https://bugs.exim.org/show_bug.cgi?id=2704
Bug ID: 2704
Summary: DANE client-side documentation issues
Product: Exim
Version: 4.94
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: jgh146exb@???
Reporter: eximusers@???
CC: exim-dev@???
Hello,
looking at 4.94+fixes I tried to get a better understanding how DANE and
"regular" CA verification worked together, I somehow failed:
-----
"Chapter 30 - The smtp transport"
The description of the smtp transport options hosts_require_dane and
hosts_try_dane are identical, probably correct for the *require* but wrong for
*try*
-----
Chapter 43 Encrypted SMTP connections using TLS/SSL
I thought this was very hard to comprehend, I read it as:
If host matches hosts_require_dane # DANE "requested"
check for DNSSEC-secured MX or A records (»The "require" variant will
result in failure if the target host is not DNSSEC-secured.«)
if this does not exist
skip host (i.e. bounce mail if it is the only MX)
else
if TLSA record exists # DANE "usable"
connect to host and try to verify cert against DNSSEC,
if cert verifies continue delivery
else skip host (i.e. bounce mail if it is the only MX)
else GOTO regular_TLS
If host matches hosts_try_dane # DANE "requested"
check for DNSSEC-secured MX or A records
if these do not exist
GOTO regular_TLS
else
if TLSA record exists # DANE "usable"
connect to host and try to verify cert against DNSSEC,
if cert verifies continue delivery
else skip host (i.e. bounce mail if it is the only MX)
else GOTO regular_TLS
regular_TLS:
check tls_verify_hosts/tls_try_verify_hosts and look at system CA store
Does my reading match reality, i.e. does hosts_require_dane not actually
require DANE? (This is not about me asking for a a change how
hosts_require_dane works, but about whether I understand the documention.)
TIA, cu Andreas
--
You are receiving this mail because:
You are on the CC list for the bug.
