Loïc Minier
2011-Mar-05 23:49 UTC
[Logcheck-devel] Bug#616616: TLS fingerpring log message out of date
Package: logcheck-database
Version: 1.3.13
Severity: normal
Tags: patch

Hey

I'm getting reports of log lines like:

    Mar 5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

reported; this is with postfix 2.7.0-1.

Only src/tls/tls_server.c in recent Postfix versions uses fingerprint in logs; I've looked at the source history, and the upstream log message was changed from:

    msg_info("fingerprint=%s", TLScontext->peer_fingerprint);

to:

    msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
             props->namaddr,
             TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
             TLScontext->peer_CN, TLScontext->issuer_CN,
             TLScontext->peer_fingerprint);

between 2.4.6 and 2.5.1-RC1.

I don't know what policy you follow for logcheck for older version of logged strings, but this seems to have happened a long time ago, hence I suggest just updating the regexp rather than keeping both versions:

    ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$

For props->namaddr, I used the same snippet as for the "setting up TLS connection" message which uses the same var; then I added Trusted; this could also be Untrusted, but I decided this should be logged; then for subject_CN= and issuer= I wasn't too sure what to allow as this could be anything really, but I saw other places which had subject_CN=.*, issuer=.*; finally, fingerprint= can be different types of fingerprints, in my case it's SHA1 so 20 pairs of hex digits.

Cheers,
-- 
Loïc Minier
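A rule like the one proposed above can be exercised against sample lines before it is installed. The script below is an added example, not part of the original report or of logcheck: grep -E -v stands in for logcheck's ignore step (an assumption), and the helper names, the peer address and all sample lines are constructed.

```shell
#!/bin/sh
# Added example: run the proposed ignore rule over constructed log lines and
# show which ones would still be reported.
LC_ALL=C; export LC_ALL

# The rule exactly as proposed in the bug report.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$'

SHA1='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'  # 20 pairs
MD5='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF'              # 16 pairs
# Syslog pads a single-digit day to two columns; the {11} in the rule relies on it.
PFX='Mar  5 22:06:54 xyz postfix/smtpd[20492]:'
PEER='some.host.name[192.0.2.10]'   # constructed peer, documentation address
CERT='subject_CN=some.host.name, issuer=Some Signing Authority'

# Constructed sample lines: trusted SHA1, trusted MD5, untrusted peer,
# the pre-2.5 message format, and a fingerprint with 21 pairs.
sample_lines() {
    printf '%s\n' \
      "$PFX $PEER: Trusted: $CERT, fingerprint=$SHA1" \
      "$PFX $PEER: Trusted: $CERT, fingerprint=$MD5" \
      "$PFX $PEER: Untrusted: $CERT, fingerprint=$SHA1" \
      "$PFX fingerprint=$SHA1" \
      "$PFX $PEER: Trusted: $CERT, fingerprint=${SHA1}:FF"
}

# Lines the rule does not match, i.e. the ones that still reach the report.
reported() { sample_lines | grep -E -v -- "$RULE"; }

# Number of reported lines that contain the fixed string $1.
count_reported() { reported | grep -c -F -- "$1"; }

reported
```

Only the two well-formed Trusted lines are filtered; the Untrusted line, the old-format line and the over-long fingerprint are still reported.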
Debian Bug Tracking System
2011-Sep-08 14:51 UTC
[Logcheck-devel] Bug#616616: marked as done (TLS fingerpring log message out of date)
Your message dated Thu, 08 Sep 2011 14:48:49 +0000
with message-id <E1R1fuL-0008RY-Vg at franck.debian.org>
and subject line Bug#616616: fixed in logcheck 1.3.14
has caused the Debian Bug report #616616,
regarding TLS fingerpring log message out of date
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

-- 
616616: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=616616
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: =?iso-8859-1?Q?Lo=EFc?= Minier <lool at dooz.org>
Subject: TLS fingerpring log message out of date
Date: Sun, 6 Mar 2011 00:49:29 +0100
Size: 3743
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20110908/cb89bf96/attachment-0002.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Hannes von Haugwitz <hannes at vonhaugwitz.com>
Subject: Bug#616616: fixed in logcheck 1.3.14
Date: Thu, 08 Sep 2011 14:48:49 +0000
Size: 10037
URL: <http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20110908/cb89bf96/attachment-0003.mht>