Andreas Metzler commented: https://gitlab.com/gnutls/gnutls/-/issues/557#note_1986670629

Picking this up again. I think something's broken here, it might have happened since I submitted this. I just cannot get Certificate usage=2 (DANE-TA Trust anchor assertion) to work at all on 3.8.5:

Running `gnutls-cli -V --no-ca-verification --dane --starttls-proto=smtp lists.gentoo.org` ends with:

```
*** DANE verification error: The requested data are not available.
*** Fatal error: Error in the certificate.
```

Afaict the setup is correct:

```
- Got a certificate list of 3 certificates.
- Certificate[0] info:
[...]
Issuer: CN=R11,O=Let's Encrypt,C=US
[...]
Subject: CN=lists.gentoo.org
[...]
- Certificate[1] info:
[...]
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Validity:
[...]
Subject: CN=R11,O=Let's Encrypt,C=US
[...]
Public Key ID:
sha1:4b7c1c92dee1c036cb2cc3cbfab7b529a8447c3d
sha256:6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
[...]
- Certificate[2] info:
[...]
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
[...]
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
```

And

```
ametzler@argenau:~$ host -t tlsa _25._tcp.lists.gentoo.org
_25._tcp.lists.gentoo.org is an alias for postfix-tlsa.pigeon.gentoo.org.
postfix-tlsa.pigeon.gentoo.org is an alias for generic-letsencrypt.tlsa.gentoo.org.
[multiple records for generic-letsencrypt.tlsa.gentoo.org]
generic-letsencrypt.tlsa.gentoo.org has TLSA record 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
```

i.e. the sha256 hash matches the one of certificate[1]. What's up with **The requested data are not available.**?
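The manual comparison made in the message above (TLSA `2 1 1` data against a certificate's sha256 Public Key ID) can be scripted. This is an added example, not code from the message or from GnuTLS. It assumes the sha256 Public Key ID printed by `gnutls-cli -V` is the SHA-256 of the certificate's SubjectPublicKeyInfo, which is what selector 1 with matching type 1 covers; the sample inputs are constructed from the excerpts quoted above, and the function names are hypothetical.

```python
import re

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 7218 names

# Constructed sample input, trimmed from the excerpts quoted in the message.
HOST_OUTPUT = """\
_25._tcp.lists.gentoo.org is an alias for postfix-tlsa.pigeon.gentoo.org.
generic-letsencrypt.tlsa.gentoo.org has TLSA record 2 1 1 6DDAC18698F7F1F7E1C69B9BCE420D974AC6F94CA8B2C761701623F9 9C767DC7
"""
GNUTLS_OUTPUT = """\
- Certificate[0] info:
    Subject: CN=lists.gentoo.org
- Certificate[1] info:
    Subject: CN=R11,O=Let's Encrypt,C=US
    Public Key ID:
        sha1:4b7c1c92dee1c036cb2cc3cbfab7b529a8447c3d
        sha256:6ddac18698f7f1f7e1c69b9bce420d974ac6f94ca8b2c761701623f99c767dc7
"""

def parse_tlsa(text):
    """Return (usage, selector, mtype, hex) tuples; host(1) splits long hex with spaces."""
    out = []
    for m in re.finditer(r"has TLSA record (\d+) (\d+) (\d+) ([0-9A-Fa-f ]+)$", text, re.M):
        u, s, t = (int(x) for x in m.group(1, 2, 3))
        out.append((u, s, t, m.group(4).replace(" ", "").lower()))
    return out

def parse_key_ids(text):
    """Map certificate index -> sha256 Public Key ID from gnutls-cli -V output."""
    ids, idx = {}, None
    for line in text.splitlines():
        if m := re.match(r"- Certificate\[(\d+)\] info:", line):
            idx = int(m.group(1))
        elif (m := re.match(r"\s*sha256:([0-9a-f]{64})\s*$", line)) and idx is not None:
            ids[idx] = m.group(1)
    return ids

def match_spki_sha256(tlsa, key_ids):
    """Only selector 1 (SPKI) / matching type 1 (SHA-256) records are comparable to key IDs."""
    hits = []
    for usage, selector, mtype, data in tlsa:
        if (selector, mtype) != (1, 1) or len(data) != 64:
            continue
        for idx, kid in sorted(key_ids.items()):
            # Simplification: EE usages (1, 3) must match the leaf (index 0);
            # TA usages (0, 2) are accepted against any certificate in the list.
            if kid == data and (usage in (0, 2) or idx == 0):
                hits.append((USAGE.get(usage, str(usage)), idx))
    return hits

if __name__ == "__main__":
    print(match_spki_sha256(parse_tlsa(HOST_OUTPUT), parse_key_ids(GNUTLS_OUTPUT)))
```

A hit here only confirms that the published record and the presented chain agree; it does not reproduce GnuTLS's DNSSEC lookup or its DANE verification path.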
