
inconsistent behaviour with DANE check website #1

Closed
Antict opened this issue Feb 1, 2022 · 3 comments

Comments

@Antict

Antict commented Feb 1, 2022

When I check mail.bayern.de with the command `gotls -4 -d -m dane -s smtp -r 8.8.8.8 mail.bayern.de 25`, I receive the following output stating that the name check failed.

#Host: mail.bayern.de Port: 25
SNI: mail.bayern.de
STARTTLS application: smtp
DNS TLSA RRset:
  qname: _25._tcp.mail.bayern.de.
  2 0 1 32a2bc1d515cdbc412b62b47a1cccf2bb1b8e3ef309f982458d3a7c61797422a
IP Addresses found:
  195.200.70.95
  195.200.70.104

## Checking mail.bayern.de 195.200.70.95 port 25
DANE TLSA 2 0 1 [32a2bc1d..]: FAIL matched TA certificate at depth 1 but name check failed
## STARTTLS Transcript:
recv: 220 mail96.bayern.de ESMTP Bavarian Mail Gateway; Tue, 1 Feb 2022 16:48:09 +0100
send: EHLO v22019048273988146
recv: 250-mail96.bayern.de Hello, pleased to meet you
recv: 250-ENHANCEDSTATUSCODES
recv: 250-PIPELINING
recv: 250-8BITMIME
recv: 250-SIZE 50000000
recv: 250-DSN
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-DELIVERBY
recv: 250 HELP
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
## Peer Certificate Chain:
   0 CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   1 CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
## Verified Certificate Chain 0:
   0 CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   1 CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
## TLS Connection Info:
   TLS version: TLS1.2
   CipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384
## End-Entity Certificate Info:
   X509 version: 1
   Serial#: eebc66ec77fe726e
   Subject: CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   Issuer:  CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   Signature Algorithm: SHA256-RSA
   PublicKey Algorithm: RSA 2048-Bits
   Inception:  2022-01-31 05:27:22 +0000 UTC
   Expiration: 2022-03-02 05:27:22 +0000 UTC
   KU:
   EKU:
   SKI:
   AKI:
   OSCP Servers: []
   CA Issuer URL: []
   CRL Distribution: []
   Policy OIDs: []
Result: FAILED: DANE TLS authentication failed

## Checking mail.bayern.de 195.200.70.104 port 25
DANE TLSA 2 0 1 [32a2bc1d..]: FAIL matched TA certificate at depth 1 but name check failed
## STARTTLS Transcript:
recv: 220 mail115.bayern.de ESMTP Bavarian Mail Gateway; Tue, 1 Feb 2022 16:48:10 +0100
send: EHLO v22019048273988146
recv: 250-mail115.bayern.de Hello, pleased to meet you
recv: 250-ENHANCEDSTATUSCODES
recv: 250-PIPELINING
recv: 250-8BITMIME
recv: 250-SIZE 50000000
recv: 250-DSN
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-DELIVERBY
recv: 250 HELP
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
## Peer Certificate Chain:
   0 CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   1 CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
## Verified Certificate Chain 0:
   0 CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   1 CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
     CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
## TLS Connection Info:
   TLS version: TLS1.2
   CipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384
## End-Entity Certificate Info:
   X509 version: 1
   Serial#: eebc66ec77fe7269
   Subject: CN=mail.bayern.de,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   Issuer:  CN=Bayerische DANE-CA,O=Freistaat Bayern,ST=Bayern,C=DE,1.2.840.113549.1.9.1=#0c1e4265686f657264656e6e65747a6469656e7374654062617965726e2e6465
   Signature Algorithm: SHA256-RSA
   PublicKey Algorithm: RSA 2048-Bits
   Inception:  2022-01-31 05:25:08 +0000 UTC
   Expiration: 2022-03-02 05:25:08 +0000 UTC
   KU:
   EKU:
   SKI:
   AKI:
   OSCP Servers: []
   CA Issuer URL: []
   CRL Distribution: []
   Policy OIDs: []
Result: FAILED: DANE TLS authentication failed

[2] Authentication failed for all (2) peers.

I can't see what exactly went wrong. To check I tried mail.bayern.de with https://dane.sys4.de/ and https://danetools.com/dane?host=mail.bayern.de&service=smtp&port=25&protocol=tcp. Both sites say that everything is ok.

Is this a bug in the gotls program or are the DANE check sites wrong?

@Antict
Author

Antict commented Feb 1, 2022

When testing the server with https://github.com/shuque/danetls, it also says DANE OK.

./danetls -d -m dane -s smtp mail.bayern.de 25

TLSA records found: 1
TLSA: 2 0 1 32a2bc1d515cdbc412b62b47a1cccf2bb1b8e3ef309f982458d3a7c61797422a

Connecting to IPv4 address: 195.200.70.104 port 25
recv: 220 mail105.bayern.de ESMTP Bavarian Mail Gateway; Tue, 1 Feb 2022 18:54:46 +0100
send: EHLO <my_hostname>
recv: 250-mail105.bayern.de Hello pd9e2b596.dip0.t-ipconnect.de [217.226.181.150], pleased to meet you
recv: 250-ENHANCEDSTATUSCODES
recv: 250-PIPELINING
recv: 250-8BITMIME
recv: 250-SIZE 50000000
recv: 250-DSN
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-DELIVERBY
recv: 250 HELP
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 DHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: mail.bayern.de
   Issuer  CN: Bayerische DANE-CA
 1 Subject CN: Bayerische DANE-CA
   Issuer  CN: Bayerische DANE-CA
DANE TLSA 2 0 1 [32a2bc1d515c...] matched TA certificate at depth 1
Verified peername: mail.bayern.de
Validated Certificate chain:
 0 Subject CN: mail.bayern.de
   Issuer  CN: Bayerische DANE-CA
 1 Subject CN: Bayerische DANE-CA
   Issuer  CN: Bayerische DANE-CA

Connecting to IPv4 address: 195.200.70.95 port 25
recv: 220 mail103.bayern.de ESMTP Bavarian Mail Gateway; Tue, 1 Feb 2022 18:54:48 +0100
send: EHLO <my_hostname>
recv: 250-mail103.bayern.de Hello pd9e2b596.dip0.t-ipconnect.de [217.226.181.150], pleased to meet you
recv: 250-ENHANCEDSTATUSCODES
recv: 250-PIPELINING
recv: 250-8BITMIME
recv: 250-SIZE 50000000
recv: 250-DSN
recv: 250-ETRN
recv: 250-STARTTLS
recv: 250-DELIVERBY
recv: 250 HELP
send: STARTTLS
recv: 220 2.0.0 Ready to start TLS
TLSv1.2 handshake succeeded.
Cipher: TLSv1.2 DHE-RSA-AES256-GCM-SHA384
Peer Certificate chain:
 0 Subject CN: mail.bayern.de
   Issuer  CN: Bayerische DANE-CA
 1 Subject CN: Bayerische DANE-CA
   Issuer  CN: Bayerische DANE-CA
DANE TLSA 2 0 1 [32a2bc1d515c...] matched TA certificate at depth 1
Verified peername: mail.bayern.de
Validated Certificate chain:
 0 Subject CN: mail.bayern.de
   Issuer  CN: Bayerische DANE-CA
 1 Subject CN: Bayerische DANE-CA
   Issuer  CN: Bayerische DANE-CA

[0] Authentication succeeded for all (2) peers.

@shuque
Owner

shuque commented Apr 11, 2022

Hello, the error message from gotls is:

"DANE TLSA 2 0 1 [32a2bc1d..]: FAIL matched TA certificate at depth 1 but name check failed"

The name check failed because your certificate does not include the correct name of your service (mail.bayern.de) in a Subject Alternative Name dnsName entry. It only has it in the CN (Common Name) which is deprecated. gotls is written in Go, and the Go library disabled CN checking a while back. See https://golang.google.cn/doc/go1.15#commonname

danetls apparently works, because it uses OpenSSL, which still allows common names.

I recommend re-issuing your certificate with a SAN dnsname entry. In time, most software will eliminate the use of CN.
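The two halves of the gotls verdict ("matched TA certificate at depth 1" and "name check failed") can be reproduced offline with Go's own x509 package. The following program is an added example for this thread, not code from gotls, danetls or the issue author: it generates a throwaway CA and two end-entity certificates (one with the host name only in the Subject CN, one with a SAN dNSName as well), computes the TLSA 2 0 1 record data of the CA (SHA-256 over the full DER certificate), locates that digest in the presented chain, and then asks `x509.Verify` to chain the leaf to that trust anchor and match the host name. The CA name `Example DANE-CA`, the host `mail.example.test`, and the function names `TLSA201`, `newCert` and `DaneTAVerify` are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA201 returns the RR data of a DANE-TA(2) / Cert(0) / SHA2-256(1) record:
// the SHA-256 digest of the complete DER-encoded certificate, hex encoded.
func TLSA201(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// newCert issues a certificate signed by parent (self-signed when parent is nil).
// The subject carries only a CN; sans, if given, become SAN dNSName entries.
// Keys are generated inline, so nothing here touches a real CA or server.
func newCert(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// DaneTAVerify mirrors the gotls message. It first finds the chain depth whose
// TLSA 2 0 1 digest equals tlsa, then verifies that chain[0] chains to that
// certificate as trust anchor and that its names cover host. The name step is
// Go's x509.VerifyHostname (run by Verify via DNSName), which since Go 1.15
// consults only the SAN extension and ignores the Subject CN.
func DaneTAVerify(chain []*x509.Certificate, tlsa, host string) (int, error) {
	depth := -1
	roots := x509.NewCertPool()
	for i, c := range chain {
		if TLSA201(c) == tlsa {
			depth = i
			roots.AddCert(c)
			break
		}
	}
	if depth < 0 {
		return depth, fmt.Errorf("no chain certificate matches TLSA 2 0 1 %s", tlsa)
	}
	inter := x509.NewCertPool()
	for i := 1; i < depth; i++ {
		inter.AddCert(chain[i])
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host}
	if _, err := chain[0].Verify(opts); err != nil {
		return depth, fmt.Errorf("matched TA certificate at depth %d but %w", depth, err)
	}
	return depth, nil
}

func main() {
	ca, caKey, err := newCert("Example DANE-CA", nil, true, nil, nil)
	if err != nil {
		panic(err)
	}
	host := "mail.example.test" // placeholder, not the server from the issue
	cnOnly, _, _ := newCert(host, nil, false, ca, caKey)
	withSAN, _, _ := newCert(host, []string{host}, false, ca, caKey)
	tlsa := TLSA201(ca) // what a _25._tcp.<host> TLSA 2 0 1 record would carry
	for _, ee := range []*x509.Certificate{cnOnly, withSAN} {
		depth, err := DaneTAVerify([]*x509.Certificate{ee, ca}, tlsa, host)
		fmt.Printf("SANs=%v depth=%d err=%v\n", ee.DNSNames, depth, err)
	}
}
```

Run as-is: the CN-only leaf matches the trust anchor at depth 1 yet fails with an `x509.HostnameError`, exactly the situation in the report, while the leaf with a SAN dNSName passes. Against a live server the same logic applies to the chain returned by `tls.ConnectionState().PeerCertificates`, with the TLSA data taken from a DNSSEC-validated lookup of `_25._tcp.<host>`.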

@Antict
Author

Antict commented Apr 12, 2022

Thanks for the explanation

@Antict Antict closed this as completed Apr 12, 2022