
Workaround to verify intermediate certs (for e.g. imap.googlemail.com) #2

Open
alkisg opened this issue Mar 11, 2018 · 2 comments

Comments

@alkisg

alkisg commented Mar 11, 2018

Hi, I'm trying to test pam-imap, but I haven't been able to make ./check_user alkisg not show the following error message:

*** WARNING *** There is no way to verify this certificate. It is
possible that a hostile attacker has replaced the
server certificate. Contrinue at your own risk!
Accept this certificate anyway [no]: yes

If I type yes, I get properly authenticated, but how can I avoid that error? Could you write a small how-to on getting and installing the IMAP server certificate, either on Debian or on Ubuntu?

@wdoekes
Owner

wdoekes commented Mar 12, 2018

Hi,

from what I gather, the verify_cert function is incomplete.

I believe not only cert = SSL_get_peer_certificate (ssl); has to be called, but rather SSL_get_peer_cert_chain (ssl). Then the chain of certificates can be traversed.

By default the certificates found in /etc/ssl/certs (on Debian/Ubuntu) are read by OpenSSL, but the intermediate you're looking at is not in there.

See this:

openssl s_client -showcerts -connect imap.googlemail.com:993
...
(certs...)
...
QUIT

and:

$ cat > imap.googlemail.com.crt  <<EOF
-----BEGIN CERTIFICATE-----
MIIEjDCCA3SgAwIBAgIIY3J9TE8xFgwwDQYJKoZIhvcNAQELBQAwVDELMAkGA1UE
BhMCVVMxHjAcBgNVBAoTFUdvb2dsZSBUcnVzdCBTZXJ2aWNlczElMCMGA1UEAxMc
R29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMzAeFw0xODAyMjAxNDUzMjFaFw0x
ODA1MTUxNDA5MDBaMG0xCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKDApHb29nbGUgSW5jMRww
GgYDVQQDDBNpbWFwLmdvb2dsZW1haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAywjKzYu+k115DHCBR1m7luHvQlt0AXOQIMlZKrNGZiPwauh1
r9paAcQcF/4AFZ8qZ0BHfpw+DTHEXZJsydP7ll0AUGmMcJXb1qowoJxjBlAtboAd
nNi1NA/I0ZlXsv7YisZaga7N45PEaThOu7cJuzAmLmmnzJhUEwchNWmaR7ZWnili
beW0DO55pLQs8KoYX83Vg21pZMcq/BkTaaSeodtBLIYk6gIVOgo0bsNDLlzoJqqK
SqLlyUhSXvCIGYikSDKrEW1J+mH53wHAgXIEcTcorLAEsY500zipSsOQa5BgSdJ2
GR+ygVBdK8eESl9BBZEWoROmpO7otOzQGfxNkQIDAQABo4IBRzCCAUMwEwYDVR0l
BAwwCgYIKwYBBQUHAwEwHgYDVR0RBBcwFYITaW1hcC5nb29nbGVtYWlsLmNvbTBo
BggrBgEFBQcBAQRcMFowLQYIKwYBBQUHMAKGIWh0dHA6Ly9wa2kuZ29vZy9nc3Iy
L0dUU0dJQUczLmNydDApBggrBgEFBQcwAYYdaHR0cDovL29jc3AucGtpLmdvb2cv
R1RTR0lBRzMwHQYDVR0OBBYEFChN69uUKOEQ36vBV7BZGuwFf0VWMAwGA1UdEwEB
/wQCMAAwHwYDVR0jBBgwFoAUd8K4UJpndnaxLcKG0IOgfqZ+ukswIQYDVR0gBBow
GDAMBgorBgEEAdZ5AgUDMAgGBmeBDAECAjAxBgNVHR8EKjAoMCagJKAihiBodHRw
Oi8vY3JsLnBraS5nb29nL0dUU0dJQUczLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA
pDrl3jIcluQrUiEL3V9WbR7I2z9Db6oxDMCl8dkP3pdVQe7/VJ9VMuf9JueGVNFf
EVutfd4lxlSsWww9Bqtfz2FjLIzsaLmu77p3/iItpkxyPg1ud1S2FI7ZdCHVZQgM
DLfhye8YrYU4wtBb02swYNgn0taDcSuT/G0JRoG9EY28MhToYzeCDE/FWZmM6+zw
HDAsayjW0FGi3CVRjsPSMz1obBH43/S2PlIutKFy0S6PXouvx+tFOQZ4AnLMKN86
wcb63A9Ep1RNVVnERYk0cMYq7M5IVy3aUym28LqjYWyGgpjUyvjJOP+D22RRf39y
zjtxhEJZEQInR7caFymnvA==
-----END CERTIFICATE-----
EOF
$ cat > imap.googlemail.com.intermediate <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF

and:

$ openssl verify imap.googlemail.com.crt
imap.googlemail.com.crt: C = US, ST = California, L = Mountain View, O = Google Inc, CN = imap.googlemail.com
error 20 at 0 depth lookup:unable to get local issuer certificate

$ openssl verify -untrusted imap.googlemail.com.intermediate imap.googlemail.com.crt
imap.googlemail.com.crt: OK

But, until the verify_cert function is fixed/changed to do parent-chain traversal, what you can do is the following workaround:

  • fetch the intermediate cert from google (see the 2nd ssl blob above)
  • add it into the ca-certificates

Updating the ca-certificates is a matter of reading update-ca-certificates(8), reading /usr/share/doc/ca-certificates/README.Debian and then doing:

$ sudo cp imap.googlemail.com.intermediate /usr/local/share/ca-certificates/Google_Internet_Authority_G3-for-imap.googlemail.com.crt

$ sudo update-ca-certificates 
Updating certificates in /etc/ssl/certs...
...
Adding debian:Google_Internet_Authority_G3-for-imap.googlemail.com.pem

after which this works, and the verify_cert in pam-imap should too (I think?):

$ openssl verify imap.googlemail.com.crt
imap.googlemail.com.crt: OK

@wdoekes wdoekes changed the title Example usage for e.g. imap.googlemail.com? Workaround to verify intermediate certs (for e.g. imap.googlemail.com) Mar 12, 2018
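The following is an added example, not pam-imap code and not part of the issue. It reproduces the situation in the comment above offline: a throwaway root -> intermediate -> leaf chain is generated locally, and then the three openssl verify outcomes are shown side by side, leaf alone (error 20), leaf with the intermediate passed as -untrusted (what walking SSL_get_peer_cert_chain would hand the verifier), and leaf against a hashed CApath directory holding root plus intermediate (what update-ca-certificates builds under /etc/ssl/certs). The names Example Root CA, Example Intermediate CA, imap.example.test and the shell function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not pam-imap code: build a throwaway root -> intermediate -> leaf
# chain with the openssl CLI, show why the leaf alone fails with error 20, and
# then the two ways to make verification pass. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for the three certificates, spelled out so the example does
# not depend on the system openssl.cnf. [dn] is a placeholder; every subject is
# passed with -subj.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_inter]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:imap.example.test
EOF

# Root CA (stands in for a CA already shipped in /etc/ssl/certs), an intermediate
# signed by it (stands in for Google Internet Authority G3) and a server leaf
# signed by the intermediate (stands in for imap.googlemail.com).
make_chain() (
    cd "$WORK"
    openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
        -sha256 -days 2 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -set_serial 2 \
        -days 2 -sha256 -extfile pki.cnf -extensions v3_inter -out inter.crt 2>/dev/null
    openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=imap.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -set_serial 3 \
        -days 2 -sha256 -extfile pki.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null
)

# 1. Only the root is trusted and the intermediate is not supplied: no chain can
#    be built, hence "error 20 ... unable to get local issuer certificate". This
#    is what a verifier sees when it looks at the peer certificate alone. The
#    failing exit status is swallowed so the message can be inspected.
verify_leaf_only() {
    openssl verify -no-CApath -CAfile "$WORK/root.crt" "$WORK/leaf.crt" 2>&1 || true
}

# 2. Fix A: hand over the intermediate as an *untrusted* chain member. Only the
#    root stays a trust anchor; the intermediate merely bridges the leaf to it.
#    This is what walking the server-sent chain (SSL_get_peer_cert_chain) gives.
verify_with_untrusted() {
    openssl verify -no-CApath -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" 2>&1
}

# 3. Fix B: the workaround from the issue. Put root and intermediate into a hashed
#    CApath directory (<subject_hash>.0 entries, the layout update-ca-certificates
#    produces under /etc/ssl/certs) and verify against it. Note that this makes
#    the intermediate itself a trust anchor.
verify_with_capath() {
    mkdir -p "$WORK/capath"
    for c in root.crt inter.crt; do
        h=$(openssl x509 -noout -hash -in "$WORK/$c")
        cp "$WORK/$c" "$WORK/capath/$h.0"
    done
    openssl verify -no-CAfile -CApath "$WORK/capath" "$WORK/leaf.crt" 2>&1
}

make_chain
echo "== leaf only:";       verify_leaf_only
echo "== with -untrusted:"; verify_with_untrusted
echo "== with CApath:";     verify_with_capath
```

Run it with sh; it needs only the openssl CLI and touches nothing outside a temporary directory. The difference between the two fixes is the security-relevant point: with -untrusted the intermediate is only used to reach the root and is still subject to the root's signature, whereas dropping it into the CA directory (the workaround) makes it a trust anchor in its own right for every program on the host, and the entry has to be replaced by hand whenever the server starts chaining through a different intermediate.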
@wdoekes
Owner

wdoekes commented Mar 12, 2018

P.S. The verify_cert also looks like it leaks a small bit of memory, see #3.
