> On Sep 7, 2018, at 1:32 PM, Andreas Metzler via Exim-users 
> <exim-users@exim.org> wrote:
> 
> Are you positive that this is a problem in GnuTLS and not a problem
> in exim's usage of gnutls-dane?
> 
> Asking, since
> danetool  --check=lists.gentoo.org --proto tcp --starttls-proto=smtp
> succeeds. (I have verified that this succeeds without local truststore,
> i.e. when "gnutls-cli --starttls-proto=smtp lists.gentoo.org" throws a
> verification error.)

Is your Exim linked with GnuTLS or OpenSSL?  Perhaps the version of GnuTLS
matters.  I can confirm that danetool for GnuTLS 3.5.19 verifies
lists.gentoo.org without accessing the local trust store.  What version of
GnuTLS is on the systems having problems?

Exim has to work with lower-level APIs than used by danetool, in order to
skip namechecks for DANE-EE(3).  I can't speak to the correctness of Exim's
use of the GnuTLS DANE API.  I am not sufficiently familiar with either
the Exim code or GnuTLS.

-- 
        Viktor.
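As an added illustration of why the usage type matters (this is not code from the thread, from Exim or from GnuTLS): a minimal Python model of TLSA matching in which DANE-EE(3) records are matched against the leaf certificate alone, with no name check, while DANE-TA(2) records still require the name check. The certificate and SPKI bytes are constructed stand-ins, and chain signature validation is assumed to have been done by the TLS library.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed stand-ins for DER-encoded certificates and SubjectPublicKeyInfo blobs.
EE_CERT_DER, EE_SPKI_DER = b"constructed-ee-cert-der", b"constructed-ee-spki-der"
TA_CERT_DER, TA_SPKI_DER = b"constructed-ta-cert-der", b"constructed-ta-spki-der"
# chain[0] is the end-entity (leaf) certificate; later entries are issuers.
CHAIN: List[Tuple[bytes, bytes]] = [(EE_CERT_DER, EE_SPKI_DER), (TA_CERT_DER, TA_SPKI_DER)]


@dataclass(frozen=True)
class Tlsa:
    usage: int     # only 2 (DANE-TA) and 3 (DANE-EE) are usable for SMTP (RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the certificate association data a TLSA record is compared against."""
    raw = {0: cert_der, 1: spki_der}[selector]
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[mtype](raw)


def tlsa_rr_for(cert_der: bytes, spki_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation form of the record one would publish, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, spki_der, selector, mtype).hex()}"


def parse_tlsa(rr: str) -> Tlsa:
    """Parse presentation form; dig may split long hex data with spaces."""
    usage, selector, mtype, hexdata = rr.split(None, 3)
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def dane_verify(records: Sequence[Tlsa], chain: Sequence[Tuple[bytes, bytes]],
                name_matches: bool) -> Tuple[bool, str]:
    """Return (accepted, reason). DANE-EE(3) ignores the peer name entirely."""
    for r in records:
        if r.usage == 3:
            if association_data(*chain[0], r.selector, r.mtype) == r.data:
                return True, "DANE-EE(3): leaf matched; name check skipped"
        elif r.usage == 2:
            for cert_der, spki_der in chain[1:]:  # a trust anchor somewhere above the leaf
                if association_data(cert_der, spki_der, r.selector, r.mtype) == r.data:
                    if name_matches:
                        return True, "DANE-TA(2): anchor matched and name check passed"
                    return False, "DANE-TA(2): anchor matched but name check failed"
        # usages 0 and 1 are not usable for SMTP transport security; ignored
    return False, "no usable TLSA record matched"
```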

