[BlueOnyx:25395] Re: another 5210R item
Michael Stauber
mstauber at blueonyx.it
Tue Apr 26 20:36:10 -05 2022
Hi Larry,
> PS: How does this name issue work with certs and SNI?
Like said: The hostname shown in the SMTP-banner is entirely irrelevant
and for SNI it also does not matter in the least.
Here is an example:
The server itself is named "5210r.smd.net" and the Vsite
"5210r1.smd.net" on it has a valid Let's Encrypt SSL certificate.
So now let us connect to SMTP on 5210r1.smd.net via TLS and see what
response we get:
----------------------------------------------------------------------
mstauber at beast:~$ openssl s_client -connect 5210r1.smd.net:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = 5210r1.smd.net
verify return:1
---
Certificate chain
0 s:CN = 5210r1.smd.net
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGITCCBQmgAwIBAgISAx1o23GPcl4K2vp1CIZYWqK6MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMjAzMTYwNzEwNTRaFw0yMjA2MTQwNzEwNTNaMBkxFzAVBgNVBAMT
DjUyMTByMS5zbWQubmV0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
v+Ly5GJJffqiniT55pnqq86aMvjEG+G3kQcbyB0pBYDIIwZqkTG6dJh7F5YdqE3G
+BExXUk3+PvA54HWhcCgqI+mfNua3bDHi0gcfnh9vcsyAwfgu/WJdu/xxZMJsxQp
Qrm7W158p1IhjZyj8H4waJGOJOWM/X+4UtmBeXWTMAuoAmfnqi6bgTbWeOSSyLCh
/eBIutc0sbTICrKSveltkdLRS6fEe2CvOXgnNNwtTMYHsv5xOtOpecI0ycjiz2Mz
Jg6Qc1WSMFX/hkg/tsC2m4JI89Q74PyzCy3x2gU3QZXU8/4bB0KBL+hn3BsKQ1Ht
Ezu9i8X1/0Cl/UkR+xr4X+HiwFvNZUOPj7E+9rVbzwTbBT6lMS8Gc8/eR2ZvoLbg
p5e5wjjQ3MFVVXVI4k2shcjSPDn84rjM+2ouxlNuAFXTCVbeOhNbisgDEplqcHP7
mALEzdo+wgEO6+3Lwidv1j+dgvR3U44+hJKbiytf1pFGzxcvHaVRKyXZenIXwUQz
tW/UePrJi3HigL72aH8VowBv889CM9Iu42APMjDLdaeJuF5V7ddyZt7kCmy1b/gI
eFRcdypAOfv7v0YFuJAfaL2fi4JiCy37MKxCov8bNsN9Fq/t+FWEXOZDqP48sAo/
UD3XU76Ie6hLnFlvYi1q2hzviDwVTg6AGCj98Kfbe7MCAwEAAaOCAkgwggJEMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYD
VR0TAQH/BAIwADAdBgNVHQ4EFgQUKfCLR1C4GzhV5ipyAY4FSDuSOf4wHwYDVR0j
BBgwFoAUFC6zF7dYVsuuUAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsG
AQUFBzABhhVodHRwOi8vcjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6
Ly9yMy5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIONTIxMHIxLnNtZC5uZXQwTAYD
VR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYa
aHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEDBgorBgEEAdZ5AgQCBIH0BIHx
AO8AdQBByMqx3yJGShDGoToJQodeTjGLGwPr60vHaPCQYpYG9gAAAX+Rx6YlAAAE
AwBGMEQCIGfVYZPNdAoCJbAMlf+lLMxWbaWrkFHtEvZNB/3Gv+xeAiBi29d15U/k
UuIP+SEBwPcot1DXelzUw5i1qJUdawXi3gB2AEalVet1+pEgMLWiiWn0830RLEF0
vv1JuIWr8vxw/m1HAAABf5HHpkcAAAQDAEcwRQIhANI1+d8r89cRKDDQ2sRcoaSG
ABLAvhzdP0GGLHh/BdrJAiB8YcWu1ksUI6jqtxM3SfJgWKZsXwaGuOjBNzLJPEh1
YjANBgkqhkiG9w0BAQsFAAOCAQEARSI+FY2QfiOHeCHqw9Xl/UXhCE1n+y7J+GcK
7xOZfJWw/+ClE0zdu/cAduQxl8RTMMXcEbltep8XzXY3Px5EQPtEaofB0d7f+7yV
HsTVBNy8gV8Orbu8Gcd625U+uYY5DZsxacSDAvSTEnDaBbHvf6iJc7tSpu3zYsLi
ZqoBOSIpLAzrkcFFsBBsvx3EqFXo677JwZsIrNZqbhbC0ETYkVf6AGsHj8sW6lbB
KVWdUIXP32AxNHSU1KAHuKFQg6X6pVTBVKYVGNqUJwXco4IfCCVnKbtAHOduAu/d
EoJ3lP5LoLxz6uDfALgvWT0eTa+VDgeV2G5+8d3mk/DrN3m9Nw==
-----END CERTIFICATE-----
subject=CN = 5210r1.smd.net
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5325 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID:
29B461BD324498BC269DEFDC2A024D1646D6596151061B5C018993B424AB064B
Session-ID-ctx:
Resumption PSK:
3C4ADBD1E9233058C7A471442A47BCC2554450F84641741355AE01FED790315ACFF723B93E20C5FFBBD588EBA5F55C3F
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - be d1 8f c3 ab 30 eb ab-90 65 19 6f 72 de e6 0b
.....0...e.or...
0010 - 1a bd 32 d5 c6 e3 b6 19-72 f4 2f ad fe 17 77 ab
..2.....r./...w.
0020 - 08 95 db 9a 1a 7e 80 6e-a0 46 64 22 c9 fa 58 05
.....~.n.Fd"..X.
0030 - c3 e6 f6 11 14 33 a3 7e-4d 2f 5c 56 b7 50 e1 f2
.....3.~M/\V.P..
0040 - de 2a 43 a1 35 c9 d7 fd-b4 09 d7 1d cc 7a 73 79
.*C.5........zsy
0050 - 94 57 3a d6 04 40 53 ab-d4 1c dc 05 11 a0 0d 9b
.W:.. at S.........
0060 - ae 95 9a 81 84 fe 67 c3-aa 69 66 d4 3d 61 8e f7
......g..if.=a..
0070 - 20 d7 7a 0e c1 1a 29 27-0a 73 11 4c 31 1b 3f 0e
.z...)'.s.L1.?.
0080 - 05 40 4d 4e 28 31 e6 1f-d6 64 25 6e 2f 40 72 49
. at MN(1...d%n/@rI
0090 - 83 35 02 bf 47 2a 35 db-6a 05 09 cc 1b 49 7c 67
.5..G*5.j....I|g
00a0 - f7 54 b6 11 ba 4c 32 d4-c3 e2 80 e3 74 74 06 8e
.T...L2.....tt..
00b0 - 60 d7 ce 29 ea bb 38 ec-e1 ea a3 02 27 f9 a6 bc
`..)..8.....'...
00c0 - 6e 59 78 e2 06 12 ad 88-45 d0 10 e5 c2 72 28 45
nYx.....E....r(E
00d0 - bd 76 ec 21 c4 8e 74 9e-0d af df ed 4f f3 80 7b
.v.!..t.....O..{
Start Time: 1651023005
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
HELO smd.net
250 5210r.smd.net
quit
221 2.0.0 Bye
closed
----------------------------------------------------------------------
As far as TLS goes: The certificate asked for and the one we got was for
the domain in question:
CN = 5210r1.smd.net
That the "HELO" eventually was answered with the real hostname of the
server instead causes no issue at all, as that is past the stage where
TLS checks are performed.
It would have failed if we had asked for "5210r3.smd.net". Which is a
Vsite that exists on the server, but it has no valid SSL cert. So
instead the cert for the server itself ("5210r.smd.net") would have been
used to secure the connection, but that would have caused the client to
throw the error that the offered cert was not valid for the domain that
we had asked for.
--
With best regards
Michael Stauber
More information about the Blueonyx
mailing list