On Wed, May 15, 2013 at 03:43:01PM +0200, Jakob Schlyter wrote:
> Andy Polyakov has committed initial support for DANE in OpenSSL
> - please see http://rt.openssl.org/Ticket/Display.html?id=3003 for
> more information.
Note: this "initial support" does not yet perform any verification
based on TLSA records; it just adds a convenience TLSA RR lookup
function that is conditional on libunbound. The application will
need to call SSL_get_tlsa_record_byname() and then provide the output
to the OpenSSL library via a control operation before the handshake.
There are complications because EE certificate usage (1/3) TLSA
records are different from TA (0/2) TLSA records. The former (or at
least 3 in any case) require no name checks, and the latter do.
OpenSSL has no means to communicate the distinction; the result of
the verification engine is either "verified" (as in trust chain
verified) or not. Since with DANE it is not enough to know whether
the chain is trusted, one needs to know whether name checks are
still required, applications will have to also communicate the
names to accept (plural per draft-ietf-dane-srv) to the OpenSSL
library.
Further complications can arise with session reuse, depending on
how client applications associate cached sessions with a particular
peer.
There is still a bunch of work before this is usable.
This will by the way fail to compile if one defines OPENSSL_NO_LIBUNBOUND
$ unifdef -DOPENSSL_NO_LIBUNBOUND ssl/dnssec.c | head -20
#include <openssl/opensslconf.h>
#include <string.h>
#include <netdb.h>
#include <openssl/bio.h>
#include <openssl/dso.h>
/*
* Output is array packed as [len][data][len][data][0]
*/
unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int type)
{
    unsigned char *ret=NULL;
    char *query=NULL;
    size_t qlen;

    if (ctx == NULL) return NULL;

    qlen = 7+5+strlen(name)+1;
because "ctx" is not declared in that case; the declaration requires
unbound.h:
#include <unbound.h>
static struct ub_ctx *ctx = NULL;
--
Viktor.
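As an added illustration of the gap Viktor describes (this is example code written for this page, not OpenSSL's or the thread's code), the following Python sketches the part that the lookup helper does not do: picking which certificate in the peer chain a TLSA record applies to (leaf for EE usages 1/3, issuers for TA usages 0/2), testing the match per RFC 6698 (selector 0/1, matching type 0/1/2), and reporting what the application still owes afterwards, namely whether the chain must be PKIX-trusted and whether name checks are still required. Certificates, SPKI blobs and TLSA RDATA below are constructed byte strings, not real DER or DNS data; the Cert type assumes the caller has already extracted the SubjectPublicKeyInfo. Usage 1 is treated conservatively as still needing a name check, since the message above hedges on it.

```python
"""Minimal DANE TLSA matching (RFC 6698) against an already-built chain.

Added example; not code from OpenSSL or the dane list thread.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# RFC 6698, section 2.1: certificate usage, selector, matching type values.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    """One chain element (constructed for the example). Real code would
    take the DER certificate and parse the SubjectPublicKeyInfo out of it."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa_rdata(rdata: bytes) -> TLSA:
    """Decode TLSA RDATA: usage(1) selector(1) matching_type(1) data(n)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return TLSA(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def _matches(rr: TLSA, cert: Cert) -> bool:
    """RFC 6698 match of one record against one certificate."""
    if rr.selector == SEL_FULL_CERT:
        data = cert.der
    elif rr.selector == SEL_SPKI:
        data = cert.spki
    else:
        return False  # unknown selector: record is unusable, never a match
    if rr.matching_type == MATCH_EXACT:
        return data == rr.assoc_data
    if rr.matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest() == rr.assoc_data
    if rr.matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest() == rr.assoc_data
    return False  # unknown matching type: unusable


def dane_match(records: List[bytes], chain: List[Cert]) -> Dict[str, object]:
    """Test TLSA records against the peer chain (leaf first).

    EE usages (1, 3) are compared against the leaf only; TA usages (0, 2)
    against the issuing certificates. On the first match, report which
    checks the application must still perform itself: usage 3 needs no
    name check, 0 and 2 do, usage 1 is read conservatively as needing one
    (assumption, see lead-in), and 0/1 also need the chain PKIX-trusted.
    """
    for rdata in records:
        rr = parse_tlsa_rdata(rdata)
        candidates = chain[:1] if rr.usage in (PKIX_EE, DANE_EE) else chain[1:]
        if any(_matches(rr, c) for c in candidates):
            return {
                "matched": True,
                "usage": rr.usage,
                "pkix_chain_required": rr.usage in (PKIX_TA, PKIX_EE),
                "name_check_required": rr.usage != DANE_EE,
            }
    return {"matched": False}


# Constructed sample data (not real certificates or DNS records).
LEAF = Cert(der=b"leaf-cert-der", spki=b"leaf-spki")
ISSUER = Cert(der=b"issuer-cert-der", spki=b"issuer-spki")
CHAIN = [LEAF, ISSUER]

# "3 1 1 <sha256 of leaf SPKI>": DANE-EE, SPKI selector, SHA-256
TLSA_3_1_1 = bytes([3, 1, 1]) + hashlib.sha256(LEAF.spki).digest()
# "2 0 1 <sha256 of issuer DER>": DANE-TA, full-cert selector, SHA-256
TLSA_2_0_1 = bytes([2, 0, 1]) + hashlib.sha256(ISSUER.der).digest()
# Issuer digest published under usage 3: compared to the leaf only, so no match
TLSA_MISMATCH = bytes([3, 0, 1]) + hashlib.sha256(ISSUER.der).digest()

if __name__ == "__main__":
    for rr in (TLSA_3_1_1, TLSA_2_0_1, TLSA_MISMATCH):
        print(rr[:3].hex(), dane_match([rr], CHAIN))
```

The returned flags are exactly the information Viktor notes OpenSSL's verify result cannot carry on its own: a "verified" chain is sufficient for a usage 3 match, but for usages 0 and 2 the caller still has to run its own name checks against the set of acceptable names.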
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane