Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Andreas Metzler
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificate
On 2018-09-07 Viktor Dukhovni via Exim-users <exim-users@???> wrote:
[...]
> Until there's either a fix in GnuTLS (Nikos Mavrogiannopoulos can get in touch
> with me if there are questions), or a work-around in Exim that disables DANE
> for domains with DANE-TA(2) records when linked with GnuTLS (supporting only
> domains that use DANE-EE(3)), the only alternative is to disable DANE support in
> Exim when linked with GnuTLS.

[...]

Hello,

Are you positive that this is a problem in GnuTLS and not a problem
in exim's usage of gnutls-dane?

Asking, since
danetool --check=lists.gentoo.org --proto tcp --starttls-proto=smtp
succeeds. (I have verified that this succeeds without local truststore,
i.e. when "gnutls-cli --starttls-proto=smtp lists.gentoo.org" throws a
verification error.)

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'