[Logcheck-devel] Bug#616616: TLS fingerprint log message out of date
Loïc Minier
lool at dooz.org
Sat Mar 5 23:49:29 UTC 2011
Package: logcheck-database
Version: 1.3.13
Severity: normal
Tags: patch
Hey
I'm getting reports of log lines like:
Mar 5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67
This is with postfix 2.7.0-1.
Only src/tls/tls_server.c in recent Postfix versions uses fingerprint=
in logs; I've looked at the source history, and the upstream log
message was changed from:
msg_info("fingerprint=%s", TLScontext->peer_fingerprint);
to:
msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
         props->namaddr,
         TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
         TLScontext->peer_CN, TLScontext->issuer_CN,
         TLScontext->peer_fingerprint);
between 2.4.6 and 2.5.1-RC1.
I don't know what policy you follow for logcheck for older versions of
logged strings, but this seems to have happened a long time ago, hence
I suggest just updating the regexp rather than keeping both versions:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$
For props->namaddr, I used the same snippet as for the "setting up TLS
connection" message which uses the same var; then I added Trusted; this
could also be Untrusted, but I decided this should be logged; then for
subject_CN= and issuer= I wasn't too sure what to allow as this could
be anything really, but I saw other places which had subject_CN=.*,
issuer=.*; finally, fingerprint= can be different types of
fingerprints, in my case it's SHA1 so 20 pairs of hex digits.
Cheers,
--
Loïc Minier
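The proposed rule run through grep -E (which is what logcheck uses to apply its ignore rules) against constructed sample lines, as an added example that is not part of the original bug report; the hostnames, IP address and fingerprint values are made up, and the rule is taken verbatim from the message above:

```shell
#!/bin/sh
# Added example, not from the bug report: check which postfix/smtpd lines the
# proposed logcheck rule would suppress. Uses grep -E like logcheck itself
# (\w is a GNU grep extension, as in the Debian logcheck rules).

# The rule exactly as proposed in the report.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$'

# Constructed sample lines. Note the two spaces before the day: syslog pads
# single-digit days, which is why the rule allows 11 characters for " 5 22:06:54".
TRUSTED='Mar  5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'
# Same certificate, but not trusted: the rule deliberately leaves this reported.
UNTRUSTED='Mar  5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Untrusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'
# Pre-2.5.1-RC1 format, which the updated rule no longer covers.
OLD='Mar  5 22:06:54 xyz postfix/smtpd[20492]: fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'
# Lowercase hex digits are not accepted by [[:digit:]A-F], so this is reported too.
LOWER='Mar  5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67'

# ignored LINE: exit 0 if logcheck would suppress the line, 1 if it would report it.
ignored() {
    printf '%s\n' "$1" | grep -Eq -e "$RULE"
}

# report LINE: show what logcheck would do with one line.
report() {
    if ignored "$1"; then
        printf 'ignored:  %s\n' "$1"
    else
        printf 'REPORTED: %s\n' "$1"
    fi
}

main() {
    for line in "$TRUSTED" "$UNTRUSTED" "$OLD" "$LOWER"; do
        report "$line"
    done
}

main "$@"
```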