Re: [exim] Next Exim release

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Viktor Dukhovni
Fecha:  
A: exim-users
Asunto: Re: [exim] Next Exim release
On Sun, Dec 13, 2015 at 10:24:29PM +0000, Jeremy Harris wrote:

> > Well, I'd like to see DANE fully supported. Did you ever get a
> > chance to integrate the latest version ssl_dane library from github?
>
> After a lot of fighting git, yes.


Thanks.

> Passes the initial Exim testsuite run with one minor difference:
>
>
> 1999-03-02 09:44:33 Start queue run: pid=pppp -qf
> 1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
> 1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
> +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
> 1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
> 1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
> 1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
>
> ... there's yet another verify callback now.


Is that a bug report? Or just a cosmetic difference? The only
thing that comes to mind is that you have a newer OpenSSL which
which makes more callbacks than before:

    /*
     * Satisfy at least one usage 0 or 1 constraint, unless we've already
     * matched a usage 2 trust anchor.
     *
     * XXX: internal_verify() doesn't callback with top certs that are not
     * self-issued.  This should be fixed in a future OpenSSL.
     */
    if (dane->roots && sk_X509_num(dane->roots)) {
        X509 *top = sk_X509_value(ctx->chain, dane->depth);


        dane->mdpth = dane->depth;
        dane->match = top;
        X509_up_ref(top);


    #ifndef NO_CALLBACK_WORKAROUND


        if (X509_check_issued(top, top) != X509_V_OK) {
        ctx->error_depth = dane->depth;
        ctx->current_cert = top;
        if (!cb(1, ctx))
            return 0;
        }
    #endif


in which case I need to figure out which OPENSSL_VERSION_NUMBER
test should replace "NO_CALLBACK_WORKAROUND". Though with this as
the reason, I would have expected the "extra" callback to have a
depth higher than 0. What version of the library where you using
previously (git commit id).

> It's a pity GnuTLS isn't usable too. As I said previously, I'd
> like to maintain parity between the two environments if at all
> possible. On the other hand, I want DANE out there...


I may be able to do something about that at some point in 2016.

-- 
    Viktor.