[exim] Re: Problems with outgoing DANE-TLSA, when CA-anchor…

Top Page
Delete this message
Reply to this message
Author: Wolfgang
Date:  
To: exim-users
Subject: [exim] Re: Problems with outgoing DANE-TLSA, when CA-anchored test fails
On 2024-07-01 10:41, Viktor Dukhovni via Exim-users wrote:
> On Sun, Jun 30, 2024 at 11:32:58PM +0200, Wolfgang via Exim-users wrote:
>
> > I have problems connecting DANE configured hosts, when the MX has a
> > correct TLSA-RR but an valid certificate (letsencrypt) with the wrong
> > CN.
>
> This is required and expected behaviour. See:
>
>
> With DANE-TA(2) TLSA records, the TLSA base domain (generally equal to
> the MX hostname) MUST be one of the DNS SANs (or perhaps be the fallback
> CN in the absence of any DNS SANs) in the certificate.

Thanks for the hint to the SANs, I checked right now only the CN. The failing
cert contains the right hostname as a SAN, so I really don't get it, why this
connection fails. Exim complains with:
"TLS session: (gnutls_handshake): Key usage violation in certificate has been detected."
So I make miss a configuration option, that exim should look into the SANs of the
corresponding cert, in case this is a DANE validated connection.

>
> Otherwise, any MX host with a Let's Encrypt certificate could
> impersonate any other such host.


I don't get this: Even, when either the CN nor an additional SAN matches, I see no risk
for impersonating, as the trusted public key belongs to an private key.


So if someone has further hints, what I am missing in my configuration.


Regards

Wolfgang


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/