[exim] Re: Problems with outgoing DANE-TLSA, when CA-anchor…

Author: Viktor Dukhovni via Exim-users
Date:
To: exim-users
Subject: [exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails
On Sun, Jun 30, 2024 at 11:32:58PM +0200, Wolfgang via Exim-users wrote:

> I have problems connecting DANE configured hosts, when the MX has a
> correct TLSA-RR but a valid certificate (letsencrypt) with the wrong
> CN.


This is required and expected behaviour. See:

    https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.2


With DANE-TA(2) TLSA records, the TLSA base domain (generally equal to
the MX hostname) MUST be one of the DNS SANs (or perhaps be the fallback
CN in the absence of any DNS SANs) in the certificate.

Otherwise, any MX host with a Let's Encrypt certificate could
impersonate any other such host.

> In cases with self-signed certs and correct TLSA-RR there are no
> problems.


Also expected. See:

    https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.1


> With the correct CN in a valid certificate and correct
> TLSA-RR everything is also ok.


As required.

> In the documentation I read:
>
> > If DANE is requested and usable (see above) the following transport options are ignored:
> > hosts_require_tls = *
> > tls_verify_hosts
> > tls_try_verify_hosts
> > tls_verify_certificates
> > tls_crl
> > tls_verify_cert_hostnames
> > tls_sni


The options are ignored, so that RFC-required DANE requirements are met
unconditionally. Ignored DOES NOT mean set to "off", it just means they
have no effect.

> and that translates to me, that DANE should have precedence, when the
> TLSA-RR and all other settings match!


With DANE-TA(2) it is not enough for the CA to match, the CA has to have
asserted a matching DNS name.

> What am I missing?


Basic consequences of the CA trust model: without name checks, CA certs
are useless.

-- 
    Viktor.
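
The three cases reported in the thread, as an added illustration of the RFC 7672 rules cited above (this is not Exim code, nor code from either poster): a small Python model of the DANE-EE(3) versus DANE-TA(2) decision. Certificates are stand-in dicts carrying constructed DER/SPKI bytes and names instead of parsed X.509, chain signatures are assumed to have been validated already, and only exact name matches against the TLSA base domain are considered.

```python
import hashlib

# TLSA record fields: usage (2 = DANE-TA, 3 = DANE-EE), selector (0 = full cert,
# 1 = SubjectPublicKeyInfo), matching type (0 = exact, 1 = SHA-256, 2 = SHA-512).


def tlsa_match(selector, mtype, data_hex, cert):
    """Does this certificate (a constructed dict) match the TLSA association data?"""
    obj = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        digest = obj
    elif mtype == 1:
        digest = hashlib.sha256(obj).digest()
    elif mtype == 2:
        digest = hashlib.sha512(obj).digest()
    else:
        return False  # unknown matching type: unusable record
    return digest == bytes.fromhex(data_hex)


def name_matches(cert, base_domain):
    """RFC 7672 3.1.2: the TLSA base domain must be a DNS SAN; the CN is only a
    fallback when the certificate carries no DNS SANs at all."""
    sans = cert.get("dns_sans", [])
    if sans:
        return base_domain.lower() in (s.lower() for s in sans)
    return cert.get("cn", "").lower() == base_domain.lower()


def dane_verify(tlsa, chain, base_domain):
    """chain[0] is the leaf, later entries the issuers the server presented
    (assumed signature-validated). Returns True when DANE authentication passes."""
    usage, selector, mtype, data = tlsa
    leaf = chain[0]
    if usage == 3:  # DANE-EE: match the leaf itself; no name check (3.1.1)
        return tlsa_match(selector, mtype, data, leaf)
    if usage == 2:  # DANE-TA: an issuer must match AND the leaf must name the host
        if not any(tlsa_match(selector, mtype, data, c) for c in chain[1:]):
            return False
        return name_matches(leaf, base_domain)
    return False  # PKIX-TA(0)/PKIX-EE(1) are not usable for SMTP (RFC 7672 3.1.3)


def scenarios():
    """Constructed stand-ins for the poster's three cases; all bytes are made up."""
    ca = {"der": b"CONSTRUCTED-CA-CERT", "spki": b"CONSTRUCTED-CA-SPKI"}
    ta_tlsa = (2, 1, 1, hashlib.sha256(ca["spki"]).hexdigest())
    wrong = {"der": b"LEAF1", "spki": b"LEAF1-SPKI", "dns_sans": ["mail.example.org"]}
    right = {"der": b"LEAF2", "spki": b"LEAF2-SPKI", "dns_sans": ["mx.example.org"]}
    selfsigned = {"der": b"LEAF3", "spki": b"LEAF3-SPKI", "dns_sans": ["other.example.net"]}
    ee_tlsa = (3, 1, 1, hashlib.sha256(selfsigned["spki"]).hexdigest())
    return {
        "ta_wrong_name": dane_verify(ta_tlsa, [wrong, ca], "mx.example.org"),
        "ta_right_name": dane_verify(ta_tlsa, [right, ca], "mx.example.org"),
        "ee_self_signed": dane_verify(ee_tlsa, [selfsigned], "mx.example.org"),
    }
```

Only the DANE-TA case with a CA-issued certificate for some other name fails, which is exactly the behaviour described in the reply.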

