Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-m…

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert


> On Sep 9, 2018, at 10:50 AM, admin--- via Exim-dev <exim-dev@???> wrote:
>
>           Summary: DANE verify fails with a TA-mode TLSA and a selfsigned
>                    sever cert
>           Product: Exim
>           Version: 4.91
>          Hardware: x86
>                OS: Windows
>            Status: NEW
>          Severity: bug
>          Priority: medium
>         Component: Delivery in general
>          Assignee: nigel@???
>          Reporter: jgh146exb@???
>                CC: exim-dev@???

>
> This appears to be a GnuTLS library bug at present, but recording here for
> tracking purposes.


This does not appear to be the right description. DANE-TA(2) is NOT
expected to work with self-signed server certs, and the report for
lists.gentoo.org is not for a self-signed cert.

The reports seem to be for ordinary 2 or 3 level chains in which
DANE-TA(2) matches at depth 1 or higher (depth 0 is the EE cert).

-- 
    Viktor.
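
The depth rule stated in the reply above, as an added example (not part of the original message, and not Exim, GnuTLS or OpenSSL code): a DANE-TA(2) record is only compared against chain elements at depth 1 or higher, and a DANE-EE(3) record only against depth 0. The function name, the placeholder certificate bytes and the restriction to selector Cert(0) are assumptions of this sketch; it covers only the TLSA match, not signature or chain validation.

```python
import hashlib

# Certificate usages covered here: DANE-TA(2) and DANE-EE(3).
DANE_TA, DANE_EE = 2, 3

# Matching types: 0 = full data, 1 = SHA2-256, 2 = SHA2-512.
_DIGESTS = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def tlsa_match_depth(chain, usage, selector, mtype, data):
    """Return the depth of the first chain element the TLSA record matches, or None.

    chain[0] is the EE (leaf) certificate, chain[1:] are its issuers, as DER bytes.
    Only selector Cert(0) is handled; SPKI(1) would need a DER parser.
    """
    if selector != 0:
        raise ValueError("only selector Cert(0) is implemented in this sketch")
    if mtype not in _DIGESTS:
        raise ValueError("unknown matching type")
    for depth, cert in enumerate(chain):
        # Depth 0 is eligible only for EE usage; depth >= 1 only for TA usage.
        eligible_usage = DANE_EE if depth == 0 else DANE_TA
        if usage == eligible_usage and _DIGESTS[mtype](cert) == data:
            return depth
    return None

# Constructed placeholder bytes standing in for DER certificates.
LEAF = b"constructed-leaf-cert"
INTERMEDIATE = b"constructed-intermediate-cert"
ROOT = b"constructed-root-cert"

if __name__ == "__main__":
    chain = [LEAF, INTERMEDIATE, ROOT]
    ta_digest = hashlib.sha256(INTERMEDIATE).digest()
    print("2 0 1 on a 3-level chain matches at depth",
          tlsa_match_depth(chain, DANE_TA, 0, 1, ta_digest))
    # A lone self-signed leaf published as DANE-TA(2): no eligible depth, no match.
    print("2 0 1 on a self-signed leaf:",
          tlsa_match_depth([LEAF], DANE_TA, 0, 1, hashlib.sha256(LEAF).digest()))
```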