On Tue, May 28, 2013 at 07:20:15AM -0700, Wes Hardaker wrote: > It's worth noting, since Viktor unintentionally glossed over it, that > the base TLSA definition does include definitions for how to use it over > TLS and targeted toward HTTPS specifically, so another document isn't > needed for that case. The other protocols he mentioned still need some > definition and binding, however.
Yes, my response was perhaps too brief. For HTTPS, RFC 6698 is largely sufficient. There is a corner case with "2 1 [12]" TLSA RRs and an unstated requirement for servers to include the TA certificate in their chain. Many verifier implementations don't correctly handle "2 1 0" TLSA RRs. > > OpenSSL does not yet provide ready-to-use DANE verification code, > > so applications based on OpenSSL have to roll their own. > > Or use another library that provides DANE validation hooks to use for > OpenSSL verification links. > > (eg: > https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/docs/tool-description/val_getdaneinfo.html > ) > This library's (latest 2.0 release) implementation of certificate usage 2 is rather broken none of the "2 x y" cases are implemented correctly. More fundamentally, this library is (as evidenced by the curl patch) intended to be used after a permissive SSL verification callback which ignores all errors (or equivalently with any callback and SSL_VERIFY_NONE set). This will ignore parent-child signature errors and expiration problems in the certificate chain. Since applications generally expect PKIX validation to performed during the handshake, application code that runs post-handshake rarely if ever performs a complete set of PKIX checks. Thus also with certificate usage 0 and 1 the patched curl will not in fact validate the PKIX certificate chain. So only certificate usage 3 may work (at first glance), the others are definitely broken. > It shouldn't be hard to get up and running today, and many applications > and examples exist for you to glance at and study: > > https://www.dnssec-tools.org/svn/dnssec-tools/trunk/dnssec-tools/apps/curl/curl-7.29.0.patch Which in turn breaks the patched curl. Support for DANE in this library needs to be fixed or withdrawn. -- Viktor. _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
