TL;DR¶

I was surprised to find that there is no way in the pfSense UI to add external CA certificates that are trusted by openssl (system-wide).

Problem¶

I discovered this while trying to configure E-Mail notifications to use my internal SMTP relay, which uses a certificate signed by my organization's private CA. Upon clicking Test SMTP Settings, I received this error (Note that Validate SSL/TLS is checked):

Could not send the message to test@example.com -- Error: PLAIN authentication failure [SMTP: STARTTLS failed (code: 220, response: Go ahead)]

While my org. CA cert is loaded in the Certificate Manager, there is no indication that this CA cert is trusted by the system. It can only be referenced via other components in the UI (e.g. "Peer Certificate Authority" for LDAP Server).

Indeed, openssl does not trust this CA:

• This command gives Verify return code: 20 (unable to get local issuer certificate):
  

  openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com  </dev/null
  

• But manually specifying the CA with -CAfile example-root-authority.crt is fine:
  

  openssl s_client -connect smtp-relay.internal.example.com:587 -starttls smtp -crlf -verify_return_error -verify_hostname smtp-relay.internal.example.com -CAfile example-root-authority.crt </dev/null
  

• My CA does not show up anywhere in /etc/ssl/cert.pem (/usr/local/share/certs/ca-root-nss.crt)

Workaround¶

Everything works if I uncheck Validate SSL/TLS, but this is obviously not a good solution.

Solutions¶

(1) Update system trust store¶

Allow CAs added in Certificate Manager to be added to the OpenSSL system trust store:

• In the Edit CA view (system_camanager.php?act=edit), add a checkbox that says e.g., "Add to system trusted certificate store".
  • When this checkbox is checked, add this certificate to the OpenSSL trusted certificate store. (I'm not sure, either another file in /usr/local/share/certs/, or concatenated to the bundle.)
• In the Certificate Authorities view (system_camanager.php), in the In Use column, add another usage e.g., "System Trust".

This is the first scenario I've come across where pfSense didn't have explicit CA trust wired in to the UI/config for a particular TLS client. But I imagine there are probably others, particularly when considering packages. (E.g. What if I wanted to download a blocklist for pfblocker-ng from an internal HTTPS site?) Allowing this to be trusted globally might be much easier than finding and updating all of those TLS client invocations.

(2) Add explicit CA selection for SMTP¶

Just like with the LDAP Server configuration, pfSense could provide a drop-down to select a CA to use for trusting the SMTP server.

pfSense does set $params['socket_options']['ssl'] (https://github.com/pfsense/pfsense/blob/v2.4.5_1/src/etc/inc/notices.inc#L399-L405), but only to set 'verify_peer_name' => false, 'verify_peer' => false. This new option would have to instead set the cafile context option (https://www.php.net/manual/en/context.ssl.php).

---

Related issues:

• https://redmine.pfsense.org/issues/5604 (loosely related)