[Logcheck-devel] Bug#616616: TLS fingerprint log message out of date

Loïc Minier lool at dooz.org
Sat Mar 5 23:49:29 UTC 2011


Package: logcheck-database
Version: 1.3.13
Severity: normal
Tags: patch

Hey

 I'm getting reports of log lines like:
Mar  5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67

 reported; this is with postfix 2.7.0-1.

 Only src/tls/tls_server.c in recent Postfix versions uses fingerprint=
 in logs; I've looked at the source history, and the upstream log
 message was changed from:
    msg_info("fingerprint=%s", TLScontext->peer_fingerprint);

 to:
    msg_info("%s: %s: subject_CN=%s, issuer=%s, fingerprint=%s",
             props->namaddr,
             TLS_CERT_IS_TRUSTED(TLScontext) ? "Trusted" : "Untrusted",
             TLScontext->peer_CN, TLScontext->issuer_CN,
             TLScontext->peer_fingerprint);

 between 2.4.6 and 2.5.1-RC1.

 I don't know what policy you follow for logcheck for older versions of
 logged strings, but this seems to have happened a long time ago, hence
 I suggest just updating the regexp rather than keeping both versions:
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$

 For props->namaddr, I used the same snippet as for the "setting up TLS
 connection" message which uses the same var; then I added Trusted; this
 could also be Untrusted, but I decided this should be logged; then for
 subject_CN= and issuer= I wasn't too sure what to allow as this could
 be anything really, but I saw other places which had subject_CN=.*,
 issuer=.*; finally, fingerprint= can be different types of
 fingerprints, in my case it's SHA1 so 20 pairs of hex digits.

   Cheers,
-- 
Loïc Minier
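To see what the proposed rule actually ignores and what still gets reported, here is an added example (not from the report or from logcheck itself) that runs the rule through grep -E, as logcheck does, over constructed sample lines; the hostnames, addresses and fingerprints are made up, and the Trusted/Untrusted and uppercase-only behaviour it checks follows from the rule as written above.

```shell
#!/bin/sh
# Added example, not part of the bug report: exercise the proposed logcheck
# rule with egrep over constructed sample lines.

# The rule exactly as proposed in the report, as one ERE line.
RULE='^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: [._[:alnum:]-]+(\[[[:xdigit:].:]{3,39}\](:[[:digit:]]+)?)?: Trusted: subject_CN=.*, issuer=.*, fingerprint=([[:digit:]A-F]{2}:){15,19}[[:digit:]A-F]{2}$'

# rule_matches LINE: exit 0 if logcheck would ignore LINE under this rule.
# LC_ALL=C keeps the A-F range strictly uppercase regardless of locale.
rule_matches() {
    printf '%s\n' "$1" | LC_ALL=C grep -E -q -- "$RULE"
}

# Constructed sample lines (hostname, address and fingerprints are made up).
PREFIX='Mar  5 22:06:54 xyz postfix/smtpd[20492]: some.host.name[88.166.229.232]'
SHA1='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'
MD5='12:34:56:78:90:AB:CD:EF:01:23:45:67:89:AB:CD:EF'
TRUSTED_SHA1="$PREFIX: Trusted: subject_CN=some.host.name, issuer=Some Signing Authority, fingerprint=$SHA1"
TRUSTED_MD5="$PREFIX: Trusted: subject_CN=some.host.name, issuer=Some CA, fingerprint=$MD5"
UNTRUSTED="$PREFIX: Untrusted: subject_CN=some.host.name, issuer=Some CA, fingerprint=$SHA1"
LOWERCASE="$PREFIX: Trusted: subject_CN=some.host.name, issuer=Some CA, fingerprint=$(printf '%s' "$SHA1" | tr 'A-F' 'a-f')"

# check LABEL LINE EXPECTED: print the outcome and succeed only if it matches
# EXPECTED ("match" = ignored by logcheck, "report" = still reported).
check() {
    if rule_matches "$2"; then got=match; else got=report; fi
    printf '%-13s %-6s (expected %s)\n' "$1" "$got" "$3"
    [ "$got" = "$3" ]
}

main() {
    check trusted_sha1 "$TRUSTED_SHA1" match &&   # 20 hex pairs, the reported case
    check trusted_md5  "$TRUSTED_MD5"  match &&   # {15,19} also covers 16-pair MD5
    check untrusted    "$UNTRUSTED"    report &&  # Untrusted stays reported, as intended
    check lowercase    "$LOWERCASE"    report     # only uppercase hex digits are accepted
}

main
```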