Re: [exim] Exim & DANE .. status ?

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Exim & DANE .. status ?


> On May 22, 2018, at 12:09 PM, Cyborg via Exim-users <exim-users@???> wrote:
>
> So, whats the status of DANE for Exim?
>
> Any useful self-explaining examples at hand? :)


Have you looked at:

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECDANE

One small correction to the text below:

If a private CA is used then either all clients must
be primed with it, or (probably simpler) the server TLS
handshake must transmit the entire certificate chain from
CA to server-certificate. If a public CA is used then all
clients must be primed with it (losing one advantage of
DANE) - but the attack surface is reduced from all public
CAs to that single CA.

The DANE implementation in both Postfix and Exim (at least
when OpenSSL is used, not sure about GnuTLS) ignores the
local CA trust store when building chains for DANE-TA(2)
verification. The trust-anchor certificate MUST be part
of the certificate chain provided by the server. This is
consistent with:

https://tools.ietf.org/html/rfc7671#section-5.2.2

-- 
    Viktor.
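The chain-building rule described above, as an added example that is not part of the original message nor code from Exim or Postfix: a small Go program (standard library only) that builds a "2 1 1" TLSA record for a private CA, then verifies a server's presented chain the way RFC 7671 section 5.2.2 requires, using only certificates the server sent as candidate trust anchors and never the local CA store. The private CA, the server certificate and the host name `mx.example` are constructed test data generated at run time; the function names `TLSAForTA`, `Matches`, `VerifyDANETA` and `NewTestPKI` are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the rdata fields of a TLSA record (RFC 6698 section 2.1).
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// RData renders the record as it would appear in a zone file, e.g. "2 1 1 <hex>".
func (r TLSA) RData() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
}

// TLSAForTA builds a "2 1 1" record (DANE-TA, SubjectPublicKeyInfo, SHA-256) for a CA certificate.
func TLSAForTA(ca *x509.Certificate) TLSA {
	sum := sha256.Sum256(ca.RawSubjectPublicKeyInfo)
	return TLSA{Usage: 2, Selector: 1, MatchingType: 1, Data: sum[:]}
}

// Matches reports whether a certificate matches the record. Selector 0 covers the full DER
// certificate, selector 1 the SubjectPublicKeyInfo; matching type 0 is exact, 1 is SHA-256.
// Matching type 2 (SHA-512) is left out to keep the example short.
func Matches(c *x509.Certificate, r TLSA) bool {
	d := c.Raw
	if r.Selector == 1 {
		d = c.RawSubjectPublicKeyInfo
	}
	switch r.MatchingType {
	case 0:
		return bytes.Equal(d, r.Data)
	case 1:
		sum := sha256.Sum256(d)
		return bytes.Equal(sum[:], r.Data)
	}
	return false
}

// VerifyDANETA applies the RFC 7671 section 5.2.2 rule: the trust anchor must be found among
// the certificates the server presented, and the local CA store is never consulted.
// presented[0] is the server certificate; the rest are whatever issuers the server sent.
func VerifyDANETA(presented []*x509.Certificate, r TLSA, name string) error {
	if r.Usage != 2 {
		return fmt.Errorf("usage %d is not DANE-TA(2)", r.Usage)
	}
	if len(presented) == 0 {
		return errors.New("empty chain")
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	anchorFound := false
	for _, c := range presented[1:] {
		if Matches(c, r) {
			roots.AddCert(c) // the TLSA-matched cert is the only root we accept
			anchorFound = true
		} else {
			inter.AddCert(c) // anything else the server sent may only serve as an intermediate
		}
	}
	if !anchorFound {
		return errors.New("DANE-TA(2): no presented certificate matches the TLSA trust anchor")
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName: name, Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NewTestPKI creates a private CA and a server certificate it signed (constructed test data).
func NewTestPKI(host string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	if ca, err = x509.ParseCertificate(caDER); err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil { return nil, nil, err }
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

func main() {
	ca, leaf, err := NewTestPKI("mx.example")
	if err != nil { panic(err) }
	rec := TLSAForTA(ca)
	fmt.Println("_25._tcp.mx.example. IN TLSA", rec.RData())
	// Full chain: the anchor is present in what the server sent, so verification succeeds.
	fmt.Println("leaf+CA:", VerifyDANETA([]*x509.Certificate{leaf, ca}, rec, "mx.example"))
	// Leaf only: a web-PKI client might fill the gap from its local store; a DANE client does not.
	fmt.Println("leaf only:", VerifyDANETA([]*x509.Certificate{leaf}, rec, "mx.example"))
}
```

The second call in `main` is the case the correction above is about: a server that relies on clients already being primed with the private CA sends only its own certificate, and a DANE-TA(2) verifier rejects it, so the CA certificate has to be part of the chain the server transmits.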