> On Sep 7, 2018, at 3:33 AM, Jan Ingvoldstad via Exim-users <[email protected]> wrote:
>
> Please, if you have not already done so, file a bug report with Debian,
> this is a pretty major bug.

Until there's either a fix in GnuTLS (Nikos Mavrogiannopoulos can get in touch with me if there are questions), or a work-around in Exim that disables DANE for domains with DANE-TA(2) records when linked with GnuTLS (supporting only domains that use DANE-EE(3)), the only alternative is to disable DANE support in Exim when linked with GnuTLS.

Though Debian may not be in a position to fix DANE-TA(2) support in Exim+GnuTLS, they may of course be able to bring it to the attention of the appropriate GnuTLS developers. This is ultimately a GnuTLS issue.

While GnuTLS are looking at this, they should also implement a DANE verification option that allows hostname checks in the EE certificate to be skipped when matching DANE-EE(3) TLSA records. This is safe and needed for SMTP. It can run into a subtle issue with cross-origin policy for web browsing in HTTPS, so the checks need to be on by default, with the application able to selectively disable them when appropriate.

--
	Viktor.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] DANE(TA) doesn't work with self signed certificate
Viktor Dukhovni via Exim-users Fri, 07 Sep 2018 08:53:53 -0700
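
The work-around and the DANE-EE(3) matching described in the message above, as an added Python example that is not part of the original post and is not Exim or GnuTLS code. The function names, the policy strings and the sample records are assumptions made for illustration, and placeholder bytes stand in for real DER encodings.

```python
import hashlib

DANE_TA, DANE_EE = 2, 3  # TLSA certificate usage values (RFC 6698)

def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, data = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(data.split()))

def dane_policy(rrset):
    """Work-around decision for a GnuTLS-linked client (assumed reading of the
    post): any DANE-TA(2) record disables DANE for the domain; otherwise DANE
    is used only when at least one DANE-EE(3) record is present."""
    usages = [parse_tlsa(r)[0] for r in rrset]
    if DANE_TA in usages:
        return "dane-disabled"
    return "dane-ee-only" if DANE_EE in usages else "dane-disabled"

def ee_matches(record, cert_der, spki_der):
    """Match one DANE-EE(3) record against the peer's leaf certificate.
    No hostname comparison is made: the TLSA record itself binds the key."""
    usage, selector, mtype, data = record
    if usage != DANE_EE or selector not in (0, 1):
        return False
    source = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    if mtype == 0:  # exact match on the raw bytes
        return data == source
    algo = {1: hashlib.sha256, 2: hashlib.sha512}.get(mtype)
    return algo is not None and algo(source).digest() == data

def dane_authenticated(rrset, cert_der, spki_der):
    """True only when policy allows DANE and some DANE-EE(3) record matches."""
    if dane_policy(rrset) != "dane-ee-only":
        return False
    return any(ee_matches(parse_tlsa(r), cert_der, spki_der) for r in rrset)

# Constructed sample input: placeholder bytes, not real certificates.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-subject-public-key-info-der"
EE_RR = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()
TA_RR = "2 0 1 " + hashlib.sha256(b"constructed-trust-anchor-der").hexdigest()

if __name__ == "__main__":
    print(dane_policy([EE_RR]), dane_authenticated([EE_RR], CERT, SPKI))
    print(dane_policy([TA_RR, EE_RR]), dane_authenticated([TA_RR, EE_RR], CERT, SPKI))
```

A domain that publishes both record types ends up with DANE disabled under this policy, so its mail is no longer DANE-authenticated even though a matching DANE-EE(3) record exists.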
