Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates


> On Sep 4, 2018, at 8:26 AM, Michael Westerburg via Exim-users <exim-users@???> wrote:
>
> Hello Exim-users-list,
>
> shortly we introduced DANE but soon afterwards we detected problems
> sending mails to domains using DANE(TA) with self signed certificates.
> Using Exim 4.91 with GnuTLS 3.5.18 (Ubuntu 18.04) here is our setting:


For the record, your terminology is misleading. Self-signed certificate
is usually taken to mean that the server's certificate is not issued
by any CA at all, and is simply signed with its own key.

It seems you mean a "private" issuer CA, or any root CA that is not
included in the local trust store used for non-DANE verification.

Your report really should also be specific about which destination
domain you're having trouble with and what the TLSA records were
at the time.

-- 
    Viktor.