On Tue, Sep 02, 2014 at 02:03:05PM +0100, Jeremy Harris wrote:
> Viktor has, I think, opined that the builtin support
> in GnuTLS for DANE is insufficient; possibly we should
> try to use the same library (basically Viktor's code)
> for both.
The DANE support in GnuTLS does not handle DANE-TA(2) where the
trust-anchor is not the immediate issuer of the leaf certificate.
It also predates the new requirement to not enforce the expiration
date or hostname found in the leaf certificate for DANE-EE(3) as
these are already handled (much better) in DNSSEC. There may be
other issues, those were the easy ones I found when reading the
code a year or so ago.
My library depends on OpenSSL internals, I don't know how much work
is required to port/rewrite it for GnuTLS. Perhaps a better approach
is to contact the GnuTLS dane add-on maintainer, and see if he or
she would be interested in updating/improving the code.
--
Viktor.
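To make the two defects named above concrete, here is an added illustration of the TLSA matching logic from RFC 6698 / RFC 7671 in Python. It is not Viktor's library, nor the GnuTLS dane code; certificates are stand-in records with constructed bytes (no DER parsing, no signature verification; issuer/subject linkage stands in for path validation). It shows a DANE-TA(2) record that names a trust anchor two hops above the leaf (which the chain walk must accept), and a DANE-EE(3) match that succeeds despite an expired leaf and a non-matching hostname, while the same chain fails under DANE-TA(2), where PKIX checks still apply.

```python
"""Toy DANE (RFC 6698 / RFC 7671) TLSA matcher: DANE-TA(2) must accept a
trust anchor anywhere in the presented chain, and DANE-EE(3) must not
enforce expiry or hostname. Added example, not the GnuTLS or OpenSSL code."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 certificate; real code parses DER.
    subject: str
    issuer: str
    der: bytes          # whole certificate (selector 0)
    spki: bytes         # SubjectPublicKeyInfo (selector 1)
    not_after: datetime
    names: tuple = ()   # SAN dNSNames


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (PKIX-TA/PKIX-EE not modelled)
    selector: int   # 0 = Cert, 1 = SPKI
    mtype: int      # 0 = Full, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


def tlsa_matches(cert: Cert, rr: TLSA) -> bool:
    """Compare the selected part of the certificate against the record."""
    if rr.selector == 0:
        blob = cert.der
    elif rr.selector == 1:
        blob = cert.spki
    else:
        return False  # unknown selector: record is unusable, ignore it
    if rr.mtype == 0:
        return blob == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(blob).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(blob).digest() == rr.data
    return False      # unknown matching type: ignore the record


def _pkix_ok(chain, ta_index, hostname, now):
    """Stand-in for PKIX path validation up to chain[ta_index]: issuer/subject
    linkage, expiry of every cert on the path, and a leaf name check.
    Signature verification is deliberately omitted in this toy."""
    path = chain[:ta_index + 1]
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            return False
    if any(c.not_after < now for c in path):
        return False
    return hostname in chain[0].names


def dane_verify(chain, rrset, hostname, now):
    """Return a description of the TLSA record that authenticated the chain,
    or None if no usable record matched."""
    leaf = chain[0]
    # DANE-EE(3): match the leaf only. Expiry and name are ignored because the
    # DNSSEC-signed TLSA record already binds this key to this name (RFC 7671).
    for rr in rrset:
        if rr.usage == 3 and tlsa_matches(leaf, rr):
            return "DANE-EE(3)"
    # DANE-TA(2): the trust anchor may be any certificate in the chain, not
    # just the leaf's immediate issuer; the path below it still gets PKIX checks.
    for rr in rrset:
        if rr.usage != 2:
            continue
        for i, cert in enumerate(chain):
            if tlsa_matches(cert, rr) and _pkix_ok(chain, i, hostname, now):
                return f"DANE-TA(2) anchored at {cert.subject}"
    return None


# Constructed sample data (not real certificates): a three-level chain.
NOW = datetime(2014, 9, 2, tzinfo=timezone.utc)
PAST = datetime(2014, 1, 1, tzinfo=timezone.utc)
FUTURE = datetime(2015, 1, 1, tzinfo=timezone.utc)


def _cert(subject, issuer, not_after, names=()):
    return Cert(subject, issuer, f"cert:{subject}".encode(),
                f"spki:{subject}".encode(), not_after, names)


ROOT = _cert("Example Root", "Example Root", FUTURE)
INTER = _cert("Example Issuing CA", "Example Root", FUTURE)
LEAF = _cert("mail.example", "Example Issuing CA", FUTURE, ("mail.example",))
EXPIRED_LEAF = _cert("mail.example", "Example Issuing CA", PAST, ("mail.example",))
CHAIN = [LEAF, INTER, ROOT]
EXPIRED_CHAIN = [EXPIRED_LEAF, INTER, ROOT]


def sha256_rr(usage, selector, cert):
    """Build a '<usage> <selector> 1 <sha256>' record for the given cert."""
    blob = cert.der if selector == 0 else cert.spki
    return TLSA(usage, selector, 1, hashlib.sha256(blob).digest())


RR_TA_ROOT = sha256_rr(2, 1, ROOT)   # "2 1 1 ...": TA two hops above the leaf
RR_EE_LEAF = sha256_rr(3, 1, LEAF)   # "3 1 1 ...": leaf key itself

if __name__ == "__main__":
    print(dane_verify(CHAIN, [RR_TA_ROOT], "mail.example", NOW))
    print(dane_verify(EXPIRED_CHAIN, [RR_EE_LEAF], "other.example", NOW))
    print(dane_verify(EXPIRED_CHAIN, [RR_TA_ROOT], "mail.example", NOW))
```

The first call succeeds only because the chain walk tries every certificate as a candidate anchor rather than just chain[1]; the second succeeds even though the leaf is expired and the name does not match; the third fails because DANE-TA(2) still subjects the path below the anchor to the usual PKIX checks.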