On Sun, Dec 13, 2015 at 10:24:29PM +0000, Jeremy Harris wrote:

> > Well, I'd like to see DANE fully supported.  Did you ever get a
> > chance to integrate the latest version ssl_dane library from github?
> 
> After a lot of fighting git, yes.  

Thanks.

> Passes the initial Exim testsuite run with one minor difference:
> 
> 
>  1999-03-02 09:44:33 Start queue run: pid=pppp -qf
>  1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
>  1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
> +1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
>  1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
>  1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
>  1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
> 
> ... there's yet another verify callback now.

Is that a bug report?  Or just a cosmetic difference?  The only
thing that comes to mind is that you have a newer OpenSSL which
makes more callbacks than before:

        /*
         * Satisfy at least one usage 0 or 1 constraint, unless we've already
         * matched a usage 2 trust anchor.
         *
         * XXX: internal_verify() doesn't callback with top certs that are not
         * self-issued.  This should be fixed in a future OpenSSL.
         */
        if (dane->roots && sk_X509_num(dane->roots)) {
            X509 *top = sk_X509_value(ctx->chain, dane->depth);

            dane->mdpth = dane->depth;
            dane->match = top;
            X509_up_ref(top);

    #ifndef NO_CALLBACK_WORKAROUND

            if (X509_check_issued(top, top) != X509_V_OK) {
                ctx->error_depth = dane->depth;
                ctx->current_cert = top;
                if (!cb(1, ctx))
                    return 0;
            }
    #endif

in which case I need to figure out which OPENSSL_VERSION_NUMBER
test should replace "NO_CALLBACK_WORKAROUND".  Though with this as
the reason, I would have expected the "extra" callback to have a
depth higher than 0.  What version of the library were you using
previously (git commit id)?

> It's a pity GnuTLS isn't usable too.  As I said previously, I'd
> like to maintain parity between the two environments if at all
> possible.  On the other hand, I want DANE out there...

I may be able to do something about that at some point in 2016.

-- 
        Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
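As an added example (not part of the original message, and not Exim's or the ssl_dane library's own code): a small Python script that parses Exim's `tls:cert depth` log lines, finds back-to-back repeated verify callbacks within one delivery, and checks them against the workaround quoted above, which only adds a callback at the top of the chain (`dane->depth`) and only when that top cert is not self-issued. The log lines are constructed from the quoted testsuite diff; the function names and the modelled behaviour are assumptions made for the example.

```python
"""Check Exim 'tls:cert depth' callback traces against the DANE
verify-callback workaround quoted in the message above.

Added example; not Exim's or the ssl_dane library's code.  SAMPLE_LOG is
constructed from the testsuite diff quoted in the message.
"""
import re
from collections import defaultdict

# Constructed sample: the "after" side of the quoted testsuite diff,
# i.e. the trace that contains the extra depth-0 callback.
SAMPLE_LOG = """\
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 2 <CN=clica CA,O=example.com>
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 1 <CN=clica Signing Cert,O=example.com>
1999-03-02 09:44:33 10HmbB-0005vi-00 tls:cert depth = 0 <CN=server1.example.com>
"""

# date time msgid tls:cert depth = N <subject>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) tls:cert depth = (?P<depth>\d+) <(?P<subject>[^>]*)>$"
)


def parse_callbacks(log_text):
    """Return {msgid: [(depth, subject), ...]} in log order.

    Lines that are not 'tls:cert depth' records (queue-run lines, etc.)
    are ignored.
    """
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group("msgid")].append((int(m.group("depth")), m.group("subject")))
    return dict(out)


def repeated_callbacks(callbacks):
    """Return [(index, depth, subject)] for every callback that exactly
    repeats the one immediately before it: the 'extra' callbacks."""
    return [
        (i, depth, subject)
        for i, (depth, subject) in enumerate(callbacks)
        if i > 0 and callbacks[i - 1] == (depth, subject)
    ]


def workaround_extra_depth(chain_len, top_self_issued):
    """Depth at which the NO_CALLBACK_WORKAROUND branch quoted above would
    issue its own callback (modelled assumption, not the library's code):
    the top of the chain, dane->depth == chain_len - 1, and only when the
    top cert is not self-issued.  None when the branch is skipped."""
    if chain_len == 0 or top_self_issued:
        return None
    return chain_len - 1


def consistent_with_workaround(callbacks, top_self_issued=False):
    """True if every repeated callback sits at the depth the workaround
    would add one (the top of the chain); False if any repeat is elsewhere,
    e.g. at depth 0 as in the quoted trace."""
    if not callbacks:
        return True
    top = max(depth for depth, _ in callbacks)
    expected = workaround_extra_depth(top + 1, top_self_issued)
    return all(depth == expected for _, depth, _ in repeated_callbacks(callbacks))


if __name__ == "__main__":
    for msgid, cbs in parse_callbacks(SAMPLE_LOG).items():
        print(msgid, "callback depths:", [d for d, _ in cbs])
        for i, d, s in repeated_callbacks(cbs):
            print("  repeat at index", i, "depth", d, s)
        print("  consistent with top-of-chain workaround:",
              consistent_with_workaround(cbs))
```

Run on the sample, the only repeat is at depth 0, so `consistent_with_workaround` returns False; that is the same mismatch noted in the message, where the workaround would have produced the extra callback at a depth above 0.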
