https://bugs.exim.org/show_bug.cgi?id=2311
--- Comment #4 from Andreas Metzler <[email protected]> ---

Hello,

looking what happens at tls-gnu.c with TLSA record 2 1 1, i.e. DANESSL_USAGE_DANE_TA.

#1690 dane_verify_crt_raw() succeeds, i.e. #1701 goto tlsa_prob is not triggered. verify == 0 and 1709 goto badcert does not hit, either, and 1711 state->peer_dane_verified = TRUE; runs. Now we are here:

1717 /* If a TA-mode TLSA record was used for verification we must additionally
1718 verify the CA chain and the cert name. For EE-mode, skip it. */
1719
1720 if (usage & (1 << DANESSL_USAGE_DANE_EE))

However the test

1717 if (usage & (1 << DANESSL_USAGE_DANE_EE))

does not succeed and therefore there is no

1721 goto goodcert;

and we continue on to

1726 rc = gnutls_certificate_verify_peers2(state->session, &verify);

AFAIUI the CA chain verification should not only be skipped for DANESSL_USAGE_DANE_EE (3 - "domain-issued certificate") but also for DANESSL_USAGE_DANE_TA (2 - "trust anchor assertion").

cu Andreas
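Added illustration, not code from the bug report or from Exim: a small C model of how the per-connection usage bitmask is built from TLSA records and of the condition quoted above, compared with the variant the comment argues for. The usage numbers (TA = 2, EE = 3) and the "2 1 1" record come from the comment; the hash fields and the function names are constructed placeholders, and nothing else of the tls-gnu.c verification flow is modelled.

```c
#include <stdio.h>
#include <stdlib.h>

/* Usage values as named in the comment (DANE-TA = 2, DANE-EE = 3). */
#define DANESSL_USAGE_DANE_TA 2
#define DANESSL_USAGE_DANE_EE 3

/* Constructed sample TLSA sets in presentation form
   ("usage selector mtype hexdata"); the hex fields are placeholders. */
static const char *const SAMPLE_TA_ONLY[]  = { "2 1 1 aabbccdd", NULL };
static const char *const SAMPLE_EE_ONLY[]  = { "3 1 1 11223344", NULL };
static const char *const SAMPLE_TA_AND_EE[] = { "2 1 1 aabbccdd", "3 1 1 11223344", NULL };
static const char *const SAMPLE_BAD[]      = { "7 1 1 00", NULL };

/* Build the usage bitmask from a NULL-terminated list of TLSA records:
   bit (1 << usage) is set for every record. Returns -1 on a malformed record. */
int tlsa_usage_mask(const char *const records[])
{
  int mask = 0;
  for (int i = 0; records[i]; i++) {
    char *end;
    long usage = strtol(records[i], &end, 10);
    if (end == records[i] || *end != ' ' || usage < 0 || usage > 3)
      return -1;
    mask |= 1 << usage;
  }
  return mask;
}

/* The condition quoted from tls-gnu.c: only an EE-mode record skips the
   additional CA-chain and name verification. */
int skips_chain_check_current(int mask)
{
  return (mask & (1 << DANESSL_USAGE_DANE_EE)) != 0;
}

/* The behaviour the comment proposes: a TA-mode record skips it as well. */
int skips_chain_check_proposed(int mask)
{
  int bits = (1 << DANESSL_USAGE_DANE_EE) | (1 << DANESSL_USAGE_DANE_TA);
  return (mask & bits) != 0;
}

int main(void)
{
  int m = tlsa_usage_mask(SAMPLE_TA_ONLY);
  printf("TA-only mask=%d current skip=%d proposed skip=%d\n",
         m, skips_chain_check_current(m), skips_chain_check_proposed(m));
  return 0;
}
```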
