Author: Jeremy Harris Date: To: exim-users Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates
On 9/4/18 1:26 PM, Michael Westerburg via Exim-users wrote: > shortly we introduced DANE but soon afterwards we detected problems
> sending mails to domains using DANE(TA) with self signed certificates.
> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting: > According to the logfiles Exim complains about the certificates:
> "R=world T=remote_smtp defer (-37) H=xyz [1.2.3.4]: TLS session:
> (certificate verification failed): certificate invalid". Even switching
> to debug level doesn't give further informations. The TLSA record suits
> the CA certificate and the remote server delivers the complete
> certificate chain. On this side everything seems to be okay.
I've managed to reproduce the situation in the Exim testsuite.
With the current master branch, built with OpenSSL it works fine;
built with GnuTLS (v 3.6.3 on Fedora 28) it does not.
[testcases 5822, 5842 for anyone following along at home...]
This is with a selfsigned cert on the server, with "CA" extension
and a wildcard SAN covering the server dns name.
The call into GnuTLS which does not succeed is dane_verify_crt_raw();
it seems to be claiming that the list of one TLSA record we feed
it has none suitable for use. There is, unfortunately, no debug
output for its internal workings even with the usual GnuTLS library
debug level at "9".
TA (2 1 1) fails in the same way.
An EE-mode (3 1 1) works ok, so that's one possible workaround.
A LetsEncrypt cert rather than a selfsigned might be another.
I've not tried the gentoo.org case.
--
Cheers,
Jeremy