Hi Viktor,

On May 28, 2013, at 11:51 AM, Viktor Dukhovni wrote:

> On Tue, May 28, 2013 at 07:20:15AM -0700, Wes Hardaker wrote:
>>> OpenSSL does not yet provide ready-to-use DANE verification code,
>>> so applications based on OpenSSL have to roll their own.
>>
>> Or use another library that provides DANE validation hooks to use for
>> OpenSSL verification links.
>>
>> (e.g.:
>> https://www.dnssec-tools.org/svn/dnssec-tools/trunk/htdocs/docs/tool-description/val_getdaneinfo.html
>> )
>>
>
> This library's (latest 2.0 release) implementation of certificate
> usage 2 is rather broken; none of the "2 x y" cases are implemented
> correctly.
>

Yep, the implementation of usage 2 in the 2.0 release is quite broken. However, the svn version should be better (https://www.dnssec-tools.org/svn/dnssec-tools/trunk/dnssec-tools/validator/libval/val_dane.c). Feedback is always welcome.

You're also welcome to try out the DANE-capable Bloodhound browser (http://www.dnssec-tools.org/download/#gotoBloodhound), which links against a more recent (post-2.0) version of libval primarily for this reason.

> More fundamentally, this library is (as evidenced by the curl patch)
> intended to be used after a permissive SSL verification callback
> which ignores all errors (or equivalently with any callback and
> SSL_VERIFY_NONE set). This will ignore parent-child signature
> errors and expiration problems in the certificate chain.
>
> Since applications generally expect PKIX validation to be performed
> during the handshake, application code that runs post-handshake
> rarely if ever performs a complete set of PKIX checks.
>

I agree with you that we'd normally want the DANE checks to occur during the SSL handshake itself for all the reasons you've given above. In the case of libcurl, though, it appears that the application performs its own set of certificate checks in ossl_connect_step3().

Now, I'm by no means an expert in the libcurl code base and could still be way wrong, but a quick test seemed to confirm that expired TLS certs are in fact caught even with the patch applied.

Thanks!
Suresh

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
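The point Viktor raises above, that a usage 2 ("2 x y", DANE-TA) TLSA record is only meaningful if the path from the leaf to the matching trust anchor is actually validated, can be made concrete with the following added example. It is not code from libval, libcurl or anyone on this thread; it implements the TLSA selector and matching-type rules of RFC 6698 section 2.1 over constructed byte strings that stand in for DER certificates and SubjectPublicKeyInfo blobs, and the `Cert` fields `expired` and `signed_by_parent` are assumed stand-ins for the result of real X.509 parsing and signature checks. The `check_chain=False` path reproduces what a verify callback that ignores all errors leaves a post-handshake DANE check with.

```python
import hashlib
from dataclasses import dataclass
from typing import Sequence

# TLSA RDATA field values, RFC 6698 section 2.1
USAGE_DANE_TA = 2      # "2 x y": an issuing CA in the validated chain must match
USAGE_DANE_EE = 3      # "3 x y": the end-entity cert must match; no PKIX validation required
SELECTOR_FULL_CERT = 0
SELECTOR_SPKI = 1
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes


@dataclass(frozen=True)
class Cert:
    """Stand-in for a parsed X.509 certificate. The bytes are constructed, not
    real DER, and the two flags simulate what a real parser/verifier would report."""
    der: bytes
    spki: bytes
    expired: bool = False          # outside its notBefore/notAfter window
    signed_by_parent: bool = True  # signature verifies under the next cert in the chain


def tlsa_matches(rec: TLSA, cert: Cert) -> bool:
    """Apply one TLSA record's selector and matching type to one certificate."""
    selected = cert.der if rec.selector == SELECTOR_FULL_CERT else cert.spki
    if rec.matching_type == MATCH_EXACT:
        return selected == rec.data
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: the record is unusable, never a match


def chain_validates_to(chain: Sequence[Cert], anchor_index: int) -> bool:
    """The PKIX-style checks a post-handshake DANE-TA check has to repeat if the
    handshake's verify callback ignored errors: every cert below the anchor is
    unexpired and carries a valid signature from the cert above it, and the
    anchor itself is unexpired."""
    for cert in chain[:anchor_index]:
        if cert.expired or not cert.signed_by_parent:
            return False
    return not chain[anchor_index].expired


def dane_verify(records: Sequence[TLSA], chain: Sequence[Cert], check_chain: bool = True) -> bool:
    """chain[0] is the leaf; chain[i + 1] is the issuer of chain[i].
    check_chain=False skips path validation for usage 2, which is exactly the
    weakness of matching TLSA data after a permissive verification callback."""
    for rec in records:
        if rec.usage == USAGE_DANE_EE:
            if tlsa_matches(rec, chain[0]):
                return True
        elif rec.usage == USAGE_DANE_TA:
            # Simplification: the anchor is taken to be an issuer, not the leaf itself.
            for i in range(1, len(chain)):
                if tlsa_matches(rec, chain[i]) and (not check_chain or chain_validates_to(chain, i)):
                    return True
        # usages 0 and 1 also need the CA-bundle PKIX result and are omitted here
    return False


# Constructed sample data: a leaf issued by one CA, plus records for each usage.
def sample_chain(leaf_expired: bool = False, leaf_signed: bool = True) -> list:
    leaf = Cert(b"leaf-der", b"leaf-spki", expired=leaf_expired, signed_by_parent=leaf_signed)
    ca = Cert(b"ca-der", b"ca-spki")
    return [leaf, ca]


TA_RECORD = TLSA(USAGE_DANE_TA, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(b"ca-spki").digest())
EE_RECORD = TLSA(USAGE_DANE_EE, SELECTOR_FULL_CERT, MATCH_SHA512, hashlib.sha512(b"leaf-der").digest())
WRONG_EE_RECORD = TLSA(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(b"someone-else").digest())


def demo() -> dict:
    good = sample_chain()
    expired = sample_chain(leaf_expired=True)
    forged = sample_chain(leaf_signed=False)  # leaf presented under a CA that did not sign it
    return {
        "ta_good": dane_verify([TA_RECORD], good),
        "ta_expired_strict": dane_verify([TA_RECORD], expired),
        "ta_expired_lenient": dane_verify([TA_RECORD], expired, check_chain=False),
        "ta_forged_strict": dane_verify([TA_RECORD], forged),
        "ta_forged_lenient": dane_verify([TA_RECORD], forged, check_chain=False),
        "ee_expired": dane_verify([EE_RECORD], expired),  # usage 3 needs no PKIX path
        "ee_wrong_key": dane_verify([WRONG_EE_RECORD], good),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The two `lenient` results are the failure mode from the thread: with path validation skipped, a forged or expired leaf is accepted simply because the CA named in the "2 x y" record appears somewhere in the presented chain. Usage 3 is different by design; RFC 6698 does not require PKIX validation for it, so the expired leaf is accepted there.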
