Disable ssl validation for replication?


Disable ssl validation for replication?

Joseph Ward
Hi,

I have two servers (HA configuration) on which I'm attempting to get
replication working over SSL.  They're at two different sites, but
connected via a site-site VPN.

Everything seems to be fine, except that the certificates are not
validating as I'm using IP addresses for the sync, as opposed to the
public hostnames for which the certificates are valid, and so I get the
following error: 

doveadm(user@domain): Error: doveadm server disconnected before
handshake: SSL certificate doesn't match expected host name 10.x.x.x

I'm on Dovecot 2.2.33.

Is there any way to disable the certificate checking/validation for the
sync engine? 

(
I'm aware of at least a couple of fallback options:
    -have a self-signed cert for replication and use the Let's Encrypt
one for IMAP/POP
    - create firewall rules allowing them to connect to each other over
the public internet so that it can validate the proper cert
 
These are both much less palatable than simply disabling the cert
validation if it's possible.
)


Thank you in advance for any assistance,
Joseph

Re: Disable ssl validation for replication?

Andrew Sullivan
I guess what I don't understand is why the IP address approach is more
attractive to you, and why you think the "public Internet" path is less good.

Best regards,

A

--
Please excuse my clumbsy thums



----------
On December 21, 2017 12:47:47 AM Joseph Ward <[hidden email]> wrote:

> Hi,
>
> I have two servers (HA configuration) on which I'm attempting to get
> replication working over SSL.  They're at two different sites, but
> connected via a site-site VPN.
>
> Everything seems to be fine, except that the certificates are not
> validating as I'm using IP addresses for the sync, as opposed to the
> public hostnames for which the certificates are valid, and so I get the
> following error: 
>
> doveadm(user@domain): Error: doveadm server disconnected before
> handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
> I'm on Dovecot 2.2.33.
>
> Is there any way to disable the certificate checking/validation for the
> sync engine? 
>
> (
> I'm aware of at least a couple of fallback options:
>     -have a self-signed cert for replication and use the Let's Encrypt
> one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
> the public internet so that it can validate the proper cert
>  
> These are both much less palatable than simply disabling the cert
> validation if it's possible.
> )
>
>
> Thank you in advance for any assistance,
> Joseph



Re: Disable ssl validation for replication?

Joseph Tam-2
In reply to this post by Joseph Ward
Joseph Ward writes:

> I'm aware of at least a couple of fallback options:
>     -have a self-signed cert for replication and use the Let's Encrypt
> one for IMAP/POP
>     - create firewall rules allowing them to connect to each other over
> the public internet so that it can validate the proper cert
>
> These are both much less palatable than simply disabling the cert
> validation if it's possible.

Maybe instead of disabling the check, appease it by supplying (in
/etc/hosts) an alternate mapping of the FQDN subject of your certificate
to your internal IP:

  10.x.x.x        your.sync.target

Joseph Tam <[hidden email]>

Re: Disable ssl validation for replication?

Joseph Ward
In reply to this post by Andrew Sullivan
I only have one public IP at each site, so having all internal services
(and I have a lot of them) communicating over the internet to that
single IP (on each side) would get pretty complex with a lot of rules
and a lot of interesting port remapping and additional firewall rule
complexity.  That additional complexity also involves more chances to
make mistakes that introduce security problems.   So in general, I'm
eager to keep things going directly to the proper service internally. 
Obviously I can work around that when it's necessary, but going outside
the VPN is the last option I'm entertaining.

Regards,

Joseph Ward



On 12/20/2017 20:24, Andrew Sullivan wrote:
> I guess what I don't understand is why the IP address approach is more
> attractive to you, and why you think the "public Internet" path is
> less good.
>
> Best regards,
>
> A
>


Re: Disable ssl validation for replication?

Joseph Ward
In reply to this post by Joseph Tam-2
I'd considered doing it at the internal DNS server level which I wasn't
a fan of because it's a separate server's config that I'd have to rely
on to make sure this server was working.  The thought of the local hosts
file slipped my mind.  That is a good idea; it meets my needs, and keeps
everything in the same "create mail server" ansible file.

Thank you!

-Joseph


On 12/20/2017 20:27, Joseph Tam wrote:

> Joseph Ward writes:
>
>> I'm aware of at least a couple of fallback options:
>>     -have a self-signed cert for replication and use the Let's Encrypt
>> one for IMAP/POP
>>     - create firewall rules allowing them to connect to each other over
>> the public internet so that it can validate the proper cert
>>
>> These are both much less palatable than simply disabling the cert
>> validation if it's possible.
>
> Maybe instead of disabling the check, appease it by supplying (in
> /etc/hosts) an alternate mapping of the FQDN subject of your certificate
> to your internal IP:
>
>     10.x.x.x        your.sync.target
>
> Joseph Tam <[hidden email]>


Re: Disable ssl validation for replication?

Aki Tuomi-2
Thanks for letting us know, we'll check this.

But, would it make sense to sign those certs with your own CA cert and distribute the CA cert to your systems?

Aki

> On December 21, 2017 at 4:56 PM Joseph Ward <[hidden email]> wrote:
>
>
> I'd considered doing it at the internal DNS server level which I wasn't
> a fan of because it's a separate server's config that I'd have to rely
> on to make sure this server was working.  The thought of the local hosts
> file slipped my mind.  That is a good idea; it meets my needs, and keeps
> everything in the same "create mail server" ansible file.
>
> Thank you!
>
> -Joseph
>
>
> On 12/20/2017 20:27, Joseph Tam wrote:
> > Joseph Ward writes:
> >
> >> I'm aware of at least a couple of fallback options:
> >>     -have a self-signed cert for replication and use the Let's Encrypt
> >> one for IMAP/POP
> >>     - create firewall rules allowing them to connect to each other over
> >> the public internet so that it can validate the proper cert
> >>
> >> These are both much less palatable than simply disabling the cert
> >> validation if it's possible.
> >
> > Maybe instead of disabling the check, appease it by supplying (in
> > /etc/hosts) an alternate mapping of the FQDN subject of your certificate
> > to your internal IP:
> >
> >     10.x.x.x        your.sync.target
> >
> > Joseph Tam <[hidden email]>
>

Re: Disable ssl validation for replication?

Sean Greenslade
In reply to this post by Joseph Ward
On December 20, 2017 6:46:24 PM EST, Joseph Ward <[hidden email]> wrote:

>Hi,
>
>I have two servers (HA configuration) on which I'm attempting to get
>replication working over SSL.  They're at two different sites, but
>connected via a site-site VPN.
>
>Everything seems to be fine, except that the certificates are not
>validating as I'm using IP addresses for the sync, as opposed to the
>public hostnames for which the certificates are valid, and so I get the
>following error: 
>
>doveadm(user@domain): Error: doveadm server disconnected before
>handshake: SSL certificate doesn't match expected host name 10.x.x.x
>
>I'm on Dovecot 2.2.33.
>
>Is there any way to disable the certificate checking/validation for the
>sync engine? 
>
>(
>I'm aware of at least a couple of fallback options:
>    -have a self-signed cert for replication and use the Let's Encrypt
>one for IMAP/POP
>    - create firewall rules allowing them to connect to each other over
>the public internet so that it can validate the proper cert

>These are both much less palatable than simply disabling the cert
>validation if it's possible.

You could add an entry in /etc/hosts (or in your internal DNS system if you have one) that gives the internal IP in response to the public hostname.

--Sean
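The hosts-file approach that Joseph Tam and Sean both suggest, as an added example that is not part of the thread: the entry is written idempotently (so it can live in the same provisioning script as the rest of the mail server), and the last function reproduces the name check Dovecot performs, connecting to the certificate's FQDN and requiring the presented certificate to match it. File paths, the FQDN, the addresses and the port are placeholders; the check assumes the replication port speaks TLS from the first byte.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot. Keeps the peer's
# certificate name resolving to its VPN-side address instead of disabling
# certificate validation. All names and addresses below are placeholders.

# ensure_hosts_entry FILE IP FQDN
# Idempotently map FQDN to IP in FILE (normally /etc/hosts), replacing any
# stale line that already names FQDN (e.g. an old internal address).
ensure_hosts_entry() {
    file=$1; ip=$2; fqdn=$3
    [ -f "$file" ] || : > "$file"
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if grep -qE "^[[:space:]]*${ip_re}[[:space:]]+${fqdn}([[:space:]]|\$)" "$file"; then
        return 0                      # exact mapping already present
    fi
    tmp="${file}.tmp.$$"
    # keep every line except those that map FQDN to some other address
    grep -vE "[[:space:]]${fqdn}([[:space:]]|\$)" "$file" > "$tmp" || true
    printf '%s\t%s\n' "$ip" "$fqdn" >> "$tmp"
    mv "$tmp" "$file"
}

# hosts_lookup FILE FQDN
# Print the address FILE maps FQDN to (first match, comments ignored).
hosts_lookup() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$1"
}

# check_sync_tls FQDN PORT
# Same check the doveadm client makes: connect to the FQDN (now resolving
# through the hosts file to the VPN address) and fail unless the presented
# certificate is valid for that name. Exit status 0 means the mapping works.
check_sync_tls() {
    openssl s_client -connect "$1:$2" -verify_hostname "$1" \
        -verify_return_error </dev/null >/dev/null 2>&1
}
```

Run `check_sync_tls your.sync.target PORT` on each replica after applying the entry; a non-zero exit means the certificate presented on the VPN path still does not match the name, which is the same condition that produced the doveadm error above.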