[Bug 264324] mail/sendmail: Add support MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options and a bug
Date: Sun, 29 May 2022 07:50:10 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264324

            Bug ID: 264324
           Summary: mail/sendmail: Add support MTA-STS and
                    TLS_USE_CERTIFICATE_CHAIN_FILE, and fix some options and
                    a bug
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: dinoex@FreeBSD.org
          Reporter: nork@ninth-nine.com
             Flags: maintainer-feedback?(dinoex@FreeBSD.org)

Created attachment 234304
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=234304&action=edit
a patch for sendmail port

Hi.

I hope to add support for the MTA-STS and TLS_USE_CERTIFICATE_CHAIN_FILE features.
And while organizing some TLS-related features, I found a bug in MTA-STS.

[OPTIONS]
Add MTA-STS and TLS_CERT_CHAIN.

[OPTIONS DEPENDENCY]
MTA-STS -> SOCKETMAP and TLS.
TLS_CERT_CHAIN -> TLS
CYRUSLOOKUP -> SOCKETMAP (fix)

[BUG FIX]
ports/mail/py-postfix-mta-sts-resolver's default port number is 8461, not 5461.

[TLS FEATURE]
Define TLS_EC -> Define TLS_EC=2
* ECDH feature: changes from only the specified prime256v1 to the OpenSSL
  default EC curves, like X25519 and others.

Define _FFR_TLS_ALTNAMES.
* Add support for Subject Alternative Name, not only Common Name.
  https://cabforum.org/wp-content/uploads/BRv1.1.7.pdf
  Page#9, 9.2.1 Subject Alternative Name Extension.

Define _FFR_VRFY_TRUSTED_FIRST.
* Enable the X509_V_FLAG_TRUSTED_FIRST option for the
  X509_VERIFY_PARAM_set_flags() function[1], to deal with the DST Root CA X3
  expiration problem[2].
  [1] https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
  [2] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

[TLS_USE_CERTIFICATE_CHAIN_FILE]
NOT COMPATIBLE with how `confCACERT*` is specified, and the behavior of
`confSERVER_CERT` and `confCLIENT_CERT` changes, so I don't think it should be
enabled as a DEFAULT option.

This option enabled:
confCACERT_PATH -> Used only in server mode, to verify client certificates.
confCACERT      -> Used only in server mode, to verify a client certificate.
confSERVER_CERT -> Adds support for a certificate chain file, like Apache.
confCLIENT_CERT -> Adds support for a certificate chain file, like Apache.

This option disabled:
confCACERT_PATH -> Used only in server mode, to verify client certificates.
confCACERT      -> Used in server and client mode, to verify client
                   certificates and to add intermediate certificates. Oh My God!
confSERVER_CERT -> Uses only a server certificate.
confCLIENT_CERT -> Uses only a client certificate.

[P.S.]
If you are interested in MTA-STS, catch up on the two following reports too.
* https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262251
* https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=262254