> On Sep 4, 2018, at 8:52 AM, Jeremy Harris via Exim-users 
> <exim-users@exim.org> wrote:
> 
> As the docs say:
> 
> "DANE-TA usage is effectively declaring a specific CA to be used; this
> might be a private CA or a public, well-known one."
> 
> That CA needs to be known by the Exim configuration.

Sorry, that's simply wrong.  Exim MUST support validation via
DANE-TA(2) trust-anchors that ARE NOT configured locally. Indeed
Exim SHOULD ignore the local trust-anchors when validating usage
DANE-TA(2) TLSA records.  All that's required is that the remote
server include the trust-anchor certificate in its TLS certificate
message.

If Exim is to claim DANE support it MUST either correctly handle
non-public trust-anchors, or else MUST ignore "unusable" TLSA
RRsets that contain DANE-TA(2) TLSA records.  Indeed even "mixed"
TLSA RRsets with some DANE-EE(3) records and some DANE-TA(2)
records should probably be ignored until this issue (if not user
error), because quite often only the DANE-TA(2) records are valid.

My advice to the user would be to use a version of Exim that
is linked with OpenSSL and NOT GnuTLS.  The Exim DANE support
in combination with GnuTLS is not nearly as well tested or
supported.

-- 
        Viktor.
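The matching order Viktor describes, as an added illustration that is not Exim's code and not part of this thread: a DANE-TA(2) anchor is looked for in the chain the server presents, no local trust store is consulted, and a mixed RRset whose DANE-EE(3) record is stale still validates through the DANE-TA(2) record. The certificates and TLSA data are constructed byte strings; only selector 0 (full certificate) is modelled and signature verification is left out.

```python
import hashlib
from typing import List, NamedTuple, Optional

# Constructed stand-ins for X.509 certificates (not real DER): only the digest
# over the whole certificate (selector 0) is needed, so 'der' is any byte string.
class Cert(NamedTuple):
    subject: str
    issuer: str
    der: bytes

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (PKIX usages 0 and 1 not modelled)
    selector: int  # 0 = full certificate (selector 1, SPKI, not modelled)
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """What the TLSA certificate association data must equal for this cert."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is modelled here")
    if mtype == 0:
        return cert.der
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(cert.der).digest()
    raise ValueError(f"unknown matching type {mtype}")

def dane_match(chain: List[Cert], rrset: List[TLSA]) -> Optional[TLSA]:
    """First TLSA record the presented chain satisfies, else None (unusable).
    chain[0] is the end-entity cert, chain[i+1] issued chain[i]. No local trust
    store is consulted: a DANE-TA(2) anchor must be among the issuer certs the
    server sent. Signature checks are omitted since the certs are constructed.
    """
    for rr in rrset:
        if rr.usage == 3 and association_data(chain[0], rr.selector, rr.mtype) == rr.data:
            return rr
        if rr.usage == 2:
            for depth in range(1, len(chain)):
                if association_data(chain[depth], rr.selector, rr.mtype) != rr.data:
                    continue
                path = chain[:depth + 1]  # leaf .. candidate anchor must be an issuer chain
                if all(path[i].issuer == path[i + 1].subject for i in range(depth)):
                    return rr
    return None

# Constructed sample: a private CA unknown to any local trust store issued the
# server cert; the DANE-EE(3) record is stale, only the DANE-TA(2) one is valid.
CA = Cert("Private CA", "Private CA", b"constructed-ca-cert")
LEAF = Cert("mail.example", "Private CA", b"constructed-leaf-cert-v2")
RRSET = [TLSA(3, 0, 1, hashlib.sha256(b"constructed-leaf-cert-v1").digest()),
         TLSA(2, 0, 1, hashlib.sha256(CA.der).digest())]
```

With the CA certificate left out of the chain, `dane_match([LEAF], RRSET)` returns None: the RRset is unusable, which is the case the message says should be treated as such rather than failed.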


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/