Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificate


> On Sep 7, 2018, at 1:32 PM, Andreas Metzler via Exim-users <exim-users@???> wrote:
>
> Are you positive that this is a problem in GnuTLS and not a problem
> in exim's usage of gnutls-dane?
>
> Asking, since
> danetool --check=lists.gentoo.org --proto tcp --starttls-proto=smtp
> succeeds. (I have verified that this succeeds without local truststore,
> i.e. when "gnutls-cli --starttls-proto=smtp lists.gentoo.org" throws a
> verification error.)


Is your Exim linked with GnuTLS or OpenSSL? Perhaps the version of GnuTLS
matters. I can confirm that danetool for GnuTLS 3.5.19 verifies lists.gentoo.org
without accessing the local trust store. What version of GnuTLS is on the
systems having problems?

Exim has to work with lower-level APIs than those used by danetool, in order to
skip namechecks for DANE-EE(3). I can't speak to the correctness of Exim's
use of the GnuTLS DANE API. I am not sufficiently familiar with either
the Exim code or GnuTLS.

-- 
    Viktor.
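Viktor's point that DANE-EE(3) needs no name check while DANE-TA(2) needs a chain to the trust anchor, as an added Python example (not Exim's, GnuTLS's or the author's code); the Cert and TLSA classes, the sample certificates and the sig_ok flag that stands in for real signature verification are all constructed for the illustration.

```python
"""Added example: TLSA matching and the per-usage checks of RFC 6698/7671 for
DANE-TA(2) versus DANE-EE(3). Certificates are constructed stand-ins."""
import hashlib
from dataclasses import dataclass

DANE_TA = 2  # usage 2: a matched cert must be an issuer of the leaf
DANE_EE = 3  # usage 3: the leaf itself must match; no name or chain check


@dataclass(frozen=True)
class Cert:
    der: bytes            # stand-in for the DER-encoded certificate
    spki: bytes           # stand-in for its SubjectPublicKeyInfo
    names: frozenset      # DNS names the certificate asserts
    sig_ok: bool = True   # stand-in: signature verifies under the next cert's key


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """The bytes a TLSA record carries for this cert with these parameters."""
    selected = cert.der if selector == 0 else cert.spki
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[matching_type]
    return digest(selected)


def tlsa_matches(rr: TLSA, cert: Cert) -> bool:
    return association_data(cert, rr.selector, rr.matching_type) == rr.data


def dane_verify(rrs, chain, peer_name) -> bool:
    """chain is leaf-first. True if any TLSA record authenticates the peer."""
    leaf = chain[0]
    for rr in rrs:
        if rr.usage == DANE_EE and tlsa_matches(rr, leaf):
            return True  # RFC 7671 s5.1: no name check, no PKIX chain
        if rr.usage == DANE_TA:
            for i in range(1, len(chain)):
                # Certs below the matched issuer must be properly signed and
                # the leaf must still carry the peer's name (RFC 7671 s5.2).
                if (tlsa_matches(rr, chain[i]) and all(c.sig_ok for c in chain[:i])
                        and peer_name in leaf.names):
                    return True
    return False
```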