On Mon, Nov 10, 2014 at 09:39:31PM +0000, Viktor Dukhovni wrote:
> > ;; Passed(depth 3, hostname jhcloos.com): jhcloos.com. IN TLSA 1 1 1
> > 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> > ;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1
> > 597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
> > ;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1
> > 8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
> > ;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2
> > F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08
>
> The jhcloos site is, however, in both camps. Above, my code is
> misreporting the match depth for usage PKIX-EE(1), reporting the
> depth of the cert chain, not the match; I'll fix that shortly.
If anyone is already using the ssl_dane code, the fix for the above
is below. I'll push it to github later this evening.
diff --git a/danessl.c b/danessl.c
index 5d1ead0..f7e5993 100644
--- a/danessl.c
+++ b/danessl.c
@@ -871,8 +871,8 @@ static int verify_chain(X509_STORE_CTX *ctx)
* Check for an EE match, then a CA match at depths > 0, and
* finally, if the EE cert is self-issued, for a depth 0 CA match.
*/
- if (leaf_rrs)
- matched = match(leaf_rrs, xn, 0);
+ if (leaf_rrs && (matched = match(leaf_rrs, xn, 0)) > 0)
+ n = 0;
while (!matched && issuer_rrs && --n >= 0) {
xn = sk_X509_value(ctx->chain, n);
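Review bot: the new test `(matched = match(leaf_rrs, xn, 0)) > 0` and the loop guard `while (!matched && issuer_rrs && --n >= 0)` right below it disagree on what counts as a match. If match() can ever return a negative value, the loop is skipped (matched is non-zero) but n is not reset to 0, so the reported depth would still be the chain depth this change is meant to correct. Either make the two tests agree (`!= 0` here, or `matched <= 0` in the loop) or add a line to the comment above stating that match() never returns a negative result. The assignment inside the condition also reads more clearly split out under `if (leaf_rrs) {`: `matched = match(leaf_rrs, xn, 0);` then `if (matched > 0) n = 0;`.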
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane