[exim-dev] DANE support in Exim with OpenSSL

Author: Viktor Dukhovni
Date:  
To: exim-dev
Subject: [exim-dev] DANE support in Exim with OpenSSL
OpenSSL 1.0.2 has passed EOL, 1.1.1 is the primary LTS (indeed
presently the only one still supported) OpenSSL release, and OpenSSL 3.0
is soon to enter beta.

With that in mind, in Postfix I decided to replace the legacy DANE code
(essentially the same as, and the original version of what is presently
used in Exim) with new DANE code that delegates all the X.509 validation
logic to OpenSSL, and just marshals the TLSA records into OpenSSL for
validation.

I would like to recommend that when convenient, Exim should probably do the
same. The documentation for the OpenSSL DANE API is at:

    https://www.openssl.org/docs/man1.1.0/man3/SSL_CTX_dane_enable.html


If you have questions about the OpenSSL DANE API, feel free to drop me
a note, or ask on this list. This does not subsume the DNS logic, so
Exim would still need to perform all the relevant lookups and decide
when to enable DANE etc., but all the chain verification logic would now
be via OpenSSL, rather than my legacy danssl library (still found at:
https://github.com/vdukhovni/ssl_dane).

The new Postfix DANE code will appear in an upcoming Postfix 3.6
snapshot, for eventual inclusion in the 3.6 stable release in early
2021.

[ Because Postfix uses DANE also for its "fingerprint" security policy,
and for per-destination trust-anchors, mapping these to synthetic DANE-EE
and DANE-TA records as appropriate, the code in Postfix is probably not
the best reference implementation to look at, as there are many other
things going on besides just DANE. The OpenSSL docs should be sufficient,
but if not I'll be happy to fill any gaps that need attention. ]

-- 
    Viktor.
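The message above says the DNS side stays with the MTA: it still has to look up the TLSA RRset, decide whether DANE applies, and marshal each record into OpenSSL, which then does the chain verification. The following is an added example written for this page; it is not Exim, Postfix or OpenSSL code. It decodes TLSA RDATA in DNS wire form, applies the usability rules a caller would check before (or while) handing records to the library, and renders records in the RFC 6698 presentation form for logging. The sample RRset, the owner name `_25._tcp.mail.example`, and the placeholder digest bytes are constructed; the `smtp_profile` flag (skip PKIX-TA/PKIX-EE as RFC 7672 prescribes for SMTP clients) and the function names are this example's own. The actual library call, `SSL_dane_tlsa_add()`, appears only in a comment so the block compiles without libssl.

```c
/*
 * Added example, not Exim or Postfix code. DNS-side TLSA handling that stays
 * with the MTA when chain verification moves into OpenSSL: decode TLSA RDATA,
 * drop records the client cannot use, and produce the (usage, selector,
 * mtype, data, dlen) tuples that would go to SSL_dane_tlsa_add().
 * Build: cc -std=c99 -Wall tlsa_marshal.c
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parameter values from RFC 6698 */
enum { USAGE_PKIX_TA = 0, USAGE_PKIX_EE = 1, USAGE_DANE_TA = 2, USAGE_DANE_EE = 3 };
enum { SEL_CERT = 0, SEL_SPKI = 1 };
enum { MTYPE_FULL = 0, MTYPE_SHA256 = 1, MTYPE_SHA512 = 2 };

typedef struct {
    uint8_t usage, selector, mtype;
    const uint8_t *data;   /* association data, points into the RDATA */
    size_t dlen;
} tlsa_rr;

/* Wire-format RDATA is three parameter octets followed by the association
 * data. Returns 1 on success, 0 if the RDATA is malformed. */
int tlsa_parse(const uint8_t *rdata, size_t rdlen, tlsa_rr *rr)
{
    if (rdata == NULL || rr == NULL || rdlen < 4)
        return 0;                      /* need params plus >= 1 data octet */
    rr->usage = rdata[0];
    rr->selector = rdata[1];
    rr->mtype = rdata[2];
    rr->data = rdata + 3;
    rr->dlen = rdlen - 3;
    return 1;
}

/* Returns 1 if the record can be handed to the TLS library, 0 if it is
 * "unusable" (unknown parameter value, or a digest whose length does not
 * match its matching type). SSL_dane_tlsa_add() rejects the same records,
 * but checking first lets the caller log the reason and decide policy
 * before the handshake. With smtp_profile set, PKIX-TA(0) and PKIX-EE(1)
 * are skipped as RFC 7672 requires for SMTP clients. */
int tlsa_usable(const tlsa_rr *rr, int smtp_profile)
{
    if (rr->usage > USAGE_DANE_EE || rr->selector > SEL_SPKI ||
        rr->mtype > MTYPE_SHA512)
        return 0;
    if (smtp_profile && rr->usage <= USAGE_PKIX_EE)
        return 0;
    switch (rr->mtype) {
    case MTYPE_SHA256: return rr->dlen == 32;
    case MTYPE_SHA512: return rr->dlen == 64;
    default:           return rr->dlen > 0;   /* Full: library DER-decodes it */
    }
}

/* Walk an RRset and count the usable records; the count tells the caller
 * whether DANE authentication can be attempted at all. */
size_t tlsa_count_usable(const uint8_t *const *rdatas, const size_t *rdlens,
                         size_t n, int smtp_profile)
{
    size_t usable = 0;
    for (size_t i = 0; i < n; i++) {
        tlsa_rr rr;
        if (!tlsa_parse(rdatas[i], rdlens[i], &rr) || !tlsa_usable(&rr, smtp_profile))
            continue;
        usable++;
        /* Real code would now call:
         * SSL_dane_tlsa_add(ssl, rr.usage, rr.selector, rr.mtype, rr.data, rr.dlen); */
    }
    return usable;
}

/* RFC 6698 presentation form ("3 1 1 <hex>") for log lines. Returns the
 * number of characters written (excluding NUL), or 0 if buf is too small. */
size_t tlsa_format(const tlsa_rr *rr, char *buf, size_t buflen)
{
    static const char hex[] = "0123456789abcdef";
    int n = snprintf(buf, buflen, "%u %u %u ", (unsigned)rr->usage,
                     (unsigned)rr->selector, (unsigned)rr->mtype);
    if (n < 0 || (size_t)n + 2 * rr->dlen + 1 > buflen)
        return 0;
    for (size_t i = 0; i < rr->dlen; i++) {
        buf[n + 2 * i]     = hex[rr->data[i] >> 4];
        buf[n + 2 * i + 1] = hex[rr->data[i] & 0x0f];
    }
    buf[n + 2 * rr->dlen] = '\0';
    return (size_t)n + 2 * rr->dlen;
}

/* Constructed sample RRset for _25._tcp.mail.example (placeholder digests,
 * not real data): two usable records, one PKIX record, one short digest,
 * one unknown usage. */
static const uint8_t rr_dane_ee[3 + 32] = { USAGE_DANE_EE, SEL_SPKI, MTYPE_SHA256, 0x11, 0x22 };
static const uint8_t rr_dane_ta[3 + 64] = { USAGE_DANE_TA, SEL_CERT, MTYPE_SHA512, 0xaa };
static const uint8_t rr_pkix_ta[3 + 32] = { USAGE_PKIX_TA, SEL_CERT, MTYPE_SHA256, 0x33 };
static const uint8_t rr_bad_len[3 + 20] = { USAGE_DANE_EE, SEL_SPKI, MTYPE_SHA256, 0x44 };
static const uint8_t rr_unknown[3 + 32] = { 7, SEL_SPKI, MTYPE_SHA256, 0x55 };
static const uint8_t *const sample_rdatas[] = { rr_dane_ee, rr_dane_ta, rr_pkix_ta, rr_bad_len, rr_unknown };
static const size_t sample_rdlens[] = { sizeof rr_dane_ee, sizeof rr_dane_ta, sizeof rr_pkix_ta,
                                        sizeof rr_bad_len, sizeof rr_unknown };
static const size_t sample_n = 5;

size_t sample_usable(int smtp_profile)
{
    return tlsa_count_usable(sample_rdatas, sample_rdlens, sample_n, smtp_profile);
}

int main(void)
{
    for (size_t i = 0; i < sample_n; i++) {
        tlsa_rr rr;
        char buf[160];
        if (!tlsa_parse(sample_rdatas[i], sample_rdlens[i], &rr)) {
            puts("malformed RDATA");
            continue;
        }
        tlsa_format(&rr, buf, sizeof buf);
        printf("%-8s %s\n", tlsa_usable(&rr, 1) ? "usable" : "unusable", buf);
    }
    printf("usable records for SMTP: %zu\n", sample_usable(1));
    return 0;
}
```

Two of the five constructed records survive the SMTP profile (the DANE-EE SPKI SHA2-256 and the DANE-TA Cert SHA2-512 ones); the PKIX-TA record would be accepted only with `smtp_profile` off. A record with matching type Full (0) is passed through with only a non-empty check, since only the library can tell whether the bytes are a valid DER certificate or SubjectPublicKeyInfo.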