More details. Join the [email protected] list if you're interested in DNSSEC identity verification for XMPP (link at bottom).
-------- Original Message --------
Subject: Re: [dane] DANE for OpenSSL
Date: Wed, 15 May 2013 15:55:17 +0000
From: Viktor Dukhovni <[email protected]>
Reply-To: [email protected]
To: [email protected]

On Wed, May 15, 2013 at 03:43:01PM +0200, Jakob Schlyter wrote:

> Andy Polyakov has committed initial support for DANE in OpenSSL -
> please see http://rt.openssl.org/Ticket/Display.html?id=3003 for
> more information.

Note, this "initial support" does not yet perform any verification based on TLSA records; it just adds a convenience TLSA RR lookup function that is conditional on libunbound. The application will need to call SSL_get_tlsa_record_byname() and then provide the output to the OpenSSL library via a control operation before the handshake.

There are complications because EE certificate usage (1/3) TLSA records are different from TA (0/2) TLSA records. The former (or at least 3 in any case) require no name checks, and the latter do. OpenSSL has no means to communicate the distinction; the result of the verification engine is either "verified" (as in trust chain verified) or not. Since with DANE it is not enough to know whether the chain is trusted, one needs to know whether name checks are still required, applications will have to also communicate the names to accept (plural per draft-ietf-dane-srv) to the OpenSSL library.

Further complications can arise with session reuse, depending on how client applications associate cached sessions with a particular peer.

There is still a bunch of work before this is usable.
This will by the way fail to compile if one defines OPENSSL_NO_LIBUNBOUND:

    $ unifdef -DOPENSSL_NO_LIBUNBOUND ssl/dnssec.c | head -20
    #include <openssl/opensslconf.h>
    #include <string.h>
    #include <netdb.h>
    #include <openssl/bio.h>
    #include <openssl/dso.h>

    /*
     * Output is array packed as [len][data][len][data][0]
     */
    unsigned char *SSL_get_tlsa_record_byname (const char *name,int port,int type)
    {
        unsigned char *ret=NULL;
        char *query=NULL;
        size_t qlen;

        if (ctx == NULL) return NULL;

        qlen = 7+5+strlen(name)+1;

because "ctx" is not declared in that case; the declaration requires unbound.h:

    #include <unbound.h>
    static struct ub_ctx *ctx = NULL;

-- 
	Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
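To make the usage-0/2 versus 1/3 distinction Viktor describes concrete, here is an added example (not OpenSSL's code and not part of the original thread) that matches TLSA records against a certificate chain and reports the two things the OpenSSL verify result cannot express: whether a name check is still owed and whether PKIX validation is also required. It follows the later RFC 7671 reading, under which only DANE-EE (usage 3) drops name checks while PKIX-EE (usage 1) keeps them; the DER inputs are constructed placeholders, not real certificates.

```python
import hashlib
from dataclasses import dataclass

# Certificate usages from RFC 6698: 0/2 name a trust anchor, 1/3 name the end-entity cert.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

@dataclass
class TLSA:
    usage: int
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def association_data(selector, mtype, cert_der, spki_der):
    """Compute the association data a TLSA record must carry to match this certificate."""
    chosen = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return chosen
    if mtype == 1:
        return hashlib.sha256(chosen).digest()
    if mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unsupported matching type {mtype}")

def evaluate(records, chain):
    """Match TLSA records against a chain of (cert_der, spki_der) tuples, leaf first.

    Returns the usage and chain depth of the first matching record plus the two
    decisions OpenSSL cannot report on its own: whether the application must still
    verify the peer name (all usages except DANE-EE) and whether ordinary PKIX
    chain validation is also required (usages 0 and 1). None means no match.
    """
    for rr in records:
        # EE usages (1/3) match only the leaf; TA usages (0/2) match an issuer above it.
        depths = [0] if rr.usage in (PKIX_EE, DANE_EE) else range(1, len(chain))
        for depth in depths:
            cert_der, spki_der = chain[depth]
            if association_data(rr.selector, rr.mtype, cert_der, spki_der) == rr.data:
                return {"usage": rr.usage, "depth": depth,
                        "name_check_required": rr.usage != DANE_EE,
                        "pkix_required": rr.usage in (PKIX_TA, PKIX_EE)}
    return None

# Constructed stand-ins for DER blobs; real code takes them from the TLS handshake.
LEAF_DER, LEAF_SPKI = b"constructed leaf cert DER", b"constructed leaf SPKI DER"
CA_DER, CA_SPKI = b"constructed issuer cert DER", b"constructed issuer SPKI DER"
CHAIN = [(LEAF_DER, LEAF_SPKI), (CA_DER, CA_SPKI)]
```

A DANE-TA record that happens to match the leaf is deliberately rejected, since a usage-2 association is a claim about an issuer, not about the end-entity certificate.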
