Discussion:
Excessive CertificateRequest messages when CAfile is configured
Adam Langley
2012-01-30 22:44:00 UTC
Permalink
When smtpd is configured to ask for client certificates and a CAfile
is configured, then the X509 names of all the CA certificates will be
sent in the CertificateRequest. That's correct behaviour as the names
in a CertificateRequest are intended to guide certificate selection:

http://tools.ietf.org/html/rfc5246#section-7.4.4

However, when CAfile consists of a complete list of public CAs, as
seems quite common, the guidance is rather superfluous and the
CertificateRequest is huge. For example, try:

$ openssl s_client -tls1 -connect mx4-sjl.mta.salesforce.com:25 -starttls smtp
...
SSL handshake has read 23311 bytes and written 332 bytes

A 23KB TLS handshake was probably not what was intended by the administrator.

The attached patch (and I don't know what I'm doing when it comes to
patching Postfix - it's mostly illustrative) disables sending the CA
list by default and adds an option (smtpd_tls_send_cas) to enable.
Although this is a change of behaviour, I think that it's the right
thing to do in most cases.


Cheers

AGL
--
Adam Langley ***@imperialviolet.org http://www.imperialviolet.org
Viktor Dukhovni
2012-01-30 23:19:52 UTC
Permalink
Post by Adam Langley
However, when CAfile consists of a complete list of public CAs, as
seems quite common, the guidance is rather superfluous and the
Don't use a large list of CAs in a CAfile, that's what CApath is for.

http://www.postfix.org/TLS_README.html#server_cert_key

...

When you configure the Postfix SMTP server to request client
certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
are sent to the client, in order to allow it to choose an identity
signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
preferred CA list is sent, and the client is free to choose an
identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce
TLS negotiation overhead by installing client CA certificates mostly
or only in $smtpd_tls_CApath. In the latter case you need not
specify a $smtpd_tls_CAfile.

No patch is required, users should not configure huge CAfiles.
--
Viktor.
Viktor Dukhovni
2012-01-30 23:23:45 UTC
Permalink
Post by Viktor Dukhovni
Post by Adam Langley
However, when CAfile consists of a complete list of public CAs, as
seems quite common, the guidance is rather superfluous and the
Don't use a large list of CAs in a CAfile, that's what CApath is for.
http://www.postfix.org/TLS_README.html#server_cert_key
...
When you configure the Postfix SMTP server to request client
certificates, the DNs of certificate authorities in $smtpd_tls_CAfile
are sent to the client, in order to allow it to choose an identity
signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no
preferred CA list is sent, and the client is free to choose an
identity signed by any CA. Many clients use a fixed identity
regardless of the preferred CA list and you may be able to reduce
TLS negotiation overhead by installing client CA certificates mostly
or only in $smtpd_tls_CApath. In the latter case you need not
specify a $smtpd_tls_CAfile.
No patch is required, users should not configure huge CAfiles.
If there is a compelling case for customizing the CA list separately
from CAfile, the right interface would I think not be a boolean to
suppress the CAfile, but rather a separate parameter to specify the
CAs to send, which defaults to "$smtpd_tls_CAfile".

Most SMTP servers don't ask for client certs, and those that do, typically
have short CAfiles that list only private-label CAs...
--
Viktor.
Adam Langley
2012-01-31 00:13:11 UTC
Permalink
On Mon, Jan 30, 2012 at 6:23 PM, Viktor Dukhovni
Post by Viktor Dukhovni
Post by Viktor Dukhovni
No patch is required, users should not configure huge CAfiles.
CApath is harder for people to use and so they often don't. It looks
like a standard Ubuntu install has a hashed directory while Fedora
doesn't. The hash function also changes between OpenSSL 0.9.8 and
1.0.0.

I agree that this is a misconfiguration, but it seems that people are
getting it wrong. I don't personally have a problem with it, it's just
something that I observed.
Post by Viktor Dukhovni
If there is a compelling case for customizing the CA list separately
from CAfile, the right interface would I think not be a boolean to
suppress the CAfile, but rather a separate parameter to specify the
CAs to send, which defaults to "$smtpd_tls_CAfile".
Yep, that makes sense to. Happy to rework the patch if folks like
that, although I suspect that a real Postfix developer would throw it
away and do it right in either case.


Cheers

AGL
--
Adam Langley ***@imperialviolet.org http://www.imperialviolet.org
Viktor Dukhovni
2012-01-31 00:25:34 UTC
Permalink
Post by Adam Langley
Post by Viktor Dukhovni
If there is a compelling case for customizing the CA list separately
from CAfile, the right interface would I think not be a boolean to
suppress the CAfile, but rather a separate parameter to specify the
CAs to send, which defaults to "$smtpd_tls_CAfile".
Yep, that makes sense to. Happy to rework the patch if folks like
that, although I suspect that a real Postfix developer would throw it
away and do it right in either case.
Your patch looked just fine, but to be complete it needs to also
patch the documentation, the code is the easy part. Before you
invest some effort in that direction, we need to answer the question
of whether this is worth the trouble.

Very few users have ask_ccert turned on, and the current CAfile is
sufficient to the task. Even with ask_ccert enabled, why list every
CA on the planet in CAfile? Just list the ones you are willing to
trust, if any and use CApath if clients don't need the CA hints. Unlike
browsers, most MUAs will likely not prompt the user for certificate
selection.

So I am not yet convinced this warrants the addition of any new parameters,
when judicious use of the existing ones (be it with a greater understanding
of their behaviour) is sufficient.
--
Viktor.
Loading...