Re: [exim-dev] [exim] Next Exim release

Página superior
Este mensaje es parte del siguiente hilo:
MEl árbol completo de hilos, ordenados por fecha
M\Jeremy Harris, mensaje del <-
MMViktor Dukhovni, mensaje del ->
Eliminar este mensaje
Responder a este mensaje
Autor: Viktor Dukhovni
Fecha:  
A: exim-dev
Asunto: Re: [exim-dev] [exim] Next Exim release
On Mon, Dec 14, 2015 at 07:37:54PM +0000, Jeremy Harris wrote: 

> ; full MX, sha256, TA-mode
> DNSSEC mxdane256ta          MX  1  dane256ta
> DNSSEC dane256ta            A      HOSTIPV4
> DNSSEC _1225._tcp.dane256ta TLSA 2 0 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4

Are you sure that's a "2 0 1", the valid TLSA records for that
chain are: 

    ; Depth 0, subject= CN = server1.example.com
    3 0 1 9f543e9337a8ef9d670d245e188bac9a9f75619a4b11307cb915677f2ec9fda9
    3 1 1 16f02c566f0154d8866cdfe62f71f8f596213f54d7759064c6800526d88b9c54
    3 0 2 e249af2dd469cddb7a56348502b5f217341c00b030ed6c7222fea22ca86ccdc4a5f3baef8b4882a0056ed4b09dbcbbc974fae041f6d9f57bd478c1f380a6eea7
    3 1 2 e8c8684c50360b661ea20fa66b4e1520f7469832f1d2e380a0e7320d0ba00efc0c5a37a9da08df8cf894c2473ff2ba907f785e3ac23665af073d616276a1b24a


    ; Depth 1, subject= O = example.com, CN = clica Signing Cert
    2 0 1 b844341b5f370b3c4d1d327d87266ed81c2a594e5cf777143406b62abe5161f4
    2 1 1 3276355715f866cda0ed33f5ff14147626bb1a361ba7b06f1b243df23575be40
    2 0 2 955f15e63bba155ca5997e72d61df8c839332d0b841559a943db29fcb8bdc4b9560c03d369a442c22c9d0b42f9a3b2bb1dd29b4f267af1a2ed94d9e7aeae1ed5
    2 1 2 037be3ca5698dd81fe21b08487e62e6be67a3332a4b17a2726a3dc58e1fc84d3242045e12594aa9999b887281d2e8317a35b425e71c4e3285a6d9604b1b4ed13


    ; Depth 2, subject= O = example.com, CN = clica CA
    2 0 1 72f0326cc46e7e49d002b44cfce53f0f4b54a765944f9fa6f4d8f2e510478829
    2 1 1 b2c6f27f2d16390b4f71cacc69742bf610d750534fab240516c0f2deb4042ad4
    2 0 2 738750d9b3a7c815cb9215b664f9010181d9c989ef67e107e069f42eee800d412e2593ed9a67ae8024aa09e7a17cca20a164d359190ae9a2d0739aa3bc8d8a5f
    2 1 2 eae361f1b6997b89a72229550f9b205a77de36b6c3cc335c502eff9f5e3bcd916619b782b3532370d4ac8d30144091ed09760f941bc7188b5eb6ebae1c439b55


And the digest in question is a "2 1 1" public key digest, not a
"2 0 1" certificate digest. When I designate this as "2 1 1" the
callbacks are: 

    depth=2 verify=1 err=0 subject=/O=example.com/CN=clica CA
    depth=1 verify=1 err=0 subject=/O=example.com/CN=clica Signing Cert
    depth=0 verify=1 err=0 subject=/CN=server1.example.com


When I call it "2 1 1" I get: 

    depth=2 verify=0 err=19 subject=/O=example.com/CN=clica CA
    depth=0 verify=0 err=27 subject=/CN=server1.example.com
    depth=2 verify=1 err=27 subject=/O=example.com/CN=clica CA
    depth=1 verify=1 err=27 subject=/O=example.com/CN=clica Signing Cert
    depth=0 verify=1 err=27 subject=/CN=server1.example.com


    # define         X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN            19
    # define         X509_V_ERR_CERT_UNTRUSTED                       27


So this is a failure case, not a success case. The first two calls
report early errors uncovered before walking the links in the chain,
and the last three walk the chain looking for errors with signatures
or expiration times. That's why you see depth=0 twice.

What's not yet obvious is why there's a new error report at depth
0, before the chain walk begins. I'll see whether that's "my
fault", or OpenSSL's. 

-- 
    Viktor.


Este mensaje se envió a las siguientes listas de correo:
Exim-dev
Información de la lista de correo | Mensajes cercanos		<-Re: [exim-dev] [exim] Next Exim releaseRe: [exim-dev] [exim] Next Exim release->
Tahini and Hummus and Cumin Development Archives administrado por cumin AdminsLurker (versión 2.3)