Mailing List Archive

Question regarding TLS SNI Certificates
Hello,

I am configuring exim with a number of domains to use SNI certificates.
I have domains which use Let's Encrypt and commercial SSL certificates.
The certificates and keys are as follows:

For the domain foo.com with user foouser :

    Let's Encrypt SSL certificate = /etc/letsencrypt/live/foo.com/fullchain.pem
    Let's Encrypt SSL key = /etc/letsencrypt/live/foo.com/privkey.pem
    Commercial SSL certificate = /var/panel/userdata/foouser/ssl/foo.com-combined.pem
    Commercial SSL key file = /var/panel/userdata/foouser/ssl/foo.com-key.pem

So now I have the following configuration in exim.conf. I think it
won't work because I am using "*" inside the condition. Can anyone help with
this? Is it OK to use a perl subroutine instead of the following?

--------- Exim.conf  start ------------

tls_certificate = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    { \
      ${if exists {/etc/letsencrypt/live/${tls_in_sni}/fullchain.pem} \
        {/etc/letsencrypt/live/${tls_in_sni}/fullchain.pem} \
      } \
      ${if exists {/var/panel/userdata/*/ssl/${tls_in_sni}-combined.pem} \
        {/var/panel/userdata/*/ssl/${tls_in_sni}-combined.pem} \
      }\
    } \
    {/etc/exim/exim.crt.pem} \
}
tls_privatekey = ${if and \
    { \
        {gt{$tls_in_sni}{}} \
        {!match{$tls_in_sni}{/}} \
    } \
    { \
      ${if exists {/etc/letsencrypt/live/${tls_in_sni}/privkey.pem} \
        {/etc/letsencrypt/live/${tls_in_sni}/privkey.pem} \
      }\
      ${if exists {/var/panel/userdata/*/ssl/${tls_in_sni}-key.pem} \
        {/var/panel/userdata/*/ssl/${tls_in_sni}-key.pem} \
      }\
    } \
    {/etc/exim/exim.key.pem} \
}

--------- Exim.conf end ---------------

Any help will be appreciated

--
Regards
Sherin A


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Question regarding TLS SNI Certificates [ In reply to ]
On 16/09/2021 13:54, Sherin A via Exim-users wrote:
>     Lets encrypt ssl certificate = /etc/letsencrypt/live/foo.com/fullchain.pem
>     Lets encrypt ssl key  = /etc/letsencrypt/live/foo.com/privkey.pem
>     Commercial ssl certificate = /var/panel/userdata/foouser/ssl/foo.com-combined.pem
>     Commercial ssl key file = /var/panel/userdata/foouser/ssl/foo.com-key.pem
>
> So now I have the following configuration in exim.conf. I think it won't work because I am using "*" inside the condition.

Correct.

> Can anyone help with this? Is it OK to use a perl subroutine instead of the following?

Yes, assuming you built exim with embedded perl. But you probably don't need to,
so much as concisely express what you need. The obfuscation above ("foo" etc.)
doesn't help us help you.

--
Cheers,
Jeremy

Re: Question regarding TLS SNI Certificates [ In reply to ]
On 16.09.21 at 18:39, Jeremy Harris via Exim-users wrote:
>
>> Can anyone help with this? Is it OK to use a perl subroutine
>> instead of the following?
>
> Yes, assuming you built exim with embedded perl.  But you probably
> don't need to,
> so much as concisely express what you need.  The obfuscation above
> ("foo" etc.)
> doesn't help us help you.
>


It's obvious what he wants to do, which can only work if he gets the
username before this condition is used, which is not possible.

The solution is to use a sql select, which yields the path of the cert,
just by selecting for the domainname.

It also simplifies the condition, as the "path to use, if it exists" part
is outsourced to whatever script inserts the data into this database table:

tls_certificate = ${lookup mysql{"SELECT certpath FROM certs WHERE
domain='${quote_mysql:${tls_in_sni}}' order by commercial limit 1"}}
tls_privatekey = ${lookup mysql{"SELECT keypath FROM certs WHERE
domain='${quote_mysql:${tls_in_sni}}' order by commercial limit 1"}}

In case you want to use a default cert, use ...
'${quote_mysql:${tls_in_sni}}' REGEXP domain order by commercial, domain
limit 1

and a domain entry => ".*" with the default key and cert path. Or you
make an if-clause in Exim, your choice. The sort order in the above
query depends on how it is organized in detail, and may or may not
contain "DESC".

Best regards,
Marius

Re: Question regarding TLS SNI Certificates [ In reply to ]
Sherin A via Exim-users <exim-users@exim.org> (Thu 16 Sep 2021 14:54:39 CEST):
> Hello,
>
> I am configuring exim with a number of domains to use SNI certificates. I
> have domains which use Let's Encrypt and commercial SSL certificates. The
> certificates and keys are as follows:
>
> For the domain foo.com with user foouser :
>
>     Lets encrypt ssl certificate =
> /etc/letsencrypt/live/foo.com/fullchain.pem
>     Lets encrypt ssl key  = /etc/letsencrypt/live/foo.com/privkey.pem
>     Commercial ssl certificate =
> /var/panel/userdata/foouser/ssl/foo.com-combined.pem
>     Commercial ssl key file =
> /var/panel/userdata/foouser/ssl/foo.com-key.pem

First, you can save some configuration lines if you store cert, bundle,
and key in one file per cert name.

And for your question: yes, the * doesn't work, as "exists" doesn't do
globbing; it simply checks the existence of a path.

But, as I suppose you won't have colliding SNI names, why not create
a common directory to store all the cert(+bundle+key) files? Optionally
by having a symlink forest to the physical location of the files?

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
Re: Question regarding TLS SNI Certificates [ In reply to ]
Hello,

So the only option is to use a perl function.


On 16/09/21 10:09 pm, Jeremy Harris via Exim-users wrote:
> On 16/09/2021 13:54, Sherin A via Exim-users wrote:
>>      Lets encrypt ssl certificate =
>> /etc/letsencrypt/live/foo.com/fullchain.pem
>>      Lets encrypt ssl key  = /etc/letsencrypt/live/foo.com/privkey.pem
>>      Commercial ssl certificate =
>> /var/panel/userdata/foouser/ssl/foo.com-combined.pem
>>      Commercial ssl key file =
>> /var/panel/userdata/foouser/ssl/foo.com-key.pem
>>
>> So now I have the following configuration in exim.conf. I think it
>> won't work because I am using "*" inside the condition.
>
> Correct.
>
>> Can anyone help with this? Is it OK to use a perl subroutine
>> instead of the following?
>
> Yes, assuming you built exim with embedded perl.  But you probably
> don't need to,
> so much as concisely express what you need.  The obfuscation above
> ("foo" etc.)
> doesn't help us help you.
>
--
Regards
Sherin A


Re: Question regarding TLS SNI Certificates [ In reply to ]
Sherin A via Exim-users <exim-users@exim.org> (Fri 17 Sep 2021 06:41:15 CEST):
> Hello,
>
> So the only option is to use a perl function.

A simple ${run…} would probably do as well. But be careful, there may be
security implications, as the received SNI ($tls_in_sni) is not under
your control but under the control of a potential attacker.

Best regards from Dresden/Germany
Kind regards from Dresden
Heiko Schlittermann
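The SQL lookup Marius outlines, combined with the check on the attacker-controlled SNI that Heiko's last reply calls for, as an added example that is not code from either poster or from Exim: an in-memory SQLite table stands in for the MySQL table (the certs columns domain, certpath, keypath and commercial follow Marius's query, the paths follow the original post; bar.org and the function names sanitize_sni, build_db and cert_for_sni are constructed). Because MySQL's REGEXP matches anywhere in the string, the rows carry anchored patterns so that only the ".*" default row is unanchored.

```python
import re
import sqlite3

# A plain hostname: dot-separated labels of [a-z0-9-], none starting or
# ending with "-". Anything else (slashes, "..", spaces, shell metacharacters)
# is rejected before the value reaches a lookup or a ${run} command.
_HOST_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

def sanitize_sni(sni):
    """Return the normalised SNI if it is a plain FQDN, otherwise None."""
    if not sni or len(sni) > 253:
        return None
    host = sni.lower().rstrip(".")
    return host if _HOST_RE.fullmatch(host) else None

# Constructed certs table (domain, certpath, keypath, commercial). Patterns are
# anchored because MySQL's REGEXP, like re.search, matches anywhere in the
# string; the ".*" row is the default certificate.
ROWS = [
    (r"^foo\.com$", "/var/panel/userdata/foouser/ssl/foo.com-combined.pem",
     "/var/panel/userdata/foouser/ssl/foo.com-key.pem", 1),
    (r"^foo\.com$", "/etc/letsencrypt/live/foo.com/fullchain.pem",
     "/etc/letsencrypt/live/foo.com/privkey.pem", 0),
    (r"^bar\.org$", "/etc/letsencrypt/live/bar.org/fullchain.pem",
     "/etc/letsencrypt/live/bar.org/privkey.pem", 0),
    (".*", "/etc/exim/exim.crt.pem", "/etc/exim/exim.key.pem", 0),
]

def build_db():
    """In-memory SQLite stand-in (assumption) for the MySQL table Marius describes."""
    db = sqlite3.connect(":memory:")
    # SQLite has no REGEXP of its own: "x REGEXP y" calls regexp(y, x).
    db.create_function("REGEXP", 2,
                       lambda pat, val: 1 if re.search(pat, val) else 0)
    db.execute("CREATE TABLE certs(domain TEXT, certpath TEXT, "
               "keypath TEXT, commercial INTEGER)")
    db.executemany("INSERT INTO certs VALUES (?, ?, ?, ?)", ROWS)
    return db

def cert_for_sni(db, sni):
    """(certpath, keypath) for an SNI: commercial cert first, ".*" row last."""
    host = sanitize_sni(sni) or ""   # bad SNI: only the default row can match
    # domain DESC sorts the anchored "^..." patterns ahead of the ".*" default.
    return db.execute(
        "SELECT certpath, keypath FROM certs WHERE ? REGEXP domain "
        "ORDER BY commercial DESC, domain DESC LIMIT 1", (host,)).fetchone()
```

A rejected SNI falls through to the default certificate instead of being interpolated into a path or a command line.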