Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-m…

Author: Viktor Dukhovni
To: exim-dev
Subject: Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned server cert


> On Sep 9, 2018, at 1:04 PM, Jeremy Harris via Exim-dev <exim-dev@???> wrote:
>
> https://lists.exim.org/lurker/message/20180904.122640.3cbadefb.en.html
>
> The subject says "self signed".
> If it's not expected to work, perhaps you could explain why (on-list,
> to the originator)?


The OP is not sufficiently familiar with the right terms of art.
He/she surely means private-CA, not found in the local trust
store, rather than self-signed server certificate.

  self-signed root CA (not in Mozilla bundle)
    |
    v
  [ intermediates ]
    |
    v
  EE cert


DANE-TA(2) works when the trust-anchor certificate matches some
*issuer* certificate in the chain provided by the server in its
"TLS certificate message". If the match is the self-signed
root CA, that certificate MUST be included in the chain for DANE
to work, even though root CAs are not typically sent with WebPKI
PKIX.

The lists.gentoo.example matches both an intermediate and a root,
and both are included in the server chain. So the issue to focus
on is why lists.gentoo.org (or ditto with just gentoo.org) fails.

DANE-TA(2) never matches a self-signed EE cert.

-- 
    Viktor.
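A worked model of the DANE-TA(2) matching rule described in the message above, added here as an example; it is not code from this thread, from Exim, or from the bug reporter. Only the matching rule is modelled, not signature verification: certificates are plain records whose DER and SubjectPublicKeyInfo bytes, names and helper names are constructed stand-ins. The chain is walked from the end-entity certificate upward, and only issuer certificates the server actually sent are candidates, which is what makes the two failure modes in the message fall out (root not sent, self-signed end-entity cert).

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes   # constructed stand-in for the DER-encoded certificate
    spki: bytes  # constructed stand-in for the DER-encoded SubjectPublicKeyInfo

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (RFC 7671 terminology)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_for(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """Publisher side: derive the association data for a certificate."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        data = raw
    elif mtype == 1:
        data = hashlib.sha256(raw).digest()
    elif mtype == 2:
        data = hashlib.sha512(raw).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return TLSA(usage, selector, mtype, data)


def tlsa_matches(tlsa: TLSA, cert: Cert) -> bool:
    """Verifier side: does this certificate match the record's association data?"""
    return tlsa_for(cert, tlsa.usage, tlsa.selector, tlsa.mtype).data == tlsa.data


def dane_ta_trust_anchor(tlsa: TLSA, chain: List[Cert]) -> Optional[Cert]:
    """
    DANE-TA(2): walk the chain the server presented (chain[0] is the
    end-entity cert) and return the first *issuer* certificate that matches
    the TLSA record, or None.

    The end-entity certificate itself is never a candidate, so a self-signed
    EE cert cannot satisfy a DANE-TA(2) record, and a root CA that is the
    intended trust anchor has to be present in the presented chain.
    """
    if tlsa.usage != 2:
        raise ValueError("only DANE-TA(2) is modelled here")
    for child, issuer in zip(chain, chain[1:]):
        if child.issuer != issuer.subject:
            break  # chain is not linked; nothing beyond here issued the EE cert
        if tlsa_matches(tlsa, issuer):
            return issuer
    return None


# Constructed example mirroring the figure in the message: a private root
# (not in any public trust store), one intermediate, and the server cert.
ROOT = Cert("Private Root CA", "Private Root CA", b"DER:root", b"SPKI:root")
INTERMEDIATE = Cert("Private Issuing CA", "Private Root CA", b"DER:int", b"SPKI:int")
EE = Cert("mail.example.net", "Private Issuing CA", b"DER:ee", b"SPKI:ee")
SELF_SIGNED_EE = Cert("mail.example.net", "mail.example.net", b"DER:ss", b"SPKI:ss")


def run_scenarios() -> dict:
    root_ta = tlsa_for(ROOT, usage=2, selector=0, mtype=1)          # "2 0 1 <sha256>"
    int_ta = tlsa_for(INTERMEDIATE, usage=2, selector=1, mtype=1)   # "2 1 1 <sha256>"
    ss_ta = tlsa_for(SELF_SIGNED_EE, usage=2, selector=0, mtype=1)  # hash of the EE itself
    return {
        # Full chain including the root: both records find their issuer cert.
        "root_ta_full_chain": dane_ta_trust_anchor(root_ta, [EE, INTERMEDIATE, ROOT]) is ROOT,
        "int_ta_full_chain": dane_ta_trust_anchor(int_ta, [EE, INTERMEDIATE, ROOT]) is INTERMEDIATE,
        # Root omitted, as WebPKI servers usually do: the root-keyed record cannot match.
        "root_ta_root_not_sent": dane_ta_trust_anchor(root_ta, [EE, INTERMEDIATE]) is None,
        # A self-signed EE cert with a usage-2 record built from that very cert: never matches.
        "self_signed_ee": dane_ta_trust_anchor(ss_ta, [SELF_SIGNED_EE]) is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print("%-22s %s" % (name, ok))
```

The check to make on a server that fails DANE-TA(2) verification is therefore whether the certificate named by the TLSA record is actually present in the chain it sends, and whether that certificate is an issuer of the leaf rather than the leaf itself.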