[exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!

Author: Jeremy Harris
Date:
To: exim-users
Subject: [exim] Re: Follow-Up: Debug TLS/DANE problems it is GnuTLS!
On 07/07/2024 17:10, Viktor Dukhovni via Exim-users wrote:
> What the server's TLSA records in that case?


(testsuite syntax, but you get the gist)

DNSSEC mxdane512ee          MX  1  dane512ee
DNSSEC dane512ee            A      HOSTIPV4


DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71

> Could the use of SNI
> depend on usage DANE-EE(3).


> In this case all the TLSA records are "2 1 1".
> Also the TLSA records are behind a CNAME


With a (single) 2 1 1 TLSA behind a CNAME, we still record an SNI having been presented:

DNSSEC mxdane256tak          MX  1  dane256tak
DNSSEC dane256tak            A      HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME  _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1


Server log line:

1999-03-02 09:44:33 10HmbB-000000005vi-0000 <= <> H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no SNI=dane256tak.test.ex S=sss id=E10HmbA-000000005vi-0000@??? for t1@???
                                                                                                                                                             ^^^^^^^^^^^^^^^^^^^^^^



--
Cheers,
Jeremy
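The exchange above turns on two things a DANE client does before it ever sees a certificate: finding the TLSA RRset for the MX host and port (here through a CNAME), and deciding which certificate in the server's chain each usage/selector/matching-type triple is checked against. The following Python is an added example written for this page; it is not Exim code and not Jeremy's or Viktor's. It loads the testsuite-style records quoted in the mail into a constructed in-memory zone, chases the CNAME to the TLSA RRset, rejects unusable records (unknown parameters, digest length not matching the hash), and matches a constructed certificate chain per RFC 6698 and RFC 7671. The chain bytes, the `tlsa_rdata` helper and the `dane_verify` function are assumptions made for the example; only the zone lines come from the mail.

```python
import hashlib

# Constructed zone fragment: the testsuite-style lines quoted in the mail above,
# with the TLSA digests copied verbatim from it.
ZONE_TEXT = """\
DNSSEC mxdane512ee          MX  1  dane512ee
DNSSEC dane512ee            A      HOSTIPV4
DNSSEC _1225._tcp.dane512ee TLSA 3 1 2 e8173aaefffadc6c96700f7f396a17b8e590ebd15b081f1455abb152afecceb16a5534707ecd64611c8b6d8b9111f82e3fa954b98c6b230cda0e9be386747b71
DNSSEC mxdane256tak          MX  1  dane256tak
DNSSEC dane256tak            A      HOSTIPV4
DNSSEC _1225._tcp.dane256tak CNAME  _tlsa._tcp.dane256tak
DNSSEC _tlsa._tcp.dane256tak TLSA 2 1 1 beabbe636030e4c26d15a015e878c2a607ed5a87774443ffbc6991ec01d2b6b1
"""

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest length (SHA-256, SHA-512)


def parse_zone(text):
    """Map owner name -> list of (rtype, rdata tokens) from 'DNSSEC owner TYPE rdata...' lines."""
    zone = {}
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 3 or toks[0] != "DNSSEC":
            continue
        zone.setdefault(toks[1], []).append((toks[2], toks[3:]))
    return zone


def lookup(zone, owner, rtype, max_cname=8):
    """Return (final owner, [rdata...]), following CNAMEs the way a resolver does."""
    for _ in range(max_cname):
        rrs = zone.get(owner, [])
        found = [rd for rt, rd in rrs if rt == rtype]
        if found:
            return owner, found
        cnames = [rd for rt, rd in rrs if rt == "CNAME"]
        if not cnames:
            return owner, []
        owner = cnames[0][0]
    raise ValueError("CNAME chain too long")


def tlsa_name(mx_host, port):
    """Owner name of the TLSA RRset for an MX host and port (RFC 6698 s.3)."""
    return "_%d._tcp.%s" % (port, mx_host)


def parse_tlsa(rdata):
    """Split TLSA rdata into (usage, selector, matching type, data); reject unusable records."""
    usage, selector, mtype = (int(x) for x in rdata[:3])
    data = bytes.fromhex("".join(rdata[3:]))
    if usage not in USAGE_NAMES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("digest length %d does not fit matching type %d" % (len(data), mtype))
    return usage, selector, mtype, data


def _select_and_digest(selector, mtype, cert_der, spki_der):
    selected = cert_der if selector == 0 else spki_der  # selector 0: full cert, 1: SPKI
    if mtype == 0:
        return selected
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()


def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Build the TLSA rdata tokens an operator would publish for this certificate (assumed helper)."""
    data = _select_and_digest(selector, mtype, cert_der, spki_der)
    return [str(usage), str(selector), str(mtype), data.hex()]


def tlsa_matches(rec, cert_der, spki_der):
    """Apply selector and matching type to one certificate (RFC 6698 s.2.1)."""
    _, selector, mtype, data = rec
    return _select_and_digest(selector, mtype, cert_der, spki_der) == data


def dane_verify(tlsa_rdatas, chain):
    """chain is a list of (cert_der, spki_der), leaf first.

    Returns (usage name, index of the matched cert) or None.  For DANE-TA this
    only checks the digest; a real client must also build a PKIX path from the
    leaf to that trust anchor (RFC 7671 s.5.2).  PKIX-TA/PKIX-EE are not used
    for SMTP (RFC 7672 s.3.1.3) and are ignored here.
    """
    for rdata in tlsa_rdatas:
        try:
            rec = parse_tlsa(rdata)
        except ValueError:
            continue  # unusable record: skip it (RFC 7671 s.4.1)
        if rec[0] == 3 and tlsa_matches(rec, *chain[0]):
            return "DANE-EE", 0
        if rec[0] == 2:
            for i in range(1, len(chain)):
                if tlsa_matches(rec, *chain[i]):
                    return "DANE-TA", i
    return None


if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    for mx in ("dane512ee", "dane256tak"):
        owner, rrs = lookup(zone, tlsa_name(mx, 1225), "TLSA")
        for rd in rrs:
            u, s, m, d = parse_tlsa(rd)
            print("%s -> %s: %s selector=%d mtype=%d (%d-byte digest)"
                  % (tlsa_name(mx, 1225), owner, USAGE_NAMES[u], s, m, len(d)))
```

Running it shows the `_1225._tcp.dane256tak` query ending at `_tlsa._tcp.dane256tak` with a DANE-TA(2) SPKI SHA-256 record, and the `dane512ee` query ending at its own name with a DANE-EE(3) SPKI SHA-512 record. The digest-length check matters in practice: a record whose data does not fit its matching type is "unusable" and must be skipped rather than treated as a mismatch, otherwise a typo in the zone silently turns into a delivery failure.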

