> On Sep 9, 2018, at 10:47 AM, Jeremy Harris via Exim-users <exim-users@???> wrote:
>
> I've managed to reproduce the situation in the Exim testsuite.
> With the current master branch, built with OpenSSL it works fine;
> built with GnuTLS (v 3.6.3 on Fedora 28) it does not.
I did not expect DANE-TA(2) TLSA records to match a depth 0
self-signed "CA" cert. If it works, it is an implementation
choice, not something required by the specification. The
OpenSSL 1.1.x DANE implementation will not match in this case.
I forgot that the danessl code I contributed that handles
DANE for OpenSSL 1.0.x does match in this case, as a concession
to users who decide to be that creative. Perhaps I should not
have been so liberal.
https://github.com/vdukhovni/ssl_dane/blob/master/danessl.c#L580-L588
That code originated in Postfix, where it seems degenerate depth 0
self-signed CAs are also supported. Seems at the time I wanted to
make every reasonable effort to match if possible, effectively
interpreting the "2 1 1" as a "3 1 1". I don't see any of these
in the wild, and support for this edge-case could be removed.
https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_dane.c#L1746-L1762
However, nobody can complain if it fails to work; this edge-case
is not supported by the standards.
I think the OP here actually has trouble with a real CA.
--
Viktor.
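The DANE-TA(2) matching behaviour discussed above, as an added example that is not part of the original thread nor code from Exim, Postfix or ssl_dane: a simplified Python model in which certificates are stand-in records with constructed SPKI bytes (no real X.509 parsing, and chain signature checking is assumed to happen elsewhere). It shows that a strict matcher rejects a "2 1 1" record against a depth-0 self-signed cert, while the liberal variant accepts it, effectively treating "2 1 1" as "3 1 1".

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    spki: bytes  # SubjectPublicKeyInfo bytes (constructed sample data)

    def self_signed(self) -> bool:
        return self.subject == self.issuer


def tlsa_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data for selector 1 (SPKI), matching type 1 (SHA-256)."""
    if selector != 1 or mtype != 1:
        raise ValueError("only selector 1 / matching type 1 are modelled here")
    return hashlib.sha256(cert.spki).digest()


def dane_match(chain: List[Cert], usage: int, selector: int, mtype: int,
               assoc: bytes, liberal: bool = False) -> Optional[int]:
    """Return the chain depth at which the TLSA record matches, or None.

    chain[0] is the end-entity cert, chain[-1] the top-most issuer.
    """
    if usage == 3:  # DANE-EE: only the end-entity cert at depth 0
        return 0 if tlsa_data(chain[0], selector, mtype) == assoc else None
    if usage == 2:  # DANE-TA: an issuer at depth >= 1 (RFC 6698 / RFC 7671)
        for depth in range(1, len(chain)):
            if tlsa_data(chain[depth], selector, mtype) == assoc:
                return depth
        # Non-standard concession: a self-signed depth-0 cert acting as its
        # own "CA". This is the "2 1 1" read as "3 1 1" behaviour.
        if liberal and chain[0].self_signed() and \
                tlsa_data(chain[0], selector, mtype) == assoc:
            return 0
        return None
    raise ValueError("PKIX usages 0 and 1 are not modelled here")


# Constructed sample certificates: a self-signed server cert and a CA-issued one.
SELF = Cert("mail.example", "mail.example", b"constructed-spki-self-signed")
CA = Cert("Example Root CA", "Example Root CA", b"constructed-spki-ca")
LEAF = Cert("mx.example", "Example Root CA", b"constructed-spki-leaf")


def demo():
    """Strict vs liberal DANE-TA against a depth-0 self-signed cert, plus a real CA."""
    self_rec = tlsa_data(SELF, 1, 1)   # the "2 1 1 <hash>" record for SELF
    strict = dane_match([SELF], 2, 1, 1, self_rec)                  # None
    loose = dane_match([SELF], 2, 1, 1, self_rec, liberal=True)     # 0
    real_ca = dane_match([LEAF, CA], 2, 1, 1, tlsa_data(CA, 1, 1))  # 1
    return strict, loose, real_ca
```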