dkim-milter

I was planning on deploying dkim-milter but I noticed that after 
compiling and installing I got the error below on the reply from 
sa-test@....  After searches on the subject I gather that older 
versions of OpenSSL do not support rsa-sha256.  Is this correct?

(verification error: signature algorithm invalid) header.i=@sendmail.net

[static@... ~]$ dkim-filter -V
dkim-filter: Sendmail DKIM Filter v2.1.1
        Compiled with OpenSSL 0.9.7a Feb 19 2003
        Supported signing algorithms:
                rsa-sha1
        Supported canonicalization algorithms:
                relaxed
                simple

I am just surprised that the latest version of CentOS5/RHEL5 would be 
too outdated to use sa-test@....  I am pretty much stuck with 
the default openssl versions for support reasons so I am wondering how 
wide spread sha256 is used.  I know that sha1 is getting outdated and 
has issues that make it easier to crack but it seems like a bad idea to 
push an algorithm that some of the well known OS vendors do not support 
by default... especially if we want dkim-milter to get used by as many 
mail servers as we can.

Or did I do something wrong and sha256 is supported with openssl 0.9.7a?

> I was planning on deploying dkim-milter but I noticed that after 
> compiling and installing I got the error below on the reply from 
> sa-test@....  After searches on the subject I gather that older 
> versions of OpenSSL do not support rsa-sha256.  Is this correct?
>
> (verification error: signature algorithm invalid) header.i=@sendmail.net
>
> [static@... ~]$ dkim-filter -V
> dkim-filter: Sendmail DKIM Filter v2.1.1
>         Compiled with OpenSSL 0.9.7a Feb 19 2003
>         Supported signing algorithms:
>                 rsa-sha1
>         Supported canonicalization algorithms:
>                 relaxed
>                 simple
>
> I am just surprised that the latest version of CentOS5/RHEL5 would be 
> too outdated to use sa-test@....  I am pretty much stuck with 
> the default openssl versions for support reasons so I am wondering how 
> wide spread sha256 is used.  I know that sha1 is getting outdated and 
> has issues that make it easier to crack but it seems like a bad idea to 
> push an algorithm that some of the well known OS vendors do not support 
> by default... especially if we want dkim-milter to get used by as many 
> mail servers as we can.
>
> Or did I do something wrong and sha256 is supported with openssl 0.9.7a?
Greetings! You need openssl 0.9.8 to do sha256. I have this running in 
production on a Fedora Core 3 box, and was able to accomplish it by 
building and installing the openssl 0.9.8 libraries and header files 
into a separate directory, like /usr/openssl-0.9.8e:
./Configure -DSSL_ALLOW_ADH -DSHA256_ASM --prefix=/usr/openssl-0.9.8e 
--openssldir=/usr/openssl-0.9.8e/share/openssl linux-elf shared
make install build-shared
echo "/usr/openssl-0.9.8e/lib" >> /etc/ld.so.conf.d/openssl-0.9.8e.conf
ldconfig

The rest of your existing CentOS binaries will continue to function 
linked against 0.9.7, and you have to simply build dkim-milter to link 
against the openssl libraries in your separate directory.

APPENDDEF(`confLIBS', `-lssl -lcrypto')
APPENDDEF(`confINCDIRS', `-I/usr/openssl-0.9.8e/include')
APPENDDEF(`confLIBDIRS', `-L/usr/openssl-0.9.8e/lib')

The resulting binary should link like this:
ldd obj.Linux.2.6.12-1.1381_FC3smp.i686/dkim-filter/dkim-filter
<snip>
libssl.so.0.9.8 => /usr/openssl-0.9.8e/lib/libssl.so.0.9.8 (0x00111000)
libcrypto.so.0.9.8 => /usr/openssl-0.9.8e/lib/libcrypto.so.0.9.8 
(0x002e9000)
<snip>

And the proof is in the pudding:
dkim-filter -V
<snip>
Supported signing algorithms:
rsa-sha1
rsa-sha256
<snip>

FWIW, I have built my production verification systems to support both 
rsa-sha1 and sha256, while I am intentionally running my signing systems 
in rsa-sha1 mode for maximum backward compatibility with systems like 
your's. This is done using the -S dkim-filter parameter, or the 
SignatureAlgorithm dkim-filter.conf parameter.

I am actually curious how others are solving this problem.

Ben Lentz wrote:
>> I was planning on deploying dkim-milter but I noticed that after 
>> compiling and installing I got the error below on the reply from 
>> sa-test@....  After searches on the subject I gather that older 
>> versions of OpenSSL do not support rsa-sha256.  Is this correct?
>>
>>
>>     
--- CUT ---
> Greetings! You need openssl 0.9.8 to do sha256. I have this running in 
> production on a Fedora Core 3 box, and was able to accomplish it by 
> building and installing the openssl 0.9.8 libraries and header files 
> into a separate directory, like /usr/openssl-0.9.8e:
> ./Configure -DSSL_ALLOW_ADH -DSHA256_ASM --prefix=/usr/openssl-0.9.8e 
> --openssldir=/usr/openssl-0.9.8e/share/openssl linux-elf shared
> make install build-shared
>   
--- CUT ---
> FWIW, I have built my production verification systems to support both 
> rsa-sha1 and sha256, while I am intentionally running my signing systems 
> in rsa-sha1 mode for maximum backward compatibility with systems like 
> your's. This is done using the -S dkim-filter parameter, or the 
> SignatureAlgorithm dkim-filter.conf parameter.
>   
Thanks for the info.  That sure saves some time if I want to go that 
route but regardless I will also use rsa-sha1 to be compatible with more 
systems.

What I was really trying to get at though is that if distributions 
decide to add this today and make it easier for people to install (RPM, 
etc) then they will end up using the openssl that is included by 
default.  For that reason I was just curious how wide spread the usage 
of sha256 is used.  I was just surprised that sendmail.net would use 
sha256 when other setups might not work with it and the sendmail.net 
server is what the docs say to test your setup with.

Adam Gibson wrote:
> then they will end up using the openssl that is included by default.

Well, the default version of RHEL5 is 0.9.8, so I'm wondering how you
compiled your version of dkim-milter...

Also, note that if compiled without support for rsa-sha256, dkim-milter
is not compliant with RFC 4871 (section 3.3):

> Verifiers MUST implement both rsa-sha1 and rsa-sha256.
> Signers MUST implement and SHOULD sign using rsa-sha256.

Kaspar

At 20:50 16-08-2007, Adam Gibson wrote:
>What I was really trying to get at though is that if distributions
>decide to add this today and make it easier for people to install (RPM,
>etc) then they will end up using the openssl that is included by
>default.  For that reason I was just curious how wide spread the usage
>of sha256 is used.  I was just surprised that sendmail.net would use
>sha256 when other setups might not work with it and the sendmail.net
>server is what the docs say to test your setup with.

For security reasons it's better to use sha256.  That choice is not 
dictated by what is available on widely deployed operating 
systems.  You have the option of compiling against a SSL library that 
has sha256 support.

Dkim-milter implements RFC 4871.  The specification recommends that 
Signers should sign using rsa-sha256.  It also recommends that 
Verifiers must implement rsa-sha256.

Regards,
-sm

Adam Gibson skrev, on 17-08-2007 04:13:

> I was planning on deploying dkim-milter but I noticed that after 
> compiling and installing I got the error below on the reply from 
> sa-test@....  After searches on the subject I gather that older 
> versions of OpenSSL do not support rsa-sha256.  Is this correct?
> 
> (verification error: signature algorithm invalid) header.i=@sendmail.net
> 
> [static@... ~]$ dkim-filter -V
> dkim-filter: Sendmail DKIM Filter v2.1.1
>         Compiled with OpenSSL 0.9.7a Feb 19 2003
>         Supported signing algorithms:
>                 rsa-sha1
>         Supported canonicalization algorithms:
>                 relaxed
>                 simple
> 
> I am just surprised that the latest version of CentOS5/RHEL5 would be 
> too outdated to use sa-test@....

As Kaspar points out, RHL5 has openssl 0.9.8 as standard. I'm running 
dkim-milter 2.1.1 with Postfix 2.4.5 on RHL5 and it's signing with 
rsa-sha256.

Working perfectly, by the way.

> I am pretty much stuck with 
> the default openssl versions for support reasons so I am wondering how 
> wide spread sha256 is used.  I know that sha1 is getting outdated and 
> has issues that make it easier to crack but it seems like a bad idea to 
> push an algorithm that some of the well known OS vendors do not support 
> by default... especially if we want dkim-milter to get used by as many 
> mail servers as we can.
> 
> Or did I do something wrong and sha256 is supported with openssl 0.9.7a?

If you want a RHL5 dkim-milter 2.1.1 rpm or srpm I can give you one - 
though it will be doing things my way ('cos it's my own spec), which may 
not be yours ;)

Best,

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl

Adam Gibson --> dkim-milter-discuss (2007-08-16 23:50:31 -0400):
> Thanks for the info.  That sure saves some time if I want to go that 
> route but regardless I will also use rsa-sha1 to be compatible with more 
> systems.

...and if everybody signs using rsa-sha1 for compatibility reasons
nobody will ever be forced to support rsa-sha256 at all... ;-)


> What I was really trying to get at though is that if distributions 
> decide to add this today and make it easier for people to install (RPM, 
> etc) then they will end up using the openssl that is included by 
> default.

Distributions shipping with OpenSSL <0.9.8 and providing a dkim-milter
package should probably provide the latter statically linked with
OpenSSL 0.9.8 libraries.


Regards, Jukka

-- 
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Aug 17, 2007 at 08:41:58AM +0200, Tony Earnshaw wrote:

>> I was planning on deploying dkim-milter but I noticed that after 
>> compiling and installing I got the error below on the reply from 
>> sa-test@....  After searches on the subject I gather that older 
>> versions of OpenSSL do not support rsa-sha256.  Is this correct?
>If you want a RHL5 dkim-milter 2.1.1 rpm or srpm I can give you one - 
>though it will be doing things my way ('cos it's my own spec), which may 
>not be yours ;)

I do a local build of openssl 0.9.8 and then a couple of lines in the
devtools/Site/site.config.m4 makes it use that instead of the
distribution installed openssl libs (same as my sendmail-8.13.8 spec
file).  It seems like it would be pretty easy to roll those changes into
a spec file for dkim-filter as well.
- -- 
Regards...		Todd
Well, it's Karch...   --frequently heard after every amazing move he does
Linux kernel 2.6.17-6mdv   1 user,  load average: 0.42, 0.60, 0.49
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGxczOY2VBGxIDMLwRAsS9AJ4gTUNy7bQ3rICebsyyXXaobPKwdwCbBPMV
z0vItkYrS0qIN9nUhE+4L18=
=oiej
-----END PGP SIGNATURE-----

On Thu, 16 Aug 2007, Adam Gibson wrote:
> [...] I know that sha1 is getting outdated and has issues that make it 
> easier to crack but it seems like a bad idea to push an algorithm that 
> some of the well known OS vendors do not support by default...
> especially if we want dkim-milter to get used by as many mail servers as 
> we can.

Conversely, it seems like a bad idea for OS vendors to continue to ship a 
version of OpenSSL which doesn't support hash algorithms generally 
favoured by the security community.

If however this is a truly widespread problem, I might be able to 
entertain the idea of posting static binaries compiled against current 
OpenSSL versions.

> Or did I do something wrong and sha256 is supported with openssl 0.9.7a?

It is not.

On Thu, 16 Aug 2007, Ben Lentz wrote:
> I am actually curious how others are solving this problem.

I use a slightly older OpenBSD and basically do what you did.

On Thu, 16 Aug 2007, Adam Gibson wrote:
> [...] I was just surprised that sendmail.net would use sha256 when other 
> setups might not work with it and the sendmail.net server is what the 
> docs say to test your setup with.

sendmail.net signs with rsa-sha256 (which is what's recommended by the 
DKIM RFC), but will verify either algorithm.

Todd Lyons skrev, on 17-08-2007 18:29:
[...]

> I do a local build of openssl 0.9.8 and then a couple of lines in the
> devtools/Site/site.config.m4 makes it use that instead of the
> distribution installed openssl libs (same as my sendmail-8.13.8 spec
> file).  It seems like it would be pretty easy to roll those changes into
> a spec file for dkim-filter as well.

'Taint as easy as that, dude. Or roll your own over several 
days/weeks/months.

--Tonni

-- 
Tony Earnshaw
Email: tonni at hetnet dot nl

On Fri, 17 Aug 2007, Tony Earnshaw wrote:
> 'Taint as easy as that, dude. Or roll your own over several 
> days/weeks/months.

Why?  That's what I did, and now I just have lines in site.config.m4 that 
refer to them, and then copy that file from one release to the next.

On Friday August 17 2007 20:33:27 Murray S. Kucherawy wrote:
> On Thu, 16 Aug 2007, Ben Lentz wrote:
> > I am actually curious how others are solving this problem.
>
> I use a slightly older OpenBSD and basically do what you did.

On FreeBSD it is easy too, the ports install tells you how to
in the first few displayed lines. This is what it takes:

  # cd /usr/ports/mail/dkim-milter
  # WITH_OPENSSL_PORT=yes make install

Mark

Tony Earnshaw wrote:
> Adam Gibson skrev, on 17-08-2007 04:13:
>   
--- CUT ---
>> Or did I do something wrong and sha256 is supported with openssl 0.9.7a?
>>     
>
> If you want a RHL5 dkim-milter 2.1.1 rpm or srpm I can give you one - 
> though it will be doing things my way ('cos it's my own spec), which may 
> not be yours ;)
>   

I just realized the system is latest in the Centos 4.x versions and not 
Centos 5.  Thanks for bringing that up.  I will end up upgrading that to 
Centos 5 soon anyway which will fix the problem.

Someone else mentioned that the RFC recommends rsa-sha256 which I was 
not aware of.  That is one of the bad things about stable Linux 
distributions... you end up with older libraries that end up causing you 
problems.

I was not really expecting a solution to the problem... I was just 
wondering how many servers will end up compiling with only rsa-sha1 
support.  I wonder if this should be made clearer in the INSTALL 
documentation that a certain version or newer of openssl is highly 
recommended for rsa-sha256 support to comply with the RFC and already 
deployed systems since sha1 is considered outdated and less secure.  
Maybe even explain how to get openssl installed in a separate directory 
than the system openssl and linked to there (or maybe statically linked 
into the binary) for distributions with older openssl libraries.  I 
suspect there are way more mail systems out there with older openssl 
version than there are with the rsa-sha256 capabilities.