Bug #11423

closed

pfSense won't trust SMTP server TLS certificate signed by private CA

Added by Jonathon Reinhart 10 months ago. Updated 10 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: Certificates
Target version: -
Start date: 02/15/2021
Due date:
% Done: 0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

TL;DR

I was surprised to find that there is no way in the pfSense UI to add external CA certificates that are trusted by openssl (system-wide).

Problem

I discovered this while trying to configure E-Mail notifications to use my internal SMTP relay, which uses a certificate signed by my organization's private CA. Upon clicking Test SMTP Settings, I received this error (Note that Validate SSL/TLS is checked):

Could not send the message to -- Error: PLAIN authentication failure [SMTP: STARTTLS failed (code: 220, response: Go ahead)]

While my org. CA cert is loaded in the Certificate Manager, there is no indication that this CA cert is trusted by the system. It can only be referenced via other components in the UI (e.g. "Peer Certificate Authority" for LDAP Server).

Indeed, openssl does not trust this CA:

  • This command gives Verify return code: 20 (unable to get local issuer certificate):
    openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com  </dev/null
    
  • But manually specifying the CA with -CAfile example-root-authority.crt is fine:
    openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com -CAfile example-root-authority.crt </dev/null
    
  • My CA does not show up anywhere in /etc/ssl/cert.pem (/usr/local/share/certs/ca-root-nss.crt)

Workaround

Everything works if I uncheck Validate SSL/TLS, but this is obviously not a good solution.

Solutions

(1) Update system trust store

Allow CAs added in Certificate Manager to be added to the OpenSSL system trust store:
  • In the Edit CA view (system_camanager.php?act=edit), add a checkbox that says e.g., "Add to system trusted certificate store".
    • When this checkbox is checked, add this certificate to the OpenSSL trusted certificate store. (I'm not sure, either another file in /usr/local/share/certs/, or concatenated to the bundle.)
  • In the Certificate Authorities view (system_camanager.php), in the In Use column, add another usage e.g., "System Trust".

This is the first scenario I've come across where pfSense didn't have explicit CA trust wired into the UI/config for a particular TLS client. But I imagine there are probably others, particularly when considering packages. (E.g., what if I wanted to download a blocklist for pfblocker-ng from an internal HTTPS site?) Allowing this to be trusted globally might be much easier than finding and updating all of those TLS client invocations.

(2) Add explicit CA selection for SMTP

Just like with the LDAP Server configuration, pfSense could provide a drop-down to select a CA to use for trusting the SMTP server.

pfSense does set $params['socket_options']['ssl'] (https://github.com/pfsense/pfsense/blob/v2.4.5_1/src/etc/inc/notices.inc#L399-L405), but only to set 'verify_peer_name' => false, 'verify_peer' => false. This new option would have to instead set the cafile context option (https://www.php.net/manual/en/context.ssl.php).
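The trust behaviour reported above can be reproduced offline. The following is an added example, not part of the original report or of pfSense's code: it builds a throwaway private CA, signs a server certificate with it, and checks the certificate against a bundle that lacks the CA, against the CA alone (the -CAfile case), and against the bundle with the CA concatenated, as in option (1). It uses openssl verify instead of s_client so no SMTP server is needed. All subject names and file names are constructed, and stock.crt is only a stand-in for the shipped bundle.

```shell
#!/bin/sh
# Constructed lab: every subject name and file here is made up for the example.
LAB=$(mktemp -d) && trap 'rm -rf "$LAB"' EXIT

# new_ca NAME CN: self-signed CA -> $LAB/NAME.key, $LAB/NAME.crt
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$LAB/$1.key" -out "$LAB/$1.crt" 2>/dev/null
}

# issue_leaf CA_NAME CN: server certificate signed by CA_NAME -> $LAB/smtp.crt
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$LAB/smtp.key" -out "$LAB/smtp.csr" 2>/dev/null &&
    openssl x509 -req -in "$LAB/smtp.csr" -days 2 -CAcreateserial \
        -CA "$LAB/$1.crt" -CAkey "$LAB/$1.key" -out "$LAB/smtp.crt" 2>/dev/null
}

# verify_code BUNDLE: print 0 if smtp.crt chains to BUNDLE, else OpenSSL's error number
verify_code() {
    if out=$(openssl verify -CAfile "$1" "$LAB/smtp.crt" 2>&1); then
        echo 0
    else
        printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
    fi
}

new_ca private "Example Root Authority"      # stands in for the organization's CA
new_ca stock   "Unrelated Public CA"         # stands in for the shipped bundle
issue_leaf private "smtp-relay.internal.example.com"

cp "$LAB/stock.crt" "$LAB/bundle.pem"
echo "stock bundle:           verify code $(verify_code "$LAB/bundle.pem")"
echo "private CA as -CAfile:  verify code $(verify_code "$LAB/private.crt")"
cat "$LAB/private.crt" >> "$LAB/bundle.pem"  # option (1): concatenate to the bundle
echo "bundle + private CA:    verify code $(verify_code "$LAB/bundle.pem")"
```

The temporary directory, including the generated private keys, is removed when the script exits.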


Actions #1

Updated by Grimson Gretzleburg 10 months ago

See https://redmine.pfsense.org/issues/4068. It's already done for 2.5.0; try the RC.

Actions #2

Updated by Jonathon Reinhart 10 months ago

Doh! Yep, I believe this issue can be closed as a duplicate of #4068.

Searching for issues regarding pfSense internally trusting CAs is really difficult, because there is so much information about pfSense and CAs in general. Thanks for pointing that out.

Actions #3

Updated by Renato Botelho 10 months ago

  • Status changed from New to Duplicate