinux.net/subjectAltName=*.BogoLinux.net/OU=Main/C=US/L=Los Angeles
issuer=/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/ST=CA/emailAddress=root@NethServerFinal.BogoLinux.net/subjectAltName=*.BogoLinux.net/OU=Main/C=US/L=Los Angeles
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 1883 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F47D32C43FE3B86B8F05E027A26BD9704519986A36B2251BD8E47042987FBE33
    Session-ID-ctx: 
    Master-Key: FE5FBA4525232594F57C1FED18B3E518AB931ED91E1F035A53CB0661522F500BD27A82806609557FDECD351A43ECCBE0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
--snip--

    Start Time: 1488957090
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
^C
[root@Nethserver ~]$ 

The difference that I see in these last 2 outputs is the certificates used to validate the responses. In NS 6.8 it uses valid, known CA certificates. But for NS 7, it’s trying to use the internal server certificate.

Now, why this doesn’t produce the same results when connecting to the POP3 port, I really don’t know. But I’m certain that the same certificate issue is behind it. Which is why the POP3 Proxy is unable to connect.

Sorry 'bout the long pastes, but I wanted to make sure all the relevant information was present.

Cheers.

1 Like

OK, you can all ignore me here. :confused:

This all appears to be caused by me daisy-chaining 3 copies of NS in order to (attempt to) build a copy of NS 7 with all the correct IP addressing in place, so I could just switch hard drives to move to NS 7.

I was forgetting about the services offered by the various copies and so they were trying to handle outbound requests that normally would go straight to the big-bad-interwebs.

Consider my wrist slapped and I promise not to do that trick again.

Cheers.

1 Like
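The three shapes of output pasted above are worth recognising as a pattern: a chain that verifies up to a public CA (NS 6.8), a self-signed leaf that names the server itself rather than the site asked for (NS 7 on port 443), and an "unknown protocol" failure where no ServerHello came back at all (NS 7 on port 995). Together they are the signature of another host in the path answering in place of the real server, which is what the daisy-chained NethServer instances turned out to be doing. As an added example, not code from this thread or from NethServer, the following Python classifier reads `openssl s_client` output and turns it into one of those verdicts. The sample outputs are condensed, constructed stand-ins modelled on the pastes above, and the hostname check is deliberate: `s_client` of that era reports `Verify return code: 0 (ok)` when the chain is trusted, without confirming that the leaf certificate names the host you asked for.

```python
"""Classify the outcome of an `openssl s_client -connect host:port` run.

Added example for this thread (not NethServer code). It answers three
defender's questions from the text s_client prints: did the port speak
TLS at all, did the chain verify, and does the leaf name the requested host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, condensed stand-ins for the real s_client pastes in the thread.
SAMPLE_OK = """CONNECTED(00000003)
depth=0 C = US, O = "AT&T Services, Inc.", CN = websitesmail.att.com
verify return:1
---
subject=/C=US/O=AT&T Services, Inc./CN=websitesmail.att.com
issuer=/C=US/O=Symantec Corporation/CN=Symantec Class 3 Secure Server CA - G4
---
    Verify return code: 0 (ok)
"""

SAMPLE_NOT_TLS = """CONNECTED(00000003)
140587652704160:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

SAMPLE_SELF_SIGNED = """CONNECTED(00000003)
depth=0 CN = NethServerFinal.BogoLinux.net, O = BogoLinux
verify error:num=18:self signed certificate
---
subject=/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/subjectAltName=*.BogoLinux.net
issuer=/CN=NethServerFinal.BogoLinux.net/O=BogoLinux/subjectAltName=*.BogoLinux.net
---
    Verify return code: 18 (self signed certificate)
"""


@dataclass
class Verdict:
    status: str                  # ok | not_tls | self_signed | untrusted | name_mismatch
    verify_code: Optional[int]   # the number from "Verify return code: N"
    subject_cn: Optional[str]
    issuer_cn: Optional[str]
    self_signed: bool


_CN = re.compile(r"/CN=([^/\n]+)")


def _find(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def _cn(dn_line: Optional[str]) -> Optional[str]:
    m = _CN.search(dn_line) if dn_line else None
    return m.group(1).strip() if m else None


def name_matches(cn: Optional[str], host: str) -> bool:
    """Exact match, or a single-label wildcard: *.example.com covers a.example.com only."""
    if cn is None:
        return False
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host


def classify(output: str, expected_host: str) -> Verdict:
    # No ServerHello came back, so nothing on that port spoke TLS. A plaintext
    # greeting from something sitting in the path looks exactly like this.
    if "unknown protocol" in output or "no peer certificate available" in output:
        return Verdict("not_tls", None, None, None, False)

    subject = _find(r"^subject=(.*)$", output)
    issuer = _find(r"^issuer=(.*)$", output)
    code_s = _find(r"Verify return code: (\d+)", output)
    code = int(code_s) if code_s is not None else None
    self_signed = subject is not None and subject == issuer
    subj_cn, iss_cn = _cn(subject), _cn(issuer)

    if self_signed:
        status = "self_signed"          # leaf vouches for itself; chain cannot be trusted
    elif code != 0:
        status = "untrusted"            # some other verification failure
    elif not name_matches(subj_cn, expected_host):
        status = "name_mismatch"        # trusted chain, but for a different host
    else:
        status = "ok"
    return Verdict(status, code, subj_cn, iss_cn, self_signed)


if __name__ == "__main__":
    for label, sample, host in (("att pop3s", SAMPLE_OK, "websitesmail.att.com"),
                                ("ns7 pop3s", SAMPLE_NOT_TLS, "websitesmail.att.com"),
                                ("ns7 https", SAMPLE_SELF_SIGNED, "mail.yahoo.com")):
        print(label, classify(sample, host))
```

In practice you would feed it the captured output of `openssl s_client -connect host:port </dev/null 2>&1`; the `self_signed` verdict with a subject CN naming your own server, when you asked for someone else's, is the one that should trigger a look at what sits between the client and the internet.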

Nice to hear that you found your error. Can you mark your topic as solved, please?