Upcoming OpenSSL security levels disable "weak" crypto.

Bitrot:  OpenSSL 1.1.0-dev (aka the "master" branch) has new security
levels ranging from 0 to 5.

  * Level "0" is backwards compatible anything goes.

  * Level "1", the new default, is roughly 80-bit or greater security
    across the board (block ciphers, EDH parameters, EC curves, RSA
    bit lengths, ...).  It also disables anonymous ciphersuites,
    breaking "smtpd_tls_cert_file = none", and in is stronger than
    we want for opportunistic TLS.

  * The remaining levels are for now too strong even for mandatory
    authenticated TLS, they disable RC4, RSA keys shorter than 2048
    bits, and SSLv3.

Therefore, (subject to the presence of the feature detected via
macro recommended by Steve Henson), we revert the default security
level back to 0 in the application SSL context.  Users can if they
wish change this by appending ":@SECURITY=<n>" to the various tls
cipherlists.  TODO: we'll shold also add a main.cf parameter and
policy table overrides for this at some point, provided we can
figure out how to explain yet another "mumble_level" to the users.

When authentication is mandatory in either the SMTP client or in
the SMTP server (smtpd_tls_req_ccert = yes) we set the security
level to 1 to ensure adequately strong parameters.

When testing this, discovered that verification error reasons are
not logged in the SMTP server, cloned and tested corresponding code
from the client.

Sample logging (when client cert has wrong EKU):

    smtpd[63016]: certificate verification failed for localhost[127.0.0.1]: not designated for use as a client certificate
    smtpd[63016]: Untrusted TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    smtpd[63016]: NOQUEUE: abort: TLS from localhost[127.0.0.1]: Client certificate not trusted

diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 23ef24786948cadb3068ed4b4b15369bc94d26cc..6739d1f58fc0496d3df5a7a89794780f0fbbc74e 100644 (file)
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -354,6 +354,11 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
        return (0);
     }
 
+#ifdef SSL_SECOP_PEER
+    /* Backwards compatible security as a base for opportunistic TLS. */
+    SSL_CTX_set_security_level(client_ctx, 0);
+#endif
+
     /*
      * See the verify callback in tls_verify.c
      */
@@ -876,6 +881,12 @@ TLS_SESS_STATE *tls_client_start(const TLS_CLIENT_START_PROPS *props)
     if (protomask != 0)
        SSL_set_options(TLScontext->con, TLS_SSL_OP_PROTOMASK(protomask));
 
+#ifdef SSL_SECOP_PEER
+    /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+    if (TLS_MUST_MATCH(props->tls_level))
+       SSL_set_security_level(TLScontext->con, 1);
+#endif
+
     /*
      * XXX To avoid memory leaks we must always call SSL_SESSION_free() after
      * calling SSL_set_session(), regardless of whether or not the session

diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 34e27ce2c41788a130e6e2e479fc257e8069bbb8..cc81376d4c0f63a7cc0ce4b4e6f6aea3f9f1e8f5 100644 (file)
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -444,6 +444,11 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
        return (0);
     }
 
+#ifdef SSL_SECOP_PEER
+    /* Backwards compatible security as a base for opportunistic TLS. */
+    SSL_CTX_set_security_level(server_ctx, 0);
+#endif
+
     /*
      * See the verify callback in tls_verify.c
      */
@@ -742,6 +747,12 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props)
        return (0);
     }
 
+#ifdef SSL_SECOP_PEER
+    /* When authenticating the peer, use 80-bit plus OpenSSL security level */
+    if (props->requirecert)
+       SSL_set_security_level(TLScontext->con, 1);
+#endif
+
     /*
      * Before really starting anything, try to seed the PRNG a little bit
      * more.
@@ -871,6 +882,22 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext)
                     TLScontext->peer_pkey_fprint);
        }
        X509_free(peer);
+
+       /*
+        * Give them a clue. Problems with trust chain verification are logged
+        * when the session is first negotiated, before the session is stored
+        * into the cache. We don't want mystery failures, so log the fact the
+        * real problem is to be found in the past.
+        */
+       if (!TLS_CERT_IS_TRUSTED(TLScontext)
+           && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
+           if (TLScontext->session_reused == 0)
+               tls_log_verify_error(TLScontext);
+           else
+               msg_info("%s: re-using session with untrusted certificate, "
+                        "look for details earlier in the log",
+                        TLScontext->namaddr);
+       }
     } else {
        TLScontext->peer_CN = mystrdup("");
        TLScontext->issuer_CN = mystrdup("");