Update embedded default certificate #284

Open
jonhoo opened this issue Sep 3, 2019 · 5 comments
Comments

jonhoo commented Sep 3, 2019

The default certificate is rejected by modern OpenSSL clients with an error of "dh key too small". It should be updated to be at least 1024 bits long. Without updating, the Greenmail Docker image will become effectively useless as testing infrastructure gets updated.

jonhoo added a commit to jonhoo/rust-imap that referenced this issue Sep 3, 2019
We need greenmail-mail-test/greenmail#284 to
be resolved first, because native-tls uses an up-to-date openssl
version, which rejects Greenmail's cert
@marcelmay marcelmay self-assigned this Sep 6, 2019
@marcelmay marcelmay added this to the 1.5.11 milestone Sep 6, 2019
marcelmay (Member) commented:

@jonhoo, how can I reproduce the issue with rust-imap? Can you point me to how I could run your test against greenmail?

I tried to check the TLS connection:

> openssl version
LibreSSL 2.6.5
> openssl s_client -connect localhost:3465

CONNECTED(00000005)
depth=0 C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
verify return:1
---
Certificate chain
 0 s:/C=US/O=Icegreen Technologies/OU=GreenMail/CN=GreenMail selfsigned Test Certificate
   i:/C=US/O=Icegreen Technologies/OU=GreenMail/CN=GreenMail selfsigned Test Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/O=Icegreen Technologies/OU=GreenMail/CN=GreenMail selfsigned Test Certificate
issuer=/C=US/O=Icegreen Technologies/OU=GreenMail/CN=GreenMail selfsigned Test Certificate
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1385 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

OpenSSL 1.0.2s produces a similar result.
I'll try OpenSSL 1.1.1c next.

marcelmay (Member) commented:

> openssl version
OpenSSL 1.1.1c  28 May 2019
> openssl s_client -connect localhost:3465

CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
verify return:1
---
Certificate chain
 0 s:C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
   i:C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate
issuer=C = US, O = Icegreen Technologies, OU = GreenMail, CN = GreenMail selfsigned Test Certificate

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1389 bytes and written 419 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5D76BDEBFB187E2E005A4EBEE4A69DAC58FA815315DA6FD1309D769D627DDA4D
    Session-ID-ctx: 
    Master-Key: EC9C......
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1568062955
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
220 /127.0.0.1 GreenMail SMTP Service v1.5.10 ready

jonhoo (Author) commented Sep 10, 2019

Oh, that's interesting. Looking more closely, it seems like the certificate validation does not fail if I connect to 127.0.0.1, but does fail if I connect from a different Docker container to the Greenmail one using a hostname. Specifically, see this failing test. This is using https://docs.rs/native-tls/0.2.3/native_tls/ (which just binds to OpenSSL) to connect to port 3993 with this TLS config. Azure Pipelines spins up one container for that test (https://github.com/crate-ci/azure-pipelines/blob/1833e53fcc8eb373ce401ff03a2ae3dd870814bb/azure/coverage.yml#L27), and one container for Greenmail (https://github.com/jonhoo/rust-imap/blob/281d2eb8ab50dc656ceff2ae749ca5045f334e15/azure-pipelines.yml#L80-L81 + https://github.com/jonhoo/rust-imap/blob/281d2eb8ab50dc656ceff2ae749ca5045f334e15/azure-pipelines.yml#L91-L102). The one running Greenmail is given the hostname greenmail, and that's the hostname + domain used to connect to it with OpenSSL. This is the Docker image I'm using to connect from.

Hope that helps!
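The two observations in this thread (the key size that s_client reports, and a connection that validates when addressed as 127.0.0.1 but not when addressed by the hostname greenmail) can be reproduced offline with the Go standard library. The following is an added example, not code from the issue or from GreenMail: a loopback TLS listener presents a freshly generated 2048-bit self-signed certificate carrying the subject printed in the s_client output, and a client inspects it the way openssl s_client does, reading the key size and then running chain and name validation explicitly so the failure reason is visible. The certificate's SAN contents (only the IP address 127.0.0.1) are an assumption for the demo; the thread does not show which names GreenMail's certificate carries.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Finding is what a client can learn from a server's leaf certificate.
type Finding struct {
	KeyBits      int   // RSA modulus size in bits (0 for non-RSA keys)
	VerifyErr    error // nil when the leaf chains to the roots and matches the requested name
	NameMismatch bool  // VerifyErr is a name mismatch rather than an untrusted issuer
}

// newSelfSignedCert builds a self-signed RSA certificate with the subject shown in the
// issue. The SAN list (only IP addresses here) is a demo assumption, not GreenMail's.
func newSelfSignedCert(bits int, ips []net.IP) (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{Country: []string{"US"}, Organization: []string{"Icegreen Technologies"},
			OrganizationalUnit: []string{"GreenMail"}, CommonName: "GreenMail selfsigned Test Certificate"},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(24 * time.Hour),
		IPAddresses: ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER just produced by the same library cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// inspect does what openssl s_client does: finish the handshake without letting verification
// abort it (hence InsecureSkipVerify on this inspection path only), then validate chain and
// name explicitly so the reason for a failure is visible instead of a bare handshake error.
func inspect(addr, serverName string, roots *x509.CertPool) (Finding, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return Finding{}, err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	var f Finding
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok {
		f.KeyBits = pub.N.BitLen()
	}
	_, f.VerifyErr = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	f.NameMismatch = errors.As(f.VerifyErr, new(x509.HostnameError))
	return f, nil
}

// runDemo serves the constructed certificate on loopback (a stand-in for the GreenMail
// container) and inspects it under both names the thread mentions.
func runDemo() (map[string]Finding, error) {
	cert, err := newSelfSignedCert(2048, []net.IP{net.ParseIP("127.0.0.1")})
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	roots := x509.NewCertPool() // trust the self-signed leaf so that only the name check can fail
	roots.AddCert(cert.Leaf)
	out := map[string]Finding{}
	for _, name := range []string{"127.0.0.1", "greenmail"} {
		if out[name], err = inspect(ln.Addr().String(), name, roots); err != nil {
			return nil, err
		}
	}
	return out, nil
}

func main() {
	findings, err := runDemo()
	fmt.Printf("%+v err=%v\n", findings, err)
}
```

Once the self-signed leaf is trusted, the connection addressed as 127.0.0.1 verifies, while the one addressed as greenmail fails with a name-mismatch error from the same certificate; KeyBits is 2048 either way, matching the "Server public key is 2048 bit" line in the s_client output, and is the value to compare against whatever minimum the test environment requires. Against a real endpoint, point inspect at the container's host:port instead of the loopback listener and pass the roots that environment actually trusts.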

@marcelmay marcelmay modified the milestones: 1.5.11, 1.5.12 Oct 22, 2019
@marcelmay marcelmay modified the milestones: 1.5.12, 1.5.13 Apr 5, 2020
@marcelmay marcelmay modified the milestones: 1.5.13, 1.5.14 Apr 13, 2020
@marcelmay marcelmay modified the milestones: 1.5.14, 1.5.15 Jul 4, 2020
@marcelmay marcelmay modified the milestones: 1.5.15, 1.6.1 Aug 16, 2020
@marcelmay marcelmay modified the milestones: 1.6.1, 1.6.2 Nov 7, 2020
@marcelmay marcelmay modified the milestones: 1.6.2, 1.6.3 Jan 31, 2021
@marcelmay marcelmay modified the milestones: 1.6.3, 1.6.4 Mar 28, 2021
@marcelmay marcelmay removed this from the 1.6.4 milestone May 16, 2021
pwagland commented Feb 9, 2022

The certificate seems to have been updated between 1.6.1 and 1.6.5, does that certificate update resolve this issue?

marcelmay (Member) commented:

Yes, the certificate gets newly generated for each release.

You could use your own provided certificate by packing it as 'greenmail.p12' in the JAR (see https://github.com/greenmail-mail-test/greenmail/blob/master/greenmail-core/src/main/java/com/icegreen/greenmail/util/DummySSLSocketFactory.java for details).

I opened #421 to allow custom certificates. An alternative is to run GreenMail w/o TLS, and e.g. use a sidecar container exposing it (brings a bit more complexity).
