Bug 1019254

Summary: ECDHE: now supported in Fedora's OpenSSL
Product: Fedora
Component: postfix
Reporter: Harald Reindl <h.reindl>
Assignee: Jaroslav Škarvada <jskarvad>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Version: 18
CC: i, jskarvad, scott-fedora
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Fixed In Version: postfix-2.10.2-3.fc20
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-01-07 09:43:16 UTC
Bug Blocks: 1019390

Description Harald Reindl 2013-10-15 11:23:08 UTC
That is the state of OpenSSL in Fedora after this morning:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

Comment 1 Harald Reindl 2013-10-15 11:31:30 UTC
Since OpenSSL in Fedora from now on supports ECDHE,
dependent software needs to be rebuilt to make use
of it, and libraries like NSS/GnuTLS should
do the same; dependent packages like Firefox
need a rebuild against the refreshed NSS to support
it also on the client side.

I made some triage today
_____________________________________________________

openssl:
https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108

nss-softokn
https://bugzilla.redhat.com/show_bug.cgi?id=1019244

nss
https://bugzilla.redhat.com/show_bug.cgi?id=1019245

firefox
https://bugzilla.redhat.com/show_bug.cgi?id=1019247

thunderbird:
https://bugzilla.redhat.com/show_bug.cgi?id=1019249

httpd:
https://bugzilla.redhat.com/show_bug.cgi?id=1019251

dovecot:
https://bugzilla.redhat.com/show_bug.cgi?id=1019253

postfix:
https://bugzilla.redhat.com/show_bug.cgi?id=1019254

openssh:
https://bugzilla.redhat.com/show_bug.cgi?id=1019256

dbmail:
https://bugzilla.redhat.com/show_bug.cgi?id=1019259

Comment 2 Fedora Update System 2013-10-23 09:39:33 UTC
postfix-2.10.2-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/postfix-2.10.2-2.fc20

Comment 3 Fedora Update System 2013-10-23 09:45:46 UTC
postfix-2.10.2-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/postfix-2.10.2-2.fc19

Comment 4 Fedora Update System 2013-10-23 09:50:11 UTC
postfix-2.9.7-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/postfix-2.9.7-2.fc18

Comment 5 Fedora Update System 2013-10-23 17:32:04 UTC
Package postfix-2.10.2-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing postfix-2.10.2-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19768/postfix-2.10.2-2.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-11-01 03:57:06 UTC
postfix-2.10.2-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-11-01 03:58:40 UTC
postfix-2.9.7-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-11-10 06:23:59 UTC
postfix-2.10.2-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Scott Shambarger 2013-12-23 10:31:59 UTC
Just upgraded to F20, and tried to use ECDHE with postfix:

# openssl s_client -connect localhost:25 -starttls smtp -cipher kEECDH
140691508164480:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
...

Here's the relevant config:
# postconf | egrep 'eecdh|cipherlist'
smtpd_tls_eecdh_grade = strong
tls_eecdh_strong_curve = prime256v1
tls_high_cipherlist = EECDH+AESGCM:EECDH+AES:EECDH+RC4:DH+aRSA+AES+SHA:+TLSv1+AES:RSA+AESGCM:RSA+AES:RSA+RC4+SHA:+TLSv1+RSA+AES:!aECDSA

Checking the code, I should get a warning if I set smtpd_tls_eecdh_grade to an invalid value, eg:
smtpd_tls_eecdh_grade = bogus

But connecting with this configuration does not show a warning, so the build appears to have excluded the EEC code in src/tls/tls_dh.c -- which has the code wrapped in:

#if OPENSSL_VERSION_NUMBER >= 0x1000000fL && !defined(OPENSSL_NO_ECDH)
#endif

Can you try building again with the correct library options?

Thanks.

Comment 10 Scott Shambarger 2013-12-23 10:35:18 UTC
BTW, since this was closed, should I open a new bug?

Comment 11 Harald Reindl 2013-12-23 10:50:05 UTC
Don't touch config params you do not understand;
tls_high_cipherlist is for sure not built in.
___________________________________________________

Dec 23 11:45:09 testserver postfix/smtp[13888]: Untrusted TLS connection established to 192.168.196.1[192.168.196.1]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 23 11:45:09 testserver postfix/smtp[13888]: 3dnxz91sWWz28mQ: to=<rhsoft>, relay=192.168.196.1[192.168.196.1]:25, delay=0.59, delays=0.02/0.12/0.31/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3dnxz95dByzBx51)
Dec 23 11:45:09 testserver postfix/qmgr[979]: 3dnxz91sWWz28mQ: removed

[root@testserver:~]$ cat /etc/redhat-release 
Fedora release 20 (Heisenbug)

[root@testserver:~]$ postconf | egrep 'eecdh|cipherlist'
smtpd_tls_eecdh_grade = strong
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
___________________________________________________

[root@testserver:~]$ openssl s_client -connect localhost:25 -starttls smtp -cipher kEECDH
CONNECTED(00000003)
depth=0 C = AT, ST = Vienna, L = Vienna, O = the lounge interactive design gmbh, OU = Administration, CN = *.testserver.rhsoft.net, emailAddress = hostmaster

Comment 12 Scott Shambarger 2013-12-23 20:18:59 UTC
I understand the cipherlist parameter quite well (that's why it's so carefully configured ;).  Resetting to default doesn't fix the issue.

Are you using the package for x86_64?  Run yum reinstall postfix and try again.

I rebuilt the rpm locally and installed it, and postfix works correctly and supports EEC; however, the package available via the yum repos does not.

E.g.
# yum reinstall postfix 
... downloads and installs postfix
# cd /usr/libexec/postfix
# ls -l smtpd
-rwxr-xr-x. 1 root root 622520 Oct 23 02:34 smtpd
# strings smtpd | grep EECDH
# (no output)

Installing local build (same release)
# yum reinstall ~devel/rpm/RPMS/x86_64/postfix-2.10.2-2.fc20.x86_64.rpm
...
# ls -l smtpd
-rwxr-xr-x. 1 root root 622616 Dec 23 11:40 smtpd
# strings smtpd | grep EECDH
Invalid TLS eecdh grade "%s": EECDH disabled
unknown curve "%s": disabling EECDH support
unable to use curve "%s": disabling EECDH support

# openssl s_client -connect localhost:25 -starttls smtp -cipher kEECDH
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
...

Checked the yum cache, and my repo build was from http://mirrors.kernel.org/fedora/development/20/x86_64/os/Packages/p/postfix-2.10.2-2.fc20.x86_64.rpm

For ref, rpm -qip on it has:
Signature   : RSA/SHA256, Wed 23 Oct 2013 08:44:18 AM PDT, Key ID 2eb161fa246110c1
Build Date  : Wed 23 Oct 2013 02:34:40 AM PDT
Build Host  : buildvm-14.phx2.fedoraproject.org
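
Added example, not code from this bug thread, from Fedora or from the Postfix project: a Python script that automates the two checks used in Comment 9 and Comment 12 (scan the smtpd binary for the EECDH diagnostic strings that src/tls/tls_dh.c only contains when the ECDH code is compiled in, and confirm that an ECDHE cipher is actually negotiated over STARTTLS). The `openssl s_client` excerpts are copied from the thread; the fake "binaries", the marker-string names and the host/port defaults are constructed for the example. The live STARTTLS check needs a reachable SMTP server and is not exercised by the embedded samples.

```python
import re
import ssl
import smtplib
import sys

# Diagnostics emitted by the EECDH code in Postfix's src/tls/tls_dh.c (quoted
# from the `strings smtpd | grep EECDH` output in Comment 12). A build whose
# OpenSSL lacked ECDH compiles that code out, so their absence is a cheap test.
EECDH_MARKERS = (
    b'Invalid TLS eecdh grade "%s": EECDH disabled',
    b'unknown curve "%s": disabling EECDH support',
    b'unable to use curve "%s": disabling EECDH support',
)


def binary_has_eecdh(blob: bytes) -> bool:
    """True if the smtpd image contains the EECDH diagnostics."""
    return any(marker in blob for marker in EECDH_MARKERS)


def binary_file_has_eecdh(path: str) -> bool:
    with open(path, "rb") as fh:
        return binary_has_eecdh(fh.read())


def negotiated_cipher(s_client_output: str):
    """Parse `openssl s_client` output.

    Returns (protocol, cipher) from the SSL-Session block, or None when the
    server answered with a handshake-failure alert (no cipher in common).
    """
    if "handshake failure" in s_client_output:
        return None
    match = re.search(
        r"^\s*Protocol\s*:\s*(\S+).*?^\s*Cipher\s*:\s*(\S+)",
        s_client_output, re.MULTILINE | re.DOTALL,
    )
    return (match.group(1), match.group(2)) if match else None


def is_ecdhe(cipher: str, protocol: str) -> bool:
    """Was the key exchange ephemeral ECDH?

    TLS 1.2 suite names carry the key-exchange prefix (ECDHE-RSA-..., AECDH-...).
    TLS 1.3 suite names (TLS_AES_256_GCM_SHA384, ...) do not, because every
    TLS 1.3 handshake uses (EC)DHE, so the protocol alone answers the question.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher.startswith(("ECDHE-", "AECDH-"))


def live_ecdhe_check(host="localhost", port=25, timeout=10):
    """STARTTLS to an SMTP server while offering only ECDHE key exchange.

    Python equivalent of `openssl s_client -starttls smtp -cipher kEECDH`.
    Returns ssl's (cipher, protocol, bits) tuple, or None if the handshake
    fails. Certificate checking is disabled on purpose: the question here is
    key exchange, not trust, exactly as in the thread's s_client test.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ECDHE")  # OpenSSL cipher-string keyword; kEECDH is the older alias
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.cipher()
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return None


# Constructed samples. The s_client excerpts are copied from Comments 9 and 12;
# the "binaries" are fake byte strings that only imitate the relevant strings.
SAMPLE_HANDSHAKE_FAILURE = (
    "CONNECTED(00000003)\n"
    "140691508164480:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:741:\n"
    "---\nno peer certificate available\n"
)
SAMPLE_HANDSHAKE_OK = (
    "...\nSSL-Session:\n"
    "    Protocol  : TLSv1.2\n"
    "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384\n...\n"
)
# The lowercase parameter name is present in both builds (it is parsed from
# main.cf regardless); that is why the thread grepped for the uppercase EECDH
# diagnostics rather than for "eecdh".
FAKE_OLD_SMTPD = b"\x7fELF\x00smtpd_tls_eecdh_grade\x00tls_dh.c\x00"
FAKE_NEW_SMTPD = FAKE_OLD_SMTPD + b"".join(m + b"\x00" for m in EECDH_MARKERS)


if __name__ == "__main__":
    # usage: ecdhe_check.py [/usr/libexec/postfix/smtpd] [host[:port]]
    if len(sys.argv) > 1:
        print("EECDH diagnostics in", sys.argv[1], "->", binary_file_has_eecdh(sys.argv[1]))
    if len(sys.argv) > 2:
        host, _, port = sys.argv[2].partition(":")
        print("live ECDHE handshake ->", live_ecdhe_check(host, int(port or 25)))
    print("sample failure ->", negotiated_cipher(SAMPLE_HANDSHAKE_FAILURE))
    print("sample success ->", negotiated_cipher(SAMPLE_HANDSHAKE_OK))
```

The binary scan is the quicker of the two checks and does not need a running daemon, but it only proves the code was compiled in; the handshake check proves the running instance actually offers ECDHE with its current main.cf, which is the condition Comment 9 was really testing.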

Comment 13 Harald Reindl 2013-12-23 20:28:39 UTC
I build postfix without any special SSL params on my own, so I do not understand what you mean with "Can you try building again with the correct library options", though I am not the Fedora maintainer.

Comment 14 Scott Shambarger 2013-12-23 21:02:42 UTC
Yes, but this bug was opened to request ECDHE builds of postfix.  The build available is not ECDHE enabled and so the bug should really be re-opened and new builds released.

Comment 15 Jaroslav Škarvada 2014-01-02 13:18:44 UTC
I can confirm the current package in the repo doesn't support ECDHE, rebuilding again.

Comment 16 Fedora Update System 2014-01-02 13:58:58 UTC
postfix-2.10.2-3.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/postfix-2.10.2-3.fc20

Comment 17 Fedora Update System 2014-01-03 08:40:24 UTC
Package postfix-2.10.2-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing postfix-2.10.2-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0083/postfix-2.10.2-3.fc20
then log in and leave karma (feedback).

Comment 18 Scott Shambarger 2014-01-03 21:15:29 UTC
Tested and new build does include ECDHE support.  Added karma.

Comment 19 Fedora Update System 2014-01-07 09:43:16 UTC
postfix-2.10.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.