Bug 479484 - ca-bundle.crt breaks SSL/TLS SMTP communication with MS clients
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: sendmail
Version: 12
Hardware/OS: All / Linux
Priority: low
Severity: high
Assigned To: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
Duplicates: 526534
Reported: 2009-01-09 17:59 EST by Frantisek Hanzlik
Modified: 2015-07-15 13:43 EDT
Doc Type: Bug Fix
Last Closed: 2010-12-05 02:02:57 EST

Attachments:
sendmail - OE6 SSL communication captured by Wireshark (40 bytes, text/plain), 2009-01-09 17:59 EST, Frantisek Hanzlik
Description Frantisek Hanzlik 2009-01-09 17:59:41 EST
Created attachment 328602 [details]
sendmail - OE6 SSL communication captured by Wireshark

Description of problem:
After upgrading to Fedora 10, it isn't possible to send e-mail from Outlook and OE.
After replacing the F10 "/etc/pki/certs/ca-bundle.crt" with the file from Fedora 7, everything works fine.

Version-Release number of selected component (if applicable):
ca-certificates-2008-7.noarch

How reproducible:
I tested it on 3 servers with F10, on the LAN and over the internet too; all of them had this problem. It made no difference whether SMTP port 25 (Outlook/OE does STARTTLS) or SSL port 465 was used.
Interestingly, SSL/TLS communication from the same clients to dovecot IMAP servers
works fine with the F10 ca-bundle. Thunderbird and Seamonkey also have no problem with the F10 ca-bundle; IMAPS and SMTP over both SSL and TLS work fine too.

Client OS was Windows XP SP2 and XP SP3.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
At the attached URL I put the communication captured by Wireshark,
sendmail-8.14.3-3.fc10.i386 <-> Outlook Express v6, with both the F7 and the F10 ca-bundle. There are binary libpcap files and an export to ASCII too (with decrypted SSL).
Comment 1 Frantisek Hanzlik 2009-01-10 10:33:15 EST
SSL communication with F10, ca-bundle.crt from F9, sendmail-8.14.3-3.fc10.i386 and WinXP works fine too with OE6, Outlook 2003 and Outlook 2007. And it isn't working with the OE successor Vista Mail and a Windows Mobile phone.

Interesting piece of knowledge: when I took the F9 ca-bundle.crt and began adding the certificates from F10 that were additional, things stopped working after
adding the second certificate (in my case the GeoTrust Inc. certificate (line 9895) or the
thawte, Inc. certificate (line 9976 of the original F10 ca-bundle)).
And these two certificates are probably valid, as when I made a ca-bundle.crt only from them, SSL worked fine.

Thus I am thinking of a theory of some "above critical amount" volume of certificates
that Windows mail clients can process.
Comment 2 Frantisek Hanzlik 2009-01-10 14:53:11 EST
Little refinement: Vista Mail works well with the F9 ca-bundle.crt on both STARTTLS/25 and SSL/465.
With the F10 ca-bundle it does not work on either of them; the sendmail maillog shows an insignificant message (as with OE and Outlook): "..did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" (or with the 465 SSL port "..did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA")

And regarding the nonfunctional Windows Mobile SSL connection - it may be a Mrkvosoft problem, the bug described at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d9d71b2e-d2dd-44f2-86e5-1e53aad7fb7a&DisplayLang=en

I will try to add some other info here, but in my neighbourhood there are very few people with Windows machines. Maybe nobody uses them any more? Then it would be simpler not to solve this whole problem :))
Comment 3 Frantisek Hanzlik 2009-01-11 09:58:06 EST
Last knowledge: Windows Mobile was affected by the bug mentioned here - http://support.microsoft.com/kb/958639 ; after patching, it behaves like the other M$ mail clients - with certificates from F7 and F9 it works fine, with the F10 ca-bundle it does not.
Comment 4 Nate S. 2009-10-13 12:05:29 EDT
This appears to still exist in Fedora 11.  
Using the instructions in sendmail.mc to create TLS certificates and enabling the default TLS directives, Outlook Express (OE) appeared to connect, but Sendmail's maillog reported that OE immediately disconnected after initiating STARTTLS.  
OE then displayed a warning that the SMTP server has not responded in 60 seconds, asking if I wanted to 'wait' or 'stop'.

After capturing the conversation in Wireshark, I could see that OE dropped the connection as soon as Sendmail sent ca-bundle.crt.

What's funny is that OE said the server wasn't responding when OE is the one that had already disconnected.

To get around the issue, I created another CA key and used that to create the TLS keypair.

Could it be the sheer size of ca-bundle.crt?  It's over 1/2MB.  Comment #1 also supports that OE could be breaking when the cert exceeds a certain size.

Incidentally, Thunderbird worked fine.  Is this even a Fedora bug, or is it Microsoft's problem?  Given that OE doesn't even seem to know that it has disconnected, it seems more like a bug in OE.
Comment 5 Frantisek Hanzlik 2009-10-13 19:15:15 EDT
Yes, in F11 this bug exists too, see my report in bug 526534

https://bugzilla.redhat.com/show_bug.cgi?id=526534

The problem is probably caused by the huge ca-bundle.crt; the Sendmail Operation Guide says so plainly - I refer to it in the bug 526534 report
Comment 6 Bug Zapper 2009-11-18 04:45:10 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Frantisek Hanzlik 2009-11-22 04:10:32 EST
Affected Fedora version updated from 10 to 11, as this problem exists there as well.
Comment 8 Frantisek Hanzlik 2009-12-08 16:55:57 EST
I cut-and-pasted my recent comment to report 526534, as it's the same bug. The problem is that the issue still (a year after the report, and it affects F10, F11 and F12)
has no response. It seems that nonfunctional mail (with the default Fedora MTA) isn't important.

https://bugzilla.redhat.com/show_bug.cgi?id=526534

Hello Brian, when I sent You a copy of my bugzilla response:

Yes, the bug still exists, and as I referred to in my previous post, this bug probably affects several Fedora packages as well. But, what is interesting:
- although this issue was reported by me on 9-Jan-2009, nearly a year back,
as bug 479484, see:

https://bugzilla.redhat.com/show_bug.cgi?id=479484

I at first reported this issue as a bug against the ca-certificates RPM package,
but:
1) as there was no response acknowledging this problem
2) and I do not know exactly what the intention of the ca-certificates package is - if it is only
a set of CA certificates, then it's probably OK. Thus I reported this problem as a sendmail bug, as it appears to be a sendmail packager mistake/misunderstanding/lack of interest in solving this.

Simply, IMHO using define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')
in /etc/mail/sendmail.mc is an unfortunate thing; the sendmail manual says so, I think, clearly.

I don't see why a year-old problem still isn't solved. Maybe reporting it against "ca-certificates" or "sendmail" isn't right, but there is no reaction in either
bug report. I will try to copy-and-paste this contribution to bug report 479484 as well, maybe there will be some feedback.

As I wrote before, the solution is simple - You can cut out only a fraction of
"/etc/pki/tls/certs/ca-bundle.crt" - e.g. one tenth or half of them, and sendmail works fine.
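The workaround described above (pointing confCACERT at a file containing only a fraction of the bundle) is more reliable when the fraction is chosen deterministically: keep exactly the CA certificate(s) that issued the server certificate, selected by fingerprint, rather than the first N certificates in the file. The script below is an added example, not code from this report, from sendmail or from Fedora. It assumes the wanted fingerprints were taken beforehand with `openssl x509 -noout -fingerprint -sha256 -in <ca-cert.pem>`, and the PEM data in the test is constructed, not a real certificate; the code only handles the PEM framing and does no X.509 parsing.

```python
"""Build a minimal CACertFile for sendmail's confCACERT out of the distro
ca-bundle.crt, keeping only the CAs named by SHA-256 fingerprint.
Added example; not code from the bug report, sendmail or Fedora."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text: str) -> list[bytes]:
    """DER bytes of every certificate in a PEM bundle, in file order.
    Text between blocks (the bundle carries CA names there as comments)
    is ignored: only the base64 between the markers is decoded."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(text)]


def count_certs(text: str) -> int:
    """The number the per-release table in this thread counts."""
    return len(split_pem_bundle(text))


def fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest of the DER encoding, the
    form `openssl x509 -noout -fingerprint -sha256` prints."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def minimal_ca_file(bundle_text: str, wanted: set[str]) -> str:
    """PEM text containing only the wanted certificates.  Every requested
    fingerprint must be present: a typo must raise rather than produce an
    empty file, because (per comment 14 in this thread) sendmail disables
    STARTTLS entirely when CACertFile is empty."""
    by_fp = {fingerprint(d): d for d in split_pem_bundle(bundle_text)}
    missing = sorted(fp for fp in wanted if fp.upper() not in by_fp)
    if missing:
        raise KeyError(f"not in bundle: {missing}")
    return "".join(to_pem(by_fp[fp.upper()]) for fp in sorted(wanted))


if __name__ == "__main__":
    # usage (paths are assumptions, not Fedora defaults):
    #   python3 minimal_ca.py /etc/pki/tls/certs/ca-bundle.crt FP [FP...] \
    #       > /etc/mail/ca-minimal.crt
    # then in sendmail.mc: define(`confCACERT', `/etc/mail/ca-minimal.crt')
    with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
        bundle = f.read()
    sys.stdout.write(minimal_ca_file(bundle, set(sys.argv[2:])))
```

One caveat before shrinking the file: sendmail uses CACertFile/CACertPath as its verification store in both roles, so a minimal file also limits which peer certificates (client certificates on inbound connections, server certificates on outbound ones) can reach verify=OK. With the default rulesets sendmail still delivers after a failed verification, but any TLS_Srv/TLS_Clt or access-map entries that require VERIFY will only succeed for peers chaining to the CAs kept.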
Comment 9 Bug Zapper 2010-04-27 08:42:44 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.
Comment 10 Frantisek Hanzlik 2010-05-21 08:13:58 EDT
Affected Fedora versions updated from 11 to 13, as this problem exists there as
well (and, of course, is in F12 too).

I omitted describing how it appears on the client side:

- Outlook Express 6 on WXPSP3 displays an error message like (sorry for the lax translation from Czech):
Server unexpectedly terminated the connection. ... Error number: 0x800CCC0F

- Outlook 2007 on Windows Vista displays an error like:
Job MAILADDR - sending reported an error (0x800CCC1A): Server does not support this encrypted connection type. ...

I will accordingly update bug
https://bugzilla.redhat.com/show_bug.cgi?id=526534
as it still isn't clear against which package this bug should be reported.
Comment 11 Joe Orton 2010-05-21 08:22:30 EDT
Can you test with the OpenSSL 1.0.0 package in updates-testing?
 
 # yum --enablerepo=updates-testing update openssl
Comment 12 Frantisek Hanzlik 2010-05-21 18:31:03 EDT
openssl-1.0.0-4.fc13.i686 from F13 testing, build date Tue May 18 18:14:52, behaves identically; it has no effect on this problem.

But I must say again, the problem need not be in the openssl or ca-certificates package, but in too many certificates in this ca-bundle, which is inadequate for sendmail purposes.
MS mail clients drop the communication in the "Server Certificate" TLS handshake phase (RFC 2246), but they work fine when the number of certificates in the ca-bundle is smaller - the number in Fedora 9 was still OK, but from F10 on this bug appears, as this file continually increases in size.

And the Sendmail docs (included in F13) say it clearly too:
1)
"/usr/share/doc/sendmail-8.14.4/README.cf", line 4252, from the sendmail-doc RPM:
confCACERT              CACertFile      [undefined] File containing one CA
                                        cert.

2)
Sendmail Operation Guide, paragraph "6.6.1. Certificates for STARTTLS":
The file specified via CACertFile can contain several certificates of CAs. The DNs of these certificates are sent to the client during the TLS handshake (as part of the CertificateRequest) as the list of acceptable CAs. However, do not list too many root CAs in that file, otherwise the TLS handshake may fail;

Here is how the ca-bundle has grown:
certs   in package/distro
117     ca-bundle.crt-openssl-0.9.8g-6.fc9.i386
124     ca-bundle.crt-ca-certificates-2008-7.noarch-f10
124     ca-bundle.crt-ca-certificates-2008-8.noarch-f11
138     ca-bundle.crt-ca-certificates-2009-2.fc12.noarch-f12
152     ca-bundle.crt-ca-certificates-2010-2.fc13.noarch-f13
Comment 13 Joe Orton 2010-05-22 09:43:54 EDT
Then this is something specific to sendmail or a bug in the particular clients being used.

There is nothing fundamental about TLS which will break with this many CA certs.
Comment 14 Frantisek Hanzlik 2010-05-22 12:31:12 EDT
I agree with You. I myself think it is a bit of a Microsoft clients problem, as all the other mail clients I tried with the current ca-bundle.crt work fine (but they were probably all linked with nss or openssl). The Microsoft KB article "How TLS/SSL works":
http://technet.microsoft.com/en-us/library/cc783349(WS.10).aspx
states:

Server Certificate Message

The server sends its certificate to the client. The server certificate contains the server's public key. The client uses this key to authenticate the server and to encrypt the Premaster Secret. The Server Certificate message includes:

    * The server's certificate list. The first certificate in the list is the server's X.509v3 certificate that contains the server's public key.

    * Other validating certificates. All other validating certificates, up to but not including the root certificate from the CA, signed by the CA.
-----------------------

which is what RFC2246 says:
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's certificate must come first in the list. Each following certificate must directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate which specifies the root certificate authority may optionally be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
-----------------------

Microsoft clients probably aren't able to accept a certificate list longer than some limit.

But it is a sendmail bug too - sendmail should not send this complete CA list, but only the certificates signing its certificate and those up to the root CA certificate - and that will perhaps be zero or some small number of certificates.
No certificate is likely to be validated by a chain of 150 other certificates up to the CA certificate.

Now the question is whether the Fedora or the Sendmail team should deal with this issue. The right solution should probably be (from the sendmail team) something like allowing a blank parameter in the confCACERT definition/CACertFile option, in which case sendmail would send no additional validation certificates (as certificates are mostly signed directly by the CA). Or on the Fedora side, adjusting the confCACERT definition to some file other than ca-bundle.crt, containing e.g. only one arbitrary CA certificate. (I find that it isn't possible to leave the confCACERT parameter blank or set it to refer to an empty file, as then sendmail disables SSL/TLS entirely.)
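The two server handshake messages discussed in the last two comments have a simple wire layout, and counting what the server actually puts into them is the check to make before attributing the failure to either side: the Certificate message carries the chain (certificate_list), while the CA names from CACertFile go into the CertificateRequest (certificate_authorities), a separate message whose size grows with every root in the bundle. The parser below is an added example, not code from this report, from sendmail or from Fedora. Its sample messages are constructed: opaque byte strings stand in for DER certificates and DistinguishedNames, since only the TLS 1.0/1.1 framing (the version the clients in this thread negotiate) is being examined.

```python
"""Parse the server handshake messages at issue, laid out as in RFC 2246:
Certificate (7.4.2, certificate_list) and CertificateRequest (7.4.4,
certificate_authorities, which sendmail fills from CACertFile).
Added example; not code from the bug report, sendmail or Fedora."""
import struct

HANDSHAKE_CERTIFICATE = 11
HANDSHAKE_CERTIFICATE_REQUEST = 13
MAX_RECORD_PLAINTEXT = 2 ** 14  # TLS record payload limit (RFC 2246, 6.2.1)


def _u24(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 3], "big")


def iter_handshake_messages(data: bytes):
    """Yield (msg_type, body) from concatenated handshake messages, i.e. the
    record payloads of a capture with the 5-byte record headers removed.
    Each message is type(1) length(3) body(length)."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated handshake header")
        msg_type, length = data[off], _u24(data, off + 1)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        yield msg_type, body
        off += 4 + length


def parse_certificate(body: bytes) -> list[bytes]:
    """certificate_list: 3-byte total length, then (3-byte length, DER) per
    certificate; entry 0 is the server's own certificate."""
    if _u24(body, 0) != len(body) - 3:
        raise ValueError("certificate_list length mismatch")
    certs, off = [], 3
    while off < len(body):
        n = _u24(body, off)
        certs.append(body[off + 3:off + 3 + n])
        off += 3 + n
    return certs


def parse_certificate_request(body: bytes) -> tuple[list[int], list[bytes]]:
    """certificate_types: 1-byte count + types; certificate_authorities:
    2-byte total length, then (2-byte length, DER DistinguishedName) each.
    TLS 1.2 inserts supported_signature_algorithms between the two fields;
    this handles the TLS 1.0/1.1 layout."""
    ntypes = body[0]
    types = list(body[1:1 + ntypes])
    off = 1 + ntypes
    (total,) = struct.unpack(">H", body[off:off + 2])
    off += 2
    if off + total != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while off < len(body):
        (n,) = struct.unpack(">H", body[off:off + 2])
        names.append(body[off + 2:off + 2 + n])
        off += 2 + n
    return types, names


def build_certificate(certs: list[bytes]) -> bytes:
    lst = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(lst).to_bytes(3, "big") + lst
    return bytes([HANDSHAKE_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def build_certificate_request(types: list[int], names: list[bytes]) -> bytes:
    cas = b"".join(struct.pack(">H", len(n)) + n for n in names)
    body = bytes([len(types)]) + bytes(types) + struct.pack(">H", len(cas)) + cas
    return (bytes([HANDSHAKE_CERTIFICATE_REQUEST])
            + len(body).to_bytes(3, "big") + body)


def summarize(data: bytes) -> dict:
    """What to read off a capture: chain length actually sent, CA names
    advertised, CertificateRequest size, and whether that one message no
    longer fits in a single TLS record (legal, but worth noticing)."""
    out = {"chain_len": 0, "ca_names": 0, "cert_request_bytes": 0,
           "cert_request_spans_records": False}
    for msg_type, body in iter_handshake_messages(data):
        if msg_type == HANDSHAKE_CERTIFICATE:
            out["chain_len"] = len(parse_certificate(body))
        elif msg_type == HANDSHAKE_CERTIFICATE_REQUEST:
            out["ca_names"] = len(parse_certificate_request(body)[1])
            out["cert_request_bytes"] = 4 + len(body)
            out["cert_request_spans_records"] = 4 + len(body) > MAX_RECORD_PLAINTEXT
    return out


# Constructed sample: an opaque "server certificate" and fake DNs padded to
# 112 bytes, a length assumed here to stand in for real root-CA subject names.
SAMPLE_CERT = b"\x30\x82\x02\x00" + bytes(range(256)) * 2


def sample_dn(i: int) -> bytes:
    return b"\x30\x6e" + f"O=Constructed CA {i:03d}".encode().ljust(110, b"\x00")


def sample_exchange(n_cas: int) -> bytes:
    """Server flight with a one-certificate chain and n_cas advertised CAs."""
    return (build_certificate([SAMPLE_CERT])
            + build_certificate_request([1, 2], [sample_dn(i) for i in range(n_cas)]))


if __name__ == "__main__":
    for n in (1, 117, 152):  # 1 CA vs. the F9 and F13 bundle sizes listed above
        print(n, summarize(sample_exchange(n)))
```

Two things the parser makes visible. First, the chain itself does not grow with the bundle: a server certificate issued directly by a root is sent as a one-entry certificate_list regardless of how many roots CACertFile holds, so the size that scales with the bundle is the CertificateRequest, not the Certificate message. Second, with DNs of the assumed size, 150 names produce a CertificateRequest of about 17 KB, past the 16384-byte record limit, so the message is split across records; that is permitted by the RFC but is the kind of input an old client stack may mishandle, and it is the first thing to look at in the capture. On a live server the same list can be read without a capture: `openssl s_client -starttls smtp -connect host:25` prints it under "Acceptable client certificate CA names".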
Comment 15 Jaroslav Škarvada 2010-07-09 09:34:10 EDT
OK, could anybody please answer the following:

1) Is sendmail's behaviour against the RFC?
2) Does this happen only with Sendmail + TLS + a big number of certs + MS
clients?

I would consider this to be a big problem only if the answer to 1) is true. As this
behaviour is documented in the upstream sendmail documentation I wouldn't call this a
bug. It seems that fixing this would require a non-trivial change in sendmail that should be approved and implemented by upstream.
Comment 16 Jaroslav Škarvada 2010-07-09 09:42:36 EDT
*** Bug 526534 has been marked as a duplicate of this bug. ***
Comment 17 Bug Zapper 2010-11-04 07:34:06 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.
Comment 18 Bug Zapper 2010-12-05 02:02:57 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
