jetmore / swaks

Swaks - Swiss Army Knife for SMTP
http://jetmore.org/john/code/swaks/
GNU General Public License v2.0

Why does smtp-server.pl return the same cert multiple times #73

Open jetmore opened 7 months ago

jetmore commented 7 months ago

See test _exec-transactions/00200. smtp-server.pl is using the default cert, which is node.example.com.key/.crt

That test runs (more or less):

../../swaks --to user@host1.nodns.test.swaks.net --from recip@host1.nodns.test.swaks.net --helo hserver   --tls   --pipe '../server/smtp-server.pl --silent --domain pipe   part-0000-connect-standard.txt   part-0101-ehlo-all.txt   part-0200-starttls-basic.txt   part-0101-ehlo-all.txt   part-1000-mail-basic.txt   part-1100-rcpt-basic-accept.txt   part-2500-data-accept-basic.txt   part-3000-shutdown-accept.txt   '

And the peer certs are reported as

=== TLS peer[0]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com
=== TLS peer[1]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com
=== TLS peer[2]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com

When I spin up smtp-server.pl on tcp and hit it with s_client, it also reports the same cert multiple times:

../server/smtp-server.pl --domain inet   part-0000-connect-standard.txt   part-0101-ehlo-all.txt   part-0200-starttls-basic.txt   part-0101-ehlo-all.txt   part-1000-mail-basic.txt   part-1100-rcpt-basic-accept.txt   part-2500-data-accept-basic.txt   part-3000-shutdown-accept.txt

openssl s_client -host 127.0.0.1 -port 11111 -starttls smtp
Connecting to 127.0.0.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=US, ST=Indiana, O=Swaks Development (node.example.com, with-SAN), CN=node.example.com, emailAddress=proj-swaks@jetmore.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=Indiana, O=Swaks Development (node.example.com, with-SAN), CN=node.example.com, emailAddress=proj-swaks@jetmore.net
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=Indiana, O=Swaks Development (node.example.com, with-SAN), CN=node.example.com, emailAddress=proj-swaks@jetmore.net
verify return:1

Given that, I see this as an issue w/ smtp-server.pl, not with swaks, so I'm creating this issue and dropping it into the backlog. My logic is that swaks is actually correct - as a test tool, if the peer is returning the same cert 3 times, I want to know that. But my preference is that most tests work as expected (one cert), with only one or two "does it report the same cert multiple times when presented multiple times" tests
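A small checker for exactly this symptom, added here as an illustration and not code from swaks or smtp-server.pl. It does two things: it parses the `=== TLS peer[n]` block that swaks prints (the format is taken verbatim from the output above) and groups entries whose DN, validity window and SAN are all identical, which is the strongest signal that report gives; and it computes SHA-256 fingerprints over the PEM blocks from an `openssl s_client -showcerts` run, which is the definitive test for a byte-identical certificate being presented more than once. The `-showcerts` sample is a constructed placeholder blob, not a real DER certificate; the hashing is unchanged for real input.

```python
import base64
import hashlib
import re
from collections import Counter

# Constructed sample: the swaks "=== TLS peer[n]" report from this issue.
SWAKS_PEER_REPORT = """\
=== TLS peer[0]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com
=== TLS peer[1]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com
=== TLS peer[2]   DN="/C=US/ST=Indiana/O=Swaks Development (node.example.com, with-SAN)/CN=node.example.com/emailAddress=proj-swaks@jetmore.net"
===               notBefore=2023-11-03T14:50:10Z
===               notAfter=2033-09-11T14:50:10Z
===               subjectAltName=[ DNS:node.example.com ]
===               commonName=node.example.com
"""

PEER_RE = re.compile(r'^=== TLS peer\[(\d+)\]\s+DN="([^"]*)"')
ATTR_RE = re.compile(r'^===\s+(\w+)=(.*)$')


def parse_swaks_peers(report):
    """Turn a swaks '=== TLS peer[n]' block into one dict per presented cert."""
    peers = []
    for line in report.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.append({"index": int(m.group(1)), "DN": m.group(2)})
            continue
        m = ATTR_RE.match(line)
        if m and peers:
            peers[-1][m.group(1)] = m.group(2).strip()
    return peers


def duplicate_peers(peers):
    """Return index groups whose DN, validity and SAN are all identical.

    Matching fields do not prove the same certificate (two distinct certs can
    share them), so treat a hit as "investigate with fingerprints", not proof.
    """
    key_fields = ("DN", "notBefore", "notAfter", "subjectAltName")
    groups = {}
    for p in peers:
        key = tuple(p.get(f) for f in key_fields)
        groups.setdefault(key, []).append(p["index"])
    return [idx for idx in groups.values() if len(idx) > 1]


PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(showcerts_output):
    """SHA-256 over the DER of every PEM block, in presentation order.

    This is the same value `openssl x509 -noout -fingerprint -sha256` prints,
    so equal fingerprints mean the exact same certificate was sent again.
    """
    fps = []
    for m in PEM_RE.finditer(showcerts_output):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def repeated_fingerprints(fps):
    """Map fingerprint -> count for every certificate presented more than once."""
    return {fp: n for fp, n in Counter(fps).items() if n > 1}


def _pem_block(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


# Constructed stand-in for `openssl s_client -showcerts` output: a placeholder
# blob (NOT a real DER certificate) presented three times, as in the issue.
FAKE_DER = b"constructed placeholder, not a real DER certificate"
SHOWCERTS_OUTPUT = (
    "depth=0 C=US, ST=Indiana, CN=node.example.com\n"
    + _pem_block(FAKE_DER) * 3
)

if __name__ == "__main__":
    peers = parse_swaks_peers(SWAKS_PEER_REPORT)
    print("swaks report: %d peer entries, duplicate groups %s"
          % (len(peers), duplicate_peers(peers)))
    fps = pem_fingerprints(SHOWCERTS_OUTPUT)
    print("showcerts: %d PEM blocks, repeated %s"
          % (len(fps), repeated_fingerprints(fps)))
```

In a test harness the fingerprint check is the one to assert on: a chain test that expects one certificate should fail if any fingerprint repeats, while a deliberate "same cert presented three times" test asserts a count of three for a single fingerprint.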