Bug #11423
closedpfSense won't trust SMTP server TLS certificate signed by private CA
0%
Description
TL;DR¶
I was surprised to find that there is no way in the pfSense UI to add external CA certificates that are trusted by openssl (system-wide).
Problem¶
I discovered this while trying to configure E-Mail notifications to use my internal SMTP relay, which uses a certificate signed by my organization's private CA. Upon clicking Test SMTP Settings, I received this error (Note that Validate SSL/TLS is checked):
Could not send the message to test@example.com -- Error: PLAIN authentication failure [SMTP: STARTTLS failed (code: 220, response: Go ahead)]
While my org. CA cert is loaded in the Certificate Manager, there is no indication that this CA cert is trusted by the system. It can only be referenced via other components in the UI (e.g. "Peer Certificate Authority" for LDAP Server).
Indeed, openssl
does not trust this CA:
- This command gives
Verify return code: 20 (unable to get local issuer certificate)
:openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com </dev/null
- But manually specifying the CA with
-CAfile example-root-authority.crt
is fine:openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com -CAfile example-root-authority.crt </dev/null
- My CA does not show up anywhere in
/etc/ssl/cert.pem
(/usr/local/share/certs/ca-root-nss.crt
)
Workaround¶
Everything works if I uncheck Validate SSL/TLS, but this is obviously not a good solution.
Solutions¶
(1) Update system trust store¶
Allow CAs added in Certificate Manager to be added to the OpenSSL system trust store:- In the Edit CA view (
system_camanager.php?act=edit
), add a checkbox that says e.g., "Add to system trusted certificate store".- When this checkbox is checked, add this certificate to the OpenSSL trusted certificate store. (I'm not sure, either another file in
/usr/local/share/certs/
, or concatenated to the bundle.)
- When this checkbox is checked, add this certificate to the OpenSSL trusted certificate store. (I'm not sure, either another file in
- In the Certificate Authorities view (
system_camanager.php
), in the In Use column, add another usage e.g., "System Trust".
This is the first scenario I've come across where pfSense didn't have explicit CA trust wired in to the UI/config for a particular TLS client. But I imagine there are probably others, particularly when considering packages. (E.g. What if I wanted to download a blocklist for pfblocker-ng from an internal HTTPS site?) Allowing this to be trusted globally might be much easier than finding and updating all of those TLS client invocations.
(2) Add explicit CA selection for SMTP¶
Just like with the LDAP Server configuration, pfSense could provide a drop-down to select a CA to use for trusting the SMTP server.
pfSense does set $params['socket_options']['ssl']
(https://github.com/pfsense/pfsense/blob/v2.4.5_1/src/etc/inc/notices.inc#L399-L405), but only to set 'verify_peer_name' => false, 'verify_peer' => false
. This new option would have to instead set the cafile
context option (https://www.php.net/manual/en/context.ssl.php).
Related issues:
- https://redmine.pfsense.org/issues/5604 (loosely related)
Updated by Grimson Gretzleburg almost 4 years ago
https://redmine.pfsense.org/issues/4068 it's already done for 2.5.0 try the RC.
Updated by Jonathon Reinhart almost 4 years ago
Doh! Yep, I believe this issue can be closed as a duplicate of #4068.
Searching for issues regarding pfSense internally trusting CAs is really difficult, because there is so much information about pfSense and CAs in general. Thanks for pointing that out.
Updated by Renato Botelho almost 4 years ago
- Status changed from New to Duplicate