Re: [exim] DANE(TA) doesn't work with self signed certificat…

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE(TA) doesn't work with self signed certificates


> On Sep 9, 2018, at 10:47 AM, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
> I've managed to reproduce the situation in the Exim testsuite.
> With the current master branch, built with OpenSSL it works fine;
> built with GnuTLS (v 3.6.3 on Fedora 28) it does not.


I did not expect DANE-TA(2) TLSA records to match a depth 0
self-signed "CA" cert. If it works, it is an implementation
choice, not something required by the specification. The
OpenSSL 1.1.x DANE implementation will not match in this case.

I forgot that the danessl code I contributed that handles
DANE for OpenSSL 1.0.x does match in this case, as a concession
to users who decide to be that creative. Perhaps I should not
have been so liberal.

https://github.com/vdukhovni/ssl_dane/blob/master/danessl.c#L580-L588

That code originated in Postfix, where it seems degenerate depth 0
self-signed CAs are also supported. Seems at the time I wanted to
make every reasonable effort to match if possible, effectively
interpreting the "2 1 1" as a "3 1 1". I don't see any of these
in the wild, and support for this edge-case could be removed.

https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dane.c#L1746-L1762

However, nobody can complain if it fails to work, this edge-case
is not supported by the standards.

I think the OP here actually has trouble with a real CA.

-- 
    Viktor.
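The matching rule discussed in this thread, as an added illustration that is not code from the thread, Exim, Postfix or ssl_dane: DANE-TA(2) is matched against issuer certificates, and a depth-0 self-signed certificate only matches when the liberal concession is enabled, which amounts to reading "2 1 1" as "3 1 1". The certificate objects and their DER/SPKI bytes are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional
@dataclass
class Cert:
    der: bytes          # full certificate DER (constructed placeholder bytes)
    spki: bytes         # SubjectPublicKeyInfo DER (constructed placeholder bytes)
    self_signed: bool

def tlsa_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Association data for a cert: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unknown matching type")

def dane_match(chain: List[Cert], usage: int, selector: int, mtype: int,
               data: bytes, liberal: bool = False) -> Optional[int]:
    """Return the chain depth at which the TLSA record matches, else None.
    chain[0] is the leaf (depth 0); later entries are its issuers.
    DANE-EE(3) matches only the leaf. DANE-TA(2) matches an issuer at
    depth >= 1; a depth-0 self-signed cert is accepted only when
    `liberal` is set, i.e. "2 1 1" is effectively treated as "3 1 1"."""
    if usage == 3:
        return 0 if tlsa_data(chain[0], selector, mtype) == data else None
    if usage == 2:
        for depth, cert in enumerate(chain):
            if depth == 0 and not (liberal and cert.self_signed):
                continue  # strict reading: the leaf is never a trust anchor
            if tlsa_data(cert, selector, mtype) == data:
                return depth
        return None
    raise ValueError("only DANE-TA(2) and DANE-EE(3) are modelled")
# Constructed inputs: a lone self-signed cert, and a leaf issued by a real CA.
SELF_SIGNED = Cert(b"der:self", b"spki:self", True)
CA = Cert(b"der:ca", b"spki:ca", True)
LEAF = Cert(b"der:leaf", b"spki:leaf", False)

def demo():
    rec_self = tlsa_data(SELF_SIGNED, 1, 1)   # "2 1 1" pointing at the self-signed cert
    rec_ca = tlsa_data(CA, 1, 1)              # "2 1 1" pointing at the CA
    return (dane_match([SELF_SIGNED], 2, 1, 1, rec_self),                # None: strict
            dane_match([SELF_SIGNED], 2, 1, 1, rec_self, liberal=True),  # 0: concession
            dane_match([LEAF, CA], 2, 1, 1, rec_ca))                     # 1: normal TA
```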