On 2/21/2014 4:38 PM, Viktor Dukhovni wrote:
> On Fri, Feb 21, 2014 at 03:19:10PM -0500, Stephen Nightingale wrote:
>> It is now possible to test from both TLSlite based and GnuTLS based
>> clients.
>
> The GnuTLS DANE implementation does not implement DANE-TA(2) or
> correctly. It may also IIRC not do PKIX-TA(0) right either. The
> issue is that the TA is incorrectly constrained to be the immediate
> issuer of the leaf certificate. There may be other problems, I
> did not perform a comprehensive code review.
>
> So results from GnuTLS DANE verification can be misleading.

I should point out that I am not using GnuTLS's idea of DANE verification.
I'm getting the cert chain passed up and doing my own DANE verification.
For this purpose I had to modify the python-gnutls-1.2.5 interface to
GnuTLS, to pass in a certificate chain, since in the download it only
passes in a single end cert.

>> A golden, canonical CA list would be nice to find. But I guess that its
>> non-universal availability is one of the problems of the CA system
>> that DANE is aiming squarely at.
>
> There is no such beast. A form of Goedel's incompleteness theorem
> applies: any list of CAs is either incomplete or untrustworthy (or
> both).
>
>> The differences between TLSlite and GnuTLS clients highlight the
>> fact that there are unresolved interoperability issues among TLS
>> implementations.
>
> Default configurations of GnuTLS typically enforce unreasonable
> minimum sizes on EDH primes. Applications have to work around
> these with policy overrides.
>
>> I look forward to seeing the newly upgraded OpenSSL
>> client with added DANE. It is quite possible that as an interim step
>> before its appearance I will add this DANE-in-the-App implementation
>> to pyOpenSSL and/or Twisted.
>
> Such a project should not be undertaken lightly, it is too easy to
> get it wrong.
>
>> If you find any glaring errors, I will be embarrassed but thankful.
>> If you find any subtle errors I will be impressed and thankful.
>
> A code review is required to rule out subtle errors, glaring errors
> may show up in tests if the test bed is sufficiently comprehensive.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane