What a great idea. But it does create a very strong dependency between
LDAP and DNS. Does OpenSSL support private DNSSEC trust anchors in its
DANE implementation?
On 30/07/2023 9:23 am, John Scott wrote:
Hello,
Thanks to the TLS callback support, I discovered that using DANE with libldap
is actually really easy. OpenSSL has DANE support built-in, so all you have to
do is turn it on and get the DNS records. As a proof-of-concept, I've written
an example that disables the use of certificate authorities and uses DANE
alone, in accordance with their preference in the TLSA record, to connect to
Debian's LDAP instance.
Note that Debian currently uses GnuTLS for OpenLDAP which has, in my opinion,
not so good DANE support, so this code won't work. I'm offering my help to the
Debian maintainers though to change that.
Code is at https://salsa.debian.org/-/snippets/649
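An added example, not the code in the linked snippet and not OpenSSL's or libldap's own source: the matching step a DANE validator performs once the TLSA records are in hand. A TLSA record is (usage, selector, matching type, association data), the same four fields OpenSSL's `SSL_dane_tlsa_add()` takes after `SSL_dane_enable()`; in libldap those calls would go in the TLS connect callback the post relies on. The example below stays in Python and stdlib only so it runs offline: it parses records from DNS wire format and from dig-style text, then accepts or rejects a certificate chain using DANE-EE/DANE-TA records alone, with no CA, as the post describes. The certificate is a constructed DER skeleton and the TLSA record is computed from it; neither is Debian's real data.

```python
"""Added example: TLSA record parsing and RFC 6698 matching, CA-free.
The certificate and record below are constructed for the demo."""
import hashlib
import hmac

# RFC 6698 field values; usages 0/1 (PKIX-TA/EE) need CA validation, skipped here
USAGE_DANE_TA, USAGE_DANE_EE = 2, 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def parse_tlsa_rdata(rdata: bytes):
    """Split TLSA RDATA (RFC 6698 section 2.1) into its four fields."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def parse_tlsa_presentation(text: str):
    """Parse 'usage selector mtype hexdata' as dig prints it."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def _der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_tlv(buf: bytes, off: int):
    """Decode the TLV at buf[off:]; return (tag, value, offset after the TLV)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER subjectPublicKeyInfo TLV of an X.509 certificate.
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, spki, ... }"""
    _, cert_body, _ = _der_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs, _ = _der_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    tag, _, off = _der_tlv(tbs, 0)
    if tag != 0xA0:                             # no explicit version present
        off = 0
    for _ in range(5):                          # serial, sigalg, issuer, validity, subject
        _, _, off = _der_tlv(tbs, off)
    _, _, end = _der_tlv(tbs, off)
    return tbs[off:end]


def tlsa_matches(selector, mtype, assoc_data, cert_der) -> bool:
    """RFC 6698 2.1.2/2.1.3: pick cert or SPKI, hash per mtype, compare."""
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = extract_spki(cert_der)
    else:
        return False                            # unknown selector: unusable record
    if mtype == MATCH_FULL:
        digest = subject
    elif mtype == MATCH_SHA256:
        digest = hashlib.sha256(subject).digest()
    elif mtype == MATCH_SHA512:
        digest = hashlib.sha512(subject).digest()
    else:
        return False                            # unknown matching type
    return hmac.compare_digest(digest, assoc_data)


def dane_accepts(records, chain) -> bool:
    """chain[0] is the end-entity cert. Accept if a DANE-EE record matches the
    leaf or a DANE-TA record matches an issuer; PKIX-* records are ignored."""
    for usage, selector, mtype, data in records:
        if usage == USAGE_DANE_EE and tlsa_matches(selector, mtype, data, chain[0]):
            return True
        if usage == USAGE_DANE_TA and any(
                tlsa_matches(selector, mtype, data, c) for c in chain[1:]):
            return True
    return False


def sample_cert() -> bytes:
    """Constructed, structurally valid DER certificate skeleton (not a real cert)."""
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201"))
                           + _der(0x06, bytes.fromhex("2a8648ce3d030107")))
                + _der(0x03, b"\x00\x04" + bytes(range(64))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
               + _der(0x30, b"") + _der(0x30, _der(0x17, b"230101000000Z")
               + _der(0x17, b"240101000000Z")) + _der(0x30, b"") + spki)
    return _der(0x30, tbs + _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
                + _der(0x03, b"\x00" + bytes(16)))


def sample_records():
    """One constructed DANE-EE / SPKI / SHA-256 record in wire format."""
    digest = hashlib.sha256(extract_spki(sample_cert())).digest()
    return [parse_tlsa_rdata(bytes([USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256]) + digest)]
```

Note that the record's usage decides which certificate in the chain it is compared against, and that a record with an unrecognised selector or matching type is simply unusable rather than a match; a real client should also insist that the TLSA lookup itself was DNSSEC-validated, which is the dependency between LDAP and DNS raised in the reply above.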