Re: [exim-dev] [Bug 2198] New: DANE TLSA cert usage type 2 f…

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Viktor Dukhovni
Data:  
Para: exim-dev
Assunto: Re: [exim-dev] [Bug 2198] New: DANE TLSA cert usage type 2 fails depending on the OpenSSL library


> On Nov 22, 2017, at 6:17 PM, admin@??? wrote:
>
> https://bugs.exim.org/show_bug.cgi?id=2198
>
>            Bug ID: 2198
>           Summary: DANE TLSA cert usage type 2 fails depending on the
>                    OpenSSL library
>           Product: Exim
>           Version: 4.89
>          Hardware: x86-64
>                OS: Linux
>            Status: NEW
>          Severity: bug
>          Priority: medium
>         Component: TLS
>          Assignee: jgh146exb@???
>          Reporter: hs@???
>                CC: exim-dev@???

>
> Depending on the OpenSSL lib Exim is linked with, the DANE verification fails
> if the TLSA record has "cert usage" 2 (as used by excalibur.iks-jena.de)
>
> The following observation is valid for Debian systems, I'm not sure if other
> Distros behave the same:
>
> 1.0.1t fails (Debian 7)
> 1.1.0f is ok (Debian 9)


Sounds like Exim needs this commit:

https://github.com/vdukhovni/ssl_dane/commit/d9767f2fc78dbaf990c18df00bf17fd0c2ee2baa

without it indeed 1.0.1 can fail with usage 2 TLSA records, while
1.0.2 and 1.1.0 work fine. Of course by this point Exim users should
really not be using the EOL 1.0.1 release.

-- 
    Viktor.