Re: [exim-dev] [Bug 2198] New: DANE TLSA cert usage type 2 f…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2198] New: DANE TLSA cert usage type 2 fails depending on the OpenSSL library


> On Nov 22, 2017, at 6:17 PM, admin@??? wrote:
>
> https://bugs.exim.org/show_bug.cgi?id=2198
>
>            Bug ID: 2198
>           Summary: DANE TLSA cert usage type 2 fails depending on the
>                    OpenSSL library
>           Product: Exim
>           Version: 4.89
>          Hardware: x86-64
>                OS: Linux
>            Status: NEW
>          Severity: bug
>          Priority: medium
>         Component: TLS
>          Assignee: jgh146exb@???
>          Reporter: hs@???
>                CC: exim-dev@???
>
> Depending on the OpenSSL lib Exim is linked with, the DANE verification fails
> if the TLSA record has "cert usage" 2 (as used by excalibur.iks-jena.de)
>
> The following observation is valid for Debian systems, I'm not sure if other
> Distros behave the same:
>
> 1.0.1t fails (Debian 7)
> 1.1.0f is ok (Debian 9)
Sounds like Exim needs this commit:

https://github.com/vdukhovni/ssl_dane/commit/d9767f2fc78dbaf990c18df00bf17fd0c2ee2baa

without it indeed 1.0.1 can fail with usage 2 TLSA records, while
1.0.2 and 1.1.0 work fine. Of course by this point Exim users should
really not be using the EOL 1.0.1 release.

-- 
    Viktor.
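The distinction this thread turns on is what a TLSA "certificate usage" value tells the verifier to match: usage 3 (DANE-EE) is checked against the server's own certificate, while usage 2 (DANE-TA) names a CA certificate that must appear in the presented chain as the issuer. The following is an added illustration written for this page, not code from Exim, from ssl_dane, or from the thread's participants. It implements the TLSA matching step of RFC 6698/7671 for usages 2 and 3 with the standard library only; the "DER" blobs are constructed placeholder bytes, not real certificates, and only selector 0 (full certificate) is handled, since selector 1 (SubjectPublicKeyInfo) would need ASN.1 parsing. X.509 path validation from the matched anchor is assumed to be done elsewhere.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    """One TLSA record: usage, selector, matching type, association data."""
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA in DNS wire format: three octets then the data."""
    if len(rdata) < 3:
        raise ValueError("TLSA rdata too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def matching_data(cert_der: bytes, rec: TLSA) -> bytes:
    """Derive the bytes a certificate contributes for comparison with rec.data."""
    if rec.selector != 0:
        # Selector 1 needs the SPKI extracted from the DER; out of scope here.
        raise NotImplementedError("only selector 0 (full cert) supported")
    if rec.mtype == 0:
        return cert_der
    if rec.mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if rec.mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError("unknown matching type %d" % rec.mtype)


def dane_match(chain: Sequence[bytes], records: Sequence[TLSA]
               ) -> Tuple[bool, Optional[int], Optional[int]]:
    """Return (matched, usage, chain_index) for the first record that matches.

    chain[0] is the end-entity certificate; chain[1:] are the issuers the
    server presented, leaf first.  Usage 3 is compared against the leaf only;
    usage 2 is compared against every issuer certificate, because the record
    identifies a trust anchor, not the server certificate.  Usages 0 and 1
    additionally require PKIX validation and are skipped here.
    """
    for rec in records:
        if rec.usage == 3:
            candidates = [(0, chain[0])]
        elif rec.usage == 2:
            candidates = list(enumerate(chain))[1:]
        else:
            continue
        for idx, cert in candidates:
            if matching_data(cert, rec) == rec.data:
                return True, rec.usage, idx
    return False, None, None


# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF_DER = b"constructed-leaf-certificate-der"
ISSUER_DER = b"constructed-issuer-ca-certificate-der"
CHAIN: List[bytes] = [LEAF_DER, ISSUER_DER]

# Constructed wire-format TLSA rdata: "2 0 1 <sha256(issuer)>" and "3 0 1 <sha256(leaf)>".
TA_RDATA = bytes([2, 0, 1]) + hashlib.sha256(ISSUER_DER).digest()
EE_RDATA = bytes([3, 0, 1]) + hashlib.sha256(LEAF_DER).digest()
# A usage-3 record carrying the issuer digest: should not match, since DANE-EE
# is only ever compared against the leaf.
WRONG_USAGE_RDATA = bytes([3, 0, 1]) + hashlib.sha256(ISSUER_DER).digest()


if __name__ == "__main__":
    print(dane_match(CHAIN, [parse_tlsa_rdata(TA_RDATA)]))           # (True, 2, 1)
    print(dane_match(CHAIN, [parse_tlsa_rdata(EE_RDATA)]))           # (True, 3, 0)
    print(dane_match(CHAIN, [parse_tlsa_rdata(WRONG_USAGE_RDATA)]))  # (False, None, None)
```

The third case is the one worth keeping in mind when a "2 x x" record fails to verify: the association data of a DANE-TA record never matches the server certificate itself, so a verifier that only compares records against the leaf will reject every usage-2 record even though the chain is fine.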