Skip to content

fix: harden Haraka TLS (renegotiation DoS + untrusted cert chain)#8

Draft
taobojlen wants to merge 1 commit into
mainfrom
fix/tls-renegotiation-and-cert-chain
Draft

fix: harden Haraka TLS (renegotiation DoS + untrusted cert chain)#8
taobojlen wants to merge 1 commit into
mainfrom
fix/tls-renegotiation-and-cert-chain

Conversation

@taobojlen

@taobojlen taobojlen commented Jul 4, 2026

Copy link
Copy Markdown
Member

Summary

Fixes two security scanner findings on app.shroud.email:25 (the Haraka SMTP TLS path):

1. Client-initiated TLS renegotiation (DoS)

haraka/haraka_config/config/tls.ini — set secureOptions=1073741824 (=crypto.constants.SSL_OP_NO_RENEGOTIATION). Haraka's tls_socket.js passes secureOptions from tls.ini [main] straight to tls.createSecureContext / TLSSocket, so this refuses renegotiation on every STARTTLS upgrade (ports 25 and 465), closing the CPU-exhaustion vector where an attacker forces repeated handshakes.

2. Untrusted certificate on port 25

cron/bundle_certs.sh + cron/Dockerfile — the daily bundle appended a hardcoded, now-expired Let's Encrypt intermediate (lets-encrypt-r4.pem, expired 2025-09-15) to Caddy's fullchain, producing leaf + correct_intermediate + expired_R4 → broken chain → untrusted. Caddy's {domain}.crt is already the full chain (leaf + intermediates); copy it verbatim and delete the stale intermediate. Also:

  • Run the bundle at container startup (not only daily) so a fresh pem_certs volume is populated before Haraka's first STARTTLS.
  • No-op gracefully (exit 0) when Caddy hasn't issued yet, so a cold boot where ACME is still running doesn't crash crond.

Test plan

  • docker compose build cron && docker compose up -d --build cron haraka — verify Haraka starts and presents a valid chain on port 25.
  • openssl s_client -starttls smtp -connect app.shroud.email:25 -showcerts </dev/null | openssl x509 -noout -issuer -subject — issuer is a current Let's Encrypt intermediate (R10/R11), not R4.
  • openssl s_client -starttls smtp -connect app.shroud.email:25 -CAfile /etc/ssl/cert.pem -verify_return_error </dev/nullVerify return code: 0 (ok).
  • Renegotiation refused: a forced renegotiation (printf 'R\n' | openssl s_client -starttls smtp -connect app.shroud.email:25) returns an alert/reset while the initial handshake still succeeds.
  • Re-run the scanner against app.shroud.email:25; both findings clear.

Notes

  • No hardcoded intermediate to maintain going forward — Caddy owns the chain, including future rotations (R10→R11→…).
  • secureOptions does not inherit into Haraka's [outbound] section, but renegotiation isn't a DoS risk on outbound (we're the client), so this is intentional.

Review in cubic

Two scanner findings on app.shroud.email:25, both in the SMTP (Haraka)
TLS path:

1. Client-initiated TLS renegotiation allowed (DoS). Haraka tls_socket
   passes secureOptions from tls.ini [main] straight to
   tls.createSecureContext. Set secureOptions=1073741824
   (crypto.constants.SSL_OP_NO_RENEGOTIATION) to refuse renegotiation,
   closing the CPU-exhaustion vector.

2. Untrusted certificate presented on port 25. The daily cron bundle
   appended a hardcoded, now-expired intermediate (lets-encrypt-r4.pem,
   expired 2025-09-15) to Caddy fullchain, producing a broken chain.
   Caddy {domain}.crt is already leaf + intermediates; copy it verbatim
   and drop the stale intermediate. Also run the bundle at container
   startup (not only daily) so a fresh pem_certs volume is populated
   before Haraka first STARTTLS, and no-op gracefully when Caddy has not
   issued yet.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant