[exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 2265] New: TLS SNI not auto-set for DANE clients
Subject: [exim-dev] [Bug 2265] TLS SNI not auto-set for DANE clients
https://bugs.exim.org/show_bug.cgi?id=2265

--- Comment #6 from Phil Pennock <pdp@???> ---
Viktor notes on exim-users:
---
Thanks for bringing this up. Indeed for DANE it is essential to ignore
any statically configured value and use the "TLSA base domain".
Otherwise, the cert chain you get may well not be the one promised in
the TLSA records.

Postfix ignores the static SNI setting, when doing DANE. Exim needs
to do the same. The required SNI name is specified in RFC7672 (and/or
RFC7671), and should not be second-guessed.
---

... in response to my saying we should probably just ignore the static SNI
setting for DANE.

I also think that we should ignore `multi_domain` and force it false for DANE,
in this case. These days it's expanded, and it always defaults true.

Any objections to:

1. use the DANE-specified hostname variant as the SNI for DANE, when DANE is in
play, ignoring `tls_sni` which then becomes the fallback for non-DANE, same as
{hosts_require_tls, tls_verify_hosts, tls_try_verify_hosts,
tls_verify_certificates, tls_crl, tls_verify_cert_hostnames}

2. Disabling `multi_domain` when DANE is in play.

Really, I'm taking it as a good sign, how much manual configuration disappears
because the MTA can just do "the right thing" with DANE.

--
You are receiving this mail because:
You are on the CC list for the bug.