[exim-dev] [Bug 2704] New: DANE client-side documentation issues

Author: admin
To: exim-dev
Subject: [exim-dev] [Bug 2704] New: DANE client-side documentation issues
https://bugs.exim.org/show_bug.cgi?id=2704

            Bug ID: 2704
           Summary: DANE client-side documentation issues
           Product: Exim
           Version: 4.94
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: eximusers@???
                CC: exim-dev@???


Hello,

looking at 4.94+fixes, I tried to get a better understanding of how DANE and
"regular" CA verification work together, but I somehow failed:

-----
"Chapter 30 - The smtp transport"
The descriptions of the smtp transport options hosts_require_dane and
hosts_try_dane are identical, probably correct for the *require* but wrong for
*try*.

-----
Chapter 43 Encrypted SMTP connections using TLS/SSL

I thought this was very hard to comprehend. I read it as:

If host matches hosts_require_dane   # DANE "requested"
   check for DNSSEC-secured MX or A records (»The "require" variant will
result in failure if the target host is not DNSSEC-secured.«)
      if this does not exist
         skip host (i.e. bounce mail if it is the only MX)
      else
        if TLSA record exists     # DANE "usable"
          connect to host and try to verify cert against DNSSEC,
          if cert verifies continue delivery
          else skip host (i.e. bounce mail if it is the only MX)
        else GOTO regular_TLS


If host matches hosts_try_dane   # DANE "requested"
   check for DNSSEC-secured MX or A records
      if these do not exist
         GOTO regular_TLS
      else
        if TLSA record exists     # DANE "usable"
          connect to host and try to verify cert against DNSSEC,
          if cert verifies continue delivery
          else skip host (i.e. bounce mail if it is the only MX)
        else GOTO regular_TLS


regular_TLS:
check tls_verify_hosts/tls_try_verify_hosts and look at system CA store

Does my reading match reality, i.e. does hosts_require_dane not actually
require DANE? (This is not about me asking for a change to how
hosts_require_dane works, but about whether I understand the documentation.)

TIA, cu Andreas

--
You are receiving this mail because:
You are on the CC list for the bug.
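The following is an added illustration, not part of the bug report and not Exim's own code: it encodes the reporter's reading of the two DANE flows above as one Python function so that the two lists can be compared case by case. The Host fields (DNSSEC-secured, TLSA present, certificate verifies) are constructed inputs standing in for the DNS and TLS results the pseudocode refers to; the function makes no claim about how Exim 4.94 actually behaves, which is exactly what the report asks about.

```python
"""Model of the reporter's reading of Exim's DANE decision flow.

Added example: this encodes the pseudocode from the bug report, not Exim's
implementation. The inputs are constructed facts about one target host.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    DELIVER_DANE = "deliver (DANE-verified)"
    SKIP_HOST = "skip host (bounce if it is the only MX)"
    REGULAR_TLS = "regular_TLS (tls_verify_hosts / tls_try_verify_hosts, CA store)"


@dataclass(frozen=True)
class Host:
    """Constructed facts about one target host, as the reporter's flow sees them."""
    name: str
    matches_require_dane: bool   # host matches hosts_require_dane
    matches_try_dane: bool       # host matches hosts_try_dane
    dnssec_secured: bool         # MX/A records are DNSSEC-validated
    has_tlsa: bool               # a TLSA record exists ("DANE usable")
    cert_verifies: bool          # certificate matches the TLSA data


def dane_outcome(h: Host) -> Outcome:
    """Return the outcome for a host under the reporter's reading of the docs."""
    requested = h.matches_require_dane or h.matches_try_dane
    if not requested:
        # Neither list matches: DANE is never considered.
        return Outcome.REGULAR_TLS
    if not h.dnssec_secured:
        # The only step where the two lists differ in this reading:
        # "require" skips the host, "try" falls back to regular TLS.
        return Outcome.SKIP_HOST if h.matches_require_dane else Outcome.REGULAR_TLS
    if not h.has_tlsa:
        # DNSSEC-secured but no TLSA record: both variants GOTO regular_TLS.
        # This is the case behind the reporter's question.
        return Outcome.REGULAR_TLS
    # DANE usable: verify against the TLSA data; failure skips the host.
    return Outcome.DELIVER_DANE if h.cert_verifies else Outcome.SKIP_HOST


def differing_cases():
    """Enumerate every input combination and return those where the
    hosts_require_dane and hosts_try_dane flows give different outcomes."""
    diffs = []
    for dnssec in (False, True):
        for tlsa in (False, True):
            for ok in (False, True):
                req = dane_outcome(Host("mx", True, False, dnssec, tlsa, ok))
                try_ = dane_outcome(Host("mx", False, True, dnssec, tlsa, ok))
                if req != try_:
                    diffs.append((dnssec, tlsa, ok, req, try_))
    return diffs


if __name__ == "__main__":
    for dnssec, tlsa, ok, req, try_ in differing_cases():
        print(f"dnssec={dnssec} tlsa={tlsa} cert_ok={ok}: "
              f"require -> {req.value}; try -> {try_.value}")
```

Running it shows that, under this reading, the two lists diverge only when the target is not DNSSEC-secured; a DNSSEC-secured host without a TLSA record ends up in regular_TLS for both, which is the behaviour the reporter is asking the documentation to confirm or deny.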