fetchmail-users

[Fetchmail-users] Support pinning multiple certs

[grarpamp <gra...@gm...>]

I've mentioned this before in a pile of crypto support
stuff for fetchmail 7. Here's an example of a popular,
likely geolocated / multihomed / proxied / etc, service where
pinning one cert isn't enough in particular if the user is
using global VPN-like services.

-----BEGIN CERTIFICATE-----
MIIEfjCCA2agAwIBAgIIWvnCfNoKjzowDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMjEwMTc0NjQ0WhcNMTYwMzA5MDAwMDAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNcG9w
LmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALl0v0j1
S96SIMojK/ACeP+MOVCS8yZdcdQkrosPQnJvgsby4kZ7ojK6vtiTZKmHkT/8BUGu
u1a69y6zL11ZR1XQfCZCQnF1xb9CV+owu4Ol9GqCk9zsNpiI4jHXoobCtkYdFiH0
HfW+WgsUpx1vBhAaAJs5BmM5STm2F/XdIeWDNENrthbeyaL8VajLgGBCBzcgTlEe
hC6m1keDIOwuFJ8JLflE+Wb4C5Nearzo5CjbLJxQzR8lxK/ctlu+rD7sZk22EMVk
nga+zclgapzBVXt0hJmEBfaZgc/q1eFQS/Q5GfyLzESIxwb0dpmuKmOK626GBtVq
KknyP7KMJxuIb/sCAwEAAaOCAUowggFGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wb3AuZ21haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQUk9fmZ+inRFkE7LirsYW1mk2Y+xowDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAYMAwGCisGAQQB1nkC
BQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xl
LmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAElGQepKUUEZkp7D5OAL
M0QbVf65jFxSmkrdoSsOg2reuRQDDw4+COIRJe9bifnFvbTF9QHXMMpxVzn4jQze
bHje681FjnVCVuNE5sxEIwDlZuUwolN8q+T6GwriJyooKEC4ZAvHyDMK/Q6QjktZ
GLLbA7hX48/oIPkDuo1uzZfOX+Bu9tDN9os8D4th4HT5y4g7Ju6MrfEX56p1LSB8
i2/Zx6uywqwozani5PJNWD4Em/SCdgZw1UDoR7ImIFDYJGPC60CN7Z0L/9kFd2Ye
6/g4PgDHNS5DdAY1t1Dj9yXJSResuZ/C6ewIfnLZnLfBlvFPL9ArZ2p03ehCDxfr
KHY=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEfjCCA2agAwIBAgIIZEfR3URZexYwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTUxMjAyMTUyNjA5WhcNMTYwMzAxMDAwMDAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNcG9w
LmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK/wNlwT
a6QFjipNFZp9W0GbctN0PNwInZbpSvxkylmaR/MeTfBXFTkMKP/M0krhISWFbvBw
dcsap23C3aLarsgXDflleSbujy+AsRl2RcgvjdiuOO3hb/NqZbRRQ+tRn9JnRLgO
7fN4wPVVXNKSAdGOAoh9aF72k8Pct8IalryFH+Evs0MdqT1ZSAdOF1RvlMq36Oxw
C9VlpZsDZDDviFCaUDpb465l4JkAohKZlEzJbLVlcNlEvtnSshxjy6mWvXTDWM+Q
XT6ZNPkK3M4lpCLrhxB1LiaFjdHKCBqlYLOmidq+aLH6ubvpPtUZrG9GIji4nZbl
/mJMrjlQPod1SusCAwEAAaOCAUowggFGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wb3AuZ21haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQUccsm05eNZmuy97BbLcmHvyEzZbQwDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAYMAwGCisGAQQB1nkC
BQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9wa2kuZ29vZ2xl
LmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAIYejPExKoIisbMHdvFn
iOzrcCy1InNueMehndee0n7QuVI38I3f7cUn+UKZMrOiC3RTmUnsJOucO9Rp20Ob
e1sKSUNWOKqcWFxIsiIYFeTevx3E12/4xMq/NSWDI4buxjLECWZsRB1cw/Q4uPGa
SjlBp3T9/HXILvWhCVej0mplWUiiDHKnh0iXWkcpGAiI5cI6NMtSns7Y7kRI//yv
zQL3cke6+IHJPGoItqwKrtltvpxmcke7Ewe7+Qmx8wBc187L90drLsYGrhYpaoYp
JYbtsdsBZQ8QkBJ5+7+gLk3CR7ZtFsc5epCBfGD/pZtzMXzUP5tB/QoyuXl8R9/I
RwE=
-----END CERTIFICATE-----

Re: [Fetchmail-users] Support pinning multiple certs

[Matthias A. <mat...@gm...>]

Am 16.12.2015 um 09:21 schrieb grarpamp:
> I've mentioned this before in a pile of crypto support
> stuff for fetchmail 7. Here's an example of a popular,
> likely geolocated / multihomed / proxied / etc, service where
> pinning one cert isn't enough in particular if the user is
> using global VPN-like services.

Well, sure we need that - but what is the surrounding concept, what do
we need to document, what needs to be reported to the user, and how and
where do we direct support inquiries?  How do we present issues to the
user?  Do we want to do some pinning or certificate/issuer logging?

What kind of hashes do we support?  MD5 alone doesn't cut the mustard
these days any more.

What kind of other libraries to we port fetchmail onto, to alleviate
both certificate management, as well as licensing?  The GPL exemption
clauses for OpenSSL's advertising clauses are cumbersome to some.  As
end user you won't care, a distributor or someone who plans to embed
fetchmail into other applications, however, will.

I certainly don't want users asking the list with issues their ISPs
cause with underdocumentation, negligence, or otherwise, and that's not
laziness, but about putting the support efforts where they belong (and
probably also response times).

Just slapping features onto fetchmail is the easy part, casting
everything into a sound concept, however, is the work that needs to be
done before.

I am open to and soliciting input on the "concept" parts. It should not
amount to novel-like text quantities, but a few well-thought bullet
points on concept, threat scenario, user interface, "what kind of
documentation do we need", steering support load, would surely help.

I am also inviting users to review the legacy_64 and master ("7.0.0
alpha") branches in Git and have a loot at their SSL/TLS/crypto
approach. Not radically different, but noticable, and to clean up some
of the burdens of the past, when someone thought "STARTTLS means TLS
v1.0 and SSL-wrapped means SSLv2 or v3"...

Re: [Fetchmail-users] Support pinning multiple certs

[grarpamp <gra...@gm...>]

> Well, sure we need that - but what is the surrounding concept

That cert validity can overlap in time, that certs may not
be rolled out globally instantly, and many may be issued
to server clusters, behind service engines, etc.

> what do we need to document

Fetchmail only.

> what needs to be reported to the user

The fingerprint matched, or failure because of no match.
The rest is in debug or the rc.

> how and where do we direct support inquiries?

FAQ, email 'forum', open wiki.

> How do we present issues to the user?

What issues. Users have issues.

> Do we want to do some pinning or certificate/issuer logging?

Pinning fingerprints, yes.
Logging beyond fingerprint, no, there are tools for examining certs.
And without pinning any other cert params should be viewed suspect anyways.

> What kind of hashes do we support?  MD5 alone doesn't cut the mustard
> these days any more.

Legacy is md5 sha1, current is sha256, use whatever the cert world uses
so you can talk the same thing. I formerly thought to add sha2 / sha3,
that was before the cert world decided to move off broken md5 / sha1.

> What kind of other libraries to we port fetchmail onto, to alleviate
> both certificate management, as well as licensing?  The GPL exemption

https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations

There have also been at least one, maybe two, recent new
libraries besides LibreSSL. Ask on metzdowd for them.

> (user support)

Offload it, give them a fetchmail wiki. torproject even has success
with generic user:pass posted on wiki front page. Fill it with
starter links to learn. Post man2html pages.

https://en.wikipedia.org/wiki/Transport_Layer_Security

> I certainly don't want users asking the list with issues their ISPs

If those kind of users are expected, punt them to their favorite
form of support, chatter and bloat... a "forum", simplemachines is
fine. Never post or read it and move yourself to a -dev list :)

> I am open to and soliciting input on the "concept" parts. It should not
> amount to novel-like text quantities, but a few well-thought bullet
> points on concept, threat scenario, user interface, "what kind of
> documentation do we need", steering support load, would surely help.

> I am also inviting users to review the legacy_64 and master ("7.0.0
> alpha") branches in Git and have a loot at their SSL/TLS/crypto
> approach. Not radically different, but noticable

I previously commented / ticketed at least at some length on
- support for TLS stuff and usage
- refactoring the fetchmail rc file

I likely owe a revisit on followup I missed.

If you expect to get a 7.x out, I'd abandon 6.x except for critical fixes.

> and to clean up some
> of the burdens of the past, when someone thought "STARTTLS means TLS
> v1.0 and SSL-wrapped means SSLv2 or v3"...

Wiki links to good definitions and examples.
Github offers wiki page, though not a end-user level thing.