[exim-dev] [Bug 2311] DANE verify fails with a TA-mode TLSA …

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: admin
Fecha:  
A: exim-dev
Temas antiguos: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert
Asunto: [exim-dev] [Bug 2311] DANE verify fails with a TA-mode TLSA and a selfsigned server cert
https://bugs.exim.org/show_bug.cgi?id=2311

--- Comment #4 from Andreas Metzler <eximusers@???> ---
Hello,

looking what happens at tls-gnu-c with
TLSA record 2 1 1
i.e. DANESSL_USAGE_DANE_TA.

#1690 dane_verify_crt_raw() succeeds, i.e# 1701 goto tlsa_prob is not
triggered.
verify == 0 and 1709 goto badcert does not hit, either and

1711 state->peer_dane_verified = TRUE;
runs.

Now we are here:
1717  /* If a TA-mode TLSA record was used for verification we must
additionally
1718    verify the CA chain and the cert name.  For EE-mode, skip it. */
1719
1720    if (usage & (1 << DANESSL_USAGE_DANE_EE))


However the test
1717 if (usage & (1 << DANESSL_USAGE_DANE_EE))
does not succeed and therefore there is no
1721 goto goodcert;
and we continue on to
1726 rc = gnutls_certificate_verify_peers2(state->session, &verify);

Afaiui the CA chain verification should not only be skipped for
DANESSL_USAGE_DANE_EE(3 - "domain-issued certificate") but also for
DANESSL_USAGE_DANE_TA(2 - "trust anchor assertion")

cu Andreas

--
You are receiving this mail because:
You are on the CC list for the bug.