Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Klaus Ethgen
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificate
Hi,

for my installation I can assure that exim is linked to gnutls
(libgnutls-dane0 + libgnutls30, currently installed with version 3.5.8).

After installing gnutls-bin (and for the undocumented dependencies
dns-root-data) and disabling of the root certificate, dane verifies
without problems with danetool:

Resolving 'lists.gentoo.org:smtp'...
Obtaining certificate from '208.92.234.80:25'...
Querying DNS for lists.gentoo.org (tcp:25)...

   ==== Entry 1 ====
   _25._tcp.lists.gentoo.org. IN TLSA ( 02 01 01 563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b )
   Certificate usage: Local CA (02)
   Certificate type:  SubjectPublicKeyInfo (01)
   Contents:         SHA2-256 hash (01)
   Data:         563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b


Verification: Certificate matches.

   ==== Entry 2 ====
   _25._tcp.lists.gentoo.org. IN TLSA ( 02 01 01 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18 )
   Certificate usage: Local CA (02)
   Certificate type:  SubjectPublicKeyInfo (01)
   Contents:         SHA2-256 hash (01)
   Data:         60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18


Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus@???>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
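
What a match on a "2 1 1" TLSA record like the ones in the danetool output above involves, as an added example that is not part of the original message and is not Exim, GnuTLS or danetool code: hash the SubjectPublicKeyInfo of each certificate the server presents and compare it with the record's data. All function names are assumptions of this example, and fake_cert() builds constructed, cert-shaped DER as sample input rather than a real certificate.

```python
import hashlib

def tlv(buf, pos):
    """Read the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = length byte count
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return tag, start, start + length

def spki_der(cert):
    """Return the DER SubjectPublicKeyInfo (header included) of an X.509 cert."""
    _, pos, _ = tlv(cert, 0)                 # Certificate
    _, pos, _ = tlv(cert, pos)               # TBSCertificate
    tag, _, after = tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = after
    for _field in range(5):                  # serial, sigAlg, issuer, validity, subject
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def parse_tlsa(line):
    """Parse 'name IN TLSA ( usage selector mtype hex )' into a 4-tuple."""
    f = line.split("TLSA", 1)[1].replace("(", " ").replace(")", " ").split()
    return int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).lower()

def tlsa_matches(tlsa, cert):
    _usage, selector, mtype, data = tlsa
    blob = spki_der(cert) if selector == 1 else cert    # 0 = full cert, 1 = SPKI
    if mtype == 0:                                      # 0 = exact, 1 = SHA-256, 2 = SHA-512
        return blob.hex() == data
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).hexdigest() == data

def first_match(tlsa, chain):
    """Index of the first presented certificate the record matches, else None."""
    # Usages 1 and 3 pin the end-entity cert only; 0 and 2 may match any chain element.
    candidates = chain[:1] if tlsa[0] in (1, 3) else chain
    return next((i for i, c in enumerate(candidates) if tlsa_matches(tlsa, c)), None)

def der(tag, body):                          # sample-data helper, short lengths only
    return bytes([tag, len(body)]) + body

def fake_cert(key):
    """Constructed, cert-shaped DER (not a valid certificate) around `key`."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00\xaa"))
```

With usage 2 the record can only match if the trust-anchor certificate is among the certificates the server actually sends; first_match() returns None for a chain that contains the leaf alone.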