Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-m…

Author: Viktor Dukhovni
To: exim-dev
Subject: Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a self-signed server cert

> On Sep 9, 2018, at 1:04 PM, Jeremy Harris via Exim-dev <exim-dev@???> wrote:
> The subject says "self signed".
> If it's not expected to work, perhaps you could explain why (on-list,
> to the originator)?

The OP is not sufficiently familiar with the right terms of art.
He/she surely means private-CA, not found in the local trust
store, rather than self-signed server certificate.

  self-signed root CA (not in Mozilla bundle)
  [ intermediates ]
  EE cert

DANE-TA(2) works when the trust-anchor certificate matches some
*issuer* certificate in the chain provided by the server in its
"TLS certificate message". If the match is the self-signed
root CA, that certificate MUST be included in the chain for DANE
to work, even though root CAs are not typically sent with WebPKI.

The lists.gentoo.example matches both an intermediate and a root,
and both are included in the server chain. So the issue to focus
on is why (or ditto with just fails.

DANE-TA(2) never matches a self-signed EE cert.
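As an added illustration of the matching rule described above (this is example code, not code from the thread, from Viktor, or from Exim), the Go program below builds a constructed private-CA hierarchy (self-signed root, intermediate, EE) with Go's standard crypto/x509 package and then applies the TLSA comparison the way the message describes it: a DANE-TA(2) record is compared only against the issuer certificates actually present in the chain the server sends. The root record therefore matches when the server includes the root, fails when the root is left out, a record for the intermediate matches, and a self-signed certificate presented alone as the EE never matches under usage 2. The usage-3 (DANE-EE) branch goes beyond the message and is included only to show the contrast. The names tlsa, tlsaData, daneMatch, issue and demo, the "Example Private Root" hierarchy and the mail.example name are all this example's own assumptions; nothing here is a real CA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA record (RFC 6698): usage 2 = DANE-TA, 3 = DANE-EE; selector 0 = full
// certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256.
type tlsa struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// tlsaData derives one certificate's association data; nil for selector or
// matching-type values this example does not support.
func tlsaData(cert *x509.Certificate, selector, mtype uint8) []byte {
	src := map[uint8][]byte{0: cert.Raw, 1: cert.RawSubjectPublicKeyInfo}[selector]
	if mtype == 1 && src != nil {
		sum := sha256.Sum256(src)
		src = sum[:]
	} else if mtype != 0 {
		return nil
	}
	return src
}

// daneMatch reports whether rec matches the chain the server sent; chain[0]
// is the EE certificate, the rest are whatever issuers the server included.
// DANE-TA(2) only ever compares issuers that are actually present, so a private
// root the server leaves out cannot match, nor can a self-signed EE sent alone.
func daneMatch(rec tlsa, chain []*x509.Certificate) bool {
	if len(chain) == 0 || len(rec.Data) == 0 || rec.Usage < 2 || rec.Usage > 3 {
		return false // usages 0 and 1 also need PKIX validation; not shown here
	}
	candidates := chain[1:] // DANE-TA(2): the issuer certificates only
	if rec.Usage == 3 {
		candidates = chain[:1] // DANE-EE(3): the end-entity certificate only
	}
	for _, c := range candidates {
		if bytes.Equal(tlsaData(c, rec.Selector, rec.MatchingType), rec.Data) {
			return true
		}
	}
	return false
}

// must unwraps (value, error) pairs for the constructed test hierarchy below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a fresh P-256 key and a certificate for it under parent
// (self-signed when parent is nil). Constructed private CA for this example
// only; not a real CA and not code from the thread or from Exim.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// demo builds root -> intermediate -> EE and evaluates the cases from the thread:
// root sent vs omitted, a record for the intermediate, and a self-signed EE (usage 2 vs 3).
func demo() (rootSent, rootOmitted, interMatch, selfSignedTA, selfSignedEE bool) {
	root, rk := issue("Example Private Root", 1, true, nil, nil)
	inter, ik := issue("Example Intermediate", 2, true, root, rk)
	ee, _ := issue("mail.example", 3, false, inter, ik)
	rootRec := tlsa{2, 1, 1, tlsaData(root, 1, 1)}   // "2 1 1 <sha256 of root SPKI>"
	interRec := tlsa{2, 0, 1, tlsaData(inter, 0, 1)} // "2 0 1 <sha256 of intermediate DER>"
	rootSent = daneMatch(rootRec, []*x509.Certificate{ee, inter, root})
	rootOmitted = daneMatch(rootRec, []*x509.Certificate{ee, inter})
	interMatch = daneMatch(interRec, []*x509.Certificate{ee, inter})
	selfSignedTA = daneMatch(rootRec, []*x509.Certificate{root})
	selfSignedEE = daneMatch(tlsa{3, 1, 1, rootRec.Data}, []*x509.Certificate{root})
	return
}

func main() {
	fmt.Println(demo()) // true false true false true
}
```

The rootOmitted case is the one the message warns about: the same "2 1 1" record that matches when the server's chain carries the private root silently fails when the root is dropped, which is exactly what a WebPKI-style server configuration that omits root certificates will do. A real verifier additionally has to validate the chain up to the matched trust anchor and check names; this example shows only the association-data comparison.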