Prereq: "3.3.1"
diff -ur --new-file /var/tmp/postfix-3.3.1/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.3.1/src/global/mail_version.h 2018-05-19 16:14:35.000000000 -0400
+++ ./src/global/mail_version.h 2018-11-24 17:53:37.000000000 -0500
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE "20180519"
-#define MAIL_VERSION_NUMBER "3.3.1"
+#define MAIL_RELEASE_DATE "20181124"
+#define MAIL_VERSION_NUMBER "3.3.2"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.3.1/.indent.pro ./.indent.pro
--- /var/tmp/postfix-3.3.1/.indent.pro 2017-01-07 20:20:19.000000000 -0500
+++ ./.indent.pro 2018-11-17 17:55:51.000000000 -0500
@@ -346,6 +346,7 @@
 -TTLS_PKEYS
 -TTLS_PRNG_SEED_INFO
 -TTLS_PRNG_SRC
+-TTLS_ROLE
 -TTLS_SCACHE
 -TTLS_SCACHE_ENTRY
 -TTLS_SERVER_INIT_PROPS
@@ -353,6 +354,7 @@
 -TTLS_SESS_STATE
 -TTLS_TICKET_KEY
 -TTLS_TLSA
+-TTLS_USAGE
 -TTLS_VINFO
 -TTLScontext_t
 -TTOK822
diff -ur --new-file /var/tmp/postfix-3.3.1/HISTORY ./HISTORY
--- /var/tmp/postfix-3.3.1/HISTORY 2018-05-19 16:13:44.000000000 -0400
+++ ./HISTORY 2018-11-17 18:44:30.000000000 -0500
@@ -23364,3 +23364,48 @@ from Andreas Schulze, Eray Aslan, and Viktor Dukhovni. Files: postfix/postfix.c, master/master.c, master/master.h, master/master_sig.c, conf/postfix-script. + +20180617 + + Bugfix (introduced: Postfix 2.11): minor memory leak when + minting issuer certs. This affects a tiny minority of use + cases. Viktor Dukhovni, based on a fix by Juan Altmayer + Pizzorno for the ssl_dane library. File: tls/tls_dane.c. + +20180817 + + Workaround: postconf build did not abort if the m4 command + is not installed (on a system that does have the make + command, the awk command, the perl command, and the C + compiler?!). File: postconf/extract_cfg.sh. + +20181104 + + Multiple 'bit rot' fixes for OpenSSL API changes, including + support to disable TLSv1.3, to avoid issuing multiple session + tickets, and to allow OpenSSL >= 1.1.0 run-time micro version + bumps without complaining about library version mismatches. + Viktor Dukhovni. Files: proto/postconf.proto, + proto/TLS_README.html, tls/tls.h, tls/tls_server.c, + tls/tls_misc.c. + +20181106 + + Bugfix (introduced: 3.0): smtpd_discard_ehlo_keywords could + not disable "SMTPUTF8". because the lookup table was using + "EHLO_MASK_SMTPUTF8" instead. File: global/ehlo_mask.c. + +20181110 + + Documentation: update documentation for Postfix versions + that support disabling TLS 1.3. File: proto/postconf.proto. + +20181117 + + Improved logging of TLS 1.3 summary information, and improved + reporting of the same info in Received: message headers. + Viktor Dukhovni. Files: proto/FORWARD_SECRECY_README.html, + posttls-finger/posttls-finger.c, smtpd/smtpd.c, tls/tls.h, + tls/tls_client.c, tls/tls_misc.c, tls/tls_proxy.h, + tls/tls_proxy_context_print.c, tls/tls_proxy_context_scan.c, + tls/tls_server.c. 
diff -ur --new-file /var/tmp/postfix-3.3.1/README_FILES/AAAREADME ./README_FILES/AAAREADME --- /var/tmp/postfix-3.3.1/README_FILES/AAAREADME 2014-11-26 18:25:35.000000000 -0500 +++ ./README_FILES/AAAREADME 2018-11-18 08:34:33.000000000 -0500 @@ -12,7 +12,6 @@ * TLS_README: TLS Encryption and authentication * FORWARD_SECRECY_README: TLS Forward Secrecy * IPV6_README: IP Version 6 Support - * IPV6_README: IP Version 6 Support * SMTPUTF8_README: SMTPUTF8 Support * COMPATIBILITY_README: Backwards-Compatibility Safety Net * INSTALL: Installation from source code diff -ur --new-file /var/tmp/postfix-3.3.1/README_FILES/FORWARD_SECRECY_README ./README_FILES/FORWARD_SECRECY_README --- /var/tmp/postfix-3.3.1/README_FILES/FORWARD_SECRECY_README 2018-02-04 10:27:52.000000000 -0500 +++ ./README_FILES/FORWARD_SECRECY_README 2018-11-17 17:41:43.000000000 -0500 @@ -294,7 +294,8 @@ * With "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1", the Postfix SMTP client and server will log TLS connection information to the maillog file. - The general logfile format is: + The general logfile format is shown below. With TLS 1.3 there may be + additional properties logged after the cipher name and bits. postfix/smtp[process-id]: Untrusted TLS connection established to host.example.com[192.168.0.2]:25: TLSv1 with cipher cipher-name @@ -307,7 +308,8 @@ * With "smtpd_tls_received_header = yes", the Postfix SMTP server will record TLS connection information in the Received: header in the form of comments (text inside parentheses). The general format depends on the - smtpd_tls_ask_ccert setting: + smtpd_tls_ask_ccert setting. With TLS 1.3 there may be additional + properties logged after the cipher name and bits. Received: from host.example.com (host.example.com [192.168.0.2]) (using TLSv1 with cipher cipher-name 
@@ -320,6 +322,47 @@ (actual-key-size/raw-key-size bits)) (No client certificate requested) + TLS 1.3 examples. Some of the new attributes may not appear when not + applicable or not available in older versions of the OpenSSL library. + + Received: from localhost (localhost [127.0.0.1]) + (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 + bits) + key-exchange X25519 server-signature RSA-PSS (2048 bits) + server-digest SHA256) + (No client certificate requested) + + Received: from localhost (localhost [127.0.0.1]) + (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 + bits) + key-exchange X25519 server-signature RSA-PSS (2048 bits) + server-digest SHA256 + client-signature ECDSA (P-256) client-digest SHA256) + (Client CN "example.org", Issuer "example.org" (not verified)) + + o The "key-exchange" attribute records the type of "Diffie-Hellman" group + used for key agreement. Possible values include "DHE", "ECDHE", + "X25519" and "X448". With "DHE", the bit size of the prime will be + reported in parentheses after the algorithm name, with "ECDHE", the + curve name. + + o The "server-signature" attribute shows the public key signature + algorithm used by the server. With "RSA-PSS", the bit size of the + modulus will be reported in parentheses. With "ECDSA", the curve name. + If, for example, the server has both an RSA and an ECDSA private key + and certificate, it will be possible to track which one was used for a + given connection. + + o The new "server-digest" attribute records the digest algorithm used by + the server to prepare handshake messages for signing. The Ed25519 and + Ed448 signature algorithms do not make use of such a digest, so no + "server-digest" will be shown for these signature algorithms. 
+ + o When a client certificate is requested with "smtpd_tls_ask_ccert" and + the client uses a TLS client-certificate, the "client-signature" and + "client-digest" attributes will record the corresponding properties of + the client's TLS handshake signature. + The next sections will explain what cipher-name, key-size, and peer verification status information to expect. 
@@ -361,6 +404,51 @@ non-export ciphers, but may they differ for the legacy export ciphers where the actual key is artificially shortened. +Starting with TLS 1.3 the cipher name no longer contains enough information to +determine which forward-secrecy scheme was employed, but TLS 1.3 aallwwaayyss uses +forward-secrecy. On the client side, up-to-date Postfix releases log additional +information for TLS 1.3 connections, reporting the signature and key exchange +algorithms. Two examples below (the long single line messages are folded across +multiple lines for readability): + + postfix/smtp[process-id]: + Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25: + TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest + SHA256 + client-signature ECDSA (P-256) client-digest SHA256 + + postfix/smtp[process-id]: + Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25: + TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest + SHA256 + +In the above connections, the "key-exchange" value records the "Diffie-Hellman" +algorithm used for key agreement. The "server-signature" value records the +public key algoritm used by the server to sign the key exchange. The "server- +digest" value records any hash algorithm used to prepare the data for signing. +With "ED25519" and "ED448", no separate hash algorithm is used. 
+ +Examples of Postfix SMTP server logging: + + postfix/smtpd[process-id]: + Untrusted TLS connection established from localhost[127.0.0.1]:25: + TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest + SHA256 + client-signature ECDSA (P-256) client-digest SHA256 + + postfix/smtpd[process-id]: + Anonymous TLS connection established from localhost[127.0.0.1]: + TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + server-signature RSA-PSS (2048 bits) server-digest SHA256 + + postfix/smtpd[process-id]: + Anonymous TLS connection established from localhost[127.0.0.1]: + TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) + server-signature ED25519 + WWhhaatt ddoo ""AAnnoonnyymmoouuss"",, ""UUnnttrruusstteedd"",, eettcc.. iinn PPoossttffiixx llooggggiinngg mmeeaann?? The verification levels below are subject to man-in-the-middle attacks to diff -ur --new-file /var/tmp/postfix-3.3.1/README_FILES/TLS_README ./README_FILES/TLS_README --- /var/tmp/postfix-3.3.1/README_FILES/TLS_README 2017-02-28 19:55:20.000000000 -0500 +++ ./README_FILES/TLS_README 2018-11-04 18:48:24.000000000 -0500 
@@ -660,11 +660,12 @@ smtpd_starttls_timeout = 300s With Postfix 2.8 and later, the tls_disable_workarounds parameter specifies a -list or bit-mask of OpenSSL bug work-arounds to disable. This may be necessary -if one of the work-arounds enabled by default in OpenSSL proves to pose a -security risk, or introduces an unexpected interoperability issue. Some bug -work-arounds known to be problematic are disabled in the default value of the -parameter when linked with an OpenSSL library that could be vulnerable. +list or bit-mask of default-enabled OpenSSL bug work-arounds to disable. This +may be necessary if one of the work-arounds enabled by default in OpenSSL +proves to pose a security risk, or introduces an unexpected interoperability +issue. The list of enabled bug work-arounds is OpenSSL-release-specific. See +the tls_disable_workarounds parameter documentation for the list of supported +values. Example: @@ -677,16 +678,9 @@ below, or a hexadecimal bitmask of options found in the ssl.h file corresponding to the run-time OpenSSL library. While it may be reasonable to turn off all bug workarounds (see above), it is not a good idea to attempt to -turn on all features. +turn on all features. See the tls_ssl_options parameter documentation for the +list of supported values. -LLEEGGAACCYY__SSEERRVVEERR__CCOONNNNEECCTT - See SSL_CTX_set_options(3). -NNOO__TTIICCKKEETT - See SSL_CTX_set_options(3). -NNOO__CCOOMMPPRREESSSSIIOONN - Disable SSL compression even if supported by the OpenSSL library. - Compression is CPU-intensive, and compression before encryption does not - always improve security. Example: /etc/postfix/main.cf: diff -ur --new-file /var/tmp/postfix-3.3.1/html/FORWARD_SECRECY_README.html ./html/FORWARD_SECRECY_README.html --- /var/tmp/postfix-3.3.1/html/FORWARD_SECRECY_README.html 2018-02-04 10:27:52.000000000 -0500 +++ ./html/FORWARD_SECRECY_README.html 2018-11-17 17:41:43.000000000 -0500 @@ -397,7 +397,9 @@
  • With "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1", the Postfix SMTP client and server will log TLS connection information -to the maillog file. The general logfile format is:

    +to the maillog file. The general logfile format is shown below. +With TLS 1.3 there may be additional properties logged after the +cipher name and bits.

    @@ -414,7 +416,8 @@
     
  • With "smtpd_tls_received_header = yes", the Postfix SMTP server will record TLS connection information in the Received: header in the form of comments (text inside parentheses). The general -format depends on the smtpd_tls_ask_ccert setting: +format depends on the smtpd_tls_ask_ccert setting. With TLS 1.3 there +may be additional properties logged after the cipher name and bits.

    @@ -430,6 +433,46 @@
     
    +

    TLS 1.3 examples. Some of the new attributes may not appear when not +applicable or not available in older versions of the OpenSSL library.

    + +
    +
    +Received: from localhost (localhost [127.0.0.1])
    +        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    +        (No client certificate requested)
    +
    +Received: from localhost (localhost [127.0.0.1])
    +        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +         client-signature ECDSA (P-256) client-digest SHA256)
    +        (Client CN "example.org", Issuer "example.org" (not verified))
    +
    +
    + +
      +
    • The "key-exchange" attribute records the type of "Diffie-Hellman" +group used for key agreement. Possible values include "DHE", "ECDHE", "X25519" +and "X448". With "DHE", the bit size of the prime will be reported in +parentheses after the algorithm name, with "ECDHE", the curve name.

      + +
    • The "server-signature" attribute shows the public key signature +algorithm used by the server. With "RSA-PSS", the bit size of the modulus will +be reported in parentheses. With "ECDSA", the curve name. If, for example, +the server has both an RSA and an ECDSA private key and certificate, it will be +possible to track which one was used for a given connection.

      + +
    • The new "server-digest" attribute records the digest algorithm used by +the server to prepare handshake messages for signing. The Ed25519 and Ed448 +signature algorithms do not make use of such a digest, so no "server-digest" +will be shown for these signature algorithms.

      + +
    • When a client certificate is requested with "smtpd_tls_ask_ccert" and +the client uses a TLS client-certificate, the "client-signature" and +"client-digest" attributes will record the corresponding properties of the +client's TLS handshake signature.

    +

    The next sections will explain what cipher-name, @@ -481,6 +524,58 @@ differ for the legacy export ciphers where the actual key is artificially shortened.

    +

    Starting with TLS 1.3 the cipher name no longer contains enough +information to determine which forward-secrecy scheme was employed, +but TLS 1.3 always uses forward-secrecy. On the client side, +up-to-date Postfix releases log additional information for TLS 1.3 +connections, reporting the signature and key exchange algorithms. +Two examples below (the long single line messages are folded across +multiple lines for readability):

    + +
    +
    +postfix/smtp[process-id]:
    +  Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +  client-signature ECDSA (P-256) client-digest SHA256
    +
    +postfix/smtp[process-id]:
    +  Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256
    +
    +
    + +

    In the above connections, the "key-exchange" value records the +"Diffie-Hellman" algorithm used for key agreement. The "server-signature" value +records the public key algoritm used by the server to sign the key exchange. +The "server-digest" value records any hash algorithm used to prepare the data +for signing. With "ED25519" and "ED448", no separate hash algorithm is used. +

    + +

    Examples of Postfix SMTP server logging:

    + +
    +
    +postfix/smtpd[process-id]:
    +  Untrusted TLS connection established from localhost[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +  client-signature ECDSA (P-256) client-digest SHA256
    +
    +postfix/smtpd[process-id]:
    +  Anonymous TLS connection established from localhost[127.0.0.1]:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  server-signature RSA-PSS (2048 bits) server-digest SHA256
    +
    +postfix/smtpd[process-id]:
    +  Anonymous TLS connection established from localhost[127.0.0.1]:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  server-signature ED25519
    +
    +
    +

    What do "Anonymous", "Untrusted", etc. in Postfix logging mean?

    diff -ur --new-file /var/tmp/postfix-3.3.1/html/TLS_README.html ./html/TLS_README.html --- /var/tmp/postfix-3.3.1/html/TLS_README.html 2017-02-28 19:55:20.000000000 -0500 +++ ./html/TLS_README.html 2018-11-04 18:48:21.000000000 -0500 @@ -923,12 +923,13 @@
  • With Postfix 2.8 and later, the tls_disable_workarounds parameter -specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This -may be necessary if one of the work-arounds enabled by default in -OpenSSL proves to pose a security risk, or introduces an unexpected -interoperability issue. Some bug work-arounds known to be problematic -are disabled in the default value of the parameter when linked with -an OpenSSL library that could be vulnerable.

    +specifies a list or bit-mask of default-enabled OpenSSL bug +work-arounds to disable. This may be necessary if one of the +work-arounds enabled by default in OpenSSL proves to pose a security +risk, or introduces an unexpected interoperability issue. The list +of enabled bug work-arounds is OpenSSL-release-specific. See the +tls_disable_workarounds parameter documentation for the list of +supported values.

    Example:

    @@ -946,19 +947,8 @@ found in the ssl.h file corresponding to the run-time OpenSSL library. While it may be reasonable to turn off all bug workarounds (see above), it is not a good idea to attempt to turn on all features. -

    - -
    - -
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).
    - -
    NO_TICKET
    See SSL_CTX_set_options(3).
    - -
    NO_COMPRESSION
    Disable SSL compression even if -supported by the OpenSSL library. Compression is CPU-intensive, -and compression before encryption does not always improve security.
    - -
    +See the tls_ssl_options parameter documentation for the list of +supported values.

    Example:

    diff -ur --new-file /var/tmp/postfix-3.3.1/html/index.html ./html/index.html --- /var/tmp/postfix-3.3.1/html/index.html 2014-11-26 18:25:31.000000000 -0500 +++ ./html/index.html 2018-11-18 08:24:03.000000000 -0500 @@ -46,8 +46,6 @@
  • IP Version 6 Support -
  • IP Version 6 Support -
  • SMTPUTF8 Support
  • Backwards-Compatibility Safety Net diff -ur --new-file /var/tmp/postfix-3.3.1/html/postconf.5.html ./html/postconf.5.html --- /var/tmp/postfix-3.3.1/html/postconf.5.html 2018-02-04 10:40:51.000000000 -0500 +++ ./html/postconf.5.html 2018-11-10 19:40:42.000000000 -0500 @@ -12511,8 +12511,10 @@

    The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example:

    +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): +

     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
    @@ -12529,6 +12531,10 @@
     versions of Postfix ≥ 2.10 can explicitly disable support for
     "TLSv1.1" or "TLSv1.2". 

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    At the dane and dane-only security levels, when usable TLSA records are obtained for the remote SMTP @@ -12841,11 +12847,13 @@

    The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example:

    +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): +

    -smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
    +smtp_tls_protocols = !SSLv2, !TLSv1
     

    also disables any protocols version higher than TLSv1 leaving @@ -12856,6 +12864,10 @@ versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set @@ -16965,6 +16977,10 @@ versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    Example:

    @@ -16996,6 +17012,10 @@
     versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or
     "TLSv1.2". 

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set @@ -17735,44 +17755,46 @@

    -
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    +
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in +OpenSSL 1.0.0.
    -
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    +
    DONT_INSERT_EMPTY_FRAGMENTS
    See +SSL_CTX_set_options(3)
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)
    -
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased -as CVE-2010-4180. Postfix 2.8 disables this work-around by -default with OpenSSL versions that may predate the fix. Fixed in -OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    - -
    SSLREF2_REUSE_CERT_TYPE_BUG
    See -SSL_CTX_set_options(3)
    -
    MICROSOFT_BIG_SSLV3_BUFFER
    See SSL_CTX_set_options(3)
    +
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    +
    MSIE_SSLV2_RSA_PADDING
    also aliased as CVE-2005-2969. Postfix 2.8 disables this work-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
    +
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    +
    SSLEAY_080_CLIENT_DH_BUG
    See SSL_CTX_set_options(3)
    -
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    +
    SSLREF2_REUSE_CERT_TYPE_BUG
    See +SSL_CTX_set_options(3)
    TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)
    +
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    +
    TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!
    -
    DONT_INSERT_EMPTY_FRAGMENTS
    See -SSL_CTX_set_options(3)
    - -
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in -OpenSSL 1.0.0.
    +
    TLSEXT_PADDING
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    @@ -18146,18 +18168,39 @@ You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn all features by -specifying 0xFFFFFFFF, this is unlikely to be a good idea.

    +specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some +bug work-arounds are also valid here, allowing them to be re-enabled +if/when they're no longer enabled by default. The supported values +include:

    +
    ENABLE_MIDDLEBOX_COMPAT
    Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
    +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).
    -
    NO_TICKET
    See SSL_CTX_set_options(3).
    +
    NO_TICKET
    Enabled by default when needed in +fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥ +2.11, unless for some reason you do not want to support TLS session +resumption. Best not set explicitly. See SSL_CTX_set_options(3).
    NO_COMPRESSION
    Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.
    +
    NO_RENEGOTIATION
    Postfix ≥ 3.4. This can +reduce opportunities for a potential CPU exhaustion attack. See +SSL_CTX_set_options(3).
    + +
    NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    Postfix +≥ 3.4. See SSL_CTX_set_options(3).
    + +
    PRIORITIZE_CHACHA
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    + +
    TLSEXT_PADDING
    Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
    +

    This feature is available in Postfix 2.11 and later.

    diff -ur --new-file /var/tmp/postfix-3.3.1/man/man5/postconf.5 ./man/man5/postconf.5 --- /var/tmp/postfix-3.3.1/man/man5/postconf.5 2018-02-04 10:40:51.000000000 -0500 +++ ./man/man5/postconf.5 2018-11-10 19:40:42.000000000 -0500 @@ -8054,8 +8054,9 @@ .PP The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example: +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): .sp .in +4 .nf @@ -8077,6 +8078,10 @@ versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2". .PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3". +.PP At the dane and dane\-only security levels, when usable TLSA records are obtained for the remote SMTP @@ -8372,14 +8377,15 @@ .PP The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example: +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): .sp .in +4 .nf .na .ft C -smtp_tls_mandatory_protocols = !SSLv2, !TLSv1 +smtp_tls_protocols = !SSLv2, !TLSv1 .fi .ad .ft R 
@@ -8392,6 +8398,10 @@ versions of Postfix >= 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2" .PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3". +.PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set @@ -11669,6 +11679,10 @@ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". .PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3". +.PP Example: .PP .nf @@ -11698,6 +11712,10 @@ versions of Postfix >= 2.10 can disable support for "TLSv1.1" or "TLSv1.2". .PP +OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +>= 3.4 (or patch releases >= 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3". +.PP To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set 
@@ -12213,57 +12231,60 @@ is possible that your OpenSSL version includes new bug work\-arounds added after your Postfix source code was last updated, in that case you can only disable one of these via the hexadecimal syntax above. -.IP "\fBMICROSOFT_SESS_ID_BUG\fR" -See SSL_CTX_\fBset_options\fR(3) +.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR" +New with GOST support in +OpenSSL 1.0.0. .br -.IP "\fBNETSCAPE_CHALLENGE_BUG\fR" -See SSL_CTX_\fBset_options\fR(3) +.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR" +See +SSL_CTX_\fBset_options\fR(3) .br .IP "\fBLEGACY_SERVER_CONNECT\fR" See SSL_CTX_\fBset_options\fR(3) .br -.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR" -also aliased -as \fBCVE\-2010\-4180\fR. Postfix 2.8 disables this work\-around by -default with OpenSSL versions that may predate the fix. Fixed in -OpenSSL 0.9.8q and OpenSSL 1.0.0c. -.br -.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR" -See -SSL_CTX_\fBset_options\fR(3) -.br .IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR" See SSL_CTX_\fBset_options\fR(3) .br +.IP "\fBMICROSOFT_SESS_ID_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBMSIE_SSLV2_RSA_PADDING\fR" also aliased as \fBCVE\-2005\-2969\fR. Postfix 2.8 disables this work\-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a. .br +.IP "\fBNETSCAPE_CHALLENGE_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.br +.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR" +also aliased +as \fBCVE\-2010\-4180\fR. Postfix 2.8 disables this work\-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c. 
+.br .IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR" See SSL_CTX_\fBset_options\fR(3) .br -.IP "\fBTLS_D5_BUG\fR" -See SSL_CTX_\fBset_options\fR(3) +.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR" +See +SSL_CTX_\fBset_options\fR(3) .br .IP "\fBTLS_BLOCK_PADDING_BUG\fR" See SSL_CTX_\fBset_options\fR(3) .br +.IP "\fBTLS_D5_BUG\fR" +See SSL_CTX_\fBset_options\fR(3) +.br .IP "\fBTLS_ROLLBACK_BUG\fR" See SSL_CTX_\fBset_options\fR(3). This is disabled in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6! .br -.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR" -See -SSL_CTX_\fBset_options\fR(3) -.br -.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR" -New with GOST support in -OpenSSL 1.0.0. +.IP "\fBTLSEXT_PADDING\fR" +Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3). .br .br .PP 
@@ -12529,18 +12550,44 @@ You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn all features by -specifying 0xFFFFFFFF, this is unlikely to be a good idea. +specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some +bug work\-arounds are also valid here, allowing them to be re\-enabled +if/when they're no longer enabled by default. The supported values +include: +.IP "\fBENABLE_MIDDLEBOX_COMPAT\fR" +Postfix >= 3.4. See +SSL_CTX_\fBset_options\fR(3). +.br .IP "\fBLEGACY_SERVER_CONNECT\fR" See SSL_CTX_\fBset_options\fR(3). .br .IP "\fBNO_TICKET\fR" -See SSL_CTX_\fBset_options\fR(3). +Enabled by default when needed in +fully\-patched Postfix >= 2.7. Not needed at all for Postfix >= +2.11, unless for some reason you do not want to support TLS session +resumption. Best not set explicitly. See SSL_CTX_\fBset_options\fR(3). .br .IP "\fBNO_COMPRESSION\fR" Disable SSL compression even if supported by the OpenSSL library. Compression is CPU\-intensive, and compression before encryption does not always improve security. .br +.IP "\fBNO_RENEGOTIATION\fR" +Postfix >= 3.4. This can +reduce opportunities for a potential CPU exhaustion attack. See +SSL_CTX_\fBset_options\fR(3). +.br +.IP "\fBNO_SESSION_RESUMPTION_ON_RENEGOTIATION\fR" +Postfix +>= 3.4. See SSL_CTX_\fBset_options\fR(3). +.br +.IP "\fBPRIORITIZE_CHACHA\fR" +Postfix >= 3.4. See SSL_CTX_\fBset_options\fR(3). +.br +.IP "\fBTLSEXT_PADDING\fR" +Postfix >= 3.4. See +SSL_CTX_\fBset_options\fR(3). +.br .br .PP This feature is available in Postfix 2.11 and later. diff -ur --new-file /var/tmp/postfix-3.3.1/proto/FORWARD_SECRECY_README.html ./proto/FORWARD_SECRECY_README.html --- /var/tmp/postfix-3.3.1/proto/FORWARD_SECRECY_README.html 2018-02-04 10:27:43.000000000 -0500 +++ ./proto/FORWARD_SECRECY_README.html 2018-11-17 17:40:19.000000000 -0500 @@ -397,7 +397,9 @@
  • With "smtp_tls_loglevel = 1" and "smtpd_tls_loglevel = 1", the Postfix SMTP client and server will log TLS connection information -to the maillog file. The general logfile format is:

    +to the maillog file. The general logfile format is shown below. +With TLS 1.3 there may be additional properties logged after the +cipher name and bits.

    @@ -414,7 +416,8 @@
     
  • With "smtpd_tls_received_header = yes", the Postfix SMTP server will record TLS connection information in the Received: header in the form of comments (text inside parentheses). The general -format depends on the smtpd_tls_ask_ccert setting: +format depends on the smtpd_tls_ask_ccert setting. With TLS 1.3 there +may be additional properties logged after the cipher name and bits.

    @@ -430,6 +433,46 @@
     
    +

    TLS 1.3 examples. Some of the new attributes may not appear when not +applicable or not available in older versions of the OpenSSL library.

    + +
    +
    +Received: from localhost (localhost [127.0.0.1])
    +        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
    +        (No client certificate requested)
    +
    +Received: from localhost (localhost [127.0.0.1])
    +        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +         client-signature ECDSA (P-256) client-digest SHA256)
    +        (Client CN "example.org", Issuer "example.org" (not verified))
    +
    +
    + +
      +
    • The "key-exchange" attribute records the type of "Diffie-Hellman" +group used for key agreement. Possible values include "DHE", "ECDHE", "X25519" +and "X448". With "DHE", the bit size of the prime will be reported in +parentheses after the algorithm name, with "ECDHE", the curve name.

      + +
    • The "server-signature" attribute shows the public key signature +algorithm used by the server. With "RSA-PSS", the bit size of the modulus will +be reported in parentheses. With "ECDSA", the curve name. If, for example, +the server has both an RSA and an ECDSA private key and certificate, it will be +possible to track which one was used for a given connection.

      + +
    • The new "server-digest" attribute records the digest algorithm used by +the server to prepare handshake messages for signing. The Ed25519 and Ed448 +signature algorithms do not make use of such a digest, so no "server-digest" +will be shown for these signature algorithms.

      + +
    • When a client certificate is requested with "smtpd_tls_ask_ccert" and +the client uses a TLS client-certificate, the "client-signature" and +"client-digest" attributes will record the corresponding properties of the +client's TLS handshake signature.

    +

    The next sections will explain what cipher-name, @@ -481,6 +524,58 @@ differ for the legacy export ciphers where the actual key is artificially shortened.

    +

    Starting with TLS 1.3 the cipher name no longer contains enough +information to determine which forward-secrecy scheme was employed, +but TLS 1.3 always uses forward-secrecy. On the client side, +up-to-date Postfix releases log additional information for TLS 1.3 +connections, reporting the signature and key exchange algorithms. +Two examples below (the long single line messages are folded across +multiple lines for readability):

    + +
    +
    +postfix/smtp[process-id]:
    +  Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +  client-signature ECDSA (P-256) client-digest SHA256
    +
    +postfix/smtp[process-id]:
    +  Untrusted TLS connection established to 127.0.0.1[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256
    +
    +
    + +

    In the above connections, the "key-exchange" value records the +"Diffie-Hellman" algorithm used for key agreement. The "server-signature" value +records the public key algoritm used by the server to sign the key exchange. +The "server-digest" value records any hash algorithm used to prepare the data +for signing. With "ED25519" and "ED448", no separate hash algorithm is used. +

    + +

    Examples of Postfix SMTP server logging:

    + +
    +
    +postfix/smtpd[process-id]:
    +  Untrusted TLS connection established from localhost[127.0.0.1]:25:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    +  client-signature ECDSA (P-256) client-digest SHA256
    +
    +postfix/smtpd[process-id]:
    +  Anonymous TLS connection established from localhost[127.0.0.1]:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  server-signature RSA-PSS (2048 bits) server-digest SHA256
    +
    +postfix/smtpd[process-id]:
    +  Anonymous TLS connection established from localhost[127.0.0.1]:
    +  TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    +  server-signature ED25519
    +
    +
    +

    What do "Anonymous", "Untrusted", etc. in Postfix logging mean?

    diff -ur --new-file /var/tmp/postfix-3.3.1/proto/TLS_README.html ./proto/TLS_README.html --- /var/tmp/postfix-3.3.1/proto/TLS_README.html 2017-02-28 19:55:17.000000000 -0500 +++ ./proto/TLS_README.html 2018-11-04 18:45:52.000000000 -0500 @@ -923,12 +923,13 @@
  • With Postfix 2.8 and later, the tls_disable_workarounds parameter -specifies a list or bit-mask of OpenSSL bug work-arounds to disable. This -may be necessary if one of the work-arounds enabled by default in -OpenSSL proves to pose a security risk, or introduces an unexpected -interoperability issue. Some bug work-arounds known to be problematic -are disabled in the default value of the parameter when linked with -an OpenSSL library that could be vulnerable.

    +specifies a list or bit-mask of default-enabled OpenSSL bug +work-arounds to disable. This may be necessary if one of the +work-arounds enabled by default in OpenSSL proves to pose a security +risk, or introduces an unexpected interoperability issue. The list +of enabled bug work-arounds is OpenSSL-release-specific. See the +tls_disable_workarounds parameter documentation for the list of +supported values.

    Example:

    @@ -946,19 +947,8 @@ found in the ssl.h file corresponding to the run-time OpenSSL library. While it may be reasonable to turn off all bug workarounds (see above), it is not a good idea to attempt to turn on all features. -

    - -
    - -
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).
    - -
    NO_TICKET
    See SSL_CTX_set_options(3).
    - -
    NO_COMPRESSION
    Disable SSL compression even if -supported by the OpenSSL library. Compression is CPU-intensive, -and compression before encryption does not always improve security.
    - -
    +See the tls_ssl_options parameter documentation for the list of +supported values.

    Example:

    diff -ur --new-file /var/tmp/postfix-3.3.1/proto/postconf.proto ./proto/postconf.proto --- /var/tmp/postfix-3.3.1/proto/postconf.proto 2018-02-04 10:40:28.000000000 -0500 +++ ./proto/postconf.proto 2018-11-10 19:40:29.000000000 -0500 @@ -11191,8 +11191,10 @@

    The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example:

    +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): +

     smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
    @@ -11209,6 +11211,10 @@
     versions of Postfix ≥ 2.10 can explicitly disable support for
     "TLSv1.1" or "TLSv1.2". 

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    At the dane and dane-only security levels, when usable TLSA records are obtained for the remote SMTP @@ -11406,6 +11412,10 @@ versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    Example:

    @@ -12547,11 +12557,13 @@
     
     

    The range of protocols advertised by an SSL/TLS client must be contiguous. When a protocol version is enabled, disabling any -higher version implicitly disables all versions above that higher -version. Thus, for example:

    +higher version implicitly disables all versions above that higher version. +Thus, for example (assuming the OpenSSL library supports both SSLv2 +and SSLv3): +

    -smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
    +smtp_tls_protocols = !SSLv2, !TLSv1
     

    also disables any protocols version higher than TLSv1 leaving @@ -12562,6 +12574,10 @@ versions of Postfix ≥ 2.10 can explicitly disable support for "TLSv1.1" or "TLSv1.2"

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set @@ -12594,6 +12610,10 @@ versions of Postfix ≥ 2.10 can disable support for "TLSv1.1" or "TLSv1.2".

    +

    OpenSSL 1.1.1 introduces support for "TLSv1.3". With Postfix +≥ 3.4 (or patch releases ≥ 3.0.14, 3.1.10, 3.2.7 and 3.3.2) +this can be disabled, if need be, via "!TLSv1.3".

    +

    To include a protocol list its name, to exclude it, prefix the name with a "!" character. To exclude SSLv2 for opportunistic TLS set "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set @@ -14877,44 +14897,46 @@

    -
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    +
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in +OpenSSL 1.0.0.
    -
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    +
    DONT_INSERT_EMPTY_FRAGMENTS
    See +SSL_CTX_set_options(3)
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3)
    -
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased -as CVE-2010-4180. Postfix 2.8 disables this work-around by -default with OpenSSL versions that may predate the fix. Fixed in -OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    - -
    SSLREF2_REUSE_CERT_TYPE_BUG
    See -SSL_CTX_set_options(3)
    -
    MICROSOFT_BIG_SSLV3_BUFFER
    See SSL_CTX_set_options(3)
    +
    MICROSOFT_SESS_ID_BUG
    See SSL_CTX_set_options(3)
    +
    MSIE_SSLV2_RSA_PADDING
    also aliased as CVE-2005-2969. Postfix 2.8 disables this work-around by default with OpenSSL versions that may predate the fix. Fixed in OpenSSL 0.9.7h and OpenSSL 0.9.8a.
    +
    NETSCAPE_CHALLENGE_BUG
    See SSL_CTX_set_options(3)
    + +
    NETSCAPE_REUSE_CIPHER_CHANGE_BUG
    also aliased +as CVE-2010-4180. Postfix 2.8 disables this work-around by +default with OpenSSL versions that may predate the fix. Fixed in +OpenSSL 0.9.8q and OpenSSL 1.0.0c.
    +
    SSLEAY_080_CLIENT_DH_BUG
    See SSL_CTX_set_options(3)
    -
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    +
    SSLREF2_REUSE_CERT_TYPE_BUG
    See +SSL_CTX_set_options(3)
    TLS_BLOCK_PADDING_BUG
    See SSL_CTX_set_options(3)
    +
    TLS_D5_BUG
    See SSL_CTX_set_options(3)
    +
    TLS_ROLLBACK_BUG
    See SSL_CTX_set_options(3). This is disabled in OpenSSL 0.9.7 and later. Nobody should still be using 0.9.6!
    -
    DONT_INSERT_EMPTY_FRAGMENTS
    See -SSL_CTX_set_options(3)
    - -
    CRYPTOPRO_TLSEXT_BUG
    New with GOST support in -OpenSSL 1.0.0.
    +
    TLSEXT_PADDING
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    @@ -15967,18 +15989,39 @@ You can only enable options not already controlled by other Postfix settings. For example, you cannot disable protocols or enable server cipher preference. Do not attempt to turn all features by -specifying 0xFFFFFFFF, this is unlikely to be a good idea.

    +specifying 0xFFFFFFFF, this is unlikely to be a good idea. Some +bug work-arounds are also valid here, allowing them to be re-enabled +if/when they're no longer enabled by default. The supported values +include:

    +
    ENABLE_MIDDLEBOX_COMPAT
    Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
    +
    LEGACY_SERVER_CONNECT
    See SSL_CTX_set_options(3).
    -
    NO_TICKET
    See SSL_CTX_set_options(3).
    +
    NO_TICKET
    Enabled by default when needed in +fully-patched Postfix ≥ 2.7. Not needed at all for Postfix ≥ +2.11, unless for some reason you do not want to support TLS session +resumption. Best not set explicitly. See SSL_CTX_set_options(3).
    NO_COMPRESSION
    Disable SSL compression even if supported by the OpenSSL library. Compression is CPU-intensive, and compression before encryption does not always improve security.
    +
    NO_RENEGOTIATION
    Postfix ≥ 3.4. This can +reduce opportunities for a potential CPU exhaustion attack. See +SSL_CTX_set_options(3).
    + +
    NO_SESSION_RESUMPTION_ON_RENEGOTIATION
    Postfix +≥ 3.4. See SSL_CTX_set_options(3).
    + +
    PRIORITIZE_CHACHA
    Postfix ≥ 3.4. See SSL_CTX_set_options(3).
    + +
    TLSEXT_PADDING
    Postfix ≥ 3.4. See +SSL_CTX_set_options(3).
    +

    This feature is available in Postfix 2.11 and later.

    diff -ur --new-file /var/tmp/postfix-3.3.1/src/global/ehlo_mask.c ./src/global/ehlo_mask.c --- /var/tmp/postfix-3.3.1/src/global/ehlo_mask.c 2014-07-06 19:31:07.000000000 -0400 +++ ./src/global/ehlo_mask.c 2018-11-17 17:33:15.000000000 -0500 @@ -77,6 +77,7 @@ "ENHANCEDSTATUSCODES", EHLO_MASK_ENHANCEDSTATUSCODES, "DSN", EHLO_MASK_DSN, "EHLO_MASK_SMTPUTF8", EHLO_MASK_SMTPUTF8, + "SMTPUTF8", EHLO_MASK_SMTPUTF8, "SILENT-DISCARD", EHLO_MASK_SILENT, /* XXX In-band signaling */ 0, }; diff -ur --new-file /var/tmp/postfix-3.3.1/src/global/mail_proto.h ./src/global/mail_proto.h --- /var/tmp/postfix-3.3.1/src/global/mail_proto.h 2016-06-11 19:28:46.000000000 -0400 +++ ./src/global/mail_proto.h 2018-11-17 17:33:15.000000000 -0500 @@ -293,6 +293,18 @@ #define MAIL_ATTR_CIPHER_NAME "cipher_name" #define MAIL_ATTR_CIPHER_USEBITS "cipher_usebits" #define MAIL_ATTR_CIPHER_ALGBITS "cipher_algbits" +#define MAIL_ATTR_KEX_NAME "key_exchange" +#define MAIL_ATTR_KEX_CURVE "key_exchange_curve" +#define MAIL_ATTR_KEX_BITS "key_exchange_bits" +#define MAIL_ATTR_CLNT_SIG_NAME "clnt_signature" +#define MAIL_ATTR_CLNT_SIG_CURVE "clnt_signature_curve" +#define MAIL_ATTR_CLNT_SIG_BITS "clnt_signature_bits" +#define MAIL_ATTR_CLNT_SIG_DGST "clnt_signature_digest" +#define MAIL_ATTR_SRVR_SIG_NAME "srvr_signature" +#define MAIL_ATTR_SRVR_SIG_CURVE "srvr_signature_curve" +#define MAIL_ATTR_SRVR_SIG_BITS "srvr_signature_bits" +#define MAIL_ATTR_SRVR_SIG_DGST "srvr_signature_digest" +#define MAIL_ATTR_NAMADDR "namaddr" #define MAIL_ATTR_SERVER_ID "server_id" /* diff -ur --new-file /var/tmp/postfix-3.3.1/src/postconf/extract_cfg.sh ./src/postconf/extract_cfg.sh --- /var/tmp/postfix-3.3.1/src/postconf/extract_cfg.sh 2017-07-27 17:47:58.000000000 -0400 +++ ./src/postconf/extract_cfg.sh 2018-02-24 19:44:09.000000000 -0500 
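Review bot: The new `"SMTPUTF8", EHLO_MASK_SMTPUTF8,` row in the ehlo_mask.c hunk leaves the older `"EHLO_MASK_SMTPUTF8"` row in place with no comment saying that two keywords now deliberately map to the same mask. That row reads like a copy-paste of the macro name, so a later cleanup could drop it and break any smtpd_discard_ehlo_keywords setting that was written against the old spelling. Suggest a trailing comment on the old row, `/* XXX Legacy misnomer, kept for compatibility */`, so the intent survives. The table's opening is outside the hunk.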
@@ -38,6 +38,9 @@ # New York, NY 10011, USA #-- +# In case not installed. +m4 tls_context) { - out_fprintf(out_stream, REC_TYPE_NORM, - "\t(using %s with cipher %s (%d/%d bits))", - state->tls_context->protocol, - state->tls_context->cipher_name, - state->tls_context->cipher_usebits, - state->tls_context->cipher_algbits); + int cont = 0; + + vstring_sprintf(state->buffer, + "\t(using %s with cipher %s (%d/%d bits)", + state->tls_context->protocol, + state->tls_context->cipher_name, + state->tls_context->cipher_usebits, + state->tls_context->cipher_algbits); + if (state->tls_context->kex_name && *state->tls_context->kex_name) { + out_record(out_stream, REC_TYPE_NORM, STR(state->buffer), + LEN(state->buffer)); + vstring_sprintf(state->buffer, "\t key-exchange %s", + state->tls_context->kex_name); + if (state->tls_context->kex_curve + && *state->tls_context->kex_curve) + vstring_sprintf_append(state->buffer, " (%s)", + state->tls_context->kex_curve); + else if (state->tls_context->kex_bits > 0) + vstring_sprintf_append(state->buffer, " (%d bits)", + state->tls_context->kex_bits); + cont = 1; + } + if (state->tls_context->srvr_sig_name + && *state->tls_context->srvr_sig_name) { + if (cont) { + vstring_sprintf_append(state->buffer, " server-signature %s", + state->tls_context->srvr_sig_name); + } else { + out_record(out_stream, REC_TYPE_NORM, STR(state->buffer), + LEN(state->buffer)); + vstring_sprintf(state->buffer, "\t server-signature %s", + state->tls_context->srvr_sig_name); + } + if (state->tls_context->srvr_sig_curve + && *state->tls_context->srvr_sig_curve) + vstring_sprintf_append(state->buffer, " (%s)", + state->tls_context->srvr_sig_curve); + else if (state->tls_context->srvr_sig_bits > 0) + vstring_sprintf_append(state->buffer, " (%d bits)", + state->tls_context->srvr_sig_bits); + if (state->tls_context->srvr_sig_dgst + && *state->tls_context->srvr_sig_dgst) + vstring_sprintf_append(state->buffer, " server-digest %s", + state->tls_context->srvr_sig_dgst); + 
} + if (state->tls_context->clnt_sig_name + && *state->tls_context->clnt_sig_name) { + out_record(out_stream, REC_TYPE_NORM, STR(state->buffer), + LEN(state->buffer)); + vstring_sprintf(state->buffer, "\t client-signature %s", + state->tls_context->clnt_sig_name); + if (state->tls_context->clnt_sig_curve + && *state->tls_context->clnt_sig_curve) + vstring_sprintf_append(state->buffer, " (%s)", + state->tls_context->clnt_sig_curve); + else if (state->tls_context->clnt_sig_bits > 0) + vstring_sprintf_append(state->buffer, " (%d bits)", + state->tls_context->clnt_sig_bits); + if (state->tls_context->clnt_sig_dgst + && *state->tls_context->clnt_sig_dgst) + vstring_sprintf_append(state->buffer, " client-digest %s", + state->tls_context->clnt_sig_dgst); + } + out_fprintf(out_stream, REC_TYPE_NORM, "%s)", STR(state->buffer)); if (TLS_CERT_IS_PRESENT(state->tls_context)) { peer_CN = VSTRING_STRDUP(state->tls_context->peer_CN); comment_sanitize(peer_CN); diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls.h ./src/tls/tls.h --- /var/tmp/postfix-3.3.1/src/tls/tls.h 2017-01-01 17:22:13.000000000 -0500 +++ ./src/tls/tls.h 2018-11-17 17:55:55.000000000 -0500 
@@ -109,6 +109,27 @@ #define TLS_server_method SSLv23_server_method #endif + /* Backwards compatibility with OpenSSL < 1.1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x1010100fUL +#define SSL_CTX_set_num_tickets(ctx, num) ((void)0) +#endif + + /*- + * Backwards compatibility with OpenSSL < 1.1.1a. + * + * In OpenSSL 1.1.1a the client-only interface SSL_get_server_tmp_key() was + * updated to work on both the client and the server, and was renamed to + * SSL_get_peer_tmp_key(), with the original name left behind as an alias. We + * use the new name when available. + */ +#if OPENSSL_VERSION_NUMBER < 0x1010101fUL +#undef SSL_get_signature_nid +#define SSL_get_signature_nid(ssl, pnid) (NID_undef) +#define tls_get_peer_dh_pubkey SSL_get_server_tmp_key +#else +#define tls_get_peer_dh_pubkey SSL_get_peer_tmp_key +#endif + /* SSL_CIPHER_get_name() got constified in 0.9.7g */ #if OPENSSL_VERSION_NUMBER >= 0x0090707fL /* constification */ #define SSL_CIPHER_const const @@ -136,6 +157,17 @@ #include /* + * TLS role, presently for logging. + */ +typedef enum { + TLS_ROLE_CLIENT, TLS_ROLE_SERVER, +} TLS_ROLE; + +typedef enum { + TLS_USAGE_NEW, TLS_USAGE_USED, +} TLS_USAGE; + + /* * Names of valid tlsmgr(8) session caches. */ #define TLS_MGR_SCACHE_SMTPD "smtpd" 
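Review bot: The `#undef SSL_get_signature_nid` / `#define SSL_get_signature_nid(ssl, pnid) (NID_undef)` stub in the `OPENSSL_VERSION_NUMBER < 0x1010101fUL` block is not covered by the comment above it, which only explains the SSL_get_server_tmp_key() rename. The stub works because NID_undef is 0, so a caller that tests the return as a success flag sees "no signature available" and never reads `*pnid`; that coupling is easy to break and deserves a line, e.g. `/* SSL_get_signature_nid() is also new in 1.1.1a; the stub yields 0 (NID_undef) so callers treat the signature as unavailable */`. The `#undef` is a no-op when no macro of that name exists, which is presumably the case on older headers, but stating that would spare the next reader the question.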
@@ -234,6 +266,17 @@ const char *cipher_name; int cipher_usebits; int cipher_algbits; + const char *kex_name; /* shared key-exchange algorithm */ + const char *kex_curve; /* shared key-exchange ECDHE curve */ + int kex_bits; /* shared FFDHE key exchange bits */ + const char *clnt_sig_name; /* client's signature key algorithm */ + const char *clnt_sig_curve; /* client's ECDSA curve name */ + int clnt_sig_bits; /* client's RSA signature key bits */ + const char *clnt_sig_dgst; /* client's signature digest */ + const char *srvr_sig_name; /* server's signature key algorithm */ + const char *srvr_sig_curve; /* server's ECDSA curve name */ + int srvr_sig_bits; /* server's RSA signature key bits */ + const char *srvr_sig_dgst; /* server's signature digest */ /* Private. */ SSL *con; char *cache_type; /* tlsmgr(8) cache type if enabled */ @@ -372,10 +415,15 @@ #define SSL_OP_NO_TLSv1_2 0L /* Noop */ #endif -#ifdef SSL_TXT_TLSV1_3 + /* + * OpenSSL 1.1.1 does not define a TXT macro for TLS 1.3, so we roll our + * own. + */ +#define TLS_PROTOCOL_TXT_TLSV1_3 "TLSv1.3" + +#if defined(TLS1_3_VERSION) && defined(SSL_OP_NO_TLSv1_3) #define TLS_PROTOCOL_TLSv1_3 (1<<5) /* TLSv1_3 */ #else -#define SSL_TXT_TLSV1_3 "TLSv1.3" #define TLS_PROTOCOL_TLSv1_3 0 /* Unknown */ #undef SSL_OP_NO_TLSv1_3 #define SSL_OP_NO_TLSv1_3 0L /* Noop */ @@ -383,7 +431,7 @@ #define TLS_KNOWN_PROTOCOLS \ ( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \ - | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 ) + | TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3 ) #define TLS_SSL_OP_PROTOMASK(m) \ ((((m) & TLS_PROTOCOL_SSLv2) ? SSL_OP_NO_SSLv2 : 0L) \ | (((m) & TLS_PROTOCOL_SSLv3) ? SSL_OP_NO_SSLv3 : 0L) \ 
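Review bot: The eleven new TLS_SESS_STATE members in the `@@ -234,6 +266,17 @@` hunk sit in the public part of the struct but say nothing about who owns the `const char *` values or what a zero `*_bits` means. From the header alone a reader cannot tell whether the strings are static OpenSSL names that need no release or heap copies the context must free, and the Received: header code elsewhere in this patch relies on `kex_bits > 0` meaning "applicable". Suggest a block comment above `kex_name`: `/* TLS 1.3 handshake parameters; null/0 when unknown or not applicable. Strings are not owned by this struct unless noted. */`, with the ownership clause adjusted to match every writer of these fields. The struct definition starts and ends outside the hunk.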
@@ -424,7 +472,12 @@ extern const char *tls_set_ciphers(TLS_APPL_STATE *, const char *, const char *, const char *); -#endif + /* + * Populate TLS context with TLS 1.3-related signature parameters. + */ +extern void tls_get_signature_params(TLS_SESS_STATE *); + +#endif /* TLS_INTERNAL */ /* * tls_client.c @@ -552,6 +605,7 @@ extern const char *tls_compile_version(void); extern const char *tls_run_version(void); extern const char **tls_pkey_algorithms(void); +extern void tls_log_summary(TLS_ROLE, TLS_USAGE, TLS_SESS_STATE *); #ifdef TLS_INTERNAL diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_client.c ./src/tls/tls_client.c --- /var/tmp/postfix-3.3.1/src/tls/tls_client.c 2017-01-01 17:22:13.000000000 -0500 +++ ./src/tls/tls_client.c 2018-11-17 17:33:15.000000000 -0500 @@ -1140,16 +1140,12 @@ TLScontext->peer_status |= TLS_CERT_FLAG_SECURED; /* - * All the key facts in a single log entry. + * With the handshake done, extract TLS 1.3 signature metadata. */ + tls_get_signature_params(TLScontext); + if (log_mask & TLS_LOG_SUMMARY) - msg_info("%s TLS connection established to %s: %s with cipher %s " - "(%d/%d bits)", - !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous" : - TLS_CERT_IS_SECURED(TLScontext) ? "Verified" : - TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted", - props->namaddr, TLScontext->protocol, TLScontext->cipher_name, - TLScontext->cipher_usebits, TLScontext->cipher_algbits); + tls_log_summary(TLS_ROLE_CLIENT, TLS_USAGE_NEW, TLScontext); tls_int_seed(); diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_dane.c ./src/tls/tls_dane.c --- /var/tmp/postfix-3.3.1/src/tls/tls_dane.c 2017-12-27 16:53:13.000000000 -0500 +++ ./src/tls/tls_dane.c 2018-11-04 18:47:50.000000000 -0500 @@ -873,7 +873,6 @@ return (FILTER_RR_DROP); } } - /*- * Drop unsupported usages. * Note: NO SUPPORT for usages 0/1 which do not apply to SMTP. 
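Review bot: In the tls_client.c hunk, `tls_get_signature_params(TLScontext);` now runs on every completed handshake while the summary it feeds is still gated by `log_mask & TLS_LOG_SUMMARY`, and the comment `With the handshake done, extract TLS 1.3 signature metadata.` does not say why the extraction is unconditional. If the fields are consumed beyond this log line (the Received: header formatting in this patch reads the same members on the server side), a clause saying so would stop a later reader from folding the call under the log-mask test; if they are not, the call could share the guard. The replaced message also carried `props->namaddr`, which the new `tls_log_summary()` call does not receive, so the peer name is presumably taken from TLScontext — worth a word in the same comment. The enclosing function continues outside the hunk.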
@@ -1346,26 +1345,20 @@ return (matched); } -/* push_ext - push extension onto certificate's stack, else free it */ - -static int push_ext(X509 *cert, X509_EXTENSION *ext) -{ - if (ext) { - if (X509_add_ext(cert, ext, -1)) - return 1; - X509_EXTENSION_free(ext); - } - return 0; -} - /* add_ext - add simple extension (no config section references) */ static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val) { + int ret = 0; X509V3_CTX v3ctx; + X509_EXTENSION *ext; X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0); - return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)); + if ((ext = X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)) != 0) { + ret = X509_add_ext(subject, ext, -1); + X509_EXTENSION_free(ext); + } + return ret; } /* set_serial - set serial number to match akid or use subject's plus 1 */ @@ -1460,8 +1453,8 @@ X509_NAME *name = akid_issuer_name(akid); /* - * If subject's akid specifies an authority key identifier issuer name, we - * must use that. + * If subject's akid specifies an authority key identifier issuer name, + * we must use that. */ if (name) return (X509_set_issuer_name(cert, name)); 
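Review bot: The rewritten `add_ext()` frees `ext` unconditionally after `X509_add_ext()`, which is correct only because X509_add_ext() stores a copy rather than taking ownership; the removed `push_ext()` freed only on failure, and that asymmetry is the leak being fixed. A one-line comment, `/* X509_add_ext() copies ext; release ours on both paths */`, would keep the next maintainer from "optimising" the free away. On the failure path nothing records why `X509V3_EXT_conf_nid()` or `X509_add_ext()` returned 0, so the OpenSSL error queue is left for the caller to report or clear — presumably add_ext()'s caller does, but that is not visible here.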
@@ -1809,30 +1802,30 @@ static int verify_chain(SSL *ssl, x509_stack_t *chain, TLS_SESS_STATE *tctx) { - int ret; - X509 *cert; + int ret; + X509 *cert; X509_STORE_CTX *store_ctx; SSL_CTX *ssl_ctx = SSL_get_SSL_CTX(ssl); X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx); - int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + int store_ctx_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); cert = sk_X509_value(chain, 0); if ((store_ctx = X509_STORE_CTX_new()) == NULL) { - SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); - return 0; + SSLerr(SSL_F_SSL_VERIFY_CERT_CHAIN, ERR_R_MALLOC_FAILURE); + return 0; } if (!X509_STORE_CTX_init(store_ctx, store, cert, chain)) { - X509_STORE_CTX_free(store_ctx); - return 0; + X509_STORE_CTX_free(store_ctx); + return 0; } X509_STORE_CTX_set_ex_data(store_ctx, store_ctx_idx, ssl); X509_STORE_CTX_set_default(store_ctx, "ssl_server"); X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(store_ctx), - SSL_get0_param(ssl)); + SSL_get0_param(ssl)); if (SSL_get_verify_callback(ssl)) - X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); + X509_STORE_CTX_set_verify_cb(store_ctx, SSL_get_verify_callback(ssl)); ret = dane_cb(store_ctx, tctx); diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_misc.c ./src/tls/tls_misc.c --- /var/tmp/postfix-3.3.1/src/tls/tls_misc.c 2016-12-17 18:22:04.000000000 -0500 +++ ./src/tls/tls_misc.c 2018-11-17 17:33:15.000000000 -0500 @@ -4,6 +4,25 @@ /* SUMMARY /* miscellaneous TLS support routines /* SYNOPSIS +/* .SH Public functions +/* .nf +/* .na +/* #include +/* +/* void tls_log_summary(role, usage, TLScontext) +/* TLS_ROLE role; +/* TLS_USAGE usage; +/* TLS_SESS_STATE *TLScontext; +/* +/* const char *tls_compile_version(void) +/* +/* const char *tls_run_version(void) +/* +/* const char **tls_pkey_algorithms(void) +/* +/* .SH Internal functions +/* .nf +/* .na /* #define TLS_INTERNAL /* #include /* 
@@ -62,6 +81,9 @@ /* int grade; /* const char *exclusions; /* +/* void tls_get_signature_params(TLScontext) +/* TLS_SESS_STATE *TLScontext; +/* /* void tls_print_errors() /* /* void tls_info_callback(ssl, where, ret) @@ -87,15 +109,24 @@ /* /* int tls_validate_digest(dgst) /* const char *dgst; +/* DESCRIPTION +/* This module implements public and internal routines that +/* support the TLS client and server. /* -/* const char *tls_compile_version(void) +/* tls_log_summary() logs a summary of a completed TLS connection. +/* The "role" argument must be TLS_ROLE_CLIENT for outgoing client +/* connections, or TLS_ROLE_SERVER for incoming server connections, +/* and the "usage" must be TLS_USAGE_NEW or TLS_USAGE_USED. /* -/* const char *tls_run_version(void) +/* tls_compile_version() returns a text string description of +/* the compile-time TLS library. /* -/* const char **tls_pkey_algorithms(void) -/* DESCRIPTION -/* This module implements routines that support the TLS client -/* and server internals. +/* tls_run_version() is just tls_compile_version() but with the runtime +/* version instead of the compile-time version. +/* +/* tls_pkey_algorithms() returns a pointer to null-terminated +/* array of string constants with the names of the supported +/* public-key algorithms. /* /* tls_alloc_app_context() creates an application context that /* holds the SSL context for the application and related cached state. 
@@ -143,6 +174,12 @@ /* When the input is invalid, tls_set_ciphers() logs a warning with /* the specified context, and returns a null pointer result. /* +/* tls_get_signature_params() updates the "TLScontext" with handshake +/* signature parameters pertaining to TLS 1.3, where the ciphersuite +/* no longer describes the asymmetric algorithms employed in the +/* handshake, which are negotiated separately. This function +/* has no effect for TLS 1.2 and earlier. +/* /* tls_print_errors() queries the OpenSSL error stack, /* logs the error messages, and clears the error stack. /* @@ -163,16 +200,6 @@ /* /* tls_validate_digest() returns non-zero if the named digest /* is usable and zero otherwise. -/* -/* tls_compile_version() returns a text string description of -/* the compile-time TLS library. -/* -/* tls_run_version() is just tls_compile_version() but with the runtime -/* version instead of the compile-time version. -/* -/* tls_pkey_algorithms() returns a pointer to null-terminated -/* array of string constants with the names of the supported -/* public-key algorithms. /* LICENSE /* .ad /* .fi @@ -279,7 +306,7 @@ SSL_TXT_TLSV1, TLS_PROTOCOL_TLSv1, SSL_TXT_TLSV1_1, TLS_PROTOCOL_TLSv1_1, SSL_TXT_TLSV1_2, TLS_PROTOCOL_TLSv1_2, - SSL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, + TLS_PROTOCOL_TXT_TLSV1_3, TLS_PROTOCOL_TLSv1_3, 0, TLS_PROTOCOL_INVALID, }; 
@@ -355,6 +382,29 @@ #define SSL_OP_CRYPTOPRO_TLSEXT_BUG 0 #endif NAMEBUG(CRYPTOPRO_TLSEXT_BUG), + +#ifndef SSL_OP_TLSEXT_PADDING +#define SSL_OP_TLSEXT_PADDING 0 +#endif + NAMEBUG(TLSEXT_PADDING), + +#if 0 + + /* + * XXX: New with OpenSSL 1.1.1, this is turned on implicitly in + * SSL_CTX_new() and is not included in SSL_OP_ALL. Allowing users to + * disable this would thus be a code change that would require clearing + * bug work-around bits in SSL_CTX, after setting SSL_OP_ALL. Since this + * is presumably required for TLS 1.3 on today's Internet, the code + * change will be done separately later. For now this implicit bug + * work-around cannot be disabled via supported Postfix mechanisms. + */ +#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT +#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 +#endif + NAMEBUG(ENABLE_MIDDLEBOX_COMPAT), +#endif + 0, 0, }; @@ -380,6 +430,27 @@ #define SSL_OP_NO_COMPRESSION 0 #endif NAME_SSL_OP(NO_COMPRESSION), + +#ifndef SSL_OP_NO_RENEGOTIATION +#define SSL_OP_NO_RENEGOTIATION 0 +#endif + NAME_SSL_OP(NO_RENEGOTIATION), + +#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION +#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0 +#endif + NAME_SSL_OP(NO_SESSION_RESUMPTION_ON_RENEGOTIATION), + +#ifndef SSL_OP_PRIORITIZE_CHACHA +#define SSL_OP_PRIORITIZE_CHACHA 0 +#endif + NAME_SSL_OP(PRIORITIZE_CHACHA), + +#ifndef SSL_OP_ENABLE_MIDDLEBOX_COMPAT +#define SSL_OP_ENABLE_MIDDLEBOX_COMPAT 0 +#endif + NAME_SSL_OP(ENABLE_MIDDLEBOX_COMPAT), + 0, 0, }; 
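Review bot: In the second hunk (`@@ -380,6 +430,27 @@`) each new option — NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGOTIATION, PRIORITIZE_CHACHA and ENABLE_MIDDLEBOX_COMPAT — is `#define`d to 0 when the OpenSSL headers lack it, so the name stays accepted in tls_ssl_options but contributes no bit. An operator who sets `NO_RENEGOTIATION` to reduce the CPU-exhaustion exposure the documentation in this patch describes gets a silent no-op on a library that predates the flag. This follows the existing NO_COMPRESSION pattern, so the minimum is a comment above the new entries, `/* Unknown to this OpenSSL: name accepted, value 0, no effect */`; a warning when the resolved bit is 0 would belong in the name-to-mask lookup, which is outside this hunk. The `#if 0` block in the first hunk already explains why ENABLE_MIDDLEBOX_COMPAT cannot be disabled as a bug work-around; a pointer to it from the NAME_SSL_OP entry would tie the two together.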
@@ -782,6 +853,224 @@
 return (app_ctx->cipher_list = mystrdup(new_list));
 }
+/* tls_get_signature_params - TLS 1.3 signature details */
+
+void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
+{
+#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL && defined(TLS1_3_VERSION)
+ const char *kex_name = 0;
+ const char *kex_curve = 0;
+ const char *locl_sig_name = 0;
+ const char *locl_sig_curve = 0;
+ const char *locl_sig_dgst = 0;
+ const char *peer_sig_name = 0;
+ const char *peer_sig_curve = 0;
+ const char *peer_sig_dgst = 0;
+ int nid;
+ int got_kex_key;
+ SSL *ssl = TLScontext->con;
+ int srvr = SSL_is_server(ssl);
+ X509 *cert;
+ EVP_PKEY *pkey = 0;
+
+#ifndef OPENSSL_NO_EC
+ EC_KEY *eckey;
+
+#endif
+
+#define SIG_PROP(c, s, p) (*((s) ? &c->srvr_sig_##p : &c->clnt_sig_##p))
+
+ if (SSL_version(ssl) < TLS1_3_VERSION)
+ return;
+
+ if (tls_get_peer_dh_pubkey(ssl, &pkey)) {
+ switch (nid = EVP_PKEY_id(pkey)) {
+ default:
+ kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
+ break;
+
+ case EVP_PKEY_DH:
+ kex_name = "DHE";
+ TLScontext->kex_bits = EVP_PKEY_bits(pkey);
+ break;
+
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ kex_name = "ECDHE";
+ eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
+ kex_curve = EC_curve_nid2nist(nid);
+ if (!kex_curve)
+ kex_curve = OBJ_nid2sn(nid);
+ break;
+#endif
+ }
+ EVP_PKEY_free(pkey);
+ }
+
+ /*
+ * On the client end, the certificate may be preset, but not used, so we
+ * check via SSL_get_signature_nid(). This means that local signature
+ * data on clients requires at least 1.1.1a.
+ */
+ if (srvr || SSL_get_signature_nid(ssl, &nid))
+ cert = SSL_get_certificate(ssl);
+ else
+ cert = 0;
+
+ /* Signature algorithms for the local end of the connection */
+ if (cert) {
+ pkey = X509_get0_pubkey(cert);
+
+ /*
+ * Override the built-in name for the "ECDSA" algorithms OID, with
+ * the more familiar name. For "RSA" keys report "RSA-PSS", which
+ * must be used with TLS 1.3.
+ */
+ if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) {
+ switch (nid) {
+ default:
+ locl_sig_name = OBJ_nid2sn(nid);
+ break;
+
+ case EVP_PKEY_RSA:
+ /* For RSA, TLS 1.3 mandates PSS signatures */
+ locl_sig_name = "RSA-PSS";
+ SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(pkey);
+ break;
+
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ locl_sig_name = "ECDSA";
+ eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
+ locl_sig_curve = EC_curve_nid2nist(nid);
+ if (!locl_sig_curve)
+ locl_sig_curve = OBJ_nid2sn(nid);
+ break;
+#endif
+ }
+ }
+
+ /*
+ * With Ed25519 and Ed448 there is no pre-signature digest, but the
+ * accessor does not fail, rather we get NID_undef.
+ */
+ if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
+ locl_sig_dgst = OBJ_nid2sn(nid);
+ }
+ /* Signature algorithms for the peer end of the connection */
+ if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
+ pkey = X509_get0_pubkey(cert);
+
+ /*
+ * Override the built-in name for the "ECDSA" algorithms OID, with
+ * the more familiar name. For "RSA" keys report "RSA-PSS", which
+ * must be used with TLS 1.3.
+ */
+ if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) {
+ switch (nid) {
+ default:
+ peer_sig_name = OBJ_nid2sn(nid);
+ break;
+
+ case EVP_PKEY_RSA:
+ /* For RSA, TLS 1.3 mandates PSS signatures */
+ peer_sig_name = "RSA-PSS";
+ SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(pkey);
+ break;
+
+#ifndef OPENSSL_NO_EC
+ case EVP_PKEY_EC:
+ peer_sig_name = "ECDSA";
+ eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
+ peer_sig_curve = EC_curve_nid2nist(nid);
+ if (!peer_sig_curve)
+ peer_sig_curve = OBJ_nid2sn(nid);
+ break;
+#endif
+ }
+ }
+
+ /*
+ * With Ed25519 and Ed448 there is no pre-signature digest, but the
+ * accessor does not fail, rather we get NID_undef.
+ */
+ if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
+ peer_sig_dgst = OBJ_nid2sn(nid);
+ }
+ if (kex_name) {
+ TLScontext->kex_name = mystrdup(kex_name);
+ if (kex_curve)
+ TLScontext->kex_curve = mystrdup(kex_curve);
+ }
+ if (locl_sig_name) {
+ SIG_PROP(TLScontext, srvr, name) = mystrdup(locl_sig_name);
+ if (locl_sig_curve)
+ SIG_PROP(TLScontext, srvr, curve) = mystrdup(locl_sig_curve);
+ if (locl_sig_dgst)
+ SIG_PROP(TLScontext, srvr, dgst) = mystrdup(locl_sig_dgst);
+ }
+ if (peer_sig_name) {
+ SIG_PROP(TLScontext, !srvr, name) = mystrdup(peer_sig_name);
+ if (peer_sig_curve)
+ SIG_PROP(TLScontext, !srvr, curve) = mystrdup(peer_sig_curve);
+ if (peer_sig_dgst)
+ SIG_PROP(TLScontext, !srvr, dgst) = mystrdup(peer_sig_dgst);
+ }
+#endif /* OPENSSL_VERSION_NUMBER ... */
+}
+
+/* tls_log_summary - TLS loglevel 1 one-liner, embellished with TLS 1.3 details */
+
+void tls_log_summary(TLS_ROLE role, TLS_USAGE usage, TLS_SESS_STATE *ctx)
+{
+ VSTRING *msg = vstring_alloc(100);
+ const char *direction = (role == TLS_ROLE_CLIENT) ? "to" : "from";
+
+ vstring_sprintf(msg, "%s TLS connection %s %s %s: %s"
+ " with cipher %s (%d/%d bits)",
+ !TLS_CERT_IS_PRESENT(ctx) ? "Anonymous" :
+ TLS_CERT_IS_SECURED(ctx) ? "Verified" :
+ TLS_CERT_IS_TRUSTED(ctx) ? "Trusted" : "Untrusted",
+ usage == TLS_USAGE_NEW ? "established" : "reused",
+ direction, ctx->namaddr, ctx->protocol, ctx->cipher_name,
+ ctx->cipher_usebits, ctx->cipher_algbits);
+
+ if (ctx->kex_name && *ctx->kex_name) {
+ vstring_sprintf_append(msg, " key-exchange %s", ctx->kex_name);
+ if (ctx->kex_curve && *ctx->kex_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->kex_curve);
+ else if (ctx->kex_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->kex_bits);
+ }
+ if (ctx->srvr_sig_name && *ctx->srvr_sig_name) {
+ vstring_sprintf_append(msg, " server-signature %s",
+ ctx->srvr_sig_name);
+ if (ctx->srvr_sig_curve && *ctx->srvr_sig_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->srvr_sig_curve);
+ else if (ctx->srvr_sig_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->srvr_sig_bits);
+ if (ctx->srvr_sig_dgst && *ctx->srvr_sig_dgst)
+ vstring_sprintf_append(msg, " server-digest %s",
+ ctx->srvr_sig_dgst);
+ }
+ if (ctx->clnt_sig_name && *ctx->clnt_sig_name) {
+ vstring_sprintf_append(msg, " client-signature %s",
+ ctx->clnt_sig_name);
+ if (ctx->clnt_sig_curve && *ctx->clnt_sig_curve)
+ vstring_sprintf_append(msg, " (%s)", ctx->clnt_sig_curve);
+ else if (ctx->clnt_sig_bits > 0)
+ vstring_sprintf_append(msg, " (%d bits)", ctx->clnt_sig_bits);
+ if (ctx->clnt_sig_dgst && *ctx->clnt_sig_dgst)
+ vstring_sprintf_append(msg, " client-digest %s",
+ ctx->clnt_sig_dgst);
+ }
+ msg_info("%s", vstring_str(msg));
+ vstring_free(msg);
+}
+
 /* tls_alloc_app_context - allocate TLS application context */
 TLS_APPL_STATE *tls_alloc_app_context(SSL_CTX *ssl_ctx, int log_mask)
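Review bot: `SSL_get_peer_certificate(ssl)` hands back a reference-counted X509 that the caller owns, but the peer block in tls_get_signature_params never releases it, so every TLS 1.3 session with a peer certificate leaks one certificate reference; add `X509_free(cert);` as the last statement inside the `if ((cert = SSL_get_peer_certificate(ssl)) != 0) {` block. The local-end `SSL_get_certificate()` result is a borrowed pointer and needs no matching free, so the asymmetry is correct there. Separately, `int got_kex_key;` is declared but never referenced anywhere in the function and will draw an unused-variable warning; drop it. A header comment on the SIG_PROP macro would also help, e.g. `/* SIG_PROP(ctx, is_server, field): select srvr_sig_<field> or clnt_sig_<field> */`, since it is the only thing that explains why the peer branch passes `!srvr`.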
@@ -849,6 +1138,14 @@
 TLScontext->peer_pkey_fprint = 0;
 TLScontext->protocol = 0;
 TLScontext->cipher_name = 0;
+ TLScontext->kex_name = 0;
+ TLScontext->kex_curve = 0;
+ TLScontext->clnt_sig_name = 0;
+ TLScontext->clnt_sig_curve = 0;
+ TLScontext->clnt_sig_dgst = 0;
+ TLScontext->srvr_sig_name = 0;
+ TLScontext->srvr_sig_curve = 0;
+ TLScontext->srvr_sig_dgst = 0;
 TLScontext->log_mask = log_mask;
 TLScontext->namaddr = lowercase(mystrdup(namaddr));
 TLScontext->mdalg = 0; /* Alias for props->mdalg */
@@ -976,9 +1273,16 @@
 tls_version_split(OPENSSL_VERSION_NUMBER, &hdr_info);
 tls_version_split(OpenSSL_version_num(), &lib_info);
+ /*
+ * Warn if run-time library is different from compile-time library,
+ * allowing later run-time "micro" versions starting with 1.1.0.
+ */
 if (lib_info.major != hdr_info.major
 || lib_info.minor != hdr_info.minor
- || lib_info.micro != hdr_info.micro)
+ || (lib_info.micro != hdr_info.micro
+ && (lib_info.micro < hdr_info.micro
+ || hdr_info.major == 0
+ || (hdr_info.major == 1 && hdr_info.minor == 0))))
 msg_warn("run-time library vs. compile-time header version mismatch: "
 "OpenSSL %d.%d.%d may not be compatible with OpenSSL %d.%d.%d",
 lib_info.major, lib_info.minor, lib_info.micro,
diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_proxy_clnt.c ./src/tls/tls_proxy_clnt.c
--- /var/tmp/postfix-3.3.1/src/tls/tls_proxy_clnt.c 2014-12-25 11:47:17.000000000 -0500
+++ ./src/tls/tls_proxy_clnt.c 2018-11-17 17:33:15.000000000 -0500
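Review bot: The new initializers in the first hunk zero the eight new string pointers but not the integer fields `kex_bits`, `clnt_sig_bits` and `srvr_sig_bits` that travel with them. tls_get_signature_params writes those only on its DH and RSA branches and returns early for pre-1.3 sessions, while tls_log_summary tests `ctx->kex_bits > 0` and the two `*_sig_bits > 0` before printing, so unless the context is allocated zero-filled (the allocation is not visible in this hunk) the summary line can print garbage bit counts. Add `TLScontext->kex_bits = 0;`, `TLScontext->clnt_sig_bits = 0;` and `TLScontext->srvr_sig_bits = 0;` next to the pointer initializers. The enclosing function starts and ends outside the hunk.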
@@ -239,6 +239,24 @@
 myfree((void *) tls_context->protocol);
 if (tls_context->cipher_name)
 myfree((void *) tls_context->cipher_name);
+ if (tls_context->kex_name)
+ myfree((void *) tls_context->kex_name);
+ if (tls_context->kex_curve)
+ myfree((void *) tls_context->kex_curve);
+ if (tls_context->clnt_sig_name)
+ myfree((void *) tls_context->clnt_sig_name);
+ if (tls_context->clnt_sig_curve)
+ myfree((void *) tls_context->clnt_sig_curve);
+ if (tls_context->clnt_sig_dgst)
+ myfree((void *) tls_context->clnt_sig_dgst);
+ if (tls_context->srvr_sig_name)
+ myfree((void *) tls_context->srvr_sig_name);
+ if (tls_context->srvr_sig_curve)
+ myfree((void *) tls_context->srvr_sig_curve);
+ if (tls_context->srvr_sig_dgst)
+ myfree((void *) tls_context->srvr_sig_dgst);
+ if (tls_context->namaddr)
+ myfree((void *) tls_context->namaddr);
 myfree((void *) tls_context);
 }
diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_proxy_print.c ./src/tls/tls_proxy_print.c
--- /var/tmp/postfix-3.3.1/src/tls/tls_proxy_print.c 2014-12-14 13:22:06.000000000 -0500
+++ ./src/tls/tls_proxy_print.c 2018-11-17 17:33:15.000000000 -0500
@@ -79,6 +79,30 @@
 tp->cipher_usebits),
 SEND_ATTR_INT(MAIL_ATTR_CIPHER_ALGBITS,
 tp->cipher_algbits),
+ SEND_ATTR_STR(MAIL_ATTR_KEX_NAME,
+ STRING_OR_EMPTY(tp->kex_name)),
+ SEND_ATTR_STR(MAIL_ATTR_KEX_CURVE,
+ STRING_OR_EMPTY(tp->kex_curve)),
+ SEND_ATTR_INT(MAIL_ATTR_KEX_BITS,
+ tp->kex_bits),
+ SEND_ATTR_STR(MAIL_ATTR_CLNT_SIG_NAME,
+ STRING_OR_EMPTY(tp->clnt_sig_name)),
+ SEND_ATTR_STR(MAIL_ATTR_CLNT_SIG_CURVE,
+ STRING_OR_EMPTY(tp->clnt_sig_curve)),
+ SEND_ATTR_INT(MAIL_ATTR_CLNT_SIG_BITS,
+ tp->clnt_sig_bits),
+ SEND_ATTR_STR(MAIL_ATTR_CLNT_SIG_DGST,
+ STRING_OR_EMPTY(tp->clnt_sig_dgst)),
+ SEND_ATTR_STR(MAIL_ATTR_SRVR_SIG_NAME,
+ STRING_OR_EMPTY(tp->srvr_sig_name)),
+ SEND_ATTR_STR(MAIL_ATTR_SRVR_SIG_CURVE,
+ STRING_OR_EMPTY(tp->srvr_sig_curve)),
+ SEND_ATTR_INT(MAIL_ATTR_SRVR_SIG_BITS,
+ tp->srvr_sig_bits),
+ SEND_ATTR_STR(MAIL_ATTR_SRVR_SIG_DGST,
+ STRING_OR_EMPTY(tp->srvr_sig_dgst)),
+ SEND_ATTR_STR(MAIL_ATTR_NAMADDR,
+ STRING_OR_EMPTY(tp->namaddr)),
 ATTR_TYPE_END);
 return (ret);
 }
diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_proxy_scan.c ./src/tls/tls_proxy_scan.c
--- /var/tmp/postfix-3.3.1/src/tls/tls_proxy_scan.c 2014-12-14 13:22:06.000000000 -0500
+++ ./src/tls/tls_proxy_scan.c 2018-11-17 17:33:15.000000000 -0500
@@ -63,6 +63,15 @@
 VSTRING *peer_pkey_fprint = vstring_alloc(60); /* 60 for SHA-1 */
 VSTRING *protocol = vstring_alloc(25);
 VSTRING *cipher_name = vstring_alloc(25);
+ VSTRING *kex_name = vstring_alloc(25);
+ VSTRING *kex_curve = vstring_alloc(25);
+ VSTRING *clnt_sig_name = vstring_alloc(25);
+ VSTRING *clnt_sig_curve = vstring_alloc(25);
+ VSTRING *clnt_sig_dgst = vstring_alloc(25);
+ VSTRING *srvr_sig_name = vstring_alloc(25);
+ VSTRING *srvr_sig_curve = vstring_alloc(25);
+ VSTRING *srvr_sig_dgst = vstring_alloc(25);
+ VSTRING *namaddr = vstring_alloc(100);
 /*
 * Note: memset() is not a portable way to initialize non-integer types.
@@ -81,6 +90,18 @@
 &tls_context->cipher_usebits),
 RECV_ATTR_INT(MAIL_ATTR_CIPHER_ALGBITS,
 &tls_context->cipher_algbits),
+ RECV_ATTR_STR(MAIL_ATTR_KEX_NAME, kex_name),
+ RECV_ATTR_STR(MAIL_ATTR_KEX_CURVE, kex_curve),
+ RECV_ATTR_INT(MAIL_ATTR_KEX_BITS, &tls_context->kex_bits),
+ RECV_ATTR_STR(MAIL_ATTR_CLNT_SIG_NAME, clnt_sig_name),
+ RECV_ATTR_STR(MAIL_ATTR_CLNT_SIG_CURVE, clnt_sig_curve),
+ RECV_ATTR_INT(MAIL_ATTR_CLNT_SIG_BITS, &tls_context->clnt_sig_bits),
+ RECV_ATTR_STR(MAIL_ATTR_CLNT_SIG_DGST, clnt_sig_dgst),
+ RECV_ATTR_STR(MAIL_ATTR_SRVR_SIG_NAME, srvr_sig_name),
+ RECV_ATTR_STR(MAIL_ATTR_SRVR_SIG_CURVE, srvr_sig_curve),
+ RECV_ATTR_INT(MAIL_ATTR_SRVR_SIG_BITS, &tls_context->srvr_sig_bits),
+ RECV_ATTR_STR(MAIL_ATTR_SRVR_SIG_DGST, srvr_sig_dgst),
+ RECV_ATTR_STR(MAIL_ATTR_NAMADDR, namaddr),
 ATTR_TYPE_END);
 tls_context->peer_CN = vstring_export(peer_CN);
 tls_context->issuer_CN = vstring_export(issuer_CN);
@@ -88,7 +109,16 @@
 tls_context->peer_pkey_fprint = vstring_export(peer_pkey_fprint);
 tls_context->protocol = vstring_export(protocol);
 tls_context->cipher_name = vstring_export(cipher_name);
- return (ret == 9 ? 1 : -1);
+ tls_context->kex_name = vstring_export(kex_name);
+ tls_context->kex_curve = vstring_export(kex_curve);
+ tls_context->clnt_sig_name = vstring_export(clnt_sig_name);
+ tls_context->clnt_sig_curve = vstring_export(clnt_sig_curve);
+ tls_context->clnt_sig_dgst = vstring_export(clnt_sig_dgst);
+ tls_context->srvr_sig_name = vstring_export(srvr_sig_name);
+ tls_context->srvr_sig_curve = vstring_export(srvr_sig_curve);
+ tls_context->srvr_sig_dgst = vstring_export(srvr_sig_dgst);
+ tls_context->namaddr = vstring_export(namaddr);
+ return (ret == 21 ? 1 : -1);
 }
 #endif
diff -ur --new-file /var/tmp/postfix-3.3.1/src/tls/tls_server.c ./src/tls/tls_server.c
--- /var/tmp/postfix-3.3.1/src/tls/tls_server.c 2017-01-01 17:22:13.000000000 -0500
+++ ./src/tls/tls_server.c 2018-11-17 17:33:15.000000000 -0500
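Review bot: `return (ret == 21 ? 1 : -1);` in the second hunk hard-codes the number of attributes in the RECV_ATTR list of the first hunk; it was 9 and is now 21, and the next field added to the list without touching this line silently turns every scan into a failure (or, if the count is updated by hand but wrong, into a success with unread fields). At minimum document the coupling at the return, e.g. `/* 21 == number of RECV_ATTR entries above; keep in sync */`, or count the entries in a named enum so the two lines cannot drift apart. The enclosing function starts outside the hunk.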
@@ -502,8 +502,23 @@
 ticketable = 0;
 }
 }
- if (ticketable)
+ if (ticketable) {
 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_cb);
+
+ /*
+ * OpenSSL 1.1.1 introduces support for TLS 1.3, which can issue more
+ * than one ticket per handshake. While this may be appropriate for
+ * communication between browsers and webservers, it is not terribly
+ * useful for MTAs, many of which other than Postfix don't do TLS
+ * session caching at all, and Postfix has no mechanism for storing
+ * multiple session tickets, if more than one sent, the second
+ * clobbers the first. OpenSSL 1.1.1 servers default to issuing two
+ * tickets for non-resumption handshakes, we reduce this to one. Our
+ * ticket decryption callback already (since 2.11) asks OpenSSL to
+ * avoid issuing new tickets when the presented ticket is re-usable.
+ */
+ SSL_CTX_set_num_tickets(server_ctx, 1);
+ }
 #endif
 if (!ticketable)
 off |= SSL_OP_NO_TICKET;
@@ -938,14 +953,12 @@
 tls_stream_start(TLScontext->stream, TLScontext);
 /*
- * All the key facts in a single log entry.
+ * With the handshake done, extract TLS 1.3 signature metadata.
 */
+ tls_get_signature_params(TLScontext);
+
 if (TLScontext->log_mask & TLS_LOG_SUMMARY)
- msg_info("%s TLS connection established from %s: %s with cipher %s "
- "(%d/%d bits)", !TLS_CERT_IS_PRESENT(TLScontext) ? "Anonymous"
- : TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
- TLScontext->namaddr, TLScontext->protocol, TLScontext->cipher_name,
- TLScontext->cipher_usebits, TLScontext->cipher_algbits);
+ tls_log_summary(TLS_ROLE_SERVER, TLS_USAGE_NEW, TLScontext);
 tls_int_seed();
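Review bot: `SSL_CTX_set_num_tickets(server_ctx, 1);` in the first hunk is an OpenSSL 1.1.1 API, but it sits inside the generic session-ticket block with no version guard visible in the hunk; unless tls.h supplies a compatibility macro for older libraries (that file's hunk is not in view), builds against pre-1.1.1 OpenSSL fail on an implicit declaration. Wrap the call the same way tls_get_signature_params guards its TLS 1.3 code, `#if OPENSSL_VERSION_NUMBER >= 0x1010100fUL` / `SSL_CTX_set_num_tickets(server_ctx, 1);` / `#endif`, or state in the comment which header shim makes it safe. The enclosing function starts and ends outside the hunk.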