Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificate


> On Sep 7, 2018, at 3:33 AM, Jan Ingvoldstad via Exim-users <exim-users@???> wrote:
>
> Please, if you have not already done so, file a bug report with Debian,
> this is a pretty major bug.


Until there's either a fix in GnuTLS (Nikos Mavrogiannopoulos can get in touch
with me if there are questions), or a work-around in Exim that disables DANE
for domains with DANE-TA(2) records when linked with GnuTLS (supporting only
domains that use DANE-EE(3)), the only alternative is to disable DANE support in
Exim when linked with GnuTLS.

Though Debian may not be in a position to fix DANE-TA(2) support in Exim+GnuTLS,
they may of course be able to bring it to the attention of the appropriate
GnuTLS developers. This is ultimately a GnuTLS issue.

While GnuTLS are looking at this, they should also implement a DANE
verification option that allows hostname checks in the EE certificate
to be skipped when matching DANE-EE(3) TLSA records. This is safe
and needed for SMTP. It can run into a subtle issue with cross-origin
policy for web browsing in HTTPS, so the checks need to be on by default,
with the application able to selectively disable them when appropriate.

-- 
    Viktor.
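The distinction the message turns on (DANE-EE(3) is matched against the server's own certificate with no name check, while DANE-TA(2) requires a chain to the matched trust anchor plus the usual host-name check) is shown below in a small Go verifier. This is an added example, not code from Exim, GnuTLS or the author of the message; it uses only the Go standard library and follows the SMTP rules of RFC 7672 for the two usages. The MX host name "mx.example.org", the second host name "smtp.example.net", and the self-signed CA plus leaf certificate it mints at start-up are constructed fixture data standing in for what a real server would present in its TLS handshake. Two simplifications are assumptions of the example: a DANE-TA(2) anchor is only looked for among the certificates the server actually sent, and PKIX-TA(0)/PKIX-EE(1) records are ignored, as RFC 7672 treats them as unusable for SMTP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA is one DANE record: certificate usage, selector, matching type and association data.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// tlsaData derives cert's association data (selector 0 = full cert, 1 = SPKI; type 0 = exact, 1 = SHA-256).
func tlsaData(cert *x509.Certificate, selector, mtype uint8) []byte {
	if selector > 1 || mtype > 1 {
		return nil // unusable parameters: such a record is ignored
	}
	blob := [][]byte{cert.Raw, cert.RawSubjectPublicKeyInfo}[selector]
	if mtype == 0 {
		return blob
	}
	sum := sha256.Sum256(blob)
	return sum[:]
}

func matches(cert *x509.Certificate, r TLSA) bool {
	return len(r.Data) > 0 && string(tlsaData(cert, r.Selector, r.MatchingType)) == string(r.Data)
}

// verifyDANE checks the chain the server presented (chain[0] is its leaf) against the TLSA RRset
// with SMTP semantics: DANE-EE(3) matches the leaf alone, with no chain building and no host name
// check; DANE-TA(2) needs a matching presented certificate, a valid chain from the leaf up to that
// anchor, and the expected host name in the leaf. PKIX-TA(0) and PKIX-EE(1) are ignored for SMTP.
func verifyDANE(chain []*x509.Certificate, records []TLSA, host string) error {
	if len(chain) == 0 {
		return fmt.Errorf("no certificate presented")
	}
	leaf, inters := chain[0], x509.NewCertPool()
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	for _, r := range records {
		if r.Usage == 3 && matches(leaf, r) {
			return nil // DANE-EE: the matched key is the peer's identity; nothing more to check
		}
		for _, ta := range chain {
			if r.Usage != 2 || !matches(ta, r) {
				continue // not a DANE-TA match (covers usages 0 and 1, unusable for SMTP)
			}
			roots := x509.NewCertPool()
			roots.AddCert(ta) // the matched certificate becomes the sole trust anchor
			if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host}); err == nil {
				return nil
			}
		}
	}
	return fmt.Errorf("no usable TLSA record matched the presented chain")
}

// mustMint signs tmpl under parent and parses the result (fixture helper; panics on failure).
func mustMint(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER freshly produced by CreateCertificate always parses
	return c
}

// buildFixture mints a constructed self-signed CA plus a leaf for host issued by it, standing in
// for the chain a real MX would send in its TLS handshake; returns [leaf, ca].
func buildFixture(host string) []*x509.Certificate {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Mail CA"}, IsCA: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustMint(caTmpl, caTmpl, caPub, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	return []*x509.Certificate{mustMint(leafTmpl, ca, leafPub, caKey), ca}
}

func main() {
	chain := buildFixture("mx.example.org") // assumed MX host name for the constructed fixture
	ee, ta := TLSA{3, 1, 1, tlsaData(chain[0], 1, 1)}, TLSA{2, 1, 1, tlsaData(chain[1], 1, 1)}
	for _, h := range []string{"mx.example.org", "smtp.example.net"} {
		fmt.Println(h, "EE:", verifyDANE(chain, []TLSA{ee}, h), "TA:", verifyDANE(chain, []TLSA{ta}, h))
	}
}
```

Running it shows the asymmetry: with the "3 1 1" record both host names verify, because the SPKI digest in DNS already binds the key to the owner of the name; with the "2 1 1" record only "mx.example.org" verifies, since the anchor vouches for whatever it signs and the name check is what ties the leaf to the MX. A verifier that applies the name check to DANE-EE(3) as well (the GnuTLS option the message asks for) would only reject legitimate servers that publish a bare key digest.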