Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert

2018-09-09 Thread Viktor Dukhovni via Exim-dev
> On Sep 9, 2018, at 1:04 PM, Jeremy Harris via Exim-dev wrote:
> 
> https://lists.exim.org/lurker/message/20180904.122640.3cbadefb.en.html
> 
> The subject says "self signed".
> If it's not expected to work, perhaps you could explain why (on-list,
> to the originator)?

The OP is not sufficiently familiar with the right terms of art.
He/she surely means private-CA, not found in the local trust
store, rather than self-signed server certificate.

  self-signed root CA (not in Mozilla bundle)
          |
          v
  [ intermediates ]
          |
          v
  EE cert

DANE-TA(2) works when the trust-anchor certificate matches some
*issuer* certificate in the chain provided by the server in its
"TLS certificate message".  If the match is the self-signed
root CA, that certificate MUST be included in the chain for DANE
to work, even though root CAs are not typically sent with WebPKI
PKIX.

The lists.gentoo.example matches both an intermediate and a root,
and both are included in the server chain.  So the issue to focus
on is why lists.gentoo.org (or ditto with just gentoo.org) fails.

DANE-TA(2) never matches a self-signed EE cert.

-- 
Viktor.


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
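The DANE-TA(2) versus DANE-EE(3) matching rules Viktor describes above, as an added example that is neither Exim's code nor from the thread. Certificates are constructed stand-ins (labelled byte strings, not real X.509), and the PKIX signature check that a real DANE-TA verifier also performs up to the trust anchor is deliberately omitted so that only the "which depth may match" rule is shown:

```python
# Added example: a minimal model of TLSA matching against the chain a
# server sends. Certs are constructed stand-ins, not real X.509 objects.
import hashlib
from dataclasses import dataclass


@dataclass
class Cert:
    name: str    # constructed label, for readability only
    der: bytes   # stand-in for the DER-encoded certificate
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo


def tlsa_data(cert, selector, mtype):
    """TLSA 'certificate association data' for one cert.
    selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    blob = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return blob
    return hashlib.sha256(blob).digest() if mtype == 1 else hashlib.sha512(blob).digest()


def dane_match(usage, selector, mtype, assoc, chain):
    """chain[0] is the EE cert; chain[1:] are the issuers the server sent.
    Returns (matched, depth). Usage 3 (DANE-EE) is compared at depth 0 only.
    Usage 2 (DANE-TA) is compared at depth >= 1 only: the TA must itself be
    present in the chain (a root is not sent by default in WebPKI practice)
    and a self-signed EE cert can never satisfy a TA record."""
    if usage == 3:
        depths = [0]
    elif usage == 2:
        depths = range(1, len(chain))
    else:
        raise ValueError("PKIX-CA(0)/PKIX-EE(1) are not modelled here")
    for depth in depths:
        if tlsa_data(chain[depth], selector, mtype) == assoc:
            return True, depth
    return False, None


# Constructed chain: private root -> intermediate -> EE, root in no trust store.
ROOT = Cert("root", b"der:root", b"spki:root")
INTER = Cert("intermediate", b"der:inter", b"spki:inter")
EE = Cert("ee", b"der:ee", b"spki:ee")
SELF_SIGNED_EE = Cert("self-signed-ee", b"der:ss", b"spki:ss")

# TLSA "2 1 1 <sha256 of the root's SPKI>" and "3 1 1 <sha256 of the EE's SPKI>"
TA_ROOT_RECORD = tlsa_data(ROOT, 1, 1)
EE_RECORD = tlsa_data(SELF_SIGNED_EE, 1, 1)
```

A chain that omits the root fails against the root-anchored record, while the same record succeeds once the root is appended, which is the point about the gentoo chains above.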


Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert

2018-09-09 Thread Jeremy Harris via Exim-dev
On 9/9/18 5:54 PM, Viktor Dukhovni via Exim-dev wrote:
> This does not appear to be the right description.

https://lists.exim.org/lurker/message/20180904.122640.3cbadefb.en.html

The subject says "self signed".
If it's not expected to work, perhaps you could explain why (on-list,
to the originator)?
-- 
Cheers,
  Jeremy



Re: [exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert

2018-09-09 Thread Viktor Dukhovni via Exim-dev
> On Sep 9, 2018, at 10:50 AM, admin--- via Exim-dev wrote:
> 
>     Summary: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert
>     Product: Exim
>     Version: 4.91
>    Hardware: x86
>          OS: Windows
>      Status: NEW
>    Severity: bug
>    Priority: medium
>   Component: Delivery in general
>    Assignee: ni...@exim.org
>    Reporter: jgh146...@wizmail.org
>          CC: exim-dev@exim.org
> 
> This appears to be a GnuTLS library bug at present, but recording here for
> tracking purposes.

This does not appear to be the right description.  DANE-TA(2) is NOT
expected to work with self-signed server certs, and the report for
lists.gentoo.org is not for a self-signed cert.

The reports seem to be for ordinary 2 or 3 level chains in which
DANE-TA(2) matches at depth 1 or higher (depth 0 is the EE cert).

-- 
Viktor.




[exim-dev] [Bug 2311] New: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert

2018-09-09 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2311

    Bug ID: 2311
   Summary: DANE verify fails with a TA-mode TLSA and a selfsigned sever cert
   Product: Exim
   Version: 4.91
  Hardware: x86
        OS: Windows
    Status: NEW
  Severity: bug
  Priority: medium
 Component: Delivery in general
  Assignee: ni...@exim.org
  Reporter: jgh146...@wizmail.org
        CC: exim-dev@exim.org

This appears to be a GnuTLS library bug at present, but recording here for
tracking purposes.

Testsuite case 5822 exercises the issue.

Possible workarounds:
- EE-mode TLSA
- A full CA-anchored cert (eg. LetsEncrypt) rather than a selfsigned

-- 
You are receiving this mail because:
You are on the CC list for the bug.