Bug#973654: TLS: start_SSL fails to set SSL_verifycn_name

Brian May brian at linuxpenguins.xyz
Thu Nov 5 21:48:45 CET 2020


Hello,

I received this bug report against amavisd-new in Debian.

For full details please see http://bugs.debian.org/

Thanks


Martina Ferrari <tina at debian.org> writes:

> Package: amavisd-new
> Version: 1:2.11.0-6.1
> Severity: important
>
> Hi,
>
> As part of a new server setup, I have installed amavisd-new. Since it is
> running in a different host than the MX, I have set up TLS between every part
> of the system, but amavis fails to connect back to the MX, with the following
> error:
>
> (!!)Upgrading socket to TLS failed (in ssl_upgrade): hostname verification failed\n
>
> After some investigation, I found that amavis is not using the IO::Socket::SSL
> library correctly. The default (and reasonable) SSL parameters for the client
> TLS connection are:
>
>   %smtp_tls_client_options = (
>     SSL_verifycn_scheme => 'smtp',
>   );
>
> When the `$tls_security_level_out` variable is set to 'may' or 'encrypt', the
> socket is upgraded to TLS using the `start_SSL` method and the options set by
> the user but without any way for the library to determine the hostname of the
> server, and therefore its identity can't be verified.
>
> The documentation for the `SSL_verifycn_name` option of the `start_SSL` method
> states (https://metacpan.org/pod/IO::Socket::SSL#SSL_verifycn_name):
>
>   SSL_verifycn_name
>
>     Set the name which is used in verification of hostname. If
>     SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will try to
>     use SSL_hostname or PeerHost and PeerAddr settings and fail if no name can
>     be determined. If SSL_verifycn_scheme is not set it will use a default
>     scheme and warn if it cannot determine a hostname, but it will not fail.
>
>     Using PeerHost or PeerAddr works only if you create the connection directly
>     with IO::Socket::SSL->new, if an IO::Socket::INET object is upgraded with
>     start_SSL the name has to be given in SSL_verifycn_name or SSL_hostname.
>
> The solution for this is pretty simple: `SSL_verifycn_name` has to be set by
> the calling function using the same hostname used to connect the TCP socket in
> the first place. A workaround is to pass this option manually in the
> configuration, but that fails to work if there is more than one SSL target (for
> example, different hostnames for `notify_method` and `forward_method`).
>
> -- System Information:
> Debian Release: 10.6
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.19.0-9-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8), LANGUAGE=en_IE:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages amavisd-new depends on:
> ii  adduser                                  3.118
> ii  debconf [debconf-2.0]                    1.5.71
> ii  file                                     1:5.35-4+deb10u1
> ii  init-system-helpers                      1.56+nmu1
> ii  libarchive-zip-perl                      1.64-1
> ii  libberkeleydb-perl                       0.55-2
> ii  libconvert-tnef-perl                     0.18-1
> ii  libconvert-uulib-perl                    1:1.5~dfsg-1+b1
> pn  libdigest-md5-perl                       <none>
> ii  libio-stringy-perl                       2.111-3
> ii  libmail-dkim-perl                        0.54-1
> ii  libmailtools-perl                        2.18-1
> pn  libmime-base64-perl                      <none>
> ii  libmime-tools-perl                       5.509-1
> ii  libnet-libidn-perl                       0.12.ds-3+b1
> ii  libnet-server-perl                       2.009-1
> ii  libunix-syslog-perl                      1.1-3+b1
> ii  lsb-base                                 10.2019051400
> ii  pax                                      1:20190224-1
> ii  perl [libtime-hires-perl]                5.28.1-6+deb10u1
> ii  perl-modules-5.24 [libarchive-tar-perl]  5.24.1-3+deb9u6
>
> Versions of packages amavisd-new recommends:
> pn  altermime             <none>
> ii  libnet-patricia-perl  1.22-1+b5
> ii  ripole                0.2.0+20081101.0215-3
>
> Versions of packages amavisd-new suggests:
> ii  apt-listchanges      3.19
> ii  arj                  3.10.22-18
> ii  cabextract           1.9-1
> pn  clamav               <none>
> ii  clamav-daemon        0.102.4+dfsg-0+deb10u1
> ii  cpio                 2.12+dfsg-9
> pn  dspam                <none>
> ii  lhasa                0.3.1-3
> pn  libauthen-sasl-perl  <none>
> ii  libdbi-perl          1.642-1+deb10u1
> ii  libmail-dkim-perl    0.54-1
> pn  libnet-ldap-perl     <none>
> pn  libsnmp-perl         <none>
> pn  libzeromq-perl       <none>
> ii  lzop                 1.03-4+b1
> ii  nomarch              1.4-3+b2
> ii  p7zip                16.02+dfsg-6
> pn  rpm                  <none>
> ii  spamassassin         3.4.2-1+deb10u2
> ii  unrar                1:5.6.6-1
>
> -- Configuration Files:
> /etc/amavis/conf.d/05-node_id changed [not included]
> /etc/amavis/conf.d/15-content_filter_mode changed [not included]
> /etc/amavis/conf.d/50-user changed [not included]
> /etc/init.d/amavis changed [not included]
>
> -- no debconf information
-- 
Brian May <brian at linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
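The fix Martina describes, as an added Perl example (not amavisd-new's own code): the caller derives SSL_verifycn_name from the host it used for the TCP connection and passes it to start_SSL, so each target (notify_method, forward_method, ...) is verified against its own name. The sub names tls_client_options and ssl_upgrade and the host mx.example.com are assumptions for the illustration.

```perl
#!/usr/bin/perl
# Added example (not amavisd-new's own code): set SSL_verifycn_name from the
# host used for the TCP connection before upgrading the socket with start_SSL.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build the option hash for start_SSL. The user's %smtp_tls_client_options
# (passed here as $user_opts) may set the scheme, but it cannot know which of
# several targets is being connected to, so the caller supplies the hostname
# it actually connected to.
sub tls_client_options {
    my ($peer_host, $user_opts) = @_;
    my %opts = (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'smtp',
        %{ $user_opts || {} },
    );
    # start_SSL on an existing IO::Socket::INET has no PeerHost/PeerAddr to
    # fall back on, so the name must be given explicitly (unless the user
    # already pinned one). SSL_hostname additionally sends it as SNI.
    $opts{SSL_verifycn_name} //= $peer_host;
    $opts{SSL_hostname}      //= $peer_host;
    return %opts;
}

# Upgrade an already-connected socket; returns (1, undef) on success or
# (0, $error) on failure. Assumes the SMTP EHLO/STARTTLS exchange is done.
sub ssl_upgrade {
    my ($sock, $peer_host, $user_opts) = @_;
    my %opts = tls_client_options($peer_host, $user_opts);
    return IO::Socket::SSL->start_SSL($sock, %opts)
        ? (1, undef)
        : (0, "Upgrading socket to TLS failed: " . IO::Socket::SSL->errstr);
}

# Offline self-check of the option merging (no network needed): the user
# config only sets the scheme, and the verification name is filled in.
my %o = tls_client_options('mx.example.com', { SSL_verifycn_scheme => 'smtp' });
printf "%-20s => %s\n", $_, $o{$_} for sort keys %o;
die "SSL_verifycn_name not set\n"
    unless $o{SSL_verifycn_name} eq 'mx.example.com';
```

With the verification name derived per connection, a manual SSL_verifycn_name in the configuration is no longer needed and a wrong one no longer breaks the second target.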
