Re: [exim-dev] DANE

Mon, 18 Apr 2016 15:26:33 -0700 

On Mon, Apr 18, 2016 at 03:16:34PM +0100, Jeremy Harris wrote:

> >   * dane_tlsa_load() returns DEFER when after processing all the
> >     TLSA records, no usable records are found (e.g. all have
> >     certificate usage PKIX-TA(0) or PKIX-EE(1)).  The expected
> >     behaviour of opportunistic DANE TLS (rfc7672) in this case is
> >     that the delivery will proceed with *unauthenticated* TLS (TLS
> >     required, but authentication not required).
> > 
> >     I don't see the code enforces use of TLS when retrying TLS
> >     without DANE.
> 
> Testcase 5840, subtests 8-10 check this specifically.
> Please raise a specific bug if you see one.

I am not *sure* there is an issue, so if you have tests that rule
out cleartext "fallback" when all the TLSA records are unusable,
perhaps the logic is fine.  I got as far as noticing that "DEFER"
from the the DANE attempt leads to a retry without DANE.

> >   * In same function, the return value of  DANESSL_add_tlsa()
> >     might not be used quite right.  It returs 0 when the
> >     TLSA record is unusable (say unsupported selector), and
> >     negative when encountering an internal error.  Only
> >     the negative values should trigger errors.
> > 
> >     default:
> >     case 0:     /* action not taken */
> >       return tls_error(US"tlsa load", host, NULL);
> > 
> >     The 0 case should be treated just like unusable certificate
> >     usages or matching types (continue to next TLSA record).
> 
> Seems reasonable.  Is documentation for that routine and the
> others used for DANE support available yet?

Touche!  The "danessl" library is RTFS-only, because it is a stopgap
for lack of DANE support in OpenSSL itself.  With OpenSSL 1.1.0
you get a supported and documented DANE interface.

The API is not too dissimilar and in particular the "add a record"
function has the same return value: +ve for success, 0 for unusable,
and -ve for failure.

    http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_dane_enable.html

> >   * TLSA record lookup failures are not handled correctly.
> >     If the host's A records are signed,
> 
> Signed in what fashion?

I should perhaps have said "DNSSEC validated", that is that the A
records are in a "signed zone".

> >     then TLSA record lookup
> >     failure must block connections to the host, whether dane is
> >     "required" or not.  On the other hand, insecure TLSA records,
> >     (CNAME to insecure zone perhaps) should simply be ignored.

-- 
        Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##

Reply via email to