https://bugs.exim.org/show_bug.cgi?id=2311
--- Comment #4 from Andreas Metzler <eximusers@???> ---
Hello,
looking at what happens in tls-gnu.c with
TLSA record 2 1 1
i.e. DANESSL_USAGE_DANE_TA.
#1690 dane_verify_crt_raw() succeeds, i.e. #1701 goto tlsa_prob is not
triggered.
verify == 0 and #1709 goto badcert does not hit either, and
#1711 state->peer_dane_verified = TRUE;
runs.
Now we are here:
1717 /* If a TA-mode TLSA record was used for verification we must additionally
1718 verify the CA chain and the cert name. For EE-mode, skip it. */
1719
1720 if (usage & (1 << DANESSL_USAGE_DANE_EE))
However the test
1717 if (usage & (1 << DANESSL_USAGE_DANE_EE))
does not succeed and therefore there is no
1721 goto goodcert;
and we continue on to
1726 rc = gnutls_certificate_verify_peers2(state->session, &verify);
Afaiui the CA chain verification should not only be skipped for
DANESSL_USAGE_DANE_EE (3 - "domain-issued certificate") but also for
DANESSL_USAGE_DANE_TA (2 - "trust anchor assertion").
cu Andreas
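The usage types discussed in the comment, as an added example that is not part of the bug thread or of Exim's code: a small C program that parses a TLSA record in DNS presentation form (such as the `2 1 1` record mentioned above), builds the `1 << usage` bit in the shape the quoted check uses, and applies the condition the comment argues for, treating both DANE-TA (2) and DANE-EE (3) as DANE-only usages that do not require the PKIX CA-chain check, while PKIX-TA (0) and PKIX-EE (1) still do (RFC 7671). The `DANESSL_*` values for usages 0 and 1, the bitmask interpretation of `usage`, the `tlsa_*` function names and the sample digest are assumptions made for this example.

```c
/* Added example, not Exim's code: parse a TLSA record in DNS presentation
 * form ("usage selector mtype hex") and decide, per RFC 7671, whether the
 * TLS client must still run a PKIX (system CA store) chain verification
 * after a DANE match. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Certificate usage values from RFC 6698/7671. The DANESSL_* names follow the
 * constants quoted in the comment (DANE_TA = 2, DANE_EE = 3); the two PKIX
 * names are assumed for this example. */
enum {
    DANESSL_USAGE_PKIX_TA = 0,   /* CA constraint: PKIX validation required      */
    DANESSL_USAGE_PKIX_EE = 1,   /* service cert constraint: PKIX required       */
    DANESSL_USAGE_DANE_TA = 2,   /* trust anchor assertion: no PKIX CA store     */
    DANESSL_USAGE_DANE_EE = 3    /* domain-issued certificate: no PKIX CA store  */
};

#define TLSA_MAX_DATA 512

typedef struct {
    int usage, selector, mtype;
    size_t datalen;
    unsigned char data[TLSA_MAX_DATA];
} tlsa_rr;

/* Parse "2 1 1 <hex>"; returns 0 on success, -1 if any field is malformed. */
int tlsa_parse(const char *text, tlsa_rr *rr)
{
    char hex[2 * TLSA_MAX_DATA + 1];

    memset(rr, 0, sizeof *rr);
    if (sscanf(text, "%d %d %d %1024s", &rr->usage, &rr->selector,
               &rr->mtype, hex) != 4)
        return -1;
    if (rr->usage < 0 || rr->usage > 3)       return -1;
    if (rr->selector < 0 || rr->selector > 1) return -1; /* 0 = full cert, 1 = SPKI */
    if (rr->mtype < 0 || rr->mtype > 2)       return -1; /* 0 = full, 1 = SHA-256, 2 = SHA-512 */

    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0) return -1;
    /* Hash matching types fix the data length; a full (mtype 0) blob may be any size. */
    if (rr->mtype == 1 && n != 64)  return -1;
    if (rr->mtype == 2 && n != 128) return -1;

    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1]))
            return -1;
        char byte[3] = { hex[i], hex[i + 1], '\0' };
        rr->data[i / 2] = (unsigned char)strtoul(byte, NULL, 16);
    }
    rr->datalen = n / 2;
    return 0;
}

/* Usage bitmask in the shape of the `usage` variable in the quoted check:
 * bit N set means a usage-N TLSA record was the one that matched
 * (an assumption about that variable, made for this example). */
unsigned tlsa_usage_bit(const tlsa_rr *rr)
{
    return 1u << rr->usage;
}

/* Decide whether a PKIX chain check against the system CA store (the
 * gnutls_certificate_verify_peers2 call in the quoted code) must still run.
 * RFC 7671: with DANE-TA(2) and DANE-EE(3) the TLSA record supplies the trust
 * anchor, so a failed CA-store validation must not reject the peer (DANE-TA
 * still chains to the TLSA-supplied anchor and checks the name, but that is
 * DANE matching, not PKIX). With PKIX-TA(0)/PKIX-EE(1) PKIX stays mandatory.
 * This is the condition the comment argues for: skip for EE *and* TA. */
int pkix_chain_required(unsigned usage_bits)
{
    unsigned dane_only = (1u << DANESSL_USAGE_DANE_TA) | (1u << DANESSL_USAGE_DANE_EE);
    return (usage_bits & dane_only) == 0;
}

/* Parse and decide in one step: 1 = PKIX required, 0 = DANE-only, -1 = malformed. */
int tlsa_needs_pkix(const char *text)
{
    tlsa_rr rr;
    if (tlsa_parse(text, &rr) != 0) return -1;
    return pkix_chain_required(tlsa_usage_bit(&rr));
}

int main(void)
{
    /* Constructed sample records: the digest is a placeholder, not a real cert hash. */
    static const char *records[] = {
        "2 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", /* DANE-TA, the page's case */
        "3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", /* DANE-EE */
        "1 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef", /* PKIX-EE */
        "2 1 1 0123",                                                             /* wrong length for SHA-256 */
    };
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++) {
        int r = tlsa_needs_pkix(records[i]);
        printf("%.5s... -> %s\n", records[i],
               r < 0 ? "malformed"
               : r   ? "PKIX chain check required"
                     : "DANE-only, skip CA chain check");
    }
    return 0;
}
```

Running it prints one decision per sample record; the `2 1 1` record resolves to "DANE-only", which is the outcome the comment says the quoted `if (usage & (1 << DANESSL_USAGE_DANE_EE))` test does not currently produce for TA mode.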